Windows Analysis Report
Payment Advice__Swift-MT103.pdf.bat.exe

Overview

General Information

Sample name: Payment Advice__Swift-MT103.pdf.bat.exe
Analysis ID: 1467078
MD5: ae9e6ffdc6b75b93d96748b6e2801096
SHA1: c3ba04cbc0d773ca5b036c44e6b7b97b4c5e936f
SHA256: 6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978
Tags: bat, exe, RAT, RemcosRAT

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected Remcos RAT
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate processes and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number, etc.) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Payment Advice__Swift-MT103.pdf.bat.exe (PID: 1412 cmdline: "C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe" MD5: AE9E6FFDC6B75B93D96748B6E2801096)
    • powershell.exe (PID: 1100 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 4320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5308 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PQHcRKfCm.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7480 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 5304 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PQHcRKfCm" /XML "C:\Users\user\AppData\Local\Temp\tmp319C.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • PQHcRKfCm.exe (PID: 7424 cmdline: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe MD5: AE9E6FFDC6B75B93D96748B6E2801096)
    • schtasks.exe (PID: 7648 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PQHcRKfCm" /XML "C:\Users\user\AppData\Local\Temp\tmp4459.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • PQHcRKfCm.exe (PID: 7692 cmdline: "C:\Users\user\AppData\Roaming\PQHcRKfCm.exe" MD5: AE9E6FFDC6B75B93D96748B6E2801096)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Version": "3.8.0 Pro", "Host:Port:Password": "204.10.160.230:7983", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Rmc-O7QOC3", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: 0000000A.00000002.4481027121.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 0000000F.00000002.2088942310.00000000012BA000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
  • 0x691e0:$a1: Remcos restarted by watchdog!
  • 0x69738:$a3: %02i:%02i:%02i:%03i
  • 0x69abd:$a4: * Remcos v
Source: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown
  • 0x641e4:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x63610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x63e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6320c:$str_b2: Executing file:
  • 0x64328:$str_b3: GetDirectListeningPort
  • 0x63c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x63e30:$str_b7: \update.vbs
  • 0x63234:$str_b9: Downloaded file:
  • 0x63220:$str_b10: Downloading file:
  • 0x632c4:$str_b12: Failed to upload file:
  • 0x642f0:$str_b13: StartForward
  • 0x64310:$str_b14: StopForward
  • 0x63dd8:$str_b15: fso.DeleteFile "
  • 0x63d6c:$str_b16: On Error Resume Next
  • 0x63e08:$str_b17: fso.DeleteFolder "
  • 0x632b4:$str_b18: Uploaded file:
  • 0x63274:$str_b19: Unable to delete:
  • 0x63da0:$str_b20: while fso.FileExists("
  • 0x63749:$str_c0: [Firefox StoredLogins not found]
(14 further entries not shown)
Source: 15.2.PQHcRKfCm.exe.400000.0.unpack | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 15.2.PQHcRKfCm.exe.400000.0.unpack | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
  • 0x679e0:$a1: Remcos restarted by watchdog!
  • 0x67f38:$a3: %02i:%02i:%02i:%03i
  • 0x682bd:$a4: * Remcos v
Source: 15.2.PQHcRKfCm.exe.400000.0.unpack | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown
  • 0x629e4:$str_a1: C:\Windows\System32\cmd.exe
  • 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x61a0c:$str_b2: Executing file:
  • 0x62b28:$str_b3: GetDirectListeningPort
  • 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x62630:$str_b7: \update.vbs
  • 0x61a34:$str_b9: Downloaded file:
  • 0x61a20:$str_b10: Downloading file:
  • 0x61ac4:$str_b12: Failed to upload file:
  • 0x62af0:$str_b13: StartForward
  • 0x62b10:$str_b14: StopForward
  • 0x625d8:$str_b15: fso.DeleteFile "
  • 0x6256c:$str_b16: On Error Resume Next
  • 0x62608:$str_b17: fso.DeleteFolder "
  • 0x61ab4:$str_b18: Uploaded file:
  • 0x61a74:$str_b19: Unable to delete:
  • 0x625a0:$str_b20: while fso.FileExists("
  • 0x61f49:$str_c0: [Firefox StoredLogins not found]
Source: 15.2.PQHcRKfCm.exe.400000.0.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer | Description: detects Windows executables potentially bypassing UAC using eventvwr.exe | Author: ditekSHen
  • 0x61900:$s1: \Classes\mscfile\shell\open\command
  • 0x61960:$s1: \Classes\mscfile\shell\open\command
  • 0x61948:$s2: eventvwr.exe
Source: 11.2.PQHcRKfCm.exe.3b0b308.4.unpack | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
(31 further entries not shown)

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe", ParentImage: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe, ParentProcessId: 1412, ParentProcessName: Payment Advice__Swift-MT103.pdf.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe", ProcessId: 1100, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe", ParentImage: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe, ParentProcessId: 1412, ParentProcessName: Payment Advice__Swift-MT103.pdf.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe", ProcessId: 1100, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PQHcRKfCm" /XML "C:\Users\user\AppData\Local\Temp\tmp4459.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PQHcRKfCm" /XML "C:\Users\user\AppData\Local\Temp\tmp4459.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe, ParentImage: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe, ParentProcessId: 7424, ParentProcessName: PQHcRKfCm.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PQHcRKfCm" /XML "C:\Users\user\AppData\Local\Temp\tmp4459.tmp", ProcessId: 7648, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PQHcRKfCm" /XML "C:\Users\user\AppData\Local\Temp\tmp319C.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PQHcRKfCm" /XML "C:\Users\user\AppData\Local\Temp\tmp319C.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe", ParentImage: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe, ParentProcessId: 1412, ParentProcessName: Payment Advice__Swift-MT103.pdf.bat.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PQHcRKfCm" /XML "C:\Users\user\AppData\Local\Temp\tmp319C.tmp", ProcessId: 5304, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe", ParentImage: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe, ParentProcessId: 1412, ParentProcessName: Payment Advice__Swift-MT103.pdf.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe", ProcessId: 1100, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PQHcRKfCm" /XML "C:\Users\user\AppData\Local\Temp\tmp319C.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PQHcRKfCm" /XML "C:\Users\user\AppData\Local\Temp\tmp319C.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe", ParentImage: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe, ParentProcessId: 1412, ParentProcessName: Payment Advice__Swift-MT103.pdf.bat.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PQHcRKfCm" /XML "C:\Users\user\AppData\Local\Temp\tmp319C.tmp", ProcessId: 5304, ProcessName: schtasks.exe

Stealing of Sensitive Information

            Source: Registry Key setAuthor: Joe Security: Data: Details: 9B 9A 85 2C AD 0E 2F 7E E9 73 AC 9B C0 D0 32 9C 79 B1 9A DF 6B 20 91 C8 61 27 47 7D 8F 5A C8 49 8A AE FA 1D CC 34 89 FF 77 DB 76 F0 E9 EE E6 2C 0C A7 DB 88 EF B7 16 BC C8 D9 E5 44 63 CC 57 6A 21 18 CD C3 2E 4A D7 78 E9 6F 6B B6 03 8E CF 2C C7 01 BE 77 93 0A 82 5B 77 32 8D C5 28 B0 61 B3 DF C8 A9 E4 5A 88 AD EF 21 F1 DB B7 34 20 39 FB A4 7F ED B7 70 2A BE 3D E6 2E 87 57 53 75 C7 CE , EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe, ProcessId: 7364, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-O7QOC3\exepath
No Snort rule has matched

AV Detection

Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4320050.5.raw.unpack | Malware Configuration Extractor: Remcos {"Version": "3.8.0 Pro", "Host:Port:Password": "204.10.160.230:7983", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Rmc-O7QOC3", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | ReversingLabs: Detection: 39%
Source: Payment Advice__Swift-MT103.pdf.bat.exe | ReversingLabs: Detection: 39%
Source: Yara match | File source: 15.2.PQHcRKfCm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.PQHcRKfCm.exe.3b0b308.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.42aaa30.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4320050.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.PQHcRKfCm.exe.3b80928.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.PQHcRKfCm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4320050.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.42aaa30.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.PQHcRKfCm.exe.3b80928.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.PQHcRKfCm.exe.3b0b308.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.4481027121.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2088942310.00000000012BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2071631158.00000000042AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2113634237.0000000003B0B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Payment Advice__Swift-MT103.pdf.bat.exe PID: 1412, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Payment Advice__Swift-MT103.pdf.bat.exe PID: 7364, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: PQHcRKfCm.exe PID: 7424, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: PQHcRKfCm.exe PID: 7692, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Joe Sandbox ML: detected
Source: Payment Advice__Swift-MT103.pdf.bat.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_004315EC CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,15_2_004315EC
Source: Payment Advice__Swift-MT103.pdf.bat.exe, 00000000.00000002.2071631158.00000000042AA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_a2c78827-8
Source: Payment Advice__Swift-MT103.pdf.bat.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Payment Advice__Swift-MT103.pdf.bat.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,15_2_0041A01B
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,15_2_0040B28E
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,15_2_0040838E
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,15_2_004087A0
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,15_2_00407848
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_004068CD FindFirstFileW,FindNextFileW,15_2_004068CD
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_0044BA59 FindFirstFileExA,15_2_0044BA59
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,15_2_0040AA71
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW,15_2_00417AAB
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,15_2_0040AC78
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,15_2_00406D28

Networking

Source: Malware configuration extractor | URLs: 204.10.160.230
Source: global traffic | TCP traffic: 192.168.2.5:49708 -> 204.10.160.230:7983
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: Joe Sandbox View | ASN Name: UNREAL-SERVERSUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_0041936B InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,15_2_0041936B
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: Payment Advice__Swift-MT103.pdf.bat.exe, PQHcRKfCm.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Payment Advice__Swift-MT103.pdf.bat.exe, PQHcRKfCm.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: Payment Advice__Swift-MT103.pdf.bat.exe, 0000000A.00000002.4481027121.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/R
Source: Payment Advice__Swift-MT103.pdf.bat.exe, 0000000A.00000002.4481244177.0000000000E3C000.00000004.00000020.00020000.00000000.sdmp, Payment Advice__Swift-MT103.pdf.bat.exe, 0000000A.00000002.4481027121.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp, Payment Advice__Swift-MT103.pdf.bat.exe, 0000000A.00000002.4481244177.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp, PQHcRKfCm.exe | String found in binary or memory: http://geoplugin.net/json.gp
Source: Payment Advice__Swift-MT103.pdf.bat.exe, 00000000.00000002.2071631158.00000000042AA000.00000004.00000800.00020000.00000000.sdmp, PQHcRKfCm.exe, 0000000B.00000002.2113634237.0000000003B0B000.00000004.00000800.00020000.00000000.sdmp, PQHcRKfCm.exe, 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: Payment Advice__Swift-MT103.pdf.bat.exe, 0000000A.00000002.4481244177.0000000000E3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpH
Source: Payment Advice__Swift-MT103.pdf.bat.exe, 0000000A.00000002.4481244177.0000000000E3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpL
Source: Payment Advice__Swift-MT103.pdf.bat.exe, 0000000A.00000002.4481027121.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: Payment Advice__Swift-MT103.pdf.bat.exe, PQHcRKfCm.exe.0.dr | String found in binary or memory: http://ocsp.comodoca.com0
Source: Payment Advice__Swift-MT103.pdf.bat.exe, 00000000.00000002.2071167730.0000000003241000.00000004.00000800.00020000.00000000.sdmp, PQHcRKfCm.exe, 0000000B.00000002.2111705485.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Payment Advice__Swift-MT103.pdf.bat.exe, PQHcRKfCm.exe.0.dr | String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_00409340 SetWindowsHookExA 0000000D,0040932C,00000000,15_2_00409340
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard,15_2_0040A65A
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_00414EC1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,15_2_00414EC1
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard,15_2_0040A65A
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_00409468 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,15_2_00409468

            E-Banking Fraud

            barindex
            Source: Yara match | File source: 15.2.PQHcRKfCm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.2.PQHcRKfCm.exe.3b0b308.4.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.42aaa30.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4320050.5.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.2.PQHcRKfCm.exe.3b80928.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 15.2.PQHcRKfCm.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4320050.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.42aaa30.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.2.PQHcRKfCm.exe.3b80928.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.2.PQHcRKfCm.exe.3b0b308.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0000000A.00000002.4481027121.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000F.00000002.2088942310.00000000012BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.2071631158.00000000042AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.2113634237.0000000003B0B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: Payment Advice__Swift-MT103.pdf.bat.exe PID: 1412, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: Payment Advice__Swift-MT103.pdf.bat.exe PID: 7364, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: PQHcRKfCm.exe PID: 7424, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: PQHcRKfCm.exe PID: 7692, type: MEMORYSTR
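The Yara hits above name three kinds of artefact: unpacked PE images (`15.2.PQHcRKfCm.exe.400000.0.unpack`, i.e. process index 15, a module rebuilt from base 0x400000), raw memory dumps (`0000000F.00000002.…sdmp`) and whole process memory spaces by PID. For an analyst the useful question is which dump holds the running, decrypted payload, and the dump identifier answers it once decoded. The following is an added example, not Joe Sandbox code; its reading of the dump-name fields is an assumption inferred from the identifiers on this page: field 1 is the process index that also prefixes the unpack names (`0000000F` is process 15, PQHcRKfCm.exe), field 4 is the region base, field 5 lines up with the Win32 PAGE_* protection constants and field 7 with the MEM_* region types, while fields 2, 3, 6 and 8 are kept raw. The sample lines are constructed from the entries above.

```python
"""Decode memory-dump identifiers from a sandbox report's Yara-match table.

Added example for this page, not Joe Sandbox code. Field layout is an
assumption inferred from the identifiers on this page (see lead-in).
"""
import re
from dataclasses import dataclass

# Constructed from the Yara-match entries on this page.
SAMPLE_LINES = [
    "Source: Yara matchFile source: 15.2.PQHcRKfCm.exe.400000.0.unpack, type: UNPACKEDPE",
    "Source: Yara matchFile source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.42aaa30.3.unpack, type: UNPACKEDPE",
    "Source: Yara matchFile source: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara matchFile source: 00000000.00000002.2071631158.00000000042AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara matchFile source: 0000000A.00000002.4481027121.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara matchFile source: Process Memory Space: PQHcRKfCm.exe PID: 7424, type: MEMORYSTR",
    "Source: Yara matchFile source: Process Memory Space: PQHcRKfCm.exe PID: 7692, type: MEMORYSTR",
    "Source: Yara matchFile source: Process Memory Space: Payment Advice__Swift-MT103.pdf.bat.exe PID: 1412, type: MEMORYSTR",
]

# Win32 memory protection and region-type constants (documented values).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}


@dataclass
class DumpRegion:
    process_index: int   # field 1 (assumption: matches the unpack-name prefix)
    base: int            # field 4
    protect: str         # field 5 decoded via PAGE_PROTECT
    mem_type: str        # field 7 decoded via MEM_TYPE
    raw_fields: tuple    # all eight fields, undecoded


def decode_dump_name(name):
    stem = name[:-len(".sdmp")] if name.endswith(".sdmp") else name
    fields = stem.split(".")
    if len(fields) != 8:
        raise ValueError(f"unexpected dump name layout: {name}")
    v = [int(f, 16) for f in fields]
    return DumpRegion(process_index=v[0], base=v[3],
                      protect=PAGE_PROTECT.get(v[4], hex(v[4])),
                      mem_type=MEM_TYPE.get(v[6], hex(v[6])),
                      raw_fields=tuple(fields))


def is_unpacked_payload_candidate(r):
    """RWX private memory was allocated at run time, written, then executed.
    A module loaded from disk would instead be MEM_IMAGE with an R/X .text."""
    return r.protect == "PAGE_EXECUTE_READWRITE" and r.mem_type == "MEM_PRIVATE"


UNPACK_RE = re.compile(r"(?P<idx>\d+)\.\d+\.(?P<name>.+?\.exe)\.[0-9a-fA-F]+\.\d+(?:\.raw)?\.unpack")
DUMP_RE = re.compile(r"[0-9A-Fa-f]+(?:\.[0-9A-Fa-f]+){7}\.sdmp")
PID_RE = re.compile(r"Process Memory Space:\s*(?P<name>.+?\.exe)\s+PID:\s*(?P<pid>\d+)")


def summarize_yara_hits(lines):
    """Group hits by process index (named from the unpack entries), flag RWX
    private regions, and collect PIDs per image name."""
    procs, pids = {}, {}

    def bucket(idx):
        return procs.setdefault(idx, {"name": None, "regions": [], "candidates": []})

    for line in lines:
        if (m := UNPACK_RE.search(line)):
            bucket(int(m["idx"]))["name"] = m["name"]
        elif (m := DUMP_RE.search(line)):
            r = decode_dump_name(m.group(0))
            b = bucket(r.process_index)
            b["regions"].append(r)
            if is_unpacked_payload_candidate(r):
                b["candidates"].append(r.base)
        elif (m := PID_RE.search(line)):
            pids.setdefault(m["name"], set()).add(int(m["pid"]))
    return {"processes": procs, "pids": pids}


if __name__ == "__main__":
    for idx, info in sorted(summarize_yara_hits(SAMPLE_LINES)["processes"].items()):
        print(idx, info["name"], [hex(b) for b in info["candidates"]])
```

On this page's data the only RWX private hit is process 15 at 0x400000, the usual image base of a 32-bit PE, which is what an injected copy of Remcos looks like after the loader has written the payload over its own or a child's original image; the process 0 hit at 0x42AA000 is read/write private memory, the decrypted payload sitting on the loader's heap before injection. Field 6 (0x400, 0x800, 0x20) is not decoded here because nothing on the page pins down its meaning.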

            Spam, unwanted Advertisements and Ransom Demands

            barindex
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_0041A76C SystemParametersInfoW | 15_2_0041A76C

            System Summary

            barindex
            Source: 15.2.PQHcRKfCm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 15.2.PQHcRKfCm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 15.2.PQHcRKfCm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
            Source: 11.2.PQHcRKfCm.exe.3b0b308.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 11.2.PQHcRKfCm.exe.3b0b308.4.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 11.2.PQHcRKfCm.exe.3b0b308.4.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.42aaa30.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.42aaa30.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.42aaa30.3.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4320050.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4320050.5.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4320050.5.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
            Source: 11.2.PQHcRKfCm.exe.3b80928.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 11.2.PQHcRKfCm.exe.3b80928.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 11.2.PQHcRKfCm.exe.3b80928.3.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
            Source: 15.2.PQHcRKfCm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 15.2.PQHcRKfCm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 15.2.PQHcRKfCm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4320050.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4320050.5.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.42aaa30.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.42aaa30.3.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
            Source: 11.2.PQHcRKfCm.exe.3b80928.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 11.2.PQHcRKfCm.exe.3b80928.3.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
            Source: 11.2.PQHcRKfCm.exe.3b0b308.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 11.2.PQHcRKfCm.exe.3b0b308.4.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
            Source: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
            Source: 00000000.00000002.2071631158.00000000042AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 0000000B.00000002.2113634237.0000000003B0B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: Process Memory Space: Payment Advice__Swift-MT103.pdf.bat.exe PID: 1412, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: Process Memory Space: PQHcRKfCm.exe PID: 7424, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: Process Memory Space: PQHcRKfCm.exe PID: 7692, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.326bc1c.1.raw.unpack, -Module-.cs | Large array initialization: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E: array initializer size 3088
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.5d90000.6.raw.unpack, -Module-.cs | Large array initialization: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E: array initializer size 3088
            Source: 11.2.PQHcRKfCm.exe.2ac80b8.0.raw.unpack, -Module-.cs | Large array initialization: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E: array initializer size 3088
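The field holding the 3088-byte array initializer in the .NET loader's `<Module>` is named `_200D_200D_202B_206F…`: every token is the code point of a zero-width or bidirectional-control character (U+200D ZERO WIDTH JOINER, U+202B RIGHT-TO-LEFT EMBEDDING, U+206F NOMINAL DIGIT SHAPES and so on), so the identifier is invisible in a decompiler listing. The same trick shows up later in the report as `_0020`, a type named with a single space, on the Security API names entries. The following is an added example, not the sandbox's or the obfuscator's code; it treats the `_XXXX` rendering as the decompiler's escape of non-printable identifier characters, which is an assumption, decodes the name, and scores it by Unicode general category. Inputs are taken from this page plus one ordinary name for contrast.

```python
"""Flag .NET identifiers built from invisible Unicode characters.

Added example for this page, not Joe Sandbox's or the obfuscator's code.
Assumption: the report renders each code point of such a name as '_XXXX'.
"""
import re
import unicodedata

# General categories that render as nothing or as blank space:
# Cf format, Cc control, Zs/Zl/Zp space and line/paragraph separators.
INVISIBLE_CATEGORIES = {"Cf", "Cc", "Zs", "Zl", "Zp"}
# Bidirectional embeddings/overrides/isolates (U+202A..202E, U+2066..2069):
# these can reorder how surrounding source text is displayed.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")

ESCAPED_RE = re.compile(r"^(?:_[0-9A-Fa-f]{4})+$")


def decode_escaped_identifier(name):
    """'_200D_202B' -> the two characters U+200D U+202B.
    Names not in the escaped form are returned unchanged. A legitimate name
    such as '_1234' also decodes, but to a letter that scores as visible."""
    if ESCAPED_RE.match(name):
        return "".join(chr(int(tok, 16)) for tok in name.split("_") if tok)
    return name


def analyze_identifier(name):
    text = decode_escaped_identifier(name)
    cats = [unicodedata.category(ch) for ch in text]
    invisible = sum(1 for c in cats if c in INVISIBLE_CATEGORIES)
    return {
        "decoded_length": len(text),
        "invisible_fraction": invisible / len(text) if text else 0.0,
        "has_bidi_control": any(ch in BIDI_CONTROLS for ch in text),
        "categories": sorted(set(cats)),
    }


def is_suspicious_identifier(name, threshold=0.5):
    """Mostly-invisible names, or any bidi control at all, are flagged."""
    a = analyze_identifier(name)
    return a["invisible_fraction"] >= threshold or a["has_bidi_control"]


# Constructed inputs: two names quoted in this report, one ordinary name.
MODULE_FIELD = ("_200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B"
                "_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D"
                "_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E")
SPACE_TYPE = "_0020"
ORDINARY = "Pf0Tr2lQuWJUvSD1g7"

if __name__ == "__main__":
    for n in (MODULE_FIELD, SPACE_TYPE, ORDINARY):
        print(n[:24], analyze_identifier(n), is_suspicious_identifier(n))
```

Run over a decompiled type list this separates the obfuscator's members (all `Cf`, with bidi controls present) from names like `Pf0Tr2lQuWJUvSD1g7`, which are merely random but printable and need a different heuristic.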
            Source: initial sample | Static PE information: Filename: Payment Advice__Swift-MT103.pdf.bat.exe
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Process Stats: CPU usage > 49%
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_00414DB4 ExitWindowsEx,LoadLibraryA,GetProcAddress | 15_2_00414DB4
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Code function: 0_2_0304E3A4 | 0_2_0304E3A4
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Code function: 0_2_03070418 | 0_2_03070418
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Code function: 0_2_030733A8 | 0_2_030733A8
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Code function: 0_2_030733B8 | 0_2_030733B8
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Code function: 0_2_030737F0 | 0_2_030737F0
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Code function: 0_2_0307B5C0 | 0_2_0307B5C0
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Code function: 0_2_03070408 | 0_2_03070408
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Code function: 0_2_03075888 | 0_2_03075888
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Code function: 0_2_03075898 | 0_2_03075898
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Code function: 0_2_03072F80 | 0_2_03072F80
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Code function: 0_2_03074E98 | 0_2_03074E98
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Code function: 0_2_078B6710 | 0_2_078B6710
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Code function: 0_2_078B6720 | 0_2_078B6720
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Code function: 0_2_078B6E20 | 0_2_078B6E20
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Code function: 0_2_078B7A78 | 0_2_078B7A78
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Code function: 0_2_078B41C0 | 0_2_078B41C0
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Code function: 0_2_078BBED8 | 0_2_078BBED8
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Code function: 0_2_078BAE07 | 0_2_078BAE07
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Code function: 0_2_078B6E10 | 0_2_078B6E10
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Code function: 0_2_078B863B | 0_2_078B863B
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Code function: 0_2_078B8648 | 0_2_078B8648
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Code function: 0_2_078BA510 | 0_2_078BA510
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Code function: 0_2_078B0B00 | 0_2_078B0B00
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Code function: 0_2_078B0006 | 0_2_078B0006
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Code function: 0_2_078B0040 | 0_2_078B0040
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 11_2_00F10418 | 11_2_00F10418
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 11_2_00F15898 | 11_2_00F15898
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 11_2_00F15888 | 11_2_00F15888
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 11_2_00F133B8 | 11_2_00F133B8
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 11_2_00F133A8 | 11_2_00F133A8
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 11_2_00F10408 | 11_2_00F10408
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 11_2_00F14E98 | 11_2_00F14E98
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 11_2_00F137F0 | 11_2_00F137F0
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 11_2_00F1A7E0 | 11_2_00F1A7E0
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 11_2_00F12F80 | 11_2_00F12F80
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 11_2_0282E3A4 | 11_2_0282E3A4
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 11_2_02A40920 | 11_2_02A40920
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 11_2_02A40910 | 11_2_02A40910
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 11_2_02A7BB98 | 11_2_02A7BB98
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 11_2_02A7BB88 | 11_2_02A7BB88
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 11_2_070B6710 | 11_2_070B6710
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 11_2_070B6720 | 11_2_070B6720
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 11_2_070B6E20 | 11_2_070B6E20
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 11_2_070B7A78 | 11_2_070B7A78
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 11_2_070BAE07 | 11_2_070BAE07
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 11_2_070B6E10 | 11_2_070B6E10
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 11_2_070B863B | 11_2_070B863B
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 11_2_070BBEC9 | 11_2_070BBEC9
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 11_2_070BA510 | 11_2_070BA510
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 11_2_070B0B00 | 11_2_070B0B00
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 11_2_070B0006 | 11_2_070B0006
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 11_2_070B0040 | 11_2_070B0040
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_00425152 | 15_2_00425152
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_00435286 | 15_2_00435286
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_004513D4 | 15_2_004513D4
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_0045050B | 15_2_0045050B
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_00436510 | 15_2_00436510
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_004316FB | 15_2_004316FB
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_0043569E | 15_2_0043569E
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_00443700 | 15_2_00443700
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_004257FB | 15_2_004257FB
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_004128E3 | 15_2_004128E3
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_00425964 | 15_2_00425964
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_0041B917 | 15_2_0041B917
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_0043D9CC | 15_2_0043D9CC
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_00435AD3 | 15_2_00435AD3
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_00424BC3 | 15_2_00424BC3
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_0043DBFB | 15_2_0043DBFB
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_0044ABA9 | 15_2_0044ABA9
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_00433C0B | 15_2_00433C0B
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_00434D8A | 15_2_00434D8A
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_0043DE2A | 15_2_0043DE2A
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_0041CEAF | 15_2_0041CEAF
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_00435F08 | 15_2_00435F08
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: String function: 00402073 appears 51 times
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: String function: 00432B90 appears 53 times
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: String function: 00432525 appears 41 times
            Source: Payment Advice__Swift-MT103.pdf.bat.exe | Static PE information: invalid certificate
            Source: Payment Advice__Swift-MT103.pdf.bat.exe, 00000000.00000002.2071167730.0000000003241000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRT.dll. vs Payment Advice__Swift-MT103.pdf.bat.exe
            Source: Payment Advice__Swift-MT103.pdf.bat.exe, 00000000.00000002.2074670330.0000000005D90000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameRT.dll. vs Payment Advice__Swift-MT103.pdf.bat.exe
            Source: Payment Advice__Swift-MT103.pdf.bat.exe, 00000000.00000002.2076325480.0000000007710000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs Payment Advice__Swift-MT103.pdf.bat.exe
            Source: Payment Advice__Swift-MT103.pdf.bat.exe, 00000000.00000000.2022050151.0000000000E18000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameFnSq.exe\ vs Payment Advice__Swift-MT103.pdf.bat.exe
            Source: Payment Advice__Swift-MT103.pdf.bat.exe, 00000000.00000002.2069363171.00000000013AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Payment Advice__Swift-MT103.pdf.bat.exe
            Source: Payment Advice__Swift-MT103.pdf.bat.exe | Binary or memory string: OriginalFilenameFnSq.exe\ vs Payment Advice__Swift-MT103.pdf.bat.exe
            Source: Payment Advice__Swift-MT103.pdf.bat.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 15.2.PQHcRKfCm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 15.2.PQHcRKfCm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 15.2.PQHcRKfCm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 11.2.PQHcRKfCm.exe.3b0b308.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 11.2.PQHcRKfCm.exe.3b0b308.4.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 11.2.PQHcRKfCm.exe.3b0b308.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.42aaa30.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.42aaa30.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.42aaa30.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4320050.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4320050.5.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4320050.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 11.2.PQHcRKfCm.exe.3b80928.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 11.2.PQHcRKfCm.exe.3b80928.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 11.2.PQHcRKfCm.exe.3b80928.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 15.2.PQHcRKfCm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 15.2.PQHcRKfCm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 15.2.PQHcRKfCm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4320050.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4320050.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.42aaa30.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.42aaa30.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 11.2.PQHcRKfCm.exe.3b80928.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 11.2.PQHcRKfCm.exe.3b80928.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 11.2.PQHcRKfCm.exe.3b0b308.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 11.2.PQHcRKfCm.exe.3b0b308.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 00000000.00000002.2071631158.00000000042AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 0000000B.00000002.2113634237.0000000003B0B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: Process Memory Space: Payment Advice__Swift-MT103.pdf.bat.exe PID: 1412, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: Process Memory Space: PQHcRKfCm.exe PID: 7424, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: Process Memory Space: PQHcRKfCm.exe PID: 7692, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: Payment Advice__Swift-MT103.pdf.bat.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: PQHcRKfCm.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4fcbc80.2.raw.unpack, Pf0Tr2lQuWJUvSD1g7.cs | Security API names: _0020.SetAccessControl
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4fcbc80.2.raw.unpack, Pf0Tr2lQuWJUvSD1g7.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4fcbc80.2.raw.unpack, Pf0Tr2lQuWJUvSD1g7.cs | Security API names: _0020.AddAccessRule
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4f14c60.4.raw.unpack, LlG26VIhkp2otoPSKg.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.7710000.9.raw.unpack, LlG26VIhkp2otoPSKg.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.7710000.9.raw.unpack, Pf0Tr2lQuWJUvSD1g7.cs | Security API names: _0020.SetAccessControl
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.7710000.9.raw.unpack, Pf0Tr2lQuWJUvSD1g7.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.7710000.9.raw.unpack, Pf0Tr2lQuWJUvSD1g7.cs | Security API names: _0020.AddAccessRule
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4fcbc80.2.raw.unpack, LlG26VIhkp2otoPSKg.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4f14c60.4.raw.unpack, Pf0Tr2lQuWJUvSD1g7.cs | Security API names: _0020.SetAccessControl
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4f14c60.4.raw.unpack, Pf0Tr2lQuWJUvSD1g7.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4f14c60.4.raw.unpack, Pf0Tr2lQuWJUvSD1g7.cs | Security API names: _0020.AddAccessRule
            Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winEXE@21/16@1/2
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_00415C90 GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, GetLastError | 15_2_00415C90
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_0040E2E7 CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, Process32NextW, CloseHandle | 15_2_0040E2E7
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_00419493 FindResourceA, LoadResource, LockResource, SizeofResource | 15_2_00419493
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_00418A00 OpenSCManagerW, OpenServiceW, CloseServiceHandle, StartServiceW, CloseServiceHandle, CloseServiceHandle, CloseServiceHandle | 15_2_00418A00
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | File created: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Mutant created: NULL
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Mutant created: \Sessions\1\BaseNamedObjects\zvqLTnVqDOptRkxUHH
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5676:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7656:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6480:120:WilError_03
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-O7QOC3
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4320:120:WilError_03
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | File created: C:\Users\user\AppData\Local\Temp\tmp319C.tmp
            Source: Payment Advice__Swift-MT103.pdf.bat.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: Payment Advice__Swift-MT103.pdf.bat.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: Payment Advice__Swift-MT103.pdf.bat.exe | ReversingLabs: Detection: 39%
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | File read: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe
            Source: unknown | Process created: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe "C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe"
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PQHcRKfCm.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PQHcRKfCm" /XML "C:\Users\user\AppData\Local\Temp\tmp319C.tmp"
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Process created: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe "C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe"
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Process created: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe "C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe"
            Source: unknown | Process created: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe C:\Users\user\AppData\Roaming\PQHcRKfCm.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PQHcRKfCm" /XML "C:\Users\user\AppData\Local\Temp\tmp4459.tmp"
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Process created: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe "C:\Users\user\AppData\Roaming\PQHcRKfCm.exe"
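The process-creation and mutant lines above record a small, repeatable chain: the dropper launches PowerShell with Add-MpPreference -ExclusionPath for itself and for the dropped copy, registers a scheduled task from a .tmp file in the user's Temp directory via schtasks /XML, re-launches its own image (the stage the report attributes to PE injection), and the payload creates a mutex named with the Remcos Rmc- prefix. The following is an added example written for this page, not part of the Joe Sandbox report and not vendor detection code: it turns those four observations into rules and runs them over constructed process-creation and mutex records modelled on the lines above. Assumptions of the example, not facts from the report: the -EncodedCommand decoding (added because the Sigma title "Powershell Base64 Encoded MpPreference Cmdlet" covers the encoded form, which the command lines here do not use), the Temp-path pattern in TEMP_RE, and the treatment of self-spawning as a weak signal that is only meaningful alongside the other hits.

```python
"""Added example (not part of the Joe Sandbox report or any vendor tooling).

Turns the persistence/evasion chain recorded in the report into detection
logic and runs it over constructed records modelled on the report's own lines.
Rules:
  defender_exclusion  PowerShell Add-MpPreference -Exclusion* in the command
                      line, in clear text or hidden inside -EncodedCommand
  schtasks_from_temp  schtasks /Create whose /XML file lives in a Temp folder
  self_spawn          a process launching its own image again (weak signal,
                      consistent with the report's injection finding)
  remcos_mutex        a mutex name using the Remcos "Rmc-" convention
"""
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str   # "process": data is the child command line; "mutex": data is the name
    image: str  # image path of the process that created the child or the mutex
    data: str


# One command-line argument: double-quoted, single-quoted or bare (assumption).
ARG = r'(?:"([^"]*)"|\'([^\']*)\'|(\S+))'
ENC_RE = re.compile(r'-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})', re.I)
MPPREF_RE = re.compile(r'Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)\s+' + ARG, re.I)
SCHTASKS_RE = re.compile(r'schtasks(?:\.exe)?"?\s.*?/create\b', re.I | re.S)
TN_RE = re.compile(r'/tn\s+' + ARG, re.I)
XML_RE = re.compile(r'/xml\s+' + ARG, re.I)
# Assumption: per-user and system Temp directories are the "temp locations" of interest.
TEMP_RE = re.compile(r'\\(?:AppData\\Local\\Temp|Windows\\Temp)\\', re.I)
REMCOS_MUTEX_RE = re.compile(r'(?:^|\\)Rmc-[A-Za-z0-9]+$')


def arg(m):
    """Value of whichever ARG alternative matched."""
    return next(g for g in m.groups() if g is not None)


def decode_encoded_command(cmd):
    """Append the clear text of a PowerShell -EncodedCommand (Base64 of UTF-16LE)."""
    m = ENC_RE.search(cmd)
    if not m:
        return cmd
    try:
        return cmd + " " + base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return cmd


def child_image(cmd):
    """Image path from the first token of a command line, quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def evaluate(event):
    """Rules that fire for one record, as (rule, detail) tuples."""
    hits = []
    if event.kind == "mutex":
        if REMCOS_MUTEX_RE.search(event.data):
            hits.append(("remcos_mutex", event.data))
        return hits
    cmd = decode_encoded_command(event.data)
    for m in MPPREF_RE.finditer(cmd):
        hits.append(("defender_exclusion", arg(m)))
    if SCHTASKS_RE.search(cmd):
        xml = XML_RE.search(cmd)
        if xml and TEMP_RE.search(arg(xml)):
            tn = TN_RE.search(cmd)
            hits.append(("schtasks_from_temp", (arg(tn) if tn else "?") + " <- " + arg(xml)))
    if child_image(cmd).lower() == event.image.lower():
        hits.append(("self_spawn", event.image))
    return hits


def scan(events):
    """Flatten rule hits over a sequence of records."""
    return [(rule, detail, ev) for ev in events for rule, detail in evaluate(ev)]


def encode_ps(script):
    """Build a -EncodedCommand payload the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed records modelled on the report's process and mutant lines.
PS = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
DROPPER = r'C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe'
DROPPED = r'C:\Users\user\AppData\Roaming\PQHcRKfCm.exe'
SAMPLE_EVENTS = [
    Event("process", DROPPER, PS + ' Add-MpPreference -ExclusionPath "' + DROPPER + '"'),
    Event("process", DROPPER, PS + " -EncodedCommand " + encode_ps("Add-MpPreference -ExclusionPath '" + DROPPED + "'")),
    Event("process", DROPPER, r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PQHcRKfCm" /XML "C:\Users\user\AppData\Local\Temp\tmp319C.tmp"'),
    Event("process", DROPPER, '"' + DROPPER + '"'),
    Event("process", r'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe', r'C:\Windows\system32\conhost.exe 0xffffffff -ForceV1'),
    Event("mutex", DROPPER, r'\Sessions\1\BaseNamedObjects\Rmc-O7QOC3'),
    Event("mutex", r'C:\Windows\System32\conhost.exe', r'\Sessions\1\BaseNamedObjects\Local\SM0:5676:120:WilError_03'),
]

if __name__ == "__main__":
    for rule, detail, ev in scan(SAMPLE_EVENTS):
        print(f"{rule:20} {detail}  [{ev.image}]")
```

The conhost and WilError records are included as negatives: conhost.exe spawned by PowerShell and the SM0:...:WilError_03 mutants are normal Windows noise and must not fire. In a real pipeline the records would come from Sysmon event ID 1 (process creation) and a mutex source such as a sandbox or EDR telemetry; the self_spawn rule alone is too noisy to alert on and is best used to raise the score of an event set that already triggered one of the other three rules.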
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: dwrite.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: textshaping.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: windowscodecs.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: edputil.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: appresolver.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: bcp47langs.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: slc.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: sppc.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: winnsi.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exeSection loaded: dwrite.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exeSection loaded: textshaping.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exeSection loaded: windowscodecs.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exeSection loaded: slc.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Section loaded: winmm.dll
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Section loaded: wininet.dll
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Section loaded: netutils.dll
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: Payment Advice__Swift-MT103.pdf.bat.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: Payment Advice__Swift-MT103.pdf.bat.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            Source: Payment Advice__Swift-MT103.pdf.bat.exe, DemoForm.cs | .Net Code: InitializeComponent
            Source: PQHcRKfCm.exe.0.dr, DemoForm.cs | .Net Code: InitializeComponent
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4fcbc80.2.raw.unpack, Pf0Tr2lQuWJUvSD1g7.cs | .Net Code: uA0rEXdpnZ System.Reflection.Assembly.Load(byte[])
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.326bc1c.1.raw.unpack, -Module-.cs | .Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.326bc1c.1.raw.unpack, PingPong.cs | .Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4f14c60.4.raw.unpack, Pf0Tr2lQuWJUvSD1g7.cs | .Net Code: uA0rEXdpnZ System.Reflection.Assembly.Load(byte[])
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.7710000.9.raw.unpack, Pf0Tr2lQuWJUvSD1g7.cs | .Net Code: uA0rEXdpnZ System.Reflection.Assembly.Load(byte[])
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.5d90000.6.raw.unpack, -Module-.cs | .Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.5d90000.6.raw.unpack, PingPong.cs | .Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
            Source: 11.2.PQHcRKfCm.exe.2ac80b8.0.raw.unpack, -Module-.cs | .Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
            Source: 11.2.PQHcRKfCm.exe.2ac80b8.0.raw.unpack, PingPong.cs | .Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 15_2_0041A8DA
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 11_2_02A7A250 push eax; mov dword ptr [esp], ecx 11_2_02A7A264
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_004000D8 push es; iretd 15_2_004000D9
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_0040008C push es; iretd 15_2_0040008D
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_004542E6 push ecx; ret 15_2_004542F9
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_0045B4FD push esi; ret 15_2_0045B506
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_00432BD6 push ecx; ret 15_2_00432BE9
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_00454C08 push eax; ret 15_2_00454C26
            Source: Payment Advice__Swift-MT103.pdf.bat.exe | Static PE information: section name: .text entropy: 7.923659229684686
            Source: PQHcRKfCm.exe.0.dr | Static PE information: section name: .text entropy: 7.923659229684686
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4fcbc80.2.raw.unpack, Pf0Tr2lQuWJUvSD1g7.cs | High entropy of concatenated method names: 'TQHZDrcJr8', 'V6xZYU3uGC', 'VTyZfc9TZc', 'sfAZO2pRmG', 'jxdZGl0cZA', 'uQ3Z24y6Kq', 'pryZSXA1UB', 'D3yZlg4mPe', 'ApkZ8vjePk', 'DgeZQ1FCRA'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4fcbc80.2.raw.unpack, zIHrQVxTSWY6OHZ6Xs.cs | High entropy of concatenated method names: 'ShKEXU39R', 'h3LFgdTyA', 'dRQnnWiAH', 'JVjPFcZM0', 'ek8BhnGw9', 'M0h3qkIIo', 'aNc6iV24Gv9rs6hMtr', 'vtneHrd65CWU7p6fv0', 'NyyKPLKpk', 'MDN7dOaNp'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4fcbc80.2.raw.unpack, JtIWfnOGJ5DA0MlTI5.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'zybxRJP9s4', 'st9xtOyPAi', 'pdUxz4wJ21', 'x6KZhVwPg7', 'M9VZejbHML', 'x44Zx83way', 'vwNZZb05wu', 'WGObpNJ9YoBOUu8mDE4'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4fcbc80.2.raw.unpack, ibq9x3T9oRKHqVGeey.cs | High entropy of concatenated method names: 'D9IKYVsglV', 'r2bKfkOphE', 'ThLKOelXrn', 'uQEKGMRStG', 'N7dK25gBo1', 'Q7YKS3Q1tu', 'NjKKlfnuDG', 'JghK8h49CX', 'D52KQZ772e', 's5pKWjku4J'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4fcbc80.2.raw.unpack, aA7NMMiGaWHp6F6XCk.cs | High entropy of concatenated method names: 'jOqSYysG1n', 'MUMSOW6TZH', 'd4wS2Nxtch', 'Mem2tBUtJu', 'kg72zKnx8f', 'rTEShRDbAR', 'ACcSeNeiJZ', 'Q1mSxC1U3K', 'GtOSZ2jIg2', 'MNqSrMpNlo'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4fcbc80.2.raw.unpack, q7tsGCsDdd1VyFRP4y.cs | High entropy of concatenated method names: 'FCGSV6dwxn', 'Js0Svg8jve', 'RRCSEjdWFC', 'XnBSFYSjht', 'xUyS9Fu5sL', 'pkVSnWYFxp', 'U2fSPmi9ZA', 'QA4SIB7noI', 'S5ySBjyCAD', 'LiLS34K5rN'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4fcbc80.2.raw.unpack, xs0JgLBfoWbGPUjsc1.cs | High entropy of concatenated method names: 'DPMOFjvZNr', 'IUsOnabrg6', 'i0COI1dZT2', 'BfoOB0uPn8', 'WRCO6GRnNf', 'pJuOJHpK5s', 'Ii8Oaw6rRh', 'tfbOKRKS1v', 'yY6OLfDjR8', 'L2KO7r1Sfm'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4fcbc80.2.raw.unpack, cWXL4OfbYHBCEa78ug.cs | High entropy of concatenated method names: 'Dispose', 'DDdeR5DfNp', 'tDFxpfai6E', 'SOD117XlH0', 'D2betq9x39', 'NRKezHqVGe', 'ProcessDialogKey', 'by3xhnyV7x', 'mQRxere7et', 'pfVxxox5ax'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4fcbc80.2.raw.unpack, S7Z0i8b109Gd15wJMj.cs | High entropy of concatenated method names: 'ToString', 'p5qJ5qvQf1', 'TxeJpMj8X9', 'I4gJkgg6wo', 'voUJN4ULH1', 'txIJyGSYGB', 'WEEJjT72aR', 'TcaJiR3mpm', 'DOgJXvOjEj', 'XA1Js6mfDJ'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4fcbc80.2.raw.unpack, fkwh0RzeFOT2NoyWu6.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'eqILglYQD6', 'QR5L6mQS2V', 'h0OLJ6pTNA', 'F6nLaUL1AT', 'Xj2LK7bTOC', 'WTkLLlwlHM', 'BpWL7gWB4M'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4fcbc80.2.raw.unpack, rILejLehSpUEnqa25oK.cs | High entropy of concatenated method names: 'y5CLVdcARX', 'Lw3Lv6Dv7s', 'z93LE5J6bc', 'rkrLFcJS9h', 'jNeL9XNTHM', 'yGPLnshPbA', 'sv7LPAgux9', 'sJDLIUq9Oa', 'PsuLBBGfbv', 'BkPL3Oe4ei'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4fcbc80.2.raw.unpack, S1iZtBwdiPDlOwaSao.cs | High entropy of concatenated method names: 'uwH2DOdcFk', 'Qd12fMUHvK', 'Vcg2GD1DC2', 'O0s2SgP6JH', 'pn42lKI3Tq', 'z1MG45IQkD', 'bBqGd15roT', 'nZEGqvo9Ar', 'yXQGTnkTdD', 'vVhGRd0Ts6'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4fcbc80.2.raw.unpack, UaVgHueZJoV8ArQquSK.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zgI7MsMLoy', 'G9v7AWr3cW', 'iIE7bk6kgh', 'HnN7cq96tF', 'wBf74jsgwt', 'mS37dYLt0h', 'jwg7q1dvgL'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4fcbc80.2.raw.unpack, j8kiIGmJa8pHyTXcmY.cs | High entropy of concatenated method names: 'sMvgIDMXuV', 'H29gBYJg5M', 'zdXgw43TDf', 'l8tgpgdpEn', 'uxDgNHGCb7', 'Y8ogyEfdKQ', 'w7LgikIRIR', 'GXEgXVJiMx', 'ogSgoDFAMy', 'jXMg5pGH0s'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4fcbc80.2.raw.unpack, oLWxi0dZiwTN1dP5g1.cs | High entropy of concatenated method names: 'reDaTcX1uN', 'taqateUiPG', 'wTiKhCytMK', 'ROGKe4CB4f', 'wpqa5VJGJp', 'e7sa0pl3Ch', 'FncamME85t', 'vUfaMDmlbR', 'uT7aALrJjo', 'XvtaboaYcu'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4fcbc80.2.raw.unpack, LlG26VIhkp2otoPSKg.cs | High entropy of concatenated method names: 'EcDfMCFKCn', 'bykfAkS37G', 'TWNfbOrhe3', 'Y57fcWQZdx', 'ynkf4QX681', 'rgWfdpTqdY', 'Eg7fqCqOJu', 'n7wfTIc7TS', 'QbTfRfBpZE', 'b8kftkTEXh'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4fcbc80.2.raw.unpack, FnyV7xRWQRre7etJfV.cs | High entropy of concatenated method names: 'RExKwlt115', 'OcsKpikifZ', 'CmaKkfhZ9f', 'CgGKNWXxZU', 'FYiKM8OlIS', 'NpyKytqgDZ', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4fcbc80.2.raw.unpack, DB82N5rZvIALMvPp5i.cs | High entropy of concatenated method names: 'MNieSlG26V', 'akpel2otoP', 'rfoeQWbGPU', 'KsceW1PCFu', 'TnDe64yb1i', 'ctBeJdiPDl', 'lY6UnCAZwS0XkObUPc', 'W82Rf2HxAOWGMct4q1', 'LhVeehrW2E', 'dM0eZseriq'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4fcbc80.2.raw.unpack, CCFu3C3p8XohWcnD4y.cs | High entropy of concatenated method names: 'Mx3G9uV5dP', 'B5HGPe3qjF', 'RLBOkKYENy', 'seQONUTasP', 'YDLOyHT0Oj', 'QoROjFNT8s', 's3KOiO2fnX', 'FUcOXpRdyV', 'udsOslwIR2', 'sydOoEtC4R'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4fcbc80.2.raw.unpack, cxiZF5Mo7TeXpVKfWE.cs | High entropy of concatenated method names: 'WJ46oafEQ9', 'IGO60LeDJh', 'z0M6MMY0bh', 'ubR6AIVUAN', 'xGs6p3RqNZ', 'WIb6kQiqXN', 'SpH6N3xUBQ', 'xq76yZlG3j', 'gRA6j8YPra', 'P4u6iTHCDJ'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4fcbc80.2.raw.unpack, Nx5axgt980aUd64ocs.cs | High entropy of concatenated method names: 'STLLekWgAF', 'Y2YLZtPLuS', 'rrbLrMnF4Z', 'YQJLYy6K6l', 'nGgLfJQBoR', 'zP4LG4BdQM', 'kixL2eFjBW', 'R2DKqCM2Kr', 'YtAKTHgqC5', 'iOXKR0yGbS'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4f14c60.4.raw.unpack, Pf0Tr2lQuWJUvSD1g7.cs | High entropy of concatenated method names: 'TQHZDrcJr8', 'V6xZYU3uGC', 'VTyZfc9TZc', 'sfAZO2pRmG', 'jxdZGl0cZA', 'uQ3Z24y6Kq', 'pryZSXA1UB', 'D3yZlg4mPe', 'ApkZ8vjePk', 'DgeZQ1FCRA'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4f14c60.4.raw.unpack, zIHrQVxTSWY6OHZ6Xs.cs | High entropy of concatenated method names: 'ShKEXU39R', 'h3LFgdTyA', 'dRQnnWiAH', 'JVjPFcZM0', 'ek8BhnGw9', 'M0h3qkIIo', 'aNc6iV24Gv9rs6hMtr', 'vtneHrd65CWU7p6fv0', 'NyyKPLKpk', 'MDN7dOaNp'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4f14c60.4.raw.unpack, JtIWfnOGJ5DA0MlTI5.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'zybxRJP9s4', 'st9xtOyPAi', 'pdUxz4wJ21', 'x6KZhVwPg7', 'M9VZejbHML', 'x44Zx83way', 'vwNZZb05wu', 'WGObpNJ9YoBOUu8mDE4'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4f14c60.4.raw.unpack, ibq9x3T9oRKHqVGeey.cs | High entropy of concatenated method names: 'D9IKYVsglV', 'r2bKfkOphE', 'ThLKOelXrn', 'uQEKGMRStG', 'N7dK25gBo1', 'Q7YKS3Q1tu', 'NjKKlfnuDG', 'JghK8h49CX', 'D52KQZ772e', 's5pKWjku4J'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4f14c60.4.raw.unpack, aA7NMMiGaWHp6F6XCk.cs | High entropy of concatenated method names: 'jOqSYysG1n', 'MUMSOW6TZH', 'd4wS2Nxtch', 'Mem2tBUtJu', 'kg72zKnx8f', 'rTEShRDbAR', 'ACcSeNeiJZ', 'Q1mSxC1U3K', 'GtOSZ2jIg2', 'MNqSrMpNlo'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4f14c60.4.raw.unpack, q7tsGCsDdd1VyFRP4y.cs | High entropy of concatenated method names: 'FCGSV6dwxn', 'Js0Svg8jve', 'RRCSEjdWFC', 'XnBSFYSjht', 'xUyS9Fu5sL', 'pkVSnWYFxp', 'U2fSPmi9ZA', 'QA4SIB7noI', 'S5ySBjyCAD', 'LiLS34K5rN'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4f14c60.4.raw.unpack, xs0JgLBfoWbGPUjsc1.cs | High entropy of concatenated method names: 'DPMOFjvZNr', 'IUsOnabrg6', 'i0COI1dZT2', 'BfoOB0uPn8', 'WRCO6GRnNf', 'pJuOJHpK5s', 'Ii8Oaw6rRh', 'tfbOKRKS1v', 'yY6OLfDjR8', 'L2KO7r1Sfm'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4f14c60.4.raw.unpack, cWXL4OfbYHBCEa78ug.cs | High entropy of concatenated method names: 'Dispose', 'DDdeR5DfNp', 'tDFxpfai6E', 'SOD117XlH0', 'D2betq9x39', 'NRKezHqVGe', 'ProcessDialogKey', 'by3xhnyV7x', 'mQRxere7et', 'pfVxxox5ax'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4f14c60.4.raw.unpack, S7Z0i8b109Gd15wJMj.cs | High entropy of concatenated method names: 'ToString', 'p5qJ5qvQf1', 'TxeJpMj8X9', 'I4gJkgg6wo', 'voUJN4ULH1', 'txIJyGSYGB', 'WEEJjT72aR', 'TcaJiR3mpm', 'DOgJXvOjEj', 'XA1Js6mfDJ'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4f14c60.4.raw.unpack, fkwh0RzeFOT2NoyWu6.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'eqILglYQD6', 'QR5L6mQS2V', 'h0OLJ6pTNA', 'F6nLaUL1AT', 'Xj2LK7bTOC', 'WTkLLlwlHM', 'BpWL7gWB4M'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4f14c60.4.raw.unpack, rILejLehSpUEnqa25oK.cs | High entropy of concatenated method names: 'y5CLVdcARX', 'Lw3Lv6Dv7s', 'z93LE5J6bc', 'rkrLFcJS9h', 'jNeL9XNTHM', 'yGPLnshPbA', 'sv7LPAgux9', 'sJDLIUq9Oa', 'PsuLBBGfbv', 'BkPL3Oe4ei'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4f14c60.4.raw.unpack, S1iZtBwdiPDlOwaSao.cs | High entropy of concatenated method names: 'uwH2DOdcFk', 'Qd12fMUHvK', 'Vcg2GD1DC2', 'O0s2SgP6JH', 'pn42lKI3Tq', 'z1MG45IQkD', 'bBqGd15roT', 'nZEGqvo9Ar', 'yXQGTnkTdD', 'vVhGRd0Ts6'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4f14c60.4.raw.unpack, UaVgHueZJoV8ArQquSK.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zgI7MsMLoy', 'G9v7AWr3cW', 'iIE7bk6kgh', 'HnN7cq96tF', 'wBf74jsgwt', 'mS37dYLt0h', 'jwg7q1dvgL'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4f14c60.4.raw.unpack, j8kiIGmJa8pHyTXcmY.cs | High entropy of concatenated method names: 'sMvgIDMXuV', 'H29gBYJg5M', 'zdXgw43TDf', 'l8tgpgdpEn', 'uxDgNHGCb7', 'Y8ogyEfdKQ', 'w7LgikIRIR', 'GXEgXVJiMx', 'ogSgoDFAMy', 'jXMg5pGH0s'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4f14c60.4.raw.unpack, oLWxi0dZiwTN1dP5g1.cs | High entropy of concatenated method names: 'reDaTcX1uN', 'taqateUiPG', 'wTiKhCytMK', 'ROGKe4CB4f', 'wpqa5VJGJp', 'e7sa0pl3Ch', 'FncamME85t', 'vUfaMDmlbR', 'uT7aALrJjo', 'XvtaboaYcu'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4f14c60.4.raw.unpack, LlG26VIhkp2otoPSKg.cs | High entropy of concatenated method names: 'EcDfMCFKCn', 'bykfAkS37G', 'TWNfbOrhe3', 'Y57fcWQZdx', 'ynkf4QX681', 'rgWfdpTqdY', 'Eg7fqCqOJu', 'n7wfTIc7TS', 'QbTfRfBpZE', 'b8kftkTEXh'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4f14c60.4.raw.unpack, FnyV7xRWQRre7etJfV.cs | High entropy of concatenated method names: 'RExKwlt115', 'OcsKpikifZ', 'CmaKkfhZ9f', 'CgGKNWXxZU', 'FYiKM8OlIS', 'NpyKytqgDZ', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4f14c60.4.raw.unpack, DB82N5rZvIALMvPp5i.cs | High entropy of concatenated method names: 'MNieSlG26V', 'akpel2otoP', 'rfoeQWbGPU', 'KsceW1PCFu', 'TnDe64yb1i', 'ctBeJdiPDl', 'lY6UnCAZwS0XkObUPc', 'W82Rf2HxAOWGMct4q1', 'LhVeehrW2E', 'dM0eZseriq'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4f14c60.4.raw.unpack, CCFu3C3p8XohWcnD4y.cs | High entropy of concatenated method names: 'Mx3G9uV5dP', 'B5HGPe3qjF', 'RLBOkKYENy', 'seQONUTasP', 'YDLOyHT0Oj', 'QoROjFNT8s', 's3KOiO2fnX', 'FUcOXpRdyV', 'udsOslwIR2', 'sydOoEtC4R'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4f14c60.4.raw.unpack, cxiZF5Mo7TeXpVKfWE.cs | High entropy of concatenated method names: 'WJ46oafEQ9', 'IGO60LeDJh', 'z0M6MMY0bh', 'ubR6AIVUAN', 'xGs6p3RqNZ', 'WIb6kQiqXN', 'SpH6N3xUBQ', 'xq76yZlG3j', 'gRA6j8YPra', 'P4u6iTHCDJ'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4f14c60.4.raw.unpack, Nx5axgt980aUd64ocs.cs | High entropy of concatenated method names: 'STLLekWgAF', 'Y2YLZtPLuS', 'rrbLrMnF4Z', 'YQJLYy6K6l', 'nGgLfJQBoR', 'zP4LG4BdQM', 'kixL2eFjBW', 'R2DKqCM2Kr', 'YtAKTHgqC5', 'iOXKR0yGbS'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.7710000.9.raw.unpack, Pf0Tr2lQuWJUvSD1g7.cs | High entropy of concatenated method names: 'TQHZDrcJr8', 'V6xZYU3uGC', 'VTyZfc9TZc', 'sfAZO2pRmG', 'jxdZGl0cZA', 'uQ3Z24y6Kq', 'pryZSXA1UB', 'D3yZlg4mPe', 'ApkZ8vjePk', 'DgeZQ1FCRA'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.7710000.9.raw.unpack, zIHrQVxTSWY6OHZ6Xs.cs | High entropy of concatenated method names: 'ShKEXU39R', 'h3LFgdTyA', 'dRQnnWiAH', 'JVjPFcZM0', 'ek8BhnGw9', 'M0h3qkIIo', 'aNc6iV24Gv9rs6hMtr', 'vtneHrd65CWU7p6fv0', 'NyyKPLKpk', 'MDN7dOaNp'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.7710000.9.raw.unpack, JtIWfnOGJ5DA0MlTI5.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'zybxRJP9s4', 'st9xtOyPAi', 'pdUxz4wJ21', 'x6KZhVwPg7', 'M9VZejbHML', 'x44Zx83way', 'vwNZZb05wu', 'WGObpNJ9YoBOUu8mDE4'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.7710000.9.raw.unpack, ibq9x3T9oRKHqVGeey.cs | High entropy of concatenated method names: 'D9IKYVsglV', 'r2bKfkOphE', 'ThLKOelXrn', 'uQEKGMRStG', 'N7dK25gBo1', 'Q7YKS3Q1tu', 'NjKKlfnuDG', 'JghK8h49CX', 'D52KQZ772e', 's5pKWjku4J'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.7710000.9.raw.unpack, aA7NMMiGaWHp6F6XCk.cs | High entropy of concatenated method names: 'jOqSYysG1n', 'MUMSOW6TZH', 'd4wS2Nxtch', 'Mem2tBUtJu', 'kg72zKnx8f', 'rTEShRDbAR', 'ACcSeNeiJZ', 'Q1mSxC1U3K', 'GtOSZ2jIg2', 'MNqSrMpNlo'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.7710000.9.raw.unpack, q7tsGCsDdd1VyFRP4y.cs | High entropy of concatenated method names: 'FCGSV6dwxn', 'Js0Svg8jve', 'RRCSEjdWFC', 'XnBSFYSjht', 'xUyS9Fu5sL', 'pkVSnWYFxp', 'U2fSPmi9ZA', 'QA4SIB7noI', 'S5ySBjyCAD', 'LiLS34K5rN'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.7710000.9.raw.unpack, xs0JgLBfoWbGPUjsc1.cs | High entropy of concatenated method names: 'DPMOFjvZNr', 'IUsOnabrg6', 'i0COI1dZT2', 'BfoOB0uPn8', 'WRCO6GRnNf', 'pJuOJHpK5s', 'Ii8Oaw6rRh', 'tfbOKRKS1v', 'yY6OLfDjR8', 'L2KO7r1Sfm'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.7710000.9.raw.unpack, cWXL4OfbYHBCEa78ug.cs | High entropy of concatenated method names: 'Dispose', 'DDdeR5DfNp', 'tDFxpfai6E', 'SOD117XlH0', 'D2betq9x39', 'NRKezHqVGe', 'ProcessDialogKey', 'by3xhnyV7x', 'mQRxere7et', 'pfVxxox5ax'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.7710000.9.raw.unpack, S7Z0i8b109Gd15wJMj.cs | High entropy of concatenated method names: 'ToString', 'p5qJ5qvQf1', 'TxeJpMj8X9', 'I4gJkgg6wo', 'voUJN4ULH1', 'txIJyGSYGB', 'WEEJjT72aR', 'TcaJiR3mpm', 'DOgJXvOjEj', 'XA1Js6mfDJ'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.7710000.9.raw.unpack, fkwh0RzeFOT2NoyWu6.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'eqILglYQD6', 'QR5L6mQS2V', 'h0OLJ6pTNA', 'F6nLaUL1AT', 'Xj2LK7bTOC', 'WTkLLlwlHM', 'BpWL7gWB4M'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.7710000.9.raw.unpack, rILejLehSpUEnqa25oK.cs | High entropy of concatenated method names: 'y5CLVdcARX', 'Lw3Lv6Dv7s', 'z93LE5J6bc', 'rkrLFcJS9h', 'jNeL9XNTHM', 'yGPLnshPbA', 'sv7LPAgux9', 'sJDLIUq9Oa', 'PsuLBBGfbv', 'BkPL3Oe4ei'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.7710000.9.raw.unpack, S1iZtBwdiPDlOwaSao.cs | High entropy of concatenated method names: 'uwH2DOdcFk', 'Qd12fMUHvK', 'Vcg2GD1DC2', 'O0s2SgP6JH', 'pn42lKI3Tq', 'z1MG45IQkD', 'bBqGd15roT', 'nZEGqvo9Ar', 'yXQGTnkTdD', 'vVhGRd0Ts6'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.7710000.9.raw.unpack, UaVgHueZJoV8ArQquSK.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zgI7MsMLoy', 'G9v7AWr3cW', 'iIE7bk6kgh', 'HnN7cq96tF', 'wBf74jsgwt', 'mS37dYLt0h', 'jwg7q1dvgL'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.7710000.9.raw.unpack, j8kiIGmJa8pHyTXcmY.cs | High entropy of concatenated method names: 'sMvgIDMXuV', 'H29gBYJg5M', 'zdXgw43TDf', 'l8tgpgdpEn', 'uxDgNHGCb7', 'Y8ogyEfdKQ', 'w7LgikIRIR', 'GXEgXVJiMx', 'ogSgoDFAMy', 'jXMg5pGH0s'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.7710000.9.raw.unpack, oLWxi0dZiwTN1dP5g1.cs | High entropy of concatenated method names: 'reDaTcX1uN', 'taqateUiPG', 'wTiKhCytMK', 'ROGKe4CB4f', 'wpqa5VJGJp', 'e7sa0pl3Ch', 'FncamME85t', 'vUfaMDmlbR', 'uT7aALrJjo', 'XvtaboaYcu'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.7710000.9.raw.unpack, LlG26VIhkp2otoPSKg.cs | High entropy of concatenated method names: 'EcDfMCFKCn', 'bykfAkS37G', 'TWNfbOrhe3', 'Y57fcWQZdx', 'ynkf4QX681', 'rgWfdpTqdY', 'Eg7fqCqOJu', 'n7wfTIc7TS', 'QbTfRfBpZE', 'b8kftkTEXh'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.7710000.9.raw.unpack, FnyV7xRWQRre7etJfV.cs | High entropy of concatenated method names: 'RExKwlt115', 'OcsKpikifZ', 'CmaKkfhZ9f', 'CgGKNWXxZU', 'FYiKM8OlIS', 'NpyKytqgDZ', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.7710000.9.raw.unpack, DB82N5rZvIALMvPp5i.cs | High entropy of concatenated method names: 'MNieSlG26V', 'akpel2otoP', 'rfoeQWbGPU', 'KsceW1PCFu', 'TnDe64yb1i', 'ctBeJdiPDl', 'lY6UnCAZwS0XkObUPc', 'W82Rf2HxAOWGMct4q1', 'LhVeehrW2E', 'dM0eZseriq'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.7710000.9.raw.unpack, CCFu3C3p8XohWcnD4y.cs | High entropy of concatenated method names: 'Mx3G9uV5dP', 'B5HGPe3qjF', 'RLBOkKYENy', 'seQONUTasP', 'YDLOyHT0Oj', 'QoROjFNT8s', 's3KOiO2fnX', 'FUcOXpRdyV', 'udsOslwIR2', 'sydOoEtC4R'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.7710000.9.raw.unpack, cxiZF5Mo7TeXpVKfWE.cs | High entropy of concatenated method names: 'WJ46oafEQ9', 'IGO60LeDJh', 'z0M6MMY0bh', 'ubR6AIVUAN', 'xGs6p3RqNZ', 'WIb6kQiqXN', 'SpH6N3xUBQ', 'xq76yZlG3j', 'gRA6j8YPra', 'P4u6iTHCDJ'
            Source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.7710000.9.raw.unpack, Nx5axgt980aUd64ocs.cs | High entropy of concatenated method names: 'STLLekWgAF', 'Y2YLZtPLuS', 'rrbLrMnF4Z', 'YQJLYy6K6l', 'nGgLfJQBoR', 'zP4LG4BdQM', 'kixL2eFjBW', 'R2DKqCM2Kr', 'YtAKTHgqC5', 'iOXKR0yGbS'
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_004063C6 ShellExecuteW,URLDownloadToFileW, 15_2_004063C6
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | File created: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe

            Boot Survival

            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PQHcRKfCm" /XML "C:\Users\user\AppData\Local\Temp\tmp319C.tmp"
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 15_2_00418A00

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: Possible double extension: pdf.bat | Static PE information: Payment Advice__Swift-MT103.pdf.bat.exe
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 15_2_0041A8DA
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (6 occurrences)
Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Process information set: NOOPENFILEERRORBOX (42 occurrences)

            Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: Payment Advice__Swift-MT103.pdf.bat.exe PID: 1412, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: PQHcRKfCm.exe PID: 7424, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_0040E18D Sleep,ExitProcess
Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Memory allocated (memory reserve, memory write watch) at: 3020000, 3240000, 3060000, 9000000, A000000, A1F0000, B1F0000, B5D0000, C5D0000, D5D0000, E830000, F830000, 10830000, 11830000
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Memory allocated (memory reserve, memory write watch) at: E60000, 2AA0000, EB0000, 8320000, 9320000, 9500000, A500000, A8B0000, B8B0000, 8320000, 9500000, A8B0000
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_004186FE OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (4 occurrences)
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4482
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 705
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6570
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 929
Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Window / User API: threadDelayed 2470
Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Window / User API: threadDelayed 7524
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | API coverage: 5.1 %
Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | TID: 1680 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | TID: 7204 | Thread sleep count: 4482 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | TID: 7404 | Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | TID: 7208 | Thread sleep count: 705 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | TID: 7304 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | TID: 7416 | Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | TID: 7392 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | TID: 7388 | Thread sleep count: 2470 > 30
Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | TID: 7388 | Thread sleep time: -7410000s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | TID: 7388 | Thread sleep count: 7524 > 30
Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | TID: 7388 | Thread sleep time: -22572000s >= -30000s
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | TID: 7524 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (2 occurrences)
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_004068CD FindFirstFileW,FindNextFileW
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_0044BA59 FindFirstFileExA
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW
Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (4 occurrences)
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Thread delayed: delay time: 922337203685477
Source: Payment Advice__Swift-MT103.pdf.bat.exe, 0000000A.00000002.4481027121.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWP
Source: Payment Advice__Swift-MT103.pdf.bat.exe, 0000000A.00000002.4481414196.0000000000E65000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: PQHcRKfCm.exe, 0000000B.00000002.2109474939.0000000000B62000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: Payment Advice__Swift-MT103.pdf.bat.exe, 00000000.00000002.2069657582.000000000147F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}C:@>6
Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_004407B5 mov eax, dword ptr fs:[00000030h] (reads the PEB pointer from the TEB, the usual manual BeingDebugged check)
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_00410763 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError
Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (2 occurrences)
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_004328FC SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_004398AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_00432D5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe" (cited 3 times)
Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PQHcRKfCm.exe" (cited 3 times)
Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Memory written: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe base: 400000 value starts with: 4D5A (4D5A is "MZ": a PE header written at the image base of the child copy)
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Memory written: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_00410B5C GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_004175E1 mouse_event
Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PQHcRKfCm" /XML "C:\Users\user\AppData\Local\Temp\tmp319C.tmp"
Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Process created: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe "C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe" (2 occurrences)
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PQHcRKfCm" /XML "C:\Users\user\AppData\Local\Temp\tmp4459.tmp"
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Process created: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe "C:\Users\user\AppData\Roaming\PQHcRKfCm.exe"
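The process-creation lines above are what an endpoint sensor sees of this chain: PowerShell adding Defender exclusions for the dropper and the dropped copy, schtasks registering a task from an XML file in the user's Temp directory, and the sample re-launching its own image before an MZ header is written at base 0x400000. The following added example, which is not part of Joe Sandbox or of the Sigma rules the report names, encodes those observations as four checks and runs them over events constructed from this report's command lines plus one benign control event; the field names follow Sysmon's Image, ParentImage and CommandLine convention, and the rule names are my own.

```python
"""Flag the process-creation behaviour recorded in this report in
Sysmon-style events.

Added example: neither the rules nor the events come from Joe Sandbox or a
published Sigma rule. The events are constructed from the command lines in
this report plus one benign control event.
"""
import re
from typing import Dict, List

# Add-MpPreference with any of its exclusion switches.
DEFENDER_EXCLUSION_RE = re.compile(
    r"\bAdd-MpPreference\b.*?-Exclusion(Path|Process|Extension|IpAddress)\b",
    re.IGNORECASE,
)
# schtasks /Create ... /XML <file under %LOCALAPPDATA%\Temp>
TEMP_XML_RE = re.compile(r'/XML\s+"?[^"]*\\AppData\\Local\\Temp\\', re.IGNORECASE)
# "invoice.pdf.exe"-style names that hide the real extension.
DOUBLE_EXT_RE = re.compile(
    r"\.(pdf|docx?|xlsx?|txt|bat|jpe?g|png)\.(exe|scr|com|pif)$", re.IGNORECASE
)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def evaluate(ev: Dict[str, str]) -> List[str]:
    """Return the names of the rules one event matches (empty list if none)."""
    hits: List[str] = []
    image = basename(ev["Image"]).lower()
    cmd = ev.get("CommandLine", "")
    if image in ("powershell.exe", "pwsh.exe") and DEFENDER_EXCLUSION_RE.search(cmd):
        hits.append("defender_exclusion_added")
    if image == "schtasks.exe" and "/create" in cmd.lower() and TEMP_XML_RE.search(cmd):
        hits.append("schtasks_xml_from_temp")
    # The sample spawns a copy of itself and then writes an MZ header at the
    # child's image base; the self-spawn is the part a process log shows.
    if ev["Image"].lower() == ev.get("ParentImage", "").lower():
        hits.append("self_spawn_possible_hollowing")
    if DOUBLE_EXT_RE.search(image):
        hits.append("double_extension_image")
    return hits


def scan(events) -> List[List[str]]:
    return [evaluate(e) for e in events]


SAMPLE = r"C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe"
# Constructed events; command lines 1-3 are taken from this report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": SAMPLE,
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PQHcRKfCm.exe"'},
    {"Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": SAMPLE,
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PQHcRKfCm" /XML "C:\Users\user\AppData\Local\Temp\tmp319C.tmp"'},
    {"Image": SAMPLE, "ParentImage": SAMPLE, "CommandLine": f'"{SAMPLE}"'},
    # Benign control: Explorer opening Notepad.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\user\notes.txt'},
]

if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(basename(ev["Image"]), "->", hits or "clean")
```

On a live host the same two persistence and defence-evasion steps can be confirmed and undone with the built-in cmdlets: Get-MpPreference (ExclusionPath) and Remove-MpPreference -ExclusionPath for the exclusions, Get-ScheduledTask -TaskPath '\Updates\' and Unregister-ScheduledTask for the task; the task's source XML in Temp has usually been deleted by then, so export the registered task with Export-ScheduledTask before removing it.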
Source: Payment Advice__Swift-MT103.pdf.bat.exe, 0000000A.00000002.4481244177.0000000000E3C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: Payment Advice__Swift-MT103.pdf.bat.exe, 0000000A.00000002.4481244177.0000000000E3C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managera
Source: Payment Advice__Swift-MT103.pdf.bat.exe, 0000000A.00000002.4481244177.0000000000E3C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager1
Source: Payment Advice__Swift-MT103.pdf.bat.exe, 0000000A.00000002.4481244177.0000000000E3C000.00000004.00000020.00020000.00000000.sdmp, Payment Advice__Swift-MT103.pdf.bat.exe, 0000000A.00000002.4481027121.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_004329DA cpuid
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_0044F17B EnumSystemLocalesW
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_0044F130 EnumSystemLocalesW
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_0044F216 EnumSystemLocalesW
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_0044F2A3 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_0040E2BB GetLocaleInfoA
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_0044F4F3 GetLocaleInfoW
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_0044F61C GetLocaleInfoW,GetLocaleInfoW,GetACP
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_0044F723 GetLocaleInfoW
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_0044F7F0 GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_00445914 EnumSystemLocalesW
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_00445E1C GetLocaleInfoW
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: 15_2_0044EEB8 IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW
Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Queries volume information: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (8 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (2 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (2 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation (2 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (6 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exeQueries volume information: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exeCode function: 15_2_0040A0B0 GetLocalTime,wsprintfW,15_2_0040A0B0
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exeCode function: 15_2_004195F8 GetUserNameW,15_2_004195F8
            Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exeCode function: 15_2_004466BF _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,15_2_004466BF
            Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: 15.2.PQHcRKfCm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.PQHcRKfCm.exe.3b0b308.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.42aaa30.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4320050.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.PQHcRKfCm.exe.3b80928.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.PQHcRKfCm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4320050.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.42aaa30.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.PQHcRKfCm.exe.3b80928.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.PQHcRKfCm.exe.3b0b308.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.4481027121.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2088942310.00000000012BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2071631158.00000000042AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2113634237.0000000003B0B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Payment Advice__Swift-MT103.pdf.bat.exe PID: 1412, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Payment Advice__Swift-MT103.pdf.bat.exe PID: 7364, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: PQHcRKfCm.exe PID: 7424, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: PQHcRKfCm.exe PID: 7692, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 15_2_0040A953
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 15_2_0040AA71
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: \key3.db 15_2_0040AA71

Remote Access Functionality

Source: C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-O7QOC3
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-O7QOC3
Source: Yara match | File source: 15.2.PQHcRKfCm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.PQHcRKfCm.exe.3b0b308.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.42aaa30.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4320050.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.PQHcRKfCm.exe.3b80928.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.PQHcRKfCm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.4320050.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment Advice__Swift-MT103.pdf.bat.exe.42aaa30.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.PQHcRKfCm.exe.3b80928.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.PQHcRKfCm.exe.3b0b308.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.4481027121.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2088942310.00000000012BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2071631158.00000000042AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2113634237.0000000003B0B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Payment Advice__Swift-MT103.pdf.bat.exe PID: 1412, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Payment Advice__Swift-MT103.pdf.bat.exe PID: 7364, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: PQHcRKfCm.exe PID: 7424, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: PQHcRKfCm.exe PID: 7692, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | Code function: cmd.exe 15_2_0040567A
MITRE ATT&CK Matrix

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 12 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 1 Command and Scripting Interpreter | 1 Windows Service | 1 Access Token Manipulation | 1 Deobfuscate/Decode Files or Information | 111 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 111 Input Capture | 2 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement
Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 1 Windows Service | 13 Obfuscated Files or Information | 2 Credentials In Files | 1 System Service Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 2 Service Execution | Login Hook | 122 Process Injection | 12 Software Packing | NTDS | 3 File and Directory Discovery | Distributed Component Object Model | Input Capture | 1 Remote Access Software | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 1 Scheduled Task/Job | 1 DLL Side-Loading | LSA Secrets | 33 System Information Discovery | SSH | Keylogging | 2 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 11 Masquerading | Cached Domain Credentials | 121 Security Software Discovery | VNC | GUI Input Capture | 12 Application Layer Protocol | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 31 Virtualization/Sandbox Evasion | DCSync | 31 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Access Token Manipulation | Proc Filesystem | 3 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 122 Process Injection | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Behavior Graph ID: 1467078 | Sample: Payment Advice__Swift-MT103... | Startdate: 03/07/2024 | Architecture: WINDOWS | Score: 100

• Node 2 (start): DNS: geoplugin.net; signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 14 other signatures
• Node 8: Payment Advice__Swift-MT103.pdf.bat.exe (started from 2); dropped files: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe (PE32), C:\Users\...\PQHcRKfCm.exe:Zone.Identifier (ASCII), C:\Users\user\AppData\Local\...\tmp319C.tmp (XML), Payment Advice__Sw...103.pdf.bat.exe.log (ASCII); signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes; started: 14 Payment Advice__Swift-MT103.pdf.bat.exe, 18 powershell.exe, 20 powershell.exe, 26 (2 other processes)
• Node 12: PQHcRKfCm.exe (started from 2); signatures: Multi AV Scanner detection for dropped file; Contains functionalty to change the wallpaper; Machine Learning detection for dropped file; 4 other signatures; started: 22 PQHcRKfCm.exe, 24 schtasks.exe
• Node 14: Payment Advice__Swift-MT103.pdf.bat.exe; network: 204.10.160.230 (ports 49708, 7983; UNREAL-SERVERSUS, Canada), geoplugin.net 178.237.33.50 (ports 49710, 80; ATOM86-ASATOM86NL, Netherlands); signature: Detected Remcos RAT
• Node 18: powershell.exe; signature: Loading BitLocker PowerShell Module; started: 28 WmiPrvSE.exe, 30 conhost.exe
• Node 20: powershell.exe; started: 32 conhost.exe
• Node 24: schtasks.exe; started: 34 conhost.exe
• Node 26: 2 other processes; started: 36 conhost.exe

Antivirus, Machine Learning and Genetic Malware Detection

Initial sample:
Source | Detection | Scanner | Label
Payment Advice__Swift-MT103.pdf.bat.exe | 39% | ReversingLabs | Win32.Packed.Generic
Payment Advice__Swift-MT103.pdf.bat.exe | 100% | Joe Sandbox ML |

Dropped files:
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\PQHcRKfCm.exe | 39% | ReversingLabs | Win32.Packed.Generic

Unpacked PE files: No Antivirus matches

Domains: No Antivirus matches

URLs:
Source | Detection | Scanner | Label
http://geoplugin.net/json.gp | 0% | URL Reputation | safe
http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | 0% | URL Reputation | safe
http://geoplugin.net/R | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gpH | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gpL | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gpSystem32 | 0% | Avira URL Cloud | safe
204.10.160.230 | 0% | Avira URL Cloud | safe
Domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
geoplugin.net | 178.237.33.50 | true | false | | unknown

Contacted URLs:
Name | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
204.10.160.230 | true | Avira URL Cloud: safe | unknown

URLs from memory and binaries:
Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gpH | Payment Advice__Swift-MT103.pdf.bat.exe, 0000000A.00000002.4481244177.0000000000E3C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/R | Payment Advice__Swift-MT103.pdf.bat.exe, 0000000A.00000002.4481027121.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp/C | Payment Advice__Swift-MT103.pdf.bat.exe, 00000000.00000002.2071631158.00000000042AA000.00000004.00000800.00020000.00000000.sdmp, PQHcRKfCm.exe, 0000000B.00000002.2113634237.0000000003B0B000.00000004.00000800.00020000.00000000.sdmp, PQHcRKfCm.exe, 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gpL | Payment Advice__Swift-MT103.pdf.bat.exe, 0000000A.00000002.4481244177.0000000000E3C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Payment Advice__Swift-MT103.pdf.bat.exe, 00000000.00000002.2071167730.0000000003241000.00000004.00000800.00020000.00000000.sdmp, PQHcRKfCm.exe, 0000000B.00000002.2111705485.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | Payment Advice__Swift-MT103.pdf.bat.exe, PQHcRKfCm.exe.0.dr | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gpSystem32 | Payment Advice__Swift-MT103.pdf.bat.exe, 0000000A.00000002.4481027121.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown

Contacted IPs:
IP | Domain | Country | ASN | ASN Name | Malicious
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
204.10.160.230 | unknown | Canada | 64236 | UNREAL-SERVERSUS | true
General Information

Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1467078
Start date and time: 2024-07-03 17:48:41 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 8s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Payment Advice__Swift-MT103.pdf.bat.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.evad.winEXE@21/16@1/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 170
• Number of non-executed functions: 203
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes where analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: Payment Advice__Swift-MT103.pdf.bat.exe
Time | Type | Description
11:49:30 | API Interceptor | 4784543x Sleep call for process: Payment Advice__Swift-MT103.pdf.bat.exe modified
11:49:32 | API Interceptor | 25x Sleep call for process: powershell.exe modified
11:49:35 | API Interceptor | 2x Sleep call for process: PQHcRKfCm.exe modified
17:49:33 | Task Scheduler | Run new task: PQHcRKfCm path: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe
              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
              178.237.33.50UniCredit__Avviso di Pagamento.pdf.bat.exeGet hashmaliciousRemcosBrowse
              • geoplugin.net/json.gp
              file.exeGet hashmaliciousGuLoader, RemcosBrowse
              • geoplugin.net/json.gp
              172001946670b1e83321a2b0b2afa526495dda6118492d61c1dbccf1f24b87b00c0e2fc524979.dat-decoded.exeGet hashmaliciousRemcosBrowse
              • geoplugin.net/json.gp
              wcNDx6MT9O.exeGet hashmaliciousRemcosBrowse
              • geoplugin.net/json.gp
              cnaniAxghZ.exeGet hashmaliciousRemcosBrowse
              • geoplugin.net/json.gp
              xBkOubR0eL.exeGet hashmaliciousRemcosBrowse
              • geoplugin.net/json.gp
              PO#2195112.vbsGet hashmaliciousRemcosBrowse
              • geoplugin.net/json.gp
              TT_Payment_Slip.bat.exeGet hashmaliciousRemcosBrowse
              • geoplugin.net/json.gp
              SOA.vbsGet hashmaliciousRemcos, GuLoaderBrowse
              • geoplugin.net/json.gp
              PAYMENT COPY.vbsGet hashmaliciousRemcos, GuLoaderBrowse
              • geoplugin.net/json.gp
              204.10.160.230UniCredit__Avviso di Pagamento.pdf.bat.exeGet hashmaliciousRemcosBrowse
                Documento di Pagamento_Intesa Sanpaolo_pdf.bat.exeGet hashmaliciousRemcosBrowse
                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  geoplugin.netUniCredit__Avviso di Pagamento.pdf.bat.exeGet hashmaliciousRemcosBrowse
                  • 178.237.33.50
                  file.exeGet hashmaliciousGuLoader, RemcosBrowse
                  • 178.237.33.50
                  172001946670b1e83321a2b0b2afa526495dda6118492d61c1dbccf1f24b87b00c0e2fc524979.dat-decoded.exeGet hashmaliciousRemcosBrowse
                  • 178.237.33.50
                  wcNDx6MT9O.exeGet hashmaliciousRemcosBrowse
                  • 178.237.33.50
                  cnaniAxghZ.exeGet hashmaliciousRemcosBrowse
                  • 178.237.33.50
                  xBkOubR0eL.exeGet hashmaliciousRemcosBrowse
                  • 178.237.33.50
                  PO#2195112.vbsGet hashmaliciousRemcosBrowse
                  • 178.237.33.50
                  TT_Payment_Slip.bat.exeGet hashmaliciousRemcosBrowse
                  • 178.237.33.50
                  SOA.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                  • 178.237.33.50
                  PAYMENT COPY.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                  • 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: ATOM86-AS ATOM86, NL (ASN)
UniCredit__Avviso di Pagamento.pdf.bat.exe | malicious | Remcos | 178.237.33.50
file.exe | malicious | GuLoader, Remcos | 178.237.33.50
172001946670b1e83321a2b0b2afa526495dda6118492d61c1dbccf1f24b87b00c0e2fc524979.dat-decoded.exe | malicious | Remcos | 178.237.33.50
wcNDx6MT9O.exe | malicious | Remcos | 178.237.33.50
cnaniAxghZ.exe | malicious | Remcos | 178.237.33.50
xBkOubR0eL.exe | malicious | Remcos | 178.237.33.50
PO#2195112.vbs | malicious | Remcos | 178.237.33.50
TT_Payment_Slip.bat.exe | malicious | Remcos | 178.237.33.50
SOA.vbs | malicious | Remcos, GuLoader | 178.237.33.50
PAYMENT COPY.vbs | malicious | Remcos, GuLoader | 178.237.33.50
Match: UNREAL-SERVERS, US (ASN)
UniCredit__Avviso di Pagamento.pdf.bat.exe | malicious | Remcos | 204.10.160.230
TT_Payment_Slip.bat.exe | malicious | Remcos | 212.162.149.42
TT Fizetesi Bizonylat.exe | malicious | Remcos, PureLog Stealer | 212.162.149.42
z89PO25-06-2024orderlist_PDF.exe | malicious | Remcos, GuLoader | 204.10.160.132
Documento di Pagamento_Intesa Sanpaolo_pdf.bat.exe | malicious | Remcos | 204.10.160.230
Plinth.exe | malicious | Remcos, GuLoader | 204.10.160.176
Ikkevren.exe | malicious | Remcos, GuLoader | 204.10.160.176
rvohv1J7S8.exe | malicious | GuLoader | 162.251.122.108
ikpo.exe | malicious | Remcos, GuLoader | 204.10.160.176
Maersk Arrival Bill of Lading 238591458.exe | malicious | Remcos, GuLoader | 204.10.160.151
                  Process:C:\Users\user\AppData\Roaming\PQHcRKfCm.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):1216
                  Entropy (8bit):5.34331486778365
                  Encrypted:false
                  SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                  MD5:1330C80CAAC9A0FB172F202485E9B1E8
                  SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                  SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                  SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                  Malicious:false
                  Reputation:high, very likely benign file
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Note: this is a CLR assembly usage log (the format the .NET runtime writes to its UsageLogs directory), recording that the process loaded System.Windows.Forms, System.Drawing, System.Core, System.Configuration and System.Xml. It is a by-product of any 32-bit .NET Framework process, not malware content; its value here is confirming that the AppData\Roaming copy executed as a managed process just like the original.
                  Process:C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):1216
                  Entropy (8bit):5.34331486778365
                  Encrypted:false
                  SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                  MD5:1330C80CAAC9A0FB172F202485E9B1E8
                  SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                  SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                  SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                  Malicious:true
                  Reputation:high, very likely benign file
                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                  Process:C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe
                  File Type:JSON data
                  Category:dropped
                  Size (bytes):962
                  Entropy (8bit):5.013130376969173
                  Encrypted:false
                  SSDEEP:12:tklu+mnd6UGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qlu+KdVauKyGX85jvXhNlT3/7AcV9Wro
                  MD5:F61E5CC20FBBA892FF93BFBFC9F41061
                  SHA1:36CD25DFAD6D9BC98697518D8C2F5B7E12A5864E
                  SHA-256:28B330BB74B512AFBD70418465EC04C52450513D3CC8609B08B293DBEC847568
                  SHA-512:5B6AD2F42A82AC91491C594714638B1EDCA26D60A9932C96CBA229176E95CA3FD2079B68449F62CBFFFFCA5DA6F4E25B7B49AF8A8696C95A4F11C54BCF451933
                  Malicious:false
Preview:{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
Note: geoplugin_request is the public egress IP of the analysis machine as seen by geoplugin.net. Remcos performs this GET to geoplugin.net/json.gp to geolocate the victim and writes the response to disk; an outbound request to that URL from a process that is not a browser is a usable network indicator on its own.
                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):2232
                  Entropy (8bit):5.380192968514367
                  Encrypted:false
                  SSDEEP:48:+WSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//MPUyus:+LHyIFKL3IZ2KRH9Ougss
                  MD5:9D72473420FB49ED982B50779FFDCA22
                  SHA1:D67176453325850CCE3A55698D638E7E762FB7E9
                  SHA-256:AD01609D608CA443EC64E858CAFB8920BDEB3E6600B2E97F5C05F28F21A33FB8
                  SHA-512:555B6F0DC6E50A5E6D4F94DD857732E623FA5A58BE4C3FD4878622756C6CB714F5CA11EA56C4A2A1816358069E924F7990F6F20ED5C353427FAC993708EF55DB
                  Malicious:false
                  Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Note: this is PowerShell's own startup probe (written as __PSScriptPolicyTest_<random>.ps1 to the temp directory to test whether AppLocker or WDAC constrains script execution). It is benign; its presence only shows that 32-bit powershell.exe was launched by the sample.
Seven further entries for the same 60-byte AppLocker probe file (identical MD5 D17FE0A3F47BE24A6453E9EF58C94641 and SHA-256 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7, Malicious:false), each dropped by C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, repeat the entry above verbatim: eight PowerShell invocations in total.
                  Process:C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe
                  File Type:XML 1.0 document, ASCII text
                  Category:dropped
                  Size (bytes):1582
                  Entropy (8bit):5.108595207513484
                  Encrypted:false
                  SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtxFxvn:cgergYrFdOFzOzN33ODOiDdKrsuTlv
                  MD5:29A7F53B94F6DF1A2CEF19AE2733D948
                  SHA1:7F5A19B4692E49770880C8E4C5848E2693B6B612
                  SHA-256:A4CA79622BCF3ACA0B108A7F69D5205E6A42CF0A7C53D5F52C6372FD5B3A2254
                  SHA-512:EE9139DC9659D0921439BF75565868F25307882D12EE1057F3F515AA3C77CE0282D6CC0DDC06257ED6415A994DACF58460BF891A17DE2878810B56C46AD62273
                  Malicious:true
                  Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                  Process:C:\Users\user\AppData\Roaming\PQHcRKfCm.exe
                  File Type:XML 1.0 document, ASCII text
                  Category:dropped
                  Size (bytes):1582
                  Entropy (8bit):5.108595207513484
                  Encrypted:false
                  SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtxFxvn:cgergYrFdOFzOzN33ODOiDdKrsuTlv
                  MD5:29A7F53B94F6DF1A2CEF19AE2733D948
                  SHA1:7F5A19B4692E49770880C8E4C5848E2693B6B612
                  SHA-256:A4CA79622BCF3ACA0B108A7F69D5205E6A42CF0A7C53D5F52C6372FD5B3A2254
                  SHA-512:EE9139DC9659D0921439BF75565868F25307882D12EE1057F3F515AA3C77CE0282D6CC0DDC06257ED6415A994DACF58460BF891A17DE2878810B56C46AD62273
                  Malicious:false
                  Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
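The two task definitions above are the persistence mechanism: a LogonTrigger for the current user, RunLevel LeastPrivilege (registered without elevation, so no UAC prompt), and MultipleInstancesPolicy StopExisting so a newly started copy replaces a running one. The preview is cut off before the <Actions> element, so the command the task launches is not visible on this page. The Python below is an added triage helper, not part of the Joe Sandbox report or of the malware: it parses a task definition and reports enabled triggers, run level, commands and the findings an analyst would care about. The task it parses is constructed here, copying the page's RegistrationInfo, Triggers and Principals and adding a hypothetical Exec action pointing at the AppData\Roaming copy that appears in the process list (an assumption; the real command is not shown). A constructed benign task is included for comparison.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Launch paths that a legitimately installed product has no reason to use.
USER_WRITABLE = re.compile(
    r"\\(AppData|Temp|ProgramData|Users\\[^\\]+\\(Desktop|Downloads))\\", re.I)

# Constructed task: RegistrationInfo/Triggers/Principals mirror the dropped XML on the
# page; the <Actions> block is an assumption (the page's preview ends before it).
SUSPECT_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Date>2014-10-25T14:27:44.8929027</Date><Author>user-PC\user</Author></RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled><UserId>user-PC\user</UserId></LogonTrigger>
    <RegistrationTrigger><Enabled>false</Enabled></RegistrationTrigger>
  </Triggers>
  <Principals><Principal id="Author"><UserId>user-PC\user</UserId>
    <LogonType>InteractiveToken</LogonType><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy></Settings>
  <Actions Context="Author"><Exec><Command>C:\Users\user\AppData\Roaming\PQHcRKfCm.exe</Command></Exec></Actions>
</Task>"""

# Constructed benign counterpart: vendor binary under Program Files, daily trigger.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Enabled>true</Enabled><StartBoundary>2024-07-03T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\Program Files\Vendor\updater.exe</Command></Exec></Actions>
</Task>"""


def parse_task(text):
    # Task Scheduler exports are normally UTF-16; the dropped file on this page is ASCII
    # with a UTF-16 declaration, so the declaration is dropped rather than trusted.
    return ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", text).strip())


def triage_task(text):
    """Summarise a task definition and list the persistence-related findings."""
    root = parse_task(text)
    trig = root.find("t:Triggers", NS)
    triggers = [el.tag.split("}")[1] for el in (list(trig) if trig is not None else [])
                if el.findtext("t:Enabled", "true", NS).lower() != "false"]
    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel", None, NS)
    commands = [c.text or "" for c in root.findall("t:Actions/t:Exec/t:Command", NS)]
    findings = []
    if any(t in ("LogonTrigger", "BootTrigger") for t in triggers):
        findings.append("persistence: task runs at every logon/boot")
    for cmd in commands:
        if USER_WRITABLE.search(cmd):
            findings.append(f"executes from a user-writable path: {cmd}")
    return {"triggers": triggers, "run_level": run_level,
            "commands": commands, "findings": findings}


if __name__ == "__main__":
    for name, xml_text in (("suspect", SUSPECT_TASK), ("benign", BENIGN_TASK)):
        print(name, triage_task(xml_text))
```

On a live host the same function can be run over every file under C:\Windows\System32\Tasks (each is one such XML document); the combination of a logon trigger and a command under AppData or Temp is the condition the report's scheduled-task signature is describing.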
                  Process:C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe
                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):1030664
                  Entropy (8bit):7.919516942105526
                  Encrypted:false
                  SSDEEP:24576:yJZQK8ebdmaOLAuHz7SaLf+/9S+YrMpjrh1y:yJZQ9aOs47SaL2/c+jh1y
                  MD5:AE9E6FFDC6B75B93D96748B6E2801096
                  SHA1:C3BA04CBC0D773CA5B036C44E6B7B97B4C5E936F
                  SHA-256:6EECADFD2838192C745CF88FA82ED4E96D9F27B15F1372AB24A5E94FDBA22978
                  SHA-512:FBDEDB0D46D9417ABB21495BC928DB10275B5A5EDFCBCF94A570721EE534F74B915DEC23EBF0125FCAF154C24FED89982680AB8BE18260CF6C1C79F8A3DD148A
Malicious:true (MD5, SHA-1 and SHA-256 are identical to the submitted sample: this dropped file is a byte-for-byte self-copy, which is how the C:\Users\user\AppData\Roaming\PQHcRKfCm.exe process seen elsewhere in this report comes to exist)
                  Antivirus:
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  • Antivirus: ReversingLabs, Detection: 39%
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?.f..............0..L...6......2j... ........@.. ....................................@..................................i..O........3...............6........................................................... ............... ..H............text...XJ... ...L.................. ..`.rsrc....3.......4...N..............@..@.reloc..............................@..B.................j......H...................,....... ............................................0...........s....}......}......}.....(.......((.....{....r...p"...A...s....o .....{.....{....r...p(....%.or.....ol.....{....r#..p(....o`.....{....r3..p(....of.....{.....{....o!...ob............s"...(#....*..*....0...........($...rC..p(%...s&....+..*...0............(....o'.....9.....s(.....o)...s*.....(....o+.......o,...u.........,..o-.......o......8......(/.......{......{&.....{'.....{(...sH.......{*...-
                  Process:C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):26
                  Entropy (8bit):3.95006375643621
                  Encrypted:false
                  SSDEEP:3:ggPYV:rPYV
                  MD5:187F488E27DB4AF347237FE461A079AD
                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                  Malicious:true
Preview:[ZoneTransfer]....ZoneId=0
Note: this is a Zone.Identifier alternate data stream written by the sample on a dropped file. ZoneId=0 is the Local Machine zone, so the copy carries no Mark-of-the-Web and will not trigger SmartScreen or the "file came from another computer" prompt the way the originally downloaded attachment would.
                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Entropy (8bit):7.919516942105526
                  TrID:
                  • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                  • Win32 Executable (generic) a (10002005/4) 49.97%
                  • Generic Win/DOS Executable (2004/3) 0.01%
                  • DOS Executable Generic (2002/1) 0.01%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:Payment Advice__Swift-MT103.pdf.bat.exe
                  File size:1'030'664 bytes
                  MD5:ae9e6ffdc6b75b93d96748b6e2801096
                  SHA1:c3ba04cbc0d773ca5b036c44e6b7b97b4c5e936f
                  SHA256:6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978
                  SHA512:fbdedb0d46d9417abb21495bc928db10275b5a5edfcbcf94a570721ee534f74b915dec23ebf0125fcaf154c24fed89982680ab8be18260cf6c1c79f8a3dd148a
                  SSDEEP:24576:yJZQK8ebdmaOLAuHz7SaLf+/9S+YrMpjrh1y:yJZQ9aOs47SaL2/c+jh1y
                  TLSH:422512B461988E6EF2DE577EE0E900108BF1B1463493EB5D1DE4C0C91DD6BA2C53B58B
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..f..............0..L...6......2j... ........@.. ....................................@................................
                  Icon Hash:2749a4a6b8e4570b
                  Entrypoint:0x4f6a32
                  Entrypoint Section:.text
Digitally signed:true (this flag only means a non-empty IMAGE_DIRECTORY_ENTRY_SECURITY is present; whether the signature verifies is reported separately under Signature Valid below)
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Time Stamp:0x6684DB3F [Wed Jul 3 05:01:51 2024 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Signature Valid:false
Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:The digital signature of the object did not verify
Error Number:-2146869232 (0x80096010, TRUST_E_BAD_DIGEST: the Authenticode hash computed over this file does not match the hash embedded in the signature, so the signature was not produced over these bytes)
Not Before:13/11/2018 01:00:00
Not After:09/11/2021 00:59:59 (the certificate had expired almost three years before the PE Time Stamp of Jul 3 2024)
Subject Chain:CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Note: an individual developer's code-signing certificate on a "Payment Advice" executable, together with a digest mismatch, is the pattern of a signature block lifted from some other signed binary and appended to this one. The subject name is no evidence of provenance; only a verified signature would be.
                  Version:3
                  Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
                  Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
                  Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
                  Serial:7C1118CBBADC95DA3752C46E47A27438
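Why the report can say "Digitally signed: true" and "Signature Valid: false" about the same file: the first is the presence of a certificate table (here at file offset 0xf8400, size 0x3608, which is exactly the last 13,832 bytes of the 1,030,664-byte file), the second is whether the PE's Authenticode digest matches the digest inside the PKCS#7 blob, which TRUST_E_BAD_DIGEST says it does not. The Python below is an added example, not part of the Joe Sandbox report or of any tool the page names: it computes the Authenticode digest from raw bytes the way the specification defines it (everything except the CheckSum field, the security directory entry and the certificate table itself), over a minimal PE32 fixture constructed in the code, and shows that appending, swapping or removing a certificate table cannot change that digest. That property is the reason a signature block copied from another binary can never verify. Extracting the signed digest from the PKCS#7 structure for the comparison is left to real tooling (signtool verify /pa, osslsigncode verify); the file-hashing half is what this example covers.

```python
import hashlib
import struct

# PE/COFF layout constants (from the spec); no third-party PE parser is needed.
DOS_E_LFANEW = 0x3C
COFF_HEADER_SIZE = 20
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
CHECKSUM_OFF = 64                                    # CheckSum field inside the optional header
DATADIR_OFF = {PE32_MAGIC: 96, PE32PLUS_MAGIC: 112}  # start of the data directories
SECURITY_DIR_INDEX = 4                               # IMAGE_DIRECTORY_ENTRY_SECURITY


def _u16(b, o):
    return struct.unpack_from("<H", b, o)[0]


def _u32(b, o):
    return struct.unpack_from("<I", b, o)[0]


def _layout(data):
    """Return (checksum_off, security_entry_off, cert_off, cert_size) for a PE image."""
    e_lfanew = _u32(data, DOS_E_LFANEW)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 4 + COFF_HEADER_SIZE
    sec_entry = opt + DATADIR_OFF[_u16(data, opt)] + SECURITY_DIR_INDEX * 8
    # Unlike every other directory, the security entry holds a raw file offset,
    # not an RVA, which is why reports list it as belonging to no section.
    return opt + CHECKSUM_OFF, sec_entry, _u32(data, sec_entry), _u32(data, sec_entry + 4)


def has_security_directory(data):
    """All that a 'Digitally signed: true' flag proves: a non-empty certificate table."""
    _, _, cert_off, cert_size = _layout(data)
    return cert_off != 0 and cert_size != 0


def hashed_regions(data):
    """Byte ranges the Authenticode digest covers. Assumes sections are contiguous
    and the certificate table is the last thing in the file (true of this sample);
    any bytes after the table are hashed as well, as the spec requires."""
    checksum_off, sec_entry, cert_off, cert_size = _layout(data)
    end_of_image = cert_off if cert_size else len(data)
    regions = [(0, checksum_off),               # headers up to CheckSum
               (checksum_off + 4, sec_entry),   # CheckSum skipped
               (sec_entry + 8, end_of_image)]   # security entry skipped, then the sections
    if cert_size and cert_off + cert_size < len(data):
        regions.append((cert_off + cert_size, len(data)))   # trailing data after the table
    return regions


def authenticode_digest(data, algo="sha256"):
    """The digest a verifier compares with the one inside the PKCS#7 SignedData."""
    h = hashlib.new(algo)
    for start, end in hashed_regions(data):
        h.update(data[start:end])
    return h.hexdigest()


def set_checksum(data, value):
    checksum_off = _layout(data)[0]
    return data[:checksum_off] + struct.pack("<I", value) + data[checksum_off + 4:]


def build_fake_pe(code, cert_blob=b""):
    """Minimal PE32 (one .text section, headers padded to 0x200) with an optional
    WIN_CERTIFICATE appended at end of file. A constructed fixture, not a real binary."""
    hdr_size = 0x200
    code = code.ljust(hdr_size, b"\0")
    cert = b""
    if cert_blob:   # WIN_CERTIFICATE: dwLength, wRevision 0x0200, wCertificateType 0x0002 (PKCS#7)
        cert = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
    dos = b"MZ".ljust(DOS_E_LFANEW, b"\0") + struct.pack("<I", 64)            # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1000)                                     # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)                  # ImageBase, alignments
    struct.pack_into("<II", opt, 56, 0x2000, hdr_size)                          # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, DATADIR_OFF[PE32_MAGIC] + SECURITY_DIR_INDEX * 8,
                     (hdr_size + len(code)) if cert else 0, len(cert))          # security directory
    section = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(code), 0x1000, len(code), hdr_size, 0, 0, 0, 0, 0x60000020)
    headers = (dos + coff + bytes(opt) + section).ljust(hdr_size, b"\0")
    return headers + code + cert


if __name__ == "__main__":
    signed = build_fake_pe(b"\x90" * 16, b"copied-pkcs7-blob")
    print(has_security_directory(signed), authenticode_digest(signed))
    print(authenticode_digest(build_fake_pe(b"\x90" * 16)))     # same digest, no cert table
```

Run against the real sample the same routine hashes bytes 0 up to the certificate table at 0xf8400 (minus the two header fields); a byte-exact copy of the signature from a genuinely signed binary leaves that digest untouched, so the comparison fails with exactly the error the report shows.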
Instruction (disassembly at the entrypoint, 0x4f6a32)
jmp dword ptr [00402000h]    ; 0x402000 = ImageBase 0x400000 + IAT RVA 0x2000, i.e. the single import mscoree.dll!_CorExeMain; this is the standard stub of every .NET executable, which hands control to the CLR
add byte ptr [eax], al       ; x2
add dword ptr [eax], eax
add byte ptr [eax], al
add al, byte ptr [eax]
add byte ptr [eax], al
add eax, dword ptr [eax]
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
add eax, 06000000h
add byte ptr [eax], al       ; x84; everything after the jmp is data and zero padding that the disassembler decodes as instructions, not reachable code
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf69e0 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf8000 | 0x3394 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xf8400 | 0x3608 | (none: this entry is a raw file offset, not an RVA; 0xf8400 + 0x3608 = 0xfba08 = 1'030'664, so the Authenticode certificate table is the final 13,832 bytes of the file, appended after the last section)
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xfc000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xf4a58 | 0xf4c00 | e2f8c1cd01fc656d989f3dcdff21e45a | False | 0.9302660559244127 | data | 7.923659229684686 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xf8000 | 0x3394 | 0x3400 | ef7ee0b3dee5655c597a1f7078991dc8 | False | 0.9213491586538461 | data | 7.756468630283422 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xfc000 | 0xc | 0x200 | e1977dd477b3936d7bfc927d50985c9f | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Note: .text is 0xf4c00 bytes (just over 1 MB, about 97% of the file) at entropy 7.92 and 93% ZLIB complexity. IL code never looks like that; the section is almost entirely compressed or encrypted data, the typical shape of a .NET loader that carries its payload as a large embedded byte array and decrypts it at runtime before injecting it. The .rsrc section's 7.76 entropy is explained by the embedded 256x256 PNG icon listed below.
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xf80c8 | 0x2f27 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9724132217711872
RT_GROUP_ICON | 0xfb000 | 0x14 | data | | | 1.05
RT_VERSION | 0xfb024 | 0x36a | data | | | 0.43363844393592677
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 3, 2024 17:49:33.622704029 CEST | 49708 | 7983 | 192.168.2.5 | 204.10.160.230
Jul 3, 2024 17:49:33.634155035 CEST | 7983 | 49708 | 204.10.160.230 | 192.168.2.5
Jul 3, 2024 17:49:33.634251118 CEST | 49708 | 7983 | 192.168.2.5 | 204.10.160.230
Jul 3, 2024 17:49:33.640335083 CEST | 49708 | 7983 | 192.168.2.5 | 204.10.160.230
Jul 3, 2024 17:49:33.647166014 CEST | 7983 | 49708 | 204.10.160.230 | 192.168.2.5
Jul 3, 2024 17:49:34.233861923 CEST | 7983 | 49708 | 204.10.160.230 | 192.168.2.5
Jul 3, 2024 17:49:34.276812077 CEST | 49708 | 7983 | 192.168.2.5 | 204.10.160.230
Jul 3, 2024 17:49:34.311299086 CEST | 7983 | 49708 | 204.10.160.230 | 192.168.2.5
Jul 3, 2024 17:49:34.316342115 CEST | 49708 | 7983 | 192.168.2.5 | 204.10.160.230
Jul 3, 2024 17:49:34.322016001 CEST | 7983 | 49708 | 204.10.160.230 | 192.168.2.5
Jul 3, 2024 17:49:34.323838949 CEST | 49708 | 7983 | 192.168.2.5 | 204.10.160.230
Jul 3, 2024 17:49:34.330334902 CEST | 7983 | 49708 | 204.10.160.230 | 192.168.2.5
Jul 3, 2024 17:49:34.888545990 CEST | 7983 | 49708 | 204.10.160.230 | 192.168.2.5
Jul 3, 2024 17:49:34.911360025 CEST | 49708 | 7983 | 192.168.2.5 | 204.10.160.230
Jul 3, 2024 17:49:34.916707993 CEST | 7983 | 49708 | 204.10.160.230 | 192.168.2.5
Jul 3, 2024 17:49:35.014050961 CEST | 7983 | 49708 | 204.10.160.230 | 192.168.2.5
Jul 3, 2024 17:49:35.058058023 CEST | 49708 | 7983 | 192.168.2.5 | 204.10.160.230
Jul 3, 2024 17:49:35.082268000 CEST | 49710 | 80 | 192.168.2.5 | 178.237.33.50
Jul 3, 2024 17:49:35.087354898 CEST | 80 | 49710 | 178.237.33.50 | 192.168.2.5
Jul 3, 2024 17:49:35.087476969 CEST | 49710 | 80 | 192.168.2.5 | 178.237.33.50
Jul 3, 2024 17:49:35.087579966 CEST | 49710 | 80 | 192.168.2.5 | 178.237.33.50
Jul 3, 2024 17:49:35.092693090 CEST | 80 | 49710 | 178.237.33.50 | 192.168.2.5
Jul 3, 2024 17:49:35.727715969 CEST | 80 | 49710 | 178.237.33.50 | 192.168.2.5
Jul 3, 2024 17:49:35.727802038 CEST | 49710 | 80 | 192.168.2.5 | 178.237.33.50
Jul 3, 2024 17:49:35.742166042 CEST | 49708 | 7983 | 192.168.2.5 | 204.10.160.230
Jul 3, 2024 17:49:35.747055054 CEST | 7983 | 49708 | 204.10.160.230 | 192.168.2.5
Jul 3, 2024 17:49:36.719805956 CEST | 80 | 49710 | 178.237.33.50 | 192.168.2.5
Jul 3, 2024 17:49:36.719913960 CEST | 49710 | 80 | 192.168.2.5 | 178.237.33.50
Jul 3, 2024 17:50:05.335278988 CEST | 7983 | 49708 | 204.10.160.230 | 192.168.2.5
Jul 3, 2024 17:50:05.337177992 CEST | 49708 | 7983 | 192.168.2.5 | 204.10.160.230
Jul 3, 2024 17:50:05.341995955 CEST | 7983 | 49708 | 204.10.160.230 | 192.168.2.5
Jul 3, 2024 17:50:35.727622032 CEST | 7983 | 49708 | 204.10.160.230 | 192.168.2.5
Jul 3, 2024 17:50:35.728976011 CEST | 49708 | 7983 | 192.168.2.5 | 204.10.160.230
Jul 3, 2024 17:50:35.734327078 CEST | 7983 | 49708 | 204.10.160.230 | 192.168.2.5
Jul 3, 2024 17:51:06.121937990 CEST | 7983 | 49708 | 204.10.160.230 | 192.168.2.5
Jul 3, 2024 17:51:06.123430014 CEST | 49708 | 7983 | 192.168.2.5 | 204.10.160.230
Jul 3, 2024 17:51:06.128618002 CEST | 7983 | 49708 | 204.10.160.230 | 192.168.2.5
Jul 3, 2024 17:51:25.057776928 CEST | 49710 | 80 | 192.168.2.5 | 178.237.33.50
Jul 3, 2024 17:51:25.370642900 CEST | 49710 | 80 | 192.168.2.5 | 178.237.33.50
Jul 3, 2024 17:51:25.979940891 CEST | 49710 | 80 | 192.168.2.5 | 178.237.33.50
Jul 3, 2024 17:51:27.183187008 CEST | 49710 | 80 | 192.168.2.5 | 178.237.33.50
Jul 3, 2024 17:51:29.589323044 CEST | 49710 | 80 | 192.168.2.5 | 178.237.33.50
Jul 3, 2024 17:51:34.401810884 CEST | 49710 | 80 | 192.168.2.5 | 178.237.33.50
Jul 3, 2024 17:51:36.522989035 CEST | 7983 | 49708 | 204.10.160.230 | 192.168.2.5
Jul 3, 2024 17:51:36.527506113 CEST | 49708 | 7983 | 192.168.2.5 | 204.10.160.230
Jul 3, 2024 17:51:36.532310009 CEST | 7983 | 49708 | 204.10.160.230 | 192.168.2.5
Jul 3, 2024 17:51:44.011195898 CEST | 49710 | 80 | 192.168.2.5 | 178.237.33.50
Jul 3, 2024 17:52:06.962016106 CEST | 7983 | 49708 | 204.10.160.230 | 192.168.2.5
Jul 3, 2024 17:52:06.963587999 CEST | 49708 | 7983 | 192.168.2.5 | 204.10.160.230
Jul 3, 2024 17:52:06.969194889 CEST | 7983 | 49708 | 204.10.160.230 | 192.168.2.5
Jul 3, 2024 17:52:37.399322033 CEST | 7983 | 49708 | 204.10.160.230 | 192.168.2.5
Jul 3, 2024 17:52:37.401345968 CEST | 49708 | 7983 | 192.168.2.5 | 204.10.160.230
Jul 3, 2024 17:52:37.406236887 CEST | 7983 | 49708 | 204.10.160.230 | 192.168.2.5
Jul 3, 2024 17:53:07.824580908 CEST | 7983 | 49708 | 204.10.160.230 | 192.168.2.5
Jul 3, 2024 17:53:07.831072092 CEST | 49708 | 7983 | 192.168.2.5 | 204.10.160.230
Jul 3, 2024 17:53:07.836406946 CEST | 7983 | 49708 | 204.10.160.230 | 192.168.2.5
Jul 3, 2024 17:53:38.380131006 CEST | 7983 | 49708 | 204.10.160.230 | 192.168.2.5
Jul 3, 2024 17:53:38.397254944 CEST | 7983 | 49708 | 204.10.160.230 | 192.168.2.5
Jul 3, 2024 17:53:38.397329092 CEST | 49708 | 7983 | 192.168.2.5 | 204.10.160.230
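The TCP table above contains two destinations: 204.10.160.230:7983, which the sample keeps talking to at roughly 30-second intervals once the initial exchange is over, and geoplugin.net (178.237.33.50:80), reached for a single HTTP request followed by a run of client packets at 17:51:25 to 17:51:44 that get no reply. Spacing of the first kind is what a beacon-period check looks for. The script below is an added example and not part of the Joe Sandbox report: it re-reads the client-to-server rows of that table (constructed here in pipe-delimited form from the report's values), collapses packets less than 5 s apart into one burst so that handshake and retransmission packets do not count as separate beacons, and rates each destination by the median interval between bursts and the relative spread of those intervals. The 5-second gap, the 4-burst minimum and the 25 % spread threshold are this example's assumptions, not values from the report.

```python
"""Beacon-period analysis over the client -> server TCP rows of a sandbox report.

Added example, not part of the Joe Sandbox report. LOG is constructed from
the report's connection table (client -> server direction only), written
pipe-delimited so it can be parsed here.
"""
import re
import statistics
from collections import defaultdict

LOG = """\
Jul 3, 2024 17:49:33.622704029 CEST|192.168.2.5|49708|204.10.160.230|7983
Jul 3, 2024 17:49:33.634251118 CEST|192.168.2.5|49708|204.10.160.230|7983
Jul 3, 2024 17:49:33.640335083 CEST|192.168.2.5|49708|204.10.160.230|7983
Jul 3, 2024 17:49:34.276812077 CEST|192.168.2.5|49708|204.10.160.230|7983
Jul 3, 2024 17:49:34.316342115 CEST|192.168.2.5|49708|204.10.160.230|7983
Jul 3, 2024 17:49:34.323838949 CEST|192.168.2.5|49708|204.10.160.230|7983
Jul 3, 2024 17:49:34.911360025 CEST|192.168.2.5|49708|204.10.160.230|7983
Jul 3, 2024 17:49:35.058058023 CEST|192.168.2.5|49708|204.10.160.230|7983
Jul 3, 2024 17:49:35.082268000 CEST|192.168.2.5|49710|178.237.33.50|80
Jul 3, 2024 17:49:35.087476969 CEST|192.168.2.5|49710|178.237.33.50|80
Jul 3, 2024 17:49:35.087579966 CEST|192.168.2.5|49710|178.237.33.50|80
Jul 3, 2024 17:49:35.727802038 CEST|192.168.2.5|49710|178.237.33.50|80
Jul 3, 2024 17:49:35.742166042 CEST|192.168.2.5|49708|204.10.160.230|7983
Jul 3, 2024 17:49:36.719913960 CEST|192.168.2.5|49710|178.237.33.50|80
Jul 3, 2024 17:50:05.337177992 CEST|192.168.2.5|49708|204.10.160.230|7983
Jul 3, 2024 17:50:35.728976011 CEST|192.168.2.5|49708|204.10.160.230|7983
Jul 3, 2024 17:51:06.123430014 CEST|192.168.2.5|49708|204.10.160.230|7983
Jul 3, 2024 17:51:25.057776928 CEST|192.168.2.5|49710|178.237.33.50|80
Jul 3, 2024 17:51:25.370642900 CEST|192.168.2.5|49710|178.237.33.50|80
Jul 3, 2024 17:51:25.979940891 CEST|192.168.2.5|49710|178.237.33.50|80
Jul 3, 2024 17:51:27.183187008 CEST|192.168.2.5|49710|178.237.33.50|80
Jul 3, 2024 17:51:29.589323044 CEST|192.168.2.5|49710|178.237.33.50|80
Jul 3, 2024 17:51:34.401810884 CEST|192.168.2.5|49710|178.237.33.50|80
Jul 3, 2024 17:51:36.527506113 CEST|192.168.2.5|49708|204.10.160.230|7983
Jul 3, 2024 17:51:44.011195898 CEST|192.168.2.5|49710|178.237.33.50|80
Jul 3, 2024 17:52:06.963587999 CEST|192.168.2.5|49708|204.10.160.230|7983
Jul 3, 2024 17:52:37.401345968 CEST|192.168.2.5|49708|204.10.160.230|7983
Jul 3, 2024 17:53:07.831072092 CEST|192.168.2.5|49708|204.10.160.230|7983
Jul 3, 2024 17:53:38.397329092 CEST|192.168.2.5|49708|204.10.160.230|7983
"""

_TIME = re.compile(r"(\d{2}):(\d{2}):(\d{2})\.(\d+)")


def to_seconds(ts: str) -> float:
    """Seconds since midnight, keeping the report's nanosecond fraction.
    Assumes every row falls on the same day, which holds for this capture."""
    m = _TIME.search(ts)
    if m is None:
        raise ValueError(f"no HH:MM:SS.frac in {ts!r}")
    h, mi, s, frac = m.groups()
    return int(h) * 3600 + int(mi) * 60 + int(s) + int(frac) / 10 ** len(frac)


def parse_log(text: str):
    """Yield (dst_ip, dst_port, t_seconds) for each client -> server packet."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _src_ip, _src_port, dst_ip, dst_port = line.split("|")
        yield dst_ip, int(dst_port), to_seconds(ts)


def burst_starts(times, gap: float = 5.0):
    """Collapse packets less than `gap` seconds apart into one burst (a
    handshake, a keep-alive round trip, or a retransmission train) and
    return the start time of each burst."""
    starts, last = [], None
    for t in sorted(times):
        if last is None or t - last > gap:
            starts.append(t)
        last = t
    return starts


def analyse(text: str, gap: float = 5.0, min_bursts: int = 4, max_spread: float = 0.25):
    """Per destination (ip, port): burst count, median inter-burst period,
    relative spread (max - min) / median, and a periodic-beacon verdict.
    Thresholds are assumptions chosen for this example."""
    by_peer = defaultdict(list)
    for dst_ip, dst_port, t in parse_log(text):
        by_peer[(dst_ip, dst_port)].append(t)
    result = {}
    for peer, times in by_peer.items():
        starts = burst_starts(times, gap)
        deltas = [b - a for a, b in zip(starts, starts[1:])]
        verdict = {"bursts": len(starts), "median_period": None, "spread": None, "periodic": False}
        if len(starts) >= min_bursts:
            median = statistics.median(deltas)
            spread = (max(deltas) - min(deltas)) / median
            verdict.update(median_period=median, spread=spread, periodic=spread <= max_spread)
        result[peer] = verdict
    return result


if __name__ == "__main__":
    for peer, verdict in analyse(LOG).items():
        print(peer, verdict)
```

Run on the rows above it rates 204.10.160.230:7983 as periodic with nine bursts and a median period a little over 30 s, while 178.237.33.50:80 yields three bursts (the HTTP request, the unanswered train whose gaps roughly double from 0.3 s to 4.8 s, and the final packet 9.6 s later) and never reaches the burst minimum. On sensor data you would feed flow-start records instead of individual packets, but the burst step remains the part worth keeping: without it, the retransmission train alone would look like a second beaconing peer.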
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 3, 2024 17:49:35.068299055 CEST | 64881 | 53 | 192.168.2.5 | 1.1.1.1
Jul 3, 2024 17:49:35.075187922 CEST | 53 | 64881 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 3, 2024 17:49:35.068299055 CEST | 192.168.2.5 | 1.1.1.1 | 0x5dc6 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 3, 2024 17:49:35.075187922 CEST | 1.1.1.1 | 192.168.2.5 | 0x5dc6 | No error (0) | geoplugin.net |  | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                  • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49710 | 178.237.33.50 | 80 | 7364 | C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe
Timestamp | Bytes transferred | Direction | Data
Jul 3, 2024 17:49:35.087579966 CEST | 71 | OUT |
GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Jul 3, 2024 17:49:35.727715969 CEST | 1170 | IN |
HTTP/1.1 200 OK
date: Wed, 03 Jul 2024 15:49:35 GMT
server: Apache
content-length: 962
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
                  Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 32 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED]
                  Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}



                  Target ID:0
                  Start time:11:49:29
                  Start date:03/07/2024
                  Path:C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe"
                  Imagebase:0xd20000
                  File size:1'030'664 bytes
                  MD5 hash:AE9E6FFDC6B75B93D96748B6E2801096
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2071631158.00000000042AA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2071631158.00000000042AA000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                  Reputation:low
                  Has exited:true

                  Target ID:3
                  Start time:11:49:30
                  Start date:03/07/2024
                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe"
                  Imagebase:0xd90000
                  File size:433'152 bytes
                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:4
                  Start time:11:49:30
                  Start date:03/07/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff6d64d0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:5
                  Start time:11:49:30
                  Start date:03/07/2024
                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PQHcRKfCm.exe"
                  Imagebase:0xd90000
                  File size:433'152 bytes
                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:6
                  Start time:11:49:31
                  Start date:03/07/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff6d64d0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:7
                  Start time:11:49:31
                  Start date:03/07/2024
                  Path:C:\Windows\SysWOW64\schtasks.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PQHcRKfCm" /XML "C:\Users\user\AppData\Local\Temp\tmp319C.tmp"
                  Imagebase:0x8b0000
                  File size:187'904 bytes
                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:8
                  Start time:11:49:31
                  Start date:03/07/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff6d64d0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:9
                  Start time:11:49:32
                  Start date:03/07/2024
                  Path:C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe"
                  Imagebase:0x2e0000
                  File size:1'030'664 bytes
                  MD5 hash:AE9E6FFDC6B75B93D96748B6E2801096
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:low
                  Has exited:true

                  Target ID:10
                  Start time:11:49:32
                  Start date:03/07/2024
                  Path:C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe"
                  Imagebase:0x760000
                  File size:1'030'664 bytes
                  MD5 hash:AE9E6FFDC6B75B93D96748B6E2801096
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.4481027121.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:low
                  Has exited:false

                  Target ID:11
                  Start time:11:49:33
                  Start date:03/07/2024
                  Path:C:\Users\user\AppData\Roaming\PQHcRKfCm.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\AppData\Roaming\PQHcRKfCm.exe
                  Imagebase:0x520000
                  File size:1'030'664 bytes
                  MD5 hash:AE9E6FFDC6B75B93D96748B6E2801096
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.2113634237.0000000003B0B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000B.00000002.2113634237.0000000003B0B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                  Antivirus matches:
                  • Detection: 100%, Joe Sandbox ML
                  • Detection: 39%, ReversingLabs
                  Reputation:low
                  Has exited:true

                  Target ID:12
                  Start time:11:49:33
                  Start date:03/07/2024
                  Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                  Imagebase:0x7ff6ef0c0000
                  File size:496'640 bytes
                  MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                  Has elevated privileges:true
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:13
                  Start time:11:49:35
                  Start date:03/07/2024
                  Path:C:\Windows\SysWOW64\schtasks.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PQHcRKfCm" /XML "C:\Users\user\AppData\Local\Temp\tmp4459.tmp"
                  Imagebase:0x8b0000
                  File size:187'904 bytes
                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:14
                  Start time:11:49:36
                  Start date:03/07/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff6d64d0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:15
                  Start time:11:49:36
                  Start date:03/07/2024
                  Path:C:\Users\user\AppData\Roaming\PQHcRKfCm.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\AppData\Roaming\PQHcRKfCm.exe"
                  Imagebase:0xd30000
                  File size:1'030'664 bytes
                  MD5 hash:AE9E6FFDC6B75B93D96748B6E2801096
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.2088942310.00000000012BA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                  • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows executables potentially bypassing UAC using eventvwr.exe, Source: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                  Reputation:low
                  Has exited:true
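The process records above show the defence-evasion and persistence steps in the order they ran: powershell.exe adds Defender exclusions for the original sample and for the dropped copy C:\Users\user\AppData\Roaming\PQHcRKfCm.exe, schtasks.exe registers the task Updates\PQHcRKfCm from an XML file written to the user's Temp directory, and the dropped copy then runs as its own process. The script below is an added example, not part of the Joe Sandbox report or of any Sigma or Yara rule the report cites: it parses a constructed excerpt of these records (the report's own key:value layout, reduced to Target ID, Path and Commandline) and applies three checks: an Add-MpPreference -ExclusionPath call, a schtasks /Create whose /XML definition lives under AppData\Local\Temp, and a process whose image path is one of the excluded paths. The rule names and the choice of fields are this example's own.

```python
"""Defender-exclusion and scheduled-task checks over sandbox process records.

Added example, not part of the Joe Sandbox report. RECORDS is a constructed
excerpt of the report's "Target ID" entries (key:value lines, one blank line
between processes), keeping only the fields the rules need.
"""
import re

RECORDS = r"""
Target ID:0
Path:C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe
Commandline:"C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe"

Target ID:3
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice__Swift-MT103.pdf.bat.exe"

Target ID:5
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PQHcRKfCm.exe"

Target ID:7
Path:C:\Windows\SysWOW64\schtasks.exe
Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PQHcRKfCm" /XML "C:\Users\user\AppData\Local\Temp\tmp319C.tmp"

Target ID:11
Path:C:\Users\user\AppData\Roaming\PQHcRKfCm.exe
Commandline:C:\Users\user\AppData\Roaming\PQHcRKfCm.exe

Target ID:13
Path:C:\Windows\SysWOW64\schtasks.exe
Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PQHcRKfCm" /XML "C:\Users\user\AppData\Local\Temp\tmp4459.tmp"

Target ID:15
Path:C:\Users\user\AppData\Roaming\PQHcRKfCm.exe
Commandline:"C:\Users\user\AppData\Roaming\PQHcRKfCm.exe"
"""


def parse_records(text: str):
    """Split the key:value blocks into one dict per process; the first ':' on a
    line separates key from value, so drive letters in paths survive."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        records.append(rec)
    return records


def _arg(cmd: str, flag: str):
    """Value following `flag` on a command line, quoted or bare; None if absent."""
    m = re.search(re.escape(flag) + r'\s+(?:"([^"]+)"|(\S+))', cmd, re.I)
    return (m.group(1) or m.group(2)) if m else None


def findings(records):
    """Apply the three rules; each finding is (rule, target id, detail)."""
    out, excluded = [], set()
    for rec in records:
        tid, cmd = rec.get("Target ID"), rec.get("Commandline", "")
        # Rule 1: a Defender path exclusion added from the command line.
        if re.search(r"\bAdd-MpPreference\b", cmd, re.I):
            path = _arg(cmd, "-ExclusionPath")
            if path:
                excluded.add(path.lower())
                out.append(("defender_exclusion", tid, path))
        # Rule 2: a scheduled task created from an XML definition in the user's Temp.
        if re.search(r"\bschtasks(?:\.exe)?\b.*?/Create\b", cmd, re.I):
            xml = _arg(cmd, "/XML")
            if xml and "\\appdata\\local\\temp\\" in xml.lower():
                out.append(("task_from_temp_xml", tid, f"{_arg(cmd, '/TN')} <- {xml}"))
    # Rule 3: an excluded path is itself a process image seen in the trace.
    for rec in records:
        if rec.get("Path", "").lower() in excluded:
            out.append(("excluded_binary_ran", rec.get("Target ID"), rec["Path"]))
    return out


if __name__ == "__main__":
    for rule, tid, detail in findings(parse_records(RECORDS)):
        print(f"{rule:22} target {tid:>2}  {detail}")
```

On the excerpt this yields two exclusion findings (targets 3 and 5), two task findings (targets 7 and 13, both pointing the task at an XML file in Temp) and three excluded-binary findings (targets 0, 11 and 15). The third rule is the one that turns two individually noisy events into a clear signal: an exclusion on its own can be an administrator's doing, but an exclusion whose path is a freshly dropped executable in AppData\Roaming that then runs is the sequence seen here.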


                    Execution Graph

                    Execution Coverage:10.8%
                    Dynamic/Decrypted Code Coverage:100%
                    Signature Coverage:1.3%
                    Total number of Nodes:302
                    Total number of Limit Nodes:20
[Execution graph: node and edge listing omitted. API calls resolved in the graph: CreateProcessA, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext, ResumeThread (the create / allocate / write / set-context / resume sequence typical of PE injection into a child process), LoadLibraryExW, GetModuleHandleW, DuplicateHandle, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, CreateActCtxA, PostMessageW, DrawTextExW.]

                    Control-flow Graph

[Control-flow graph for the function at 78b7a78: basic-block edge listing omitted.]
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2076818483.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_78b0000_Payment Advice__Swift-MT103.jbxd
                    Similarity
                    • API ID:
                    • String ID: <$<
                    • API String ID: 0-213342407
                    • Opcode ID: 94213835d490c075d04b3fb30e50a797445831b463ae8807b634f8fc34cc6ca8
                    • Instruction ID: 930ca4438271b7f6100de8a398c11838efdbf32d71feb3b4bf404112fff185a2
                    • Opcode Fuzzy Hash: 94213835d490c075d04b3fb30e50a797445831b463ae8807b634f8fc34cc6ca8
                    • Instruction Fuzzy Hash: D261F1B0E1521ADFCB28CF9AC8446EEBBB6FF99304F10906AD405A7361DB345A45CF90

                    Control-flow Graph

                    control_flow_graph 613 78b41c0-78b41d0 614 78b41dc-78b41f9 613->614 615 78b41d2-78b41db 613->615 619 78b428a-78b4298 614->619 616 78b422c-78b422e 615->616 754 78b4231 call 78b9940 616->754 755 78b4231 call 78b9950 616->755 618 78b4234-78b4236 620 78b4238-78b4243 618->620 621 78b427d-78b4283 618->621 624 78b41fe-78b4209 619->624 625 78b429e-78b42a0 619->625 627 78b4252-78b4258 620->627 628 78b4245-78b424a 620->628 621->619 622 78b4285 621->622 622->619 636 78b420b-78b4210 624->636 637 78b4218-78b421e 624->637 748 78b42a3 call 78b445b 625->748 749 78b42a3 call 78b4468 625->749 750 78b42a3 call 78b43e0 625->750 751 78b42a3 call 78b4190 625->751 752 78b42a3 call 78b41b0 625->752 753 78b42a3 call 78b41c0 625->753 629 78b425e-78b4271 call 78b3920 627->629 630 78b43d5-78b43ec 627->630 628->627 629->621 642 78b4273-78b427c 629->642 649 78b43ee-78b440a 630->649 650 78b446c-78b448c 630->650 632 78b42a9-78b42c2 633 78b42cc-78b42d6 632->633 634 78b42c4-78b42c6 632->634 644 78b42dc-78b42ef 633->644 645 78b43a6-78b43c3 call 78b3930 633->645 634->633 636->637 637->630 638 78b4224-78b422a 637->638 638->616 648 78b42f0-78b42f3 644->648 664 78b43ca-78b43d4 645->664 652 78b42f7-78b42fa 648->652 653 78b42f5 648->653 658 78b4448-78b4450 649->658 659 78b440c-78b443d 649->659 665 78b448e-78b4492 650->665 666 78b44b4-78b44e9 call 78b3940 650->666 654 78b42fc 652->654 655 78b4303-78b430e 652->655 653->652 654->655 667 78b431d-78b4323 655->667 668 78b4310-78b4315 655->668 659->658 665->666 669 78b4494-78b4498 665->669 707 78b44ee-78b44f7 666->707 667->630 670 78b4329-78b433c 667->670 668->667 673 78b449a-78b449f 669->673 674 78b44f8-78b4501 669->674 677 78b4349-78b4350 670->677 678 78b433e-78b4347 670->678 673->666 676 78b44a1-78b44b2 673->676 684 78b457f-78b458c 674->684 685 78b4503-78b4539 call 78b3950 674->685 676->666 677->648 683 78b4352-78b4354 677->683 678->683 686 78b4398-78b43a4 call 78b3930 683->686 687 78b4356-78b4396 call 78b3930 * 2 683->687 689 
78b4593-78b4595 684->689 690 78b458e call 78b3960 684->690 686->664 687->664 692 78b4597-78b45a4 689->692 693 78b45a5-78b45be 689->693 690->689 708 78b45c0-78b45c1 693->708 709 78b45c5-78b4624 693->709 712 78b463f-78b4651 708->712 713 78b45c3 708->713 719 78b468f-78b4693 709->719 720 78b4626-78b463d 709->720 717 78b4653-78b4655 712->717 718 78b4681 712->718 713->709 723 78b4677-78b467f 717->723 724 78b4657-78b4661 717->724 725 78b4686-78b4689 718->725 726 78b46be-78b46fd 719->726 727 78b4695-78b46b8 719->727 720->712 723->725 729 78b4663 724->729 730 78b4665-78b4673 724->730 725->719 735 78b46ff-78b4705 726->735 736 78b4706-78b471b 726->736 727->726 729->730 730->730 733 78b4675 730->733 733->723 735->736 740 78b471d-78b4729 736->740 741 78b4731-78b4758 736->741 740->741 744 78b475a-78b475e 741->744 745 78b4768 741->745 744->745 746 78b4760 744->746 747 78b4769 745->747 746->745 747->747 748->632 749->632 750->632 751->632 752->632 753->632 754->618 755->618
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2076818483.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_78b0000_Payment Advice__Swift-MT103.jbxd
                    Similarity
                    • API ID:
                    • String ID: @
                    • API String ID: 0-2766056989
                    • Opcode ID: b2c1cf90a6d8186b499b677810bf48d911bc0f43df49d437e0cf0fd1ecc43053
                    • Instruction ID: a1c2ded6a499bf0fa49faf506a774d0288225de7923a94db0aa9205004ba5ea6
                    • Opcode Fuzzy Hash: b2c1cf90a6d8186b499b677810bf48d911bc0f43df49d437e0cf0fd1ecc43053
                    • Instruction Fuzzy Hash: B80291B1E002598FDB24DFA8C485AEEBBF1EF89314F158469D409EB352DB349C45CB92
                    Memory Dump Source
                    • Source File: 00000000.00000002.2076818483.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_78b0000_Payment Advice__Swift-MT103.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a27727c11fde4627615d1e602f83c4e0c3c8bebdcfc5da6e37c83d2c7751eac7
                    • Instruction ID: 4d1bd413c552fd0c5966029a8f774413e629cd5b9e04ee391c90550ae196f7ca
                    • Opcode Fuzzy Hash: a27727c11fde4627615d1e602f83c4e0c3c8bebdcfc5da6e37c83d2c7751eac7
                    • Instruction Fuzzy Hash: B772A271D1162ACBCB24EF68C894ADDF7B1FF59300F1086AAD449B7250EB306A85CF91
                    Memory Dump Source
                    • Source File: 00000000.00000002.2076818483.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_78b0000_Payment Advice__Swift-MT103.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 48a31620262336ac6dd53d583e432277d77ba5abdb88c2314a4a3a0fec85b9c1
                    • Instruction ID: 1c58c28290212d76c22a162cdee22e50506c53ab24d3aaa095cdb913a0e4e6c8
                    • Opcode Fuzzy Hash: 48a31620262336ac6dd53d583e432277d77ba5abdb88c2314a4a3a0fec85b9c1
                    • Instruction Fuzzy Hash: 1332B271D1122ACFCB25DF68C890BEDB7B1BF99300F5086A9D509B7250EB706A85CF51
                    Memory Dump Source
                    • Source File: 00000000.00000002.2076818483.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_78b0000_Payment Advice__Swift-MT103.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2fa4ebe442e7844eca24ae27f585037194a4db3bbf5a763749eca886ea691cc4
                    • Instruction ID: 1413369d0d90a187256bf305f54aa5d8fd0412db1de049718d092a54f459d829
                    • Opcode Fuzzy Hash: 2fa4ebe442e7844eca24ae27f585037194a4db3bbf5a763749eca886ea691cc4
                    • Instruction Fuzzy Hash: 1DF190B5D012298FDB24DFA9C880BDDF7B1BF99300F1085AAD459B7250EB706A85CF51
                    Memory Dump Source
                    • Source File: 00000000.00000002.2070383145.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3070000_Payment Advice__Swift-MT103.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: dd875ec475dd4fbdb003daf58e8152d00793497ab3db95e6cc1b64dcc3b8bfa6
                    • Instruction ID: 9b09118e95225c6e53d5aa6ba3c5479fe503444907c6e589abf3c662b1d305ca
                    • Opcode Fuzzy Hash: dd875ec475dd4fbdb003daf58e8152d00793497ab3db95e6cc1b64dcc3b8bfa6
                    • Instruction Fuzzy Hash: D72126B1D056188BEB18CF96C9447EEBBF6AFC8300F18C16AD408B7264DB7405458F60
                    Memory Dump Source
                    • Source File: 00000000.00000002.2070383145.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3070000_Payment Advice__Swift-MT103.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c3b27d6a8d27769d305385231b1785756a4db5fd806a919b443238914f53f1c5
                    • Instruction ID: 52bf1b36d50d6534fec6941cd4c02770a97bc8826d40ca345dfd57ad94486c2c
                    • Opcode Fuzzy Hash: c3b27d6a8d27769d305385231b1785756a4db5fd806a919b443238914f53f1c5
                    • Instruction Fuzzy Hash: 6A21D3B1D056188BEB58CFABC9447EEFEF6AFC8300F14C16AD409B6264DB7409458F94

                    Control-flow Graph

                    control_flow_graph 294 304d858-304d8e7 GetCurrentProcess 298 304d8f0-304d924 GetCurrentThread 294->298 299 304d8e9-304d8ef 294->299 300 304d926-304d92c 298->300 301 304d92d-304d961 GetCurrentProcess 298->301 299->298 300->301 303 304d963-304d969 301->303 304 304d96a-304d982 301->304 303->304 307 304d98b-304d9ba GetCurrentThreadId 304->307 308 304d9c3-304da25 307->308 309 304d9bc-304d9c2 307->309 309->308
                    APIs
                    • GetCurrentProcess.KERNEL32 ref: 0304D8D6
                    • GetCurrentThread.KERNEL32 ref: 0304D913
                    • GetCurrentProcess.KERNEL32 ref: 0304D950
                    • GetCurrentThreadId.KERNEL32 ref: 0304D9A9
                    Memory Dump Source
                    • Source File: 00000000.00000002.2070255280.0000000003040000.00000040.00000800.00020000.00000000.sdmp, Offset: 03040000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3040000_Payment Advice__Swift-MT103.jbxd
                    Similarity
                    • API ID: Current$ProcessThread
                    • String ID:
                    • API String ID: 2063062207-0
                    • Opcode ID: a15a429c5c15cfd5a094ec90d6b88698ab62c816b9e52d52b359ec8d7ceb42c1
                    • Instruction ID: c78707baae81933eed44c5dbf87847f7efb3bfb01cf1019b26a2c0ff04f58770
                    • Opcode Fuzzy Hash: a15a429c5c15cfd5a094ec90d6b88698ab62c816b9e52d52b359ec8d7ceb42c1
                    • Instruction Fuzzy Hash: FB5145B09013498FDB54DFA9D648BAEBBF1FF88314F248069E019A7360D7389984CB65

                    Control-flow Graph

                    control_flow_graph 432 307600c-30760ad 434 30760e6-3076106 432->434 435 30760af-30760b9 432->435 442 307613f-307616e 434->442 443 3076108-3076112 434->443 435->434 436 30760bb-30760bd 435->436 437 30760e0-30760e3 436->437 438 30760bf-30760c9 436->438 437->434 440 30760cd-30760dc 438->440 441 30760cb 438->441 440->440 444 30760de 440->444 441->440 449 30761a7-3076261 CreateProcessA 442->449 450 3076170-307617a 442->450 443->442 445 3076114-3076116 443->445 444->437 447 3076139-307613c 445->447 448 3076118-3076122 445->448 447->442 451 3076126-3076135 448->451 452 3076124 448->452 463 3076263-3076269 449->463 464 307626a-30762f0 449->464 450->449 453 307617c-307617e 450->453 451->451 454 3076137 451->454 452->451 455 30761a1-30761a4 453->455 456 3076180-307618a 453->456 454->447 455->449 458 307618e-307619d 456->458 459 307618c 456->459 458->458 460 307619f 458->460 459->458 460->455 463->464 474 30762f2-30762f6 464->474 475 3076300-3076304 464->475 474->475 478 30762f8 474->478 476 3076306-307630a 475->476 477 3076314-3076318 475->477 476->477 479 307630c 476->479 480 307631a-307631e 477->480 481 3076328-307632c 477->481 478->475 479->477 480->481 482 3076320 480->482 483 307633e-3076345 481->483 484 307632e-3076334 481->484 482->481 485 3076347-3076356 483->485 486 307635c 483->486 484->483 485->486 487 307635d 486->487 487->487
                    APIs
                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0307624E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2070383145.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3070000_Payment Advice__Swift-MT103.jbxd
                    Similarity
                    • API ID: CreateProcess
                    • String ID:
                    • API String ID: 963392458-0
                    • Opcode ID: d1c01e2ff2fba19c144c20396f03f831b6b6a2194ffc111ad92f687ed4bdc4c7
                    • Instruction ID: 4f5e093281f5fb220c87900a891c8283b42232cbf75bb624b9c1cd9029451477
                    • Opcode Fuzzy Hash: d1c01e2ff2fba19c144c20396f03f831b6b6a2194ffc111ad92f687ed4bdc4c7
                    • Instruction Fuzzy Hash: FBA16971D0161DCFEB24CF68C844BEEBBB2BF44304F1881A9D85AA7240DB769985CF95

                    Control-flow Graph

                    control_flow_graph 489 3076018-30760ad 491 30760e6-3076106 489->491 492 30760af-30760b9 489->492 499 307613f-307616e 491->499 500 3076108-3076112 491->500 492->491 493 30760bb-30760bd 492->493 494 30760e0-30760e3 493->494 495 30760bf-30760c9 493->495 494->491 497 30760cd-30760dc 495->497 498 30760cb 495->498 497->497 501 30760de 497->501 498->497 506 30761a7-3076261 CreateProcessA 499->506 507 3076170-307617a 499->507 500->499 502 3076114-3076116 500->502 501->494 504 3076139-307613c 502->504 505 3076118-3076122 502->505 504->499 508 3076126-3076135 505->508 509 3076124 505->509 520 3076263-3076269 506->520 521 307626a-30762f0 506->521 507->506 510 307617c-307617e 507->510 508->508 511 3076137 508->511 509->508 512 30761a1-30761a4 510->512 513 3076180-307618a 510->513 511->504 512->506 515 307618e-307619d 513->515 516 307618c 513->516 515->515 517 307619f 515->517 516->515 517->512 520->521 531 30762f2-30762f6 521->531 532 3076300-3076304 521->532 531->532 535 30762f8 531->535 533 3076306-307630a 532->533 534 3076314-3076318 532->534 533->534 536 307630c 533->536 537 307631a-307631e 534->537 538 3076328-307632c 534->538 535->532 536->534 537->538 539 3076320 537->539 540 307633e-3076345 538->540 541 307632e-3076334 538->541 539->538 542 3076347-3076356 540->542 543 307635c 540->543 541->540 542->543 544 307635d 543->544 544->544
                    APIs
                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0307624E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2070383145.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3070000_Payment Advice__Swift-MT103.jbxd
                    Similarity
                    • API ID: CreateProcess
                    • String ID:
                    • API String ID: 963392458-0
                    • Opcode ID: 5a3b98a066ce0bc0aa587e34801185633948197f97132f8e3d0065cbd73c3ce9
                    • Instruction ID: 69d8b77cc928b6b69722bec6e0fb4acfce873002c8df953f212b46b512afc24c
                    • Opcode Fuzzy Hash: 5a3b98a066ce0bc0aa587e34801185633948197f97132f8e3d0065cbd73c3ce9
                    • Instruction Fuzzy Hash: AF915971D0161D8FEB24CF68C844BEEBBF2BF44314F0881A9D85AA7240DB759985CF95

                    Control-flow Graph

                    control_flow_graph 546 304b5bf-304b5c8 547 304b577-304b59d 546->547 548 304b5ca-304b5df 546->548 563 304b5ac-304b5b4 547->563 564 304b59f-304b5aa 547->564 549 304b5e1-304b5ee call 3048b1c 548->549 550 304b60b-304b60f 548->550 556 304b604 549->556 557 304b5f0 549->557 552 304b611-304b61b 550->552 553 304b623-304b664 550->553 552->553 561 304b666-304b66e 553->561 562 304b671-304b67f 553->562 556->550 608 304b5f6 call 304b8bc 557->608 609 304b5f6 call 304b858 557->609 610 304b5f6 call 304b868 557->610 561->562 566 304b681-304b686 562->566 567 304b6a3-304b6a5 562->567 565 304b5b7-304b5bc 563->565 564->565 569 304b691 566->569 570 304b688-304b68f call 304afd4 566->570 572 304b6a8-304b6af 567->572 568 304b5fc-304b5fe 568->556 571 304b740-304b800 568->571 574 304b693-304b6a1 569->574 570->574 603 304b802-304b805 571->603 604 304b808-304b833 GetModuleHandleW 571->604 575 304b6b1-304b6b9 572->575 576 304b6bc-304b6c3 572->576 574->572 575->576 578 304b6c5-304b6cd 576->578 579 304b6d0-304b6d9 call 304afe4 576->579 578->579 584 304b6e6-304b6eb 579->584 585 304b6db-304b6e3 579->585 586 304b6ed-304b6f4 584->586 587 304b709-304b70d 584->587 585->584 586->587 589 304b6f6-304b706 call 304aff4 call 304b004 586->589 611 304b710 call 304bb68 587->611 612 304b710 call 304bb59 587->612 589->587 592 304b713-304b716 594 304b718-304b736 592->594 595 304b739-304b73f 592->595 594->595 603->604 605 304b835-304b83b 604->605 606 304b83c-304b850 604->606 605->606 608->568 609->568 610->568 611->592 612->592
                    APIs
                    • GetModuleHandleW.KERNELBASE(00000000), ref: 0304B826
                    Memory Dump Source
                    • Source File: 00000000.00000002.2070255280.0000000003040000.00000040.00000800.00020000.00000000.sdmp, Offset: 03040000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3040000_Payment Advice__Swift-MT103.jbxd
                    Similarity
                    • API ID: HandleModule
                    • String ID:
                    • API String ID: 4139908857-0
                    • Opcode ID: 5cf07576e5b4690e5a9b2a5368dd4c7870ab08d74b3861416ae8f615daa55925
                    • Instruction ID: 3ecdfb80adf66783f123a8daece2296d4a2664c154916450b9efbcda69fd5661
                    • Opcode Fuzzy Hash: 5cf07576e5b4690e5a9b2a5368dd4c7870ab08d74b3861416ae8f615daa55925
                    • Instruction Fuzzy Hash: 559199B0A017058FDB64DF29D04079ABBF5FF88300F04896ED086DBA50D779EA49CB91

                    Control-flow Graph

                    control_flow_graph 864 3045d0d-3045d16 865 3045d18-3045dd9 CreateActCtxA 864->865 867 3045de2-3045e3c 865->867 868 3045ddb-3045de1 865->868 875 3045e3e-3045e41 867->875 876 3045e4b-3045e4f 867->876 868->867 875->876 877 3045e60 876->877 878 3045e51-3045e5d 876->878 879 3045e61 877->879 878->877 879->879
                    APIs
                    • CreateActCtxA.KERNEL32(?), ref: 03045DC9
                    Memory Dump Source
                    • Source File: 00000000.00000002.2070255280.0000000003040000.00000040.00000800.00020000.00000000.sdmp, Offset: 03040000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3040000_Payment Advice__Swift-MT103.jbxd
                    Similarity
                    • API ID: Create
                    • String ID:
                    • API String ID: 2289755597-0
                    • Opcode ID: 13d45e8c6fa5b6a3cf7140a0a82ec08fcab83870d13058041d972edeb751b125
                    • Instruction ID: 04c7c26ec39c23e8a9d63ba344a37b25ba1a4bf7ae8109579feedc6bf8c9100a
                    • Opcode Fuzzy Hash: 13d45e8c6fa5b6a3cf7140a0a82ec08fcab83870d13058041d972edeb751b125
                    • Instruction Fuzzy Hash: 1F4102B0C00619CFDB24DFA9C884BDEBBF5BF49704F20816AD408AB255DB756946CF91

                    Control-flow Graph

                    control_flow_graph 881 3044524-3045dd9 CreateActCtxA 884 3045de2-3045e3c 881->884 885 3045ddb-3045de1 881->885 892 3045e3e-3045e41 884->892 893 3045e4b-3045e4f 884->893 885->884 892->893 894 3045e60 893->894 895 3045e51-3045e5d 893->895 896 3045e61 894->896 895->894 896->896
                    APIs
                    • CreateActCtxA.KERNEL32(?), ref: 03045DC9
                    Memory Dump Source
                    • Source File: 00000000.00000002.2070255280.0000000003040000.00000040.00000800.00020000.00000000.sdmp, Offset: 03040000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3040000_Payment Advice__Swift-MT103.jbxd
                    Similarity
                    • API ID: Create
                    • String ID:
                    • API String ID: 2289755597-0
                    • Opcode ID: 7abd972e08fb4248cc6b83e39214aeed9ff7bc6995621558f84dbfd95e4d15c7
                    • Instruction ID: 1dec3e212f8a6267782817cfa9ab58a4fe1dbdf1fba7a6ac2b7d11c3a6121d71
                    • Opcode Fuzzy Hash: 7abd972e08fb4248cc6b83e39214aeed9ff7bc6995621558f84dbfd95e4d15c7
                    • Instruction Fuzzy Hash: 4741F1B0C0061DCFDB24DFA9C844B9EBBF5BF49704F20806AD418AB255DBB56946CF91

                    Control-flow Graph

                    control_flow_graph 898 78b6c20-78b6c22 899 78b6c29-78b6c74 898->899 900 78b6c24-78b6c27 898->900 901 78b6c7f-78b6c8e 899->901 902 78b6c76-78b6c7c 899->902 900->899 903 78b6c93-78b6ccc DrawTextExW 901->903 904 78b6c90 901->904 902->901 905 78b6cce-78b6cd4 903->905 906 78b6cd5-78b6cf2 903->906 904->903 905->906
                    APIs
                    • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,078B6C0D,?,?), ref: 078B6CBF
                    Memory Dump Source
                    • Source File: 00000000.00000002.2076818483.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_78b0000_Payment Advice__Swift-MT103.jbxd
                    Similarity
                    • API ID: DrawText
                    • String ID:
                    • API String ID: 2175133113-0
                    • Opcode ID: 1778c9dd3416ad61b7b76ebbe8abfcb9b9e113bb6533c98233fd7f0729d6c387
                    • Instruction ID: 713397c0e6e379105d5e3a585f97ad8621cb4e4880d210d54bbecdf0bd2cd8cc
                    • Opcode Fuzzy Hash: 1778c9dd3416ad61b7b76ebbe8abfcb9b9e113bb6533c98233fd7f0729d6c387
                    • Instruction Fuzzy Hash: BD31F1B59002099FDB10CF9AD984AEEBBF5EB58320F14842AE919E7310D774A944CFA1

                    Control-flow Graph

                    control_flow_graph 909 78b660c-78b6c74 912 78b6c7f-78b6c8e 909->912 913 78b6c76-78b6c7c 909->913 914 78b6c93-78b6ccc DrawTextExW 912->914 915 78b6c90 912->915 913->912 916 78b6cce-78b6cd4 914->916 917 78b6cd5-78b6cf2 914->917 915->914 916->917
                    APIs
                    • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,078B6C0D,?,?), ref: 078B6CBF
                    Memory Dump Source
                    • Source File: 00000000.00000002.2076818483.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_78b0000_Payment Advice__Swift-MT103.jbxd
                    Similarity
                    • API ID: DrawText
                    • String ID:
                    • API String ID: 2175133113-0
                    • Opcode ID: bb48f23e110edf62a446ef5c6f747243ed8533cd5c23549fc3d51a07da5511a1
                    • Instruction ID: 88c3cfd8739e1baf2e5a69da20066b4ba286f6f82dc93883376bab27b08629df
                    • Opcode Fuzzy Hash: bb48f23e110edf62a446ef5c6f747243ed8533cd5c23549fc3d51a07da5511a1
                    • Instruction Fuzzy Hash: AE31C3B5D002099FDB10DF9AD984AEEFBF5FB58320F14842AE919A7310D774A944CFA4
                    APIs
                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 03075E20
                    Memory Dump Source
                    • Source File: 00000000.00000002.2070383145.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3070000_Payment Advice__Swift-MT103.jbxd
                    Similarity
                    • API ID: MemoryProcessWrite
                    • String ID:
                    • API String ID: 3559483778-0
                    • Opcode ID: 7b6c546c2d9770ca9bbc34c927a4f7d6550b7c32eb21486bbde94fa0e40fd234
                    • Instruction ID: d92f076995b59d81ea095c07ed1b3627a86f0039e0079df741b0886cbb590ba7
                    • Opcode Fuzzy Hash: 7b6c546c2d9770ca9bbc34c927a4f7d6550b7c32eb21486bbde94fa0e40fd234
                    • Instruction Fuzzy Hash: 432135B1D003599FDB10CFA9C885BEEBBF5FF49310F14842AE918A7240C778A944CBA5
                    APIs
                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 03075E20
                    Memory Dump Source
                    • Source File: 00000000.00000002.2070383145.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3070000_Payment Advice__Swift-MT103.jbxd
                    Similarity
                    • API ID: MemoryProcessWrite
                    • String ID:
                    • API String ID: 3559483778-0
                    • Opcode ID: 1fea7df833445b49e80b4a42f9abe9575047a482f53405245a7a69f31f312517
                    • Instruction ID: a568f3b85222b49170cf425f14c1a4c1df40d571915b1710565528fe7c1e2444
                    • Opcode Fuzzy Hash: 1fea7df833445b49e80b4a42f9abe9575047a482f53405245a7a69f31f312517
                    • Instruction Fuzzy Hash: 832125B1D003499FDB10DFAAC885BEEBBF5FF48310F10842AE919A7240C7789944CBA4
                    APIs
                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0307583E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2070383145.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3070000_Payment Advice__Swift-MT103.jbxd
                    Similarity
                    • API ID: ContextThreadWow64
                    • String ID:
                    • API String ID: 983334009-0
                    • Opcode ID: 891f0d5f0ae6b5e666af64f5945fab01603dd7098146c6c17e63eda1666fb353
                    • Instruction ID: 7f59db11b7f10367319b2f2785f27a4c2656768f36f348d497eb97af09cf6f19
                    • Opcode Fuzzy Hash: 891f0d5f0ae6b5e666af64f5945fab01603dd7098146c6c17e63eda1666fb353
                    • Instruction Fuzzy Hash: 212143B1D002098FDB50CFAAC4857EEBBF4EF89314F14842AD419AB240CB389985CFA4
                    APIs
                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 03075F00
                    Memory Dump Source
                    • Source File: 00000000.00000002.2070383145.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3070000_Payment Advice__Swift-MT103.jbxd
                    Similarity
                    • API ID: MemoryProcessRead
                    • String ID:
                    • API String ID: 1726664587-0
                    • Opcode ID: ec5f91e5bdae53159ad0f32a6251e1f199239665e0c99508e9deedb69d71f541
                    • Instruction ID: 0776f984cde97c7c2e21109ca08e162c6a2a011f19b9d978c2dcb312230b34b3
                    • Opcode Fuzzy Hash: ec5f91e5bdae53159ad0f32a6251e1f199239665e0c99508e9deedb69d71f541
                    • Instruction Fuzzy Hash: 662116B1C013599FDB10DFAAC885AEEFBF5FF48310F10842AE519A7250C7389541CBA5
                    APIs
                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0307583E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2070383145.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3070000_Payment Advice__Swift-MT103.jbxd
                    Similarity
                    • API ID: ContextThreadWow64
                    • String ID:
                    • API String ID: 983334009-0
                    • Opcode ID: 99eff7249247f34b1b9273ce88fdbbda87e8e17c8f457653ece45be554aed791
                    • Instruction ID: 4534d540d5a6d1b2abc74882d84531cca42fc99de4cca94fff1e9fec003f5408
                    • Opcode Fuzzy Hash: 99eff7249247f34b1b9273ce88fdbbda87e8e17c8f457653ece45be554aed791
                    • Instruction Fuzzy Hash: C92115B1D002098FDB50DFAAC885BEEFBF4EF49314F14842AD519A7240DB78A945CFA5
                    APIs
                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 03075F00
                    Memory Dump Source
                    • Source File: 00000000.00000002.2070383145.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3070000_Payment Advice__Swift-MT103.jbxd
                    Similarity
                    • API ID: MemoryProcessRead
                    • String ID:
                    • API String ID: 1726664587-0
                    • Opcode ID: 080ed1444854138ab3574633686da4d738dd0c7d41fd26ef5b57124f741751ef
                    • Instruction ID: cbbf08994e14e6290d9909d9e0baadb41c92dfecfbbf786cfd792492b567dd7b
                    • Opcode Fuzzy Hash: 080ed1444854138ab3574633686da4d738dd0c7d41fd26ef5b57124f741751ef
                    • Instruction Fuzzy Hash: 552137B1C003499FDB10DFAAC885AEEFBF5FF48310F10842AE519A7250C7389941CBA5
                    APIs
                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0304DB27
                    Memory Dump Source
                    • Source File: 00000000.00000002.2070255280.0000000003040000.00000040.00000800.00020000.00000000.sdmp, Offset: 03040000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3040000_Payment Advice__Swift-MT103.jbxd
                    Similarity
                    • API ID: DuplicateHandle
                    • String ID:
                    • API String ID: 3793708945-0
                    APIs
                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 03075D3E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2070383145.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3070000_Payment Advice__Swift-MT103.jbxd
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    APIs
                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0304B8A1,00000800,00000000,00000000), ref: 0304BAB2
                    Memory Dump Source
                    • Source File: 00000000.00000002.2070255280.0000000003040000.00000040.00000800.00020000.00000000.sdmp, Offset: 03040000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3040000_Payment Advice__Swift-MT103.jbxd
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    APIs
                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0304B8A1,00000800,00000000,00000000), ref: 0304BAB2
                    Memory Dump Source
                    • Source File: 00000000.00000002.2070255280.0000000003040000.00000040.00000800.00020000.00000000.sdmp, Offset: 03040000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3040000_Payment Advice__Swift-MT103.jbxd
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    APIs
                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 03075D3E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2070383145.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3070000_Payment Advice__Swift-MT103.jbxd
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2070383145.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3070000_Payment Advice__Swift-MT103.jbxd
                    Similarity
                    • API ID: ResumeThread
                    • String ID:
                    • API String ID: 947044025-0
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2070383145.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3070000_Payment Advice__Swift-MT103.jbxd
                    Similarity
                    • API ID: ResumeThread
                    • String ID:
                    • API String ID: 947044025-0
                    APIs
                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 0307A8ED
                    Memory Dump Source
                    • Source File: 00000000.00000002.2070383145.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3070000_Payment Advice__Swift-MT103.jbxd
                    Similarity
                    • API ID: MessagePost
                    • String ID:
                    • API String ID: 410705778-0
                    APIs
                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 0307A8ED
                    Memory Dump Source
                    • Source File: 00000000.00000002.2070383145.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3070000_Payment Advice__Swift-MT103.jbxd
                    Similarity
                    • API ID: MessagePost
                    • String ID:
                    • API String ID: 410705778-0
                    APIs
                    • GetModuleHandleW.KERNELBASE(00000000), ref: 0304B826
                    Memory Dump Source
                    • Source File: 00000000.00000002.2070255280.0000000003040000.00000040.00000800.00020000.00000000.sdmp, Offset: 03040000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3040000_Payment Advice__Swift-MT103.jbxd
                    Similarity
                    • API ID: HandleModule
                    • String ID:
                    • API String ID: 4139908857-0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2070383145.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3070000_Payment Advice__Swift-MT103.jbxd
                    Similarity
                    • API ID:
                    • String ID: D~AB
                    • API String ID: 0-451742676
                    • API String ID:
                    • Opcode ID: 7a69a8eacf836564f259746956e717edfaac11cdac737e299ab20d0d22eadaf2
                    • Instruction ID: 8985a517c51bac93581d4fadb753625246a7151260e1033309bd51b7034b075d
                    • Opcode Fuzzy Hash: 7a69a8eacf836564f259746956e717edfaac11cdac737e299ab20d0d22eadaf2
                    • Instruction Fuzzy Hash: D021CAB1D016188BDB28DF6BD8482DDBBB3EFC9311F14C1BAC508A6264DB340985CF45

                    Execution Graph

                    Execution Coverage:10.5%
                    Dynamic/Decrypted Code Coverage:100%
                    Signature Coverage:0%
                    Total number of Nodes:314
                    Total number of Limit Nodes:15
                    execution_graph 51669 282daa0 DuplicateHandle 51670 282db36 51669->51670 51794 282d740 51795 282d74d 51794->51795 51796 282d787 51795->51796 51798 282d098 51795->51798 51799 282d09d 51798->51799 51801 282e098 51799->51801 51802 282d1c4 51799->51802 51801->51801 51803 282d1cf 51802->51803 51804 28277e0 2 API calls 51803->51804 51805 282e507 51804->51805 51805->51801 51806 2a44770 51807 2a447e2 51806->51807 51808 2a4488c 51806->51808 51810 2a4483a CallWindowProcW 51807->51810 51811 2a447e9 51807->51811 51809 2a4055c CallWindowProcW 51808->51809 51809->51811 51810->51811 52066 2a421d0 52067 2a42238 CreateWindowExW 52066->52067 52069 2a422f4 52067->52069 52069->52069 51812 f166a4 51813 f164a1 51812->51813 51814 f166ae 51812->51814 51818 f18590 51814->51818 51836 f184d8 51814->51836 51815 f16841 51819 f185aa 51818->51819 51856 f19492 51819->51856 51862 f18b4e 51819->51862 51866 f18cae 51819->51866 51875 f18a6d 51819->51875 51880 f18c6b 51819->51880 51884 f18d86 51819->51884 51889 f18c23 51819->51889 51894 f1905a 51819->51894 51904 f189d8 51819->51904 51909 f18af6 51819->51909 51914 f18d16 51819->51914 51919 f19314 51819->51919 51924 f18df4 51819->51924 51932 f18bb5 51819->51932 51941 f18ad2 51819->51941 51820 f185ce 51820->51815 51837 f18554 51836->51837 51838 f184fd 51836->51838 51839 f184cb 51837->51839 51841 f19492 2 API calls 51837->51841 51842 f18ad2 2 API calls 51837->51842 51843 f18bb5 4 API calls 51837->51843 51844 f18df4 2 API calls 51837->51844 51845 f19314 2 API calls 51837->51845 51846 f18d16 2 API calls 51837->51846 51847 f18af6 2 API calls 51837->51847 51848 f189d8 2 API calls 51837->51848 51849 f1905a 4 API calls 51837->51849 51850 f18c23 2 API calls 51837->51850 51851 f18d86 2 API calls 51837->51851 51852 f18c6b 2 API calls 51837->51852 51853 f18a6d 2 API calls 51837->51853 51854 f18cae 4 API calls 51837->51854 51855 f18b4e 2 API calls 51837->51855 51838->51815 51839->51815 51840 f185ce 51840->51815 51841->51840 51842->51840 
51843->51840 51844->51840 51845->51840 51846->51840 51847->51840 51848->51840 51849->51840 51850->51840 51851->51840 51852->51840 51853->51840 51854->51840 51855->51840 51857 f19427 51856->51857 51858 f19497 51856->51858 51946 f157c0 51857->51946 51950 f157b8 51857->51950 51859 f19435 51954 f19677 51862->51954 51959 f19688 51862->51959 51863 f18b66 51863->51820 51867 f18bd3 51866->51867 51868 f193c6 51867->51868 51869 f18ade 51867->51869 51972 f196c1 51867->51972 51977 f196d0 51867->51977 51870 f18b2e 51869->51870 51964 f15d90 51869->51964 51968 f15d89 51869->51968 51870->51820 51876 f18a73 51875->51876 51990 f16018 51876->51990 51994 f1600c 51876->51994 51882 f15d90 WriteProcessMemory 51880->51882 51883 f15d89 WriteProcessMemory 51880->51883 51881 f18c8f 51881->51820 51882->51881 51883->51881 51885 f18ade 51884->51885 51886 f18b2e 51885->51886 51887 f15d90 WriteProcessMemory 51885->51887 51888 f15d89 WriteProcessMemory 51885->51888 51886->51820 51887->51886 51888->51886 51890 f18c29 51889->51890 51998 f15710 51890->51998 52002 f15708 51890->52002 51891 f18c4f 51891->51820 51895 f1905f 51894->51895 51896 f190d8 51895->51896 51898 f18c3a 51895->51898 51902 f157c0 Wow64SetThreadContext 51896->51902 51903 f157b8 Wow64SetThreadContext 51896->51903 51897 f18c4f 51897->51820 51898->51897 51900 f15710 ResumeThread 51898->51900 51901 f15708 ResumeThread 51898->51901 51899 f19435 51900->51897 51901->51897 51902->51899 51903->51899 51905 f189e2 51904->51905 51907 f16018 CreateProcessA 51905->51907 51908 f1600c CreateProcessA 51905->51908 51906 f18ab3 51907->51906 51908->51906 51910 f18afc 51909->51910 51912 f15d90 WriteProcessMemory 51910->51912 51913 f15d89 WriteProcessMemory 51910->51913 51911 f18b2e 51911->51820 51912->51911 51913->51911 51915 f1924f 51914->51915 52006 f15e80 51915->52006 52010 f15e78 51915->52010 51916 f190b3 51916->51820 51920 f18ade 51919->51920 51921 f18b2e 51920->51921 51922 f15d90 WriteProcessMemory 51920->51922 51923 f15d89 WriteProcessMemory 
51920->51923 51921->51820 51922->51921 51923->51921 51925 f18e17 51924->51925 51930 f15d90 WriteProcessMemory 51925->51930 51931 f15d89 WriteProcessMemory 51925->51931 51926 f18ade 51927 f18b2e 51926->51927 51928 f15d90 WriteProcessMemory 51926->51928 51929 f15d89 WriteProcessMemory 51926->51929 51927->51820 51928->51927 51929->51927 51930->51926 51931->51926 51933 f18bbb 51932->51933 51934 f18ade 51933->51934 51935 f193c6 51933->51935 51939 f196c1 2 API calls 51933->51939 51940 f196d0 2 API calls 51933->51940 51936 f18b2e 51934->51936 51937 f15d90 WriteProcessMemory 51934->51937 51938 f15d89 WriteProcessMemory 51934->51938 51936->51820 51937->51936 51938->51936 51939->51933 51940->51933 51942 f18ade 51941->51942 51943 f18b2e 51942->51943 51944 f15d90 WriteProcessMemory 51942->51944 51945 f15d89 WriteProcessMemory 51942->51945 51943->51820 51944->51943 51945->51943 51947 f15805 Wow64SetThreadContext 51946->51947 51949 f1584d 51947->51949 51949->51859 51951 f15805 Wow64SetThreadContext 51950->51951 51953 f1584d 51951->51953 51953->51859 51955 f1969d 51954->51955 51957 f157c0 Wow64SetThreadContext 51955->51957 51958 f157b8 Wow64SetThreadContext 51955->51958 51956 f196b3 51956->51863 51957->51956 51958->51956 51960 f1969d 51959->51960 51962 f157c0 Wow64SetThreadContext 51960->51962 51963 f157b8 Wow64SetThreadContext 51960->51963 51961 f196b3 51961->51863 51962->51961 51963->51961 51965 f15dd8 WriteProcessMemory 51964->51965 51967 f15e2f 51965->51967 51967->51870 51969 f15dd8 WriteProcessMemory 51968->51969 51971 f15e2f 51969->51971 51971->51870 51973 f196ca 51972->51973 51982 f15cd0 51973->51982 51986 f15cc8 51973->51986 51974 f19704 51974->51867 51978 f196e5 51977->51978 51980 f15cd0 VirtualAllocEx 51978->51980 51981 f15cc8 VirtualAllocEx 51978->51981 51979 f19704 51979->51867 51980->51979 51981->51979 51983 f15d10 VirtualAllocEx 51982->51983 51985 f15d4d 51983->51985 51985->51974 51987 f15d10 VirtualAllocEx 51986->51987 51989 f15d4d 51987->51989 51989->51974 51991 
f160a1 CreateProcessA 51990->51991 51993 f16263 51991->51993 51995 f160a1 CreateProcessA 51994->51995 51997 f16263 51995->51997 51999 f15750 ResumeThread 51998->51999 52001 f15781 51999->52001 52001->51891 52003 f15750 ResumeThread 52002->52003 52005 f15781 52003->52005 52005->51891 52007 f15ecb ReadProcessMemory 52006->52007 52009 f15f0f 52007->52009 52009->51916 52011 f15e80 ReadProcessMemory 52010->52011 52013 f15f0f 52011->52013 52013->51916 52014 f19828 52015 f19841 52014->52015 52016 f199b3 52015->52016 52018 f172f4 52015->52018 52019 f19aa8 PostMessageW 52018->52019 52020 f19b14 52019->52020 52020->52015 51671 70b6d21 51672 70b6cbc DrawTextExW 51671->51672 51674 70b6d2a 51671->51674 51673 70b6cce 51672->51673 52021 282d858 52022 282d89e GetCurrentProcess 52021->52022 52024 282d8f0 GetCurrentThread 52022->52024 52025 282d8e9 52022->52025 52026 282d926 52024->52026 52027 282d92d GetCurrentProcess 52024->52027 52025->52024 52026->52027 52028 282d963 GetCurrentThreadId 52027->52028 52030 282d9bc 52028->52030 52031 2824668 52032 282467a 52031->52032 52033 2824686 52032->52033 52037 2824779 52032->52037 52042 2823e24 52033->52042 52035 28246a5 52038 282479d 52037->52038 52046 2824877 52038->52046 52050 2824888 52038->52050 52043 2823e2f 52042->52043 52058 282756c 52043->52058 52045 2827b8d 52045->52035 52048 28248af 52046->52048 52047 282498c 52047->52047 52048->52047 52054 2824524 52048->52054 52052 28248af 52050->52052 52051 282498c 52051->52051 52052->52051 52053 2824524 CreateActCtxA 52052->52053 52053->52051 52055 2825d18 CreateActCtxA 52054->52055 52057 2825ddb 52055->52057 52059 2827577 52058->52059 52062 2827780 52059->52062 52061 2827dbd 52061->52045 52063 282778b 52062->52063 52064 28277b0 2 API calls 52063->52064 52065 2827e9a 52064->52065 52065->52061 51675 b0d01c 51676 b0d034 51675->51676 51677 b0d08e 51676->51677 51683 2a430e8 51676->51683 51687 2a404e8 51676->51687 51691 2a4055c 51676->51691 51695 2a42378 51676->51695 51699 2a42388 51676->51699 
51686 2a43125 51683->51686 51685 2a43149 51686->51685 51703 2a40684 CallWindowProcW 51686->51703 51688 2a404ed 51687->51688 51690 2a43149 51688->51690 51704 2a40684 CallWindowProcW 51688->51704 51690->51690 51692 2a40567 51691->51692 51694 2a43149 51692->51694 51705 2a40684 CallWindowProcW 51692->51705 51694->51694 51696 2a42388 51695->51696 51697 2a4055c CallWindowProcW 51696->51697 51698 2a423cf 51697->51698 51698->51677 51700 2a423ae 51699->51700 51701 2a4055c CallWindowProcW 51700->51701 51702 2a423cf 51701->51702 51702->51677 51703->51685 51704->51690 51705->51694 51706 2a48418 51707 2a48445 51706->51707 51710 2a47e08 51707->51710 51709 2a48566 51711 2a47e13 51710->51711 51714 2a4ba50 51711->51714 51717 2a480e8 51711->51717 51713 2a4ba54 51713->51709 51714->51713 51721 2a480f8 51714->51721 51716 2a4bc4d 51716->51709 51718 2a480f3 51717->51718 51719 2a480f8 2 API calls 51718->51719 51720 2a4bc4d 51719->51720 51720->51714 51722 2a48103 51721->51722 51725 2a48108 51722->51725 51724 2a4bf0b 51724->51716 51726 2a48113 51725->51726 51730 28277b0 51726->51730 51734 2827ed7 51726->51734 51727 2a4c244 51727->51724 51731 28277bb 51730->51731 51742 28277e0 51731->51742 51733 2827f8d 51733->51727 51735 2827e65 51734->51735 51736 2827edb 51734->51736 51738 28277b0 2 API calls 51735->51738 51739 2827e9a 51735->51739 51736->51735 51737 2827ee3 51736->51737 51740 28277e0 2 API calls 51737->51740 51738->51739 51739->51727 51741 2827f8d 51740->51741 51741->51727 51743 28277eb 51742->51743 51744 2828deb 51743->51744 51748 282b4a0 51743->51748 51752 2a4ceb8 51743->51752 51756 2a4cea8 51743->51756 51744->51733 51760 282b4c7 51748->51760 51764 282b4d8 51748->51764 51749 282b4b6 51749->51744 51753 2a4cec6 51752->51753 51754 282b4c7 2 API calls 51752->51754 51755 282b4d8 2 API calls 51752->51755 51753->51744 51754->51753 51755->51753 51758 282b4c7 2 API calls 51756->51758 51759 282b4d8 2 API calls 51756->51759 51757 2a4cec6 51757->51744 51758->51757 51759->51757 51761 282b4d8 
51760->51761 51767 282b5bf 51761->51767 51762 282b4e7 51762->51749 51766 282b5bf 2 API calls 51764->51766 51765 282b4e7 51765->51749 51766->51765 51768 282b5ca 51767->51768 51769 282b577 51767->51769 51770 282b604 51768->51770 51777 282b8bc 51768->51777 51782 282b868 51768->51782 51786 282b858 51768->51786 51769->51762 51770->51762 51771 282b5fc 51771->51770 51772 282b808 GetModuleHandleW 51771->51772 51773 282b835 51772->51773 51773->51762 51778 282b870 51777->51778 51781 282b8c2 51777->51781 51780 282b8a1 51778->51780 51790 282b030 51778->51790 51780->51771 51783 282b87c 51782->51783 51784 282b8a1 51783->51784 51785 282b030 LoadLibraryExW 51783->51785 51784->51771 51785->51784 51787 282b868 51786->51787 51788 282b8a1 51787->51788 51789 282b030 LoadLibraryExW 51787->51789 51788->51771 51789->51788 51792 282ba48 LoadLibraryExW 51790->51792 51793 282bac1 51792->51793 51793->51780
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2383bb342e92cdc5701837c5b48f3b2ffd25eb4a4bdc7fb315d7780927096495
                    • Instruction ID: 5c4402c6dd8a9792532ae870a33786aa0a2e0e27f80701958dabb95d1af56fce
                    • Opcode Fuzzy Hash: 2383bb342e92cdc5701837c5b48f3b2ffd25eb4a4bdc7fb315d7780927096495
                    • Instruction Fuzzy Hash: E2D13734E502198FDB24EBB4C844BDDB771FF8A300F50866AE5487B295EF706989CB91
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6f4b198924a789d2db2d90fb75ce02ea2122a007f1b2cfaa9bb7ff7beae3e8bc
                    • Instruction ID: 89405cd827442d566713fef31123c8b006e5143a2afcaed506d8eba627149b57
                    • Opcode Fuzzy Hash: 6f4b198924a789d2db2d90fb75ce02ea2122a007f1b2cfaa9bb7ff7beae3e8bc
                    • Instruction Fuzzy Hash: 09D13834E502198FDB24EBB4C844BDDB771FF89300F50866AE5487B295EF706989CB91

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 294 282d858-282d8e7 GetCurrentProcess 298 282d8f0-282d924 GetCurrentThread 294->298 299 282d8e9-282d8ef 294->299 300 282d926-282d92c 298->300 301 282d92d-282d961 GetCurrentProcess 298->301 299->298 300->301 303 282d963-282d969 301->303 304 282d96a-282d982 301->304 303->304 307 282d98b-282d9ba GetCurrentThreadId 304->307 308 282d9c3-282da25 307->308 309 282d9bc-282d9c2 307->309 309->308
                    APIs
                    • GetCurrentProcess.KERNEL32 ref: 0282D8D6
                    • GetCurrentThread.KERNEL32 ref: 0282D913
                    • GetCurrentProcess.KERNEL32 ref: 0282D950
                    • GetCurrentThreadId.KERNEL32 ref: 0282D9A9
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2110646965.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2820000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: Current$ProcessThread
                    • String ID:
                    • API String ID: 2063062207-0
                    • Opcode ID: 047067b83ab9d785c7144081fea2db5d56f1a714146abb38d3f7b39c8a350a91
                    • Instruction ID: c4f80f47024b21dbf97f9c9062f804e375976860166a351cc71ea864f9f8d304
                    • Opcode Fuzzy Hash: 047067b83ab9d785c7144081fea2db5d56f1a714146abb38d3f7b39c8a350a91
                    • Instruction Fuzzy Hash: 1C5137B89003098FDB14DFA9D648BAEBBF5EF48314F208459E119A7390D7789988CF65

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 1690 2a74ae0-2a74b52 call 2a73ebc 1696 2a74b54-2a74b56 1690->1696 1697 2a74bb8-2a74be4 1690->1697 1698 2a74b5c-2a74b68 1696->1698 1699 2a74beb-2a74bf3 1696->1699 1697->1699 1704 2a74b6e-2a74ba9 call 2a74930 1698->1704 1705 2a74bfa-2a74d35 1698->1705 1699->1705 1715 2a74bae-2a74bb7 1704->1715 1722 2a74d3b-2a74d49 1705->1722 1723 2a74d52-2a74d98 1722->1723 1724 2a74d4b-2a74d51 1722->1724 1729 2a74da5 1723->1729 1730 2a74d9a-2a74d9d 1723->1730 1724->1723 1731 2a74da6 1729->1731 1730->1729 1731->1731
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID: Haq$Haq
                    • API String ID: 0-4016896955
                    • Opcode ID: cb197e152904bc1c5618f71b52d8a8ea71a56456ae4b54f9024c75c6e69b961f
                    • Instruction ID: efc4c96e3742c6e4018c246125cf18b8c1ae3ffd2596af1a6e117270658ed838
                    • Opcode Fuzzy Hash: cb197e152904bc1c5618f71b52d8a8ea71a56456ae4b54f9024c75c6e69b961f
                    • Instruction Fuzzy Hash: 4B819B74E003198FCB04DFA9C8946EEBBF6BF89300F14856AE409EB351DB349906CB91

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 1771 2a70638-2a7076b call 2a7115f 1780 2a707cd-2a70865 call 2a70044 1771->1780 1781 2a7076d-2a707c5 1771->1781 1786 2a7086b-2a708b3 call 2a70054 1780->1786 1781->1780
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID: $
                    • API String ID: 0-227171996
                    • Opcode ID: a4b5ef0fb51665b7c8aa12b2a91b7da552b3bb50ec214944d995272c20ce028d
                    • Instruction ID: 416ad3814e72dfb2895aeb9408fffff623e9cff03a2b3ca91e1bbeff27cce0aa
                    • Opcode Fuzzy Hash: a4b5ef0fb51665b7c8aa12b2a91b7da552b3bb50ec214944d995272c20ce028d
                    • Instruction Fuzzy Hash: 2171C039910701CFDB01EF2CD885A54B7B1FF85304B458AA9D949AF366EB71E899CF80

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 1794 2a70648-2a7076b call 2a7115f 1803 2a707cd-2a70865 call 2a70044 1794->1803 1804 2a7076d-2a707c5 1794->1804 1809 2a7086b-2a708b3 call 2a70054 1803->1809 1804->1803
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID: $
                    • API String ID: 0-227171996
                    • Opcode ID: 2b463351aab23504749c5e347ae77794558514dfe0f97b82a54533dc01809fff
                    • Instruction ID: 7f153b7f631eacd22937cd533d7212b5768a5eace4364c5a17f556c5621ee34b
                    • Opcode Fuzzy Hash: 2b463351aab23504749c5e347ae77794558514dfe0f97b82a54533dc01809fff
                    • Instruction Fuzzy Hash: 9561B139910701CFDB00EF2CD884655B7B5FF85304B458AA9D949AF366EB71E899CF80

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 1817 2a79e31-2a79e53 1818 2a79e5d-2a79e60 1817->1818 1819 2a79e69-2a79fa5 1818->1819
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4']q$4']q
                    • API String ID: 0-3120983240
                    • Opcode ID: 322140a84288723f24f0cfc4f80914eb489718809786f322b79524a1cd40b87c
                    • Instruction ID: 94d20ecdee25ce87f3c9804204a3d896ee534b76438b8469b5bcba4972ee9a8e
                    • Opcode Fuzzy Hash: 322140a84288723f24f0cfc4f80914eb489718809786f322b79524a1cd40b87c
                    • Instruction Fuzzy Hash: 81419132D1071A9BCB04EFB9DC406DDB776FF94300F618A25E554B7251EBB0A586CB80

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 1833 2a79e40-2a79e60 1835 2a79e69-2a79fa5 1833->1835
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4']q$4']q
                    • API String ID: 0-3120983240
                    • Opcode ID: 1b234d7e09e20c5f8e0d62d2c0890aeb7cbdd42bfbf6986c9c254cfc0e0fe292
                    • Instruction ID: 30fdc2ae20438bb3657b7727e69db7160edd40a191622eb50932cfaa4c5c2d49
                    • Opcode Fuzzy Hash: 1b234d7e09e20c5f8e0d62d2c0890aeb7cbdd42bfbf6986c9c254cfc0e0fe292
                    • Instruction Fuzzy Hash: F0416D32D1071A9BCB04EFB9D8406DDF7B6FF94300F618A25E554B7251EBB0A586CB80

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 1849 2a7d123-2a7d128 1850 2a7d15d 1849->1850 1851 2a7d12a-2a7d15b 1849->1851 1852 2a7d162-2a7d4fb call 2a7dc83 1850->1852 1851->1850 1851->1852 1888 2a7d507-2a7da48 1852->1888
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID: 2
                    • API String ID: 0-450215437
                    • Opcode ID: 02826556597ea191c235ac07d3f47a079b243e23472390f365ceba3404abc0cf
                    • Instruction ID: 87749b2ab394a35681203c1abfceaf78e275521692bfb361584c639b4cde4c52
                    • Opcode Fuzzy Hash: 02826556597ea191c235ac07d3f47a079b243e23472390f365ceba3404abc0cf
                    • Instruction Fuzzy Hash: 0342F83594156ACFCF12CF24D958AE9BBB6AF06304F0544E5E84DBB221CB716B86CF80

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 1938 f1600c-f160ad 1940 f160e6-f16106 1938->1940 1941 f160af-f160b9 1938->1941 1948 f16108-f16112 1940->1948 1949 f1613f-f1616e 1940->1949 1941->1940 1942 f160bb-f160bd 1941->1942 1943 f160e0-f160e3 1942->1943 1944 f160bf-f160c9 1942->1944 1943->1940 1946 f160cb 1944->1946 1947 f160cd-f160dc 1944->1947 1946->1947 1947->1947 1950 f160de 1947->1950 1948->1949 1951 f16114-f16116 1948->1951 1957 f16170-f1617a 1949->1957 1958 f161a7-f16261 CreateProcessA 1949->1958 1950->1943 1953 f16139-f1613c 1951->1953 1954 f16118-f16122 1951->1954 1953->1949 1955 f16124 1954->1955 1956 f16126-f16135 1954->1956 1955->1956 1956->1956 1959 f16137 1956->1959 1957->1958 1960 f1617c-f1617e 1957->1960 1969 f16263-f16269 1958->1969 1970 f1626a-f162f0 1958->1970 1959->1953 1962 f161a1-f161a4 1960->1962 1963 f16180-f1618a 1960->1963 1962->1958 1964 f1618c 1963->1964 1965 f1618e-f1619d 1963->1965 1964->1965 1965->1965 1967 f1619f 1965->1967 1967->1962 1969->1970 1980 f16300-f16304 1970->1980 1981 f162f2-f162f6 1970->1981 1983 f16314-f16318 1980->1983 1984 f16306-f1630a 1980->1984 1981->1980 1982 f162f8 1981->1982 1982->1980 1985 f16328-f1632c 1983->1985 1986 f1631a-f1631e 1983->1986 1984->1983 1987 f1630c 1984->1987 1989 f1633e-f16345 1985->1989 1990 f1632e-f16334 1985->1990 1986->1985 1988 f16320 1986->1988 1987->1983 1988->1985 1991 f16347-f16356 1989->1991 1992 f1635c 1989->1992 1990->1989 1991->1992 1994 f1635d 1992->1994 1994->1994
                    APIs
                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00F1624E
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2110348369.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_f10000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: CreateProcess
                    • String ID:
                    • API String ID: 963392458-0
                    • Opcode ID: 6a372827d6e54134cba58b316e5d0c928325c4a4f3226987013981eff62e1e9a
                    • Instruction ID: 2f61a105934719db0b1b0302761adfd1d95ba06d471bb1d926e01c3b2c0b9e80
                    • Opcode Fuzzy Hash: 6a372827d6e54134cba58b316e5d0c928325c4a4f3226987013981eff62e1e9a
                    • Instruction Fuzzy Hash: FCA14871D002699FDF24CF68C841BEDBBB2BF48314F1481AAE819E7280DB759985DF91

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 1995 f16018-f160ad 1997 f160e6-f16106 1995->1997 1998 f160af-f160b9 1995->1998 2005 f16108-f16112 1997->2005 2006 f1613f-f1616e 1997->2006 1998->1997 1999 f160bb-f160bd 1998->1999 2000 f160e0-f160e3 1999->2000 2001 f160bf-f160c9 1999->2001 2000->1997 2003 f160cb 2001->2003 2004 f160cd-f160dc 2001->2004 2003->2004 2004->2004 2007 f160de 2004->2007 2005->2006 2008 f16114-f16116 2005->2008 2014 f16170-f1617a 2006->2014 2015 f161a7-f16261 CreateProcessA 2006->2015 2007->2000 2010 f16139-f1613c 2008->2010 2011 f16118-f16122 2008->2011 2010->2006 2012 f16124 2011->2012 2013 f16126-f16135 2011->2013 2012->2013 2013->2013 2016 f16137 2013->2016 2014->2015 2017 f1617c-f1617e 2014->2017 2026 f16263-f16269 2015->2026 2027 f1626a-f162f0 2015->2027 2016->2010 2019 f161a1-f161a4 2017->2019 2020 f16180-f1618a 2017->2020 2019->2015 2021 f1618c 2020->2021 2022 f1618e-f1619d 2020->2022 2021->2022 2022->2022 2024 f1619f 2022->2024 2024->2019 2026->2027 2037 f16300-f16304 2027->2037 2038 f162f2-f162f6 2027->2038 2040 f16314-f16318 2037->2040 2041 f16306-f1630a 2037->2041 2038->2037 2039 f162f8 2038->2039 2039->2037 2042 f16328-f1632c 2040->2042 2043 f1631a-f1631e 2040->2043 2041->2040 2044 f1630c 2041->2044 2046 f1633e-f16345 2042->2046 2047 f1632e-f16334 2042->2047 2043->2042 2045 f16320 2043->2045 2044->2040 2045->2042 2048 f16347-f16356 2046->2048 2049 f1635c 2046->2049 2047->2046 2048->2049 2051 f1635d 2049->2051 2051->2051
                    APIs
                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00F1624E
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2110348369.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_f10000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: CreateProcess
                    • String ID:
                    • API String ID: 963392458-0
                    • Opcode ID: 4f59c9127f901849432078f7ea662c3594e1e209e86ea9182e654e0257cc70b9
                    • Instruction ID: ba2268d3bf3497964a6e1b0d2e6625865d03b711ce3a9244f19b51868327f39c
                    • Opcode Fuzzy Hash: 4f59c9127f901849432078f7ea662c3594e1e209e86ea9182e654e0257cc70b9
                    • Instruction Fuzzy Hash: EE913871D002199FDF24DF68C841BEDBBB2BF48314F1481AAE819E7280DB759985DF91
                    APIs
                    • GetModuleHandleW.KERNELBASE(00000000), ref: 0282B826
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2110646965.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2820000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: HandleModule
                    • String ID:
                    • API String ID: 4139908857-0
                    • Opcode ID: 7d066c57ed0cdbd2c40d8e871e780902ca655b19634de98e6774fc18d85beb3e
                    • Instruction ID: 17f65b5778f906cd1dc5420d082c721809b800a6263d17f1dbcb332abb8da60b
                    • Opcode Fuzzy Hash: 7d066c57ed0cdbd2c40d8e871e780902ca655b19634de98e6774fc18d85beb3e
                    • Instruction Fuzzy Hash: 4E9188B8A00B558FD724DF69D44075ABBF5FF88308F04896ED08ACBA51D775E889CB90
                    APIs
                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02A422E2
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111492148.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a40000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: CreateWindow
                    • String ID:
                    • API String ID: 716092398-0
                    • Opcode ID: 245492d27974df58445cf7470cdc44bdaf0500a35ea0711b7cccbbad67b19565
                    • Instruction ID: e0bdecf23c4c7d5fb2e290982b3100b08caf380045bdb22af24463b7ed9d75cc
                    • Opcode Fuzzy Hash: 245492d27974df58445cf7470cdc44bdaf0500a35ea0711b7cccbbad67b19565
                    • Instruction Fuzzy Hash: 2051C5B1D003499FDB14CF99C984ADDFFB5BF88314F64816AE819AB210DB75A845CF90
                    APIs
                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02A422E2
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111492148.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a40000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: CreateWindow
                    • String ID:
                    • API String ID: 716092398-0
                    • Opcode ID: c88e1d391b19d5de8f0d0c47224e64648e3b714cab03f80f1b2cf271c142c474
                    • Instruction ID: a22bbb9ac81bb71c485442dfa1543153246e0deca81a9ab17eb55a145f5059b8
                    • Opcode Fuzzy Hash: c88e1d391b19d5de8f0d0c47224e64648e3b714cab03f80f1b2cf271c142c474
                    • Instruction Fuzzy Hash: 3A41B3B1D00349DFDB14CF99C984ADEFBB5BF88314F24812AE819AB210DB75A845CF90
                    APIs
                    • CreateActCtxA.KERNEL32(?), ref: 02825DC9
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2110646965.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2820000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: Create
                    • String ID:
                    • API String ID: 2289755597-0
                    • Opcode ID: 73e2b6522088fc12364a0736dedf150c8a360e14701b4d659c2aac52e946a159
                    • Instruction ID: 25747cccc6740c4dbf89a594597fbc0d04139a39f4b3bdb14f4a9ab09ac08715
                    • Opcode Fuzzy Hash: 73e2b6522088fc12364a0736dedf150c8a360e14701b4d659c2aac52e946a159
                    • Instruction Fuzzy Hash: 7441F4B8C00319CADB24CFA9C8447DEFBF5BF49304F20805AD408AB255DB75694ACF91
                    APIs
                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 02A44861
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111492148.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a40000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: CallProcWindow
                    • String ID:
                    • API String ID: 2714655100-0
                    • Opcode ID: d8e00fd6a0ee71c6d9391414686115eb6984122eb4501e4c4c6e41726958efc8
                    • Instruction ID: 59aa0f47103de33de2a3f51a48bdff4bc1e5d358bbab1b6b2a6f339f361754a7
                    • Opcode Fuzzy Hash: d8e00fd6a0ee71c6d9391414686115eb6984122eb4501e4c4c6e41726958efc8
                    • Instruction Fuzzy Hash: C54118B8A002458FCB14CF99C488BAABBF5FF88314F248499D519A7321DB75E845CBA0
                    APIs
                    • CreateActCtxA.KERNEL32(?), ref: 02825DC9
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2110646965.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2820000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: Create
                    • String ID:
                    • API String ID: 2289755597-0
                    • Opcode ID: da095c6d312aac1794e2ffcd03978c8f6bbdefdd658bd1b31eba46ea79e728d2
                    • Instruction ID: cf520a932d1d8611bddbaefeddd18d9c0e873ac4b4343f1c560018d11767a73c
                    • Opcode Fuzzy Hash: da095c6d312aac1794e2ffcd03978c8f6bbdefdd658bd1b31eba46ea79e728d2
                    • Instruction Fuzzy Hash: 2E41F4B8C0071DCBDB24CFA9C84479EBBF5BF48304F60806AD408AB255DB79694ACF91
                    APIs
                    • DrawTextExW.USER32(?,?,?,?,?,?), ref: 070B6CBF
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2122377839.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_70b0000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: DrawText
                    • String ID:
                    • API String ID: 2175133113-0
                    • Opcode ID: a4c0457e80e5870de6ab35d8e2f449e761691ebf16408a20793ed5296ac6cc7f
                    • Instruction ID: 2a26b8acd460cf8d8b2b881a9272b642b2cb14c250a776af03c372f01cb1e18c
                    • Opcode Fuzzy Hash: a4c0457e80e5870de6ab35d8e2f449e761691ebf16408a20793ed5296ac6cc7f
                    • Instruction Fuzzy Hash: F931C0B5D002499FDB10CF9AD884AEEFBF5FB48320F14842AE919A7310D775A944CFA0
                    APIs
                    • DrawTextExW.USER32(?,?,?,?,?,?), ref: 070B6CBF
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2122377839.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_70b0000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: DrawText
                    • String ID:
                    • API String ID: 2175133113-0
                    • Opcode ID: cd129ad8beab73cbf38924ae81b8f0a9ea5d063902ac95e813019e44d0c13ac1
                    • Instruction ID: 86255ac5bf8eda434d52733e78a4de2cb39434d55cbd8a96a6873f3e6d89329c
                    • Opcode Fuzzy Hash: cd129ad8beab73cbf38924ae81b8f0a9ea5d063902ac95e813019e44d0c13ac1
                    • Instruction Fuzzy Hash: D0213AF2E007421FE7309B2AD8087F6FBE59F80324F48863AD049C7551CA39D659CB90
                    APIs
                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 00F15E20
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2110348369.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_f10000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: MemoryProcessWrite
                    • String ID:
                    • API String ID: 3559483778-0
                    • Opcode ID: ba0e60d635b6970ae6b136bf87b5df2811e8dd01c48d518dc70c598352584dcf
                    • Instruction ID: 465ef2da157c5c2b371d1fa9a0cb1ffc4b1568d7638e63d29c1aa2313ec2039e
                    • Opcode Fuzzy Hash: ba0e60d635b6970ae6b136bf87b5df2811e8dd01c48d518dc70c598352584dcf
                    • Instruction Fuzzy Hash: 2F2104B5D003599FCB10CFA9C885BEEBBF1FF88310F14842AE959A7251C7789944DBA0
                    APIs
                    • DrawTextExW.USER32(?,?,?,?,?,?), ref: 070B6CBF
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2122377839.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_70b0000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: DrawText
                    • String ID:
                    • API String ID: 2175133113-0
                    • Opcode ID: b9c41502ae7a17d493866cca6144e02f49decda0e4c258a535d662e0a7404c13
                    • Instruction ID: 8a0533e289211404800e9a267ab7bbf7ad8efcc19ad4b306a5f5e74959f7c48a
                    • Opcode Fuzzy Hash: b9c41502ae7a17d493866cca6144e02f49decda0e4c258a535d662e0a7404c13
                    • Instruction Fuzzy Hash: 6B21A0B59002099FDB10CF9AD984AEEFBF5FB48320F14842AE919A7310D775A944CFA4
                    APIs
                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 00F15E20
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2110348369.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_f10000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: MemoryProcessWrite
                    • String ID:
                    • API String ID: 3559483778-0
                    • Opcode ID: 8bc605bf592e89a062d1cd81f957248faa10cedc864e0c8961bc07af279ff9e5
                    • Instruction ID: 233e6fe27e2db92080d90f10bf6252b8e70b667433c9d4b65b23fd49b94f5469
                    • Opcode Fuzzy Hash: 8bc605bf592e89a062d1cd81f957248faa10cedc864e0c8961bc07af279ff9e5
                    • Instruction Fuzzy Hash: 4321F5B5D002599FCB10DFAAC885BEEBBF5FF48310F108429E919A7240C7789944DBA4
                    APIs
                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00F15F00
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2110348369.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_f10000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: MemoryProcessRead
                    • String ID:
                    • API String ID: 1726664587-0
                    • Opcode ID: 0cc6248811e2d8b8f516dc2a7020fe4969343c41f574a8d8ed9cf5dae3fd9f68
                    • Instruction ID: a00895d2b310e70bd8380a367c2a0a2ea1437b379d7d1fbb5e36792b9329021c
                    • Opcode Fuzzy Hash: 0cc6248811e2d8b8f516dc2a7020fe4969343c41f574a8d8ed9cf5dae3fd9f68
                    • Instruction Fuzzy Hash: B62136B1C002099FCB10DFAAC880AEEFBF5FF48310F50842AE518A7240CB789945CBA0
                    APIs
                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00F1583E
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2110348369.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_f10000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: ContextThreadWow64
                    • String ID:
                    • API String ID: 983334009-0
                    • Opcode ID: 83068e35b323f7a1d0547d6536f9b36b23395b0e49ed5f5967a3e6d4f1ff4b91
                    • Instruction ID: 75dac905a3a5407f61f2f2c7b37249f9632c3e60920f564bfc0462bb0c7f1688
                    • Opcode Fuzzy Hash: 83068e35b323f7a1d0547d6536f9b36b23395b0e49ed5f5967a3e6d4f1ff4b91
                    • Instruction Fuzzy Hash: 1B2135B1D00209CFDB10DFAAC4857EEBBF5EF88324F14842AD519A7250CB789985CFA0
                    APIs
                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00F15F00
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2110348369.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_f10000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: MemoryProcessRead
                    • String ID:
                    • API String ID: 1726664587-0
                    • Opcode ID: ba780c6893fa479aedcb7d55067a06064ce3792f39147325c45627d954941753
                    • Instruction ID: 33656c5584e5f06e1f3d36d43528d74e3b959f41bcb899113a5f7be6a11a8fcf
                    • Opcode Fuzzy Hash: ba780c6893fa479aedcb7d55067a06064ce3792f39147325c45627d954941753
                    • Instruction Fuzzy Hash: 832137B1C003499FCB10DFAAC881AEEFBF5FF48310F10842AE519A7240C7799945DBA0
                    APIs
                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00F1583E
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2110348369.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_f10000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: ContextThreadWow64
                    • String ID:
                    • API String ID: 983334009-0
                    • Opcode ID: 219a7ed036ae43540a2ea0c1645360c67e6ecbc29915e721beee930fdd861bda
                    • Instruction ID: 493ea0ec6f60ac1c3f1c49497044583d42c8e5bcf5002a75858a80c8f705825c
                    • Opcode Fuzzy Hash: 219a7ed036ae43540a2ea0c1645360c67e6ecbc29915e721beee930fdd861bda
                    • Instruction Fuzzy Hash: 93211871D006098FDB10DFAAC4857EEBBF5EF88324F148429D519A7240DB789985CFA5
                    APIs
                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0282DB27
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2110646965.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2820000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: DuplicateHandle
                    • String ID:
                    • API String ID: 3793708945-0
                    • Opcode ID: 5fbbe5c602e6f668808533f0baa0f7c47b9860d1e40937bb9933c822154549a9
                    • Instruction ID: 8ac2f4ec1bd660c5298a02ebb48de658b8d3bb5f697dca727e5a1943ff8d1371
                    • Opcode Fuzzy Hash: 5fbbe5c602e6f668808533f0baa0f7c47b9860d1e40937bb9933c822154549a9
                    • Instruction Fuzzy Hash: 6921C2B59002589FDB10CFAAD984ADEFFF9FB48310F14845AE918A3350D379A944CFA5
                    APIs
                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0282B8A1,00000800,00000000,00000000), ref: 0282BAB2
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2110646965.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2820000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    • Opcode ID: d192e1acf15f3256a21706bf3115f4ab46399ce86b421ec474527aab83c421fb
                    • Instruction ID: f7a535f7d4b6ad9877f99f656390b0b59c58e3a37f081360fb8e9f37b1c2498b
                    • Opcode Fuzzy Hash: d192e1acf15f3256a21706bf3115f4ab46399ce86b421ec474527aab83c421fb
                    • Instruction Fuzzy Hash: 131103BA9012599FCB20CF9AC444A9EFBF5EB48314F14842EE519A7300C379A549CFA4
                    APIs
                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0282B8A1,00000800,00000000,00000000), ref: 0282BAB2
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2110646965.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2820000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    • Opcode ID: 9d524e98bc41453976603f879863fe1cfab8a79668a8dc5ad15a2c09f9bbbdcc
                    • Instruction ID: fc7fa8489bae8d7f4bcf27a5e5f2abded82c05cd09f01e070f2def762b559467
                    • Opcode Fuzzy Hash: 9d524e98bc41453976603f879863fe1cfab8a79668a8dc5ad15a2c09f9bbbdcc
                    • Instruction Fuzzy Hash: 6E2103BAD012498FDB20CFAAC544AEEFFF5AF48314F14845ED859A7200C379A549CFA4
                    APIs
                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00F15D3E
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2110348369.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_f10000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 66ebf410b27c31bbe93d9aa2102e80c467524512ebd97b6f21ef09d2e95d2146
                    • Instruction ID: 72f7c099ff3eb94647165e0f6f8387a9fea113ae80a13ff17a4c595985452ec4
                    • Opcode Fuzzy Hash: 66ebf410b27c31bbe93d9aa2102e80c467524512ebd97b6f21ef09d2e95d2146
                    • Instruction Fuzzy Hash: C3116A719002498FDB10DFAAD844AEEFFF5EF88310F14841EE519A7250C7799944CFA0
                    APIs
                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00F15D3E
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2110348369.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_f10000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 1c5b6043059ad273757814e438d8c6890d15fb701e0066675523f0bcd8cc9225
                    • Instruction ID: 4a5f45cb6402fb43424649ee53b1ab5fa51e41e3b146b53d1f7d3d126b6dc3bd
                    • Opcode Fuzzy Hash: 1c5b6043059ad273757814e438d8c6890d15fb701e0066675523f0bcd8cc9225
                    • Instruction Fuzzy Hash: 6D1137759002499FCB10DFAAC844AEEFFF5EF88324F248419E519A7250CB79A944CFA1
                    APIs
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2110348369.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_f10000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: ResumeThread
                    • String ID:
                    • API String ID: 947044025-0
                    • Opcode ID: 1b211907745f88b2803bb87c3fe15aaf388b1d0b91f0e2cd6c5291ee2a8e9f53
                    • Instruction ID: 972de677ed073bff00163e2790f074c5de7561477e40367720e380ea2e930cde
                    • Opcode Fuzzy Hash: 1b211907745f88b2803bb87c3fe15aaf388b1d0b91f0e2cd6c5291ee2a8e9f53
                    • Instruction Fuzzy Hash: 2E1146B5D002488ECB20DFAAD4456EEFFF5AF88324F24841ED419A7240CB799944CFA0
                    APIs
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2110348369.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_f10000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: ResumeThread
                    • String ID:
                    • API String ID: 947044025-0
                    • Opcode ID: c31ff97061a1751e39910c667f5c314cce5a08821f6904b5b30d91db02c5a878
                    • Instruction ID: 7d5dfb1b7919d59f54c22d9fd0205069aad0653a5c63596b5d8baf9fa8e267b8
                    • Opcode Fuzzy Hash: c31ff97061a1751e39910c667f5c314cce5a08821f6904b5b30d91db02c5a878
                    • Instruction Fuzzy Hash: EC1125B5D002488FCB20DFAAC4457EEFBF5EF88724F248419D519A7240CB79A944CFA4
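The functions recovered from the 00F10000 region of process 11 above call VirtualAllocEx, ReadProcessMemory, WriteProcessMemory, Wow64SetThreadContext and ResumeThread: the API set of process hollowing, which is what the "Injects a PE file into a foreign processes" signature is keyed on. The scanner below is an added example, not part of the Joe Sandbox report, that checks an API-call trace for that ordered chain. The trace lines are constructed in the same "Api.Module(args), ref: ADDR" shape the report uses; the injection entries reuse the report's own ref addresses, the ordering of the calls and the alias table (NtWriteVirtualMemory and friends) are assumptions, and the ResumeThread line carries no ref because the page shows none.

```python
"""Scan an API-call trace for the process-hollowing call chain.

Added example, not part of the Joe Sandbox report. The trace lines are
constructed in the "Api.Module(args), ref: ADDR" shape of the report's
"APIs" entries; the ref address is optional because the report's
ResumeThread entries show none.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Ordered chain typical of process hollowing: allocate in the target,
# write the payload, redirect the primary thread, let it run.
# Assumption: generic pattern, not something the report itself states.
HOLLOWING_CHAIN = (
    "VirtualAllocEx",
    "WriteProcessMemory",
    "Wow64SetThreadContext",
    "ResumeThread",
)

# Equivalent APIs an injector may use at each step (assumed aliases).
ALIASES = {
    "VirtualAllocEx": {"NtAllocateVirtualMemory"},
    "WriteProcessMemory": {"NtWriteVirtualMemory"},
    "Wow64SetThreadContext": {"SetThreadContext", "NtSetContextThread"},
    "ResumeThread": {"NtResumeThread"},
}

LINE_RE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\)"
    r"(?:,\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str] = field(default_factory=list)
    ref: str | None = None


def parse_trace(lines):
    """Parse trace lines; lines that are not API entries are skipped."""
    calls = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args, m.group("ref")))
    return calls


def find_hollowing_chain(calls, chain=HOLLOWING_CHAIN):
    """Return the matched calls in chain order, or None.

    The match is an ordered subsequence: unrelated calls between the steps
    are ignored, but a step may not appear before its predecessor.
    """
    matched = []
    step = 0
    for call in calls:
        want = chain[step]
        if call.api == want or call.api in ALIASES.get(want, set()):
            matched.append(call)
            step += 1
            if step == len(chain):
                return matched
    return None


# Constructed trace: injection entries mirror the report's 00F10000 region
# (same ref addresses); the GUI calls are benign noise from other regions.
SUSPICIOUS_TRACE = [
    "CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02A422E2",
    "VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00F15D3E",
    "ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00F15F00",
    "WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 00F15E20",
    "DrawTextExW.USER32(?,?,?,?,?,?), ref: 070B6CBF",
    "Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00F1583E",
    "ResumeThread.KERNEL32(?)",
]

# Constructed benign trace: debugger-style read/write without thread-context
# tampering or a resume does not complete the chain.
BENIGN_TRACE = [
    "VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00401000",
    "ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00401040",
    "WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 00401080",
    "PostMessageW.USER32(?,00000010,00000000,?), ref: 004010C0",
]


def scan(lines):
    """Return the ref addresses of the matched chain, or None if absent."""
    hit = find_hollowing_chain(parse_trace(lines))
    return None if hit is None else [c.ref for c in hit]


if __name__ == "__main__":
    print("suspicious:", scan(SUSPICIOUS_TRACE))
    print("benign:", scan(BENIGN_TRACE))
```

The chain is deliberately order-sensitive and tolerant of interleaved noise: a loader that allocates and writes but never touches the thread context (a debugger, some installers) does not fire. ReadProcessMemory is left out of the chain because it is optional for hollowing and common in benign tooling. In practice the hit should be joined with the process context the report records (a .NET parent spawning and writing into a suspended child) before it is treated as a verdict.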
                    APIs
                    • GetModuleHandleW.KERNELBASE(00000000), ref: 0282B826
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2110646965.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2820000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: HandleModule
                    • String ID:
                    • API String ID: 4139908857-0
                    • Opcode ID: 0880f50717b79380a0dc90199f262cbb0b91679e1e29b6b0ac720323be05ae5b
                    • Instruction ID: 0cff407a1c8d26dc1bb63c1946e46cceb144f4a34c8b389311af0a9e4c0df314
                    • Opcode Fuzzy Hash: 0880f50717b79380a0dc90199f262cbb0b91679e1e29b6b0ac720323be05ae5b
                    • Instruction Fuzzy Hash: 68110FB9C002598FCB10DF9AD444B9EFBF4EF88314F10846AD518A7200C379A589CFA1
                    APIs
                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 00F19B05
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2110348369.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_f10000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: MessagePost
                    • String ID:
                    • API String ID: 410705778-0
                    • Opcode ID: 7f3902c79d16fabf638f8549b11e2cd0c4cba6759be51f3cc6880edc12f0d627
                    • Instruction ID: aa953861600d87edeeda9bf23ee1d5a8cd90d3441172bb294922f72916b549e0
                    • Opcode Fuzzy Hash: 7f3902c79d16fabf638f8549b11e2cd0c4cba6759be51f3cc6880edc12f0d627
                    • Instruction Fuzzy Hash: F711F5B59043489FCB10DF9AD884BDEFBF8EB48314F108459E518A7600C3B9A984CFE5
                    APIs
                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 00F19B05
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2110348369.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_f10000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: MessagePost
                    • String ID:
                    • API String ID: 410705778-0
                    • Opcode ID: d2b78a1b8771f0452e0dc7c678a74f672b52161977e76684b78e4a511a2fda8d
                    • Instruction ID: 35e07a263e5966b174d822ed5c6013402e8474551d50a0cdeba69a033a406e65
                    • Opcode Fuzzy Hash: d2b78a1b8771f0452e0dc7c678a74f672b52161977e76684b78e4a511a2fda8d
                    • Instruction Fuzzy Hash: E71106B58043499FCB10CF99D885BDEFBF4FB48314F148459E558A7600C3B96944CFA1
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID: (aq
                    • API String ID: 0-600464949
                    • Opcode ID: 711c1bf4928d5261c8c82bf22c2820163219eb0f4d9a9bfe6f278229d8220128
                    • Instruction ID: 485c63917fd786cab466f22b4e13fe586323b48c844241f7b40577c9653e4ff7
                    • Opcode Fuzzy Hash: 711c1bf4928d5261c8c82bf22c2820163219eb0f4d9a9bfe6f278229d8220128
                    • Instruction Fuzzy Hash: 3151CE71A042888FCB18DFB988547AFBFFAEF85710F14846ED849E7641DB349806CB61
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID: Haq
                    • API String ID: 0-725504367
                    • Opcode ID: 26be5b785cb6260ec1f18750c82df8ac3595e635bab57a28d9905d30987e282b
                    • Instruction ID: 8b6e5a1ba337459c6b1a0b642878702786c2583bcd7a6e9f52cd167bc829faa0
                    • Opcode Fuzzy Hash: 26be5b785cb6260ec1f18750c82df8ac3595e635bab57a28d9905d30987e282b
                    • Instruction Fuzzy Hash: 88412635A0010A9FCB04EFA8D9559AEBBF6FF88300F044469F605AB355DF349E06CBA5
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID: Haq
                    • API String ID: 0-725504367
                    • Opcode ID: 8f7406c27d02e18a3a66af2eedf9d6f13e39bbefb0c81809ccc4f50922cd594b
                    • Instruction ID: 9b51774baa4135e988adb123a1235f450afe8c0be770542d814a7b50ff72ac9c
                    • Opcode Fuzzy Hash: 8f7406c27d02e18a3a66af2eedf9d6f13e39bbefb0c81809ccc4f50922cd594b
                    • Instruction Fuzzy Hash: 53411635B006159FC714DFA8D8849AFBBB2FF89314B14456AD616C7391CF319C42CB85
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID: Haq
                    • API String ID: 0-725504367
                    • Opcode ID: ff8778e125bec62832e69b19d64faf44a9b94872f0b5e1c96b879a7b2d3237bc
                    • Instruction ID: e1f436e13faef09be4c3110806dc125426e99238954c59d85ad9a795ebd45451
                    • Opcode Fuzzy Hash: ff8778e125bec62832e69b19d64faf44a9b94872f0b5e1c96b879a7b2d3237bc
                    • Instruction Fuzzy Hash: 0931E474E002089FD708EFA9D81467EBBBAEF81300F1085AAE94997392CF349D05CB94
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f6ae44b5754e730adccceda14946be777e6ff6e15d14f574d6eba194ee3057c2
                    • Instruction ID: 3dc845cebd4a02c172fdf75d79e63417397560b7bc15dd46410158753719f827
                    • Opcode Fuzzy Hash: f6ae44b5754e730adccceda14946be777e6ff6e15d14f574d6eba194ee3057c2
                    • Instruction Fuzzy Hash: 7662BCF0E41B458BDB749F748EC83AEBAA1AB45304F104D6FC0BECA654DF3594818B99
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b0bb568131cc5465a6001f672a046d57576d827265e4ef155e77416e0b41ab87
                    • Instruction ID: 0ed26d3a6f6f21264633cb6ed877632af529652eda24ea48c6833d692695a898
                    • Opcode Fuzzy Hash: b0bb568131cc5465a6001f672a046d57576d827265e4ef155e77416e0b41ab87
                    • Instruction Fuzzy Hash: AB52263594055ACFCB12DF20D998AEABBB6EF06700F1545E5E8496B266CF306E87CF40
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 83bf02891a120e177b02882caefa59bcec5d43cad324d769bce4b7f330272739
                    • Instruction ID: 7ba365e44e7e4ecb1cc9994afb6bc8c0565fcd0cdcd2ba1b9338b8ba41f6a1a0
                    • Opcode Fuzzy Hash: 83bf02891a120e177b02882caefa59bcec5d43cad324d769bce4b7f330272739
                    • Instruction Fuzzy Hash: FC2275F0D05F428AD7745F649EC439EB690AB06350F204DAFC1FECA259DF3690869B89
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: bdbe853bdb2cf0e8cb7836518f791ed4b92284309af751c2cfb1393fd1483e9b
                    • Instruction ID: 5b9237fa424e7ab35f8fada77a14bc1eaa24245a57c4315d16cb4b505632ddca
                    • Opcode Fuzzy Hash: bdbe853bdb2cf0e8cb7836518f791ed4b92284309af751c2cfb1393fd1483e9b
                    • Instruction Fuzzy Hash: D971CA79700A008FCB18DF29C988959BBF2BF8971471589A9E54ACB772DB32ED41CF50
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c7d2f91ec5a1cc981c19d079cd82decd6130237b4f69eaf77b2f68765a5be0ca
                    • Instruction ID: 86969b5e833dc69d717aec772332f47da364b526e817191154895447b1c39439
                    • Opcode Fuzzy Hash: c7d2f91ec5a1cc981c19d079cd82decd6130237b4f69eaf77b2f68765a5be0ca
                    • Instruction Fuzzy Hash: 3D718F78A01208EFCB15DF59D884DAEBBB6BF48714B1544A8F901AB361DB31EC81CF54
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a17ba503a221cb07486672d8d025b0e604065a3de3b47a70ea334c5a88a1c261
                    • Instruction ID: 7a365ba4b4646912914402016c55abb682618c7413170410846e899f3430d519
                    • Opcode Fuzzy Hash: a17ba503a221cb07486672d8d025b0e604065a3de3b47a70ea334c5a88a1c261
                    • Instruction Fuzzy Hash: 5F71DC75600A008FC718DF29C988A69BBF2FF89314B1589A9E54ACB772DB31ED41CF50
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b1f54895d0d6e9daae65e5d6f891314a592f1add7b094939b32df08dc0effca9
                    • Instruction ID: b7d66431f7b4042e27c8cd9f1907d14c2d2c30242a0524bcabdbdb78e1e5da27
                    • Opcode Fuzzy Hash: b1f54895d0d6e9daae65e5d6f891314a592f1add7b094939b32df08dc0effca9
                    • Instruction Fuzzy Hash: 4B51D531A00219DFCB15EBA8C9947BEBBF6EF84300F14856AE406E7351DF74998ACB45
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8c9d80614094d2ea163ce9ae098cd84f74a40c64df34a4051ad7994c58a3f348
                    • Instruction ID: bd50bc03aafb7e84cc266bf41d7f26f4769c892a9c1ff1559f3f785d8e612411
                    • Opcode Fuzzy Hash: 8c9d80614094d2ea163ce9ae098cd84f74a40c64df34a4051ad7994c58a3f348
                    • Instruction Fuzzy Hash: 75416935E0061A8BCB15DFA9E8946ADBBF5FB8C314F044129E809E7354DF709806CF98
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: cf01e24a506abbce8c3798c51a9d2f5d927b34c7afd22359d4932b9fadf655d8
                    • Instruction ID: 439db0525da36aa4600e286d7b8dbab5912e01fe8ff4ec8269dff5a8293b88f9
                    • Opcode Fuzzy Hash: cf01e24a506abbce8c3798c51a9d2f5d927b34c7afd22359d4932b9fadf655d8
                    • Instruction Fuzzy Hash: 2B410934A002288FDB44DBA8C988BDEB7B2BF48304F114069D505EB3A1DB78E845DFA5
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d8b29ddc36798e541128ce596b41352af6a74a2d8f8cf4c7634fe8e5ec2dd1cb
                    • Instruction ID: ed71d9e123c111bf7c5d0d5ce5cad69b9d9110eebee6611b94985b06ef2cbaf3
                    • Opcode Fuzzy Hash: d8b29ddc36798e541128ce596b41352af6a74a2d8f8cf4c7634fe8e5ec2dd1cb
                    • Instruction Fuzzy Hash: EF41C034A00309DFCB18EBA8C984ABEBBB2EF84301F54892DD44697355DF74998ACB45
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d8d882613a75af01256632274b5cedb4612b5df1fe433b61c219d3b09d2d94b8
                    • Instruction ID: afaf8fbb88e2ab7a121ab0e75120e7da89238ec86bdb84c726fb2d9822b1d904
                    • Opcode Fuzzy Hash: d8d882613a75af01256632274b5cedb4612b5df1fe433b61c219d3b09d2d94b8
                    • Instruction Fuzzy Hash: BE41F535D043508BDB01EF7CDC942657B71FF88214F0989BAD849AB386EF349454CB60
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d9f192124a057a5019d82f355b943981dc52c6e7a5678f41a9cc67084b799e71
                    • Instruction ID: 7a0bab5414e4d17754452acdf3ce312b70b6e34b1d668c2d67942269b402a4e5
                    • Opcode Fuzzy Hash: d9f192124a057a5019d82f355b943981dc52c6e7a5678f41a9cc67084b799e71
                    • Instruction Fuzzy Hash: 42318671F501559BCF04ABB98D14ABFBFFA9FC9301B50842A9956D3250EF3089058B94
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 217ce279f0cda97e315a9109e9b412b849ae610650ca3b48e76cab714a149524
                    • Instruction ID: 93f675aec4dc5265bec55f2b2cadcdebe2f3e9a449f635898c42d61e2b36d696
                    • Opcode Fuzzy Hash: 217ce279f0cda97e315a9109e9b412b849ae610650ca3b48e76cab714a149524
                    • Instruction Fuzzy Hash: 5941E1B1D00309DFDB20DFA9C984ADDBBB1FF48304F64812AD419AB250DB756A4ACF91
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a6832a37e67731206528193457c6906766c701f67c57da7e6bdb2cacabdcf727
                    • Instruction ID: db3e880a7a9c269451c6dd986e743b3855417e3bf0d076cdb9e35705ecf204da
                    • Opcode Fuzzy Hash: a6832a37e67731206528193457c6906766c701f67c57da7e6bdb2cacabdcf727
                    • Instruction Fuzzy Hash: 0641E4B1D00309DFDB20DF99C984ADDBBB5FF48304F64802AD409AB254DB75694ACF95
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f9983e38934daa3b6e57413dcfa27a51264579010daef38e1a29f01938726df3
                    • Instruction ID: 06cc1f4b90a5a99b4717361b219378dcd1404551f8464bbfcff9b123dc62db49
                    • Opcode Fuzzy Hash: f9983e38934daa3b6e57413dcfa27a51264579010daef38e1a29f01938726df3
                    • Instruction Fuzzy Hash: A5411C75A0024A9FCB40DF68D98499DFBB5FF49314B14C699E818AB315E730E985CF90
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 16283908a0e411290122f992d585b638faa2d09088a67093ed87e62be67f981e
                    • Instruction ID: a5c031982f82beb11844f8520cb68a18387b28b35c12ab2c4a7f86b8c7f98aa5
                    • Opcode Fuzzy Hash: 16283908a0e411290122f992d585b638faa2d09088a67093ed87e62be67f981e
                    • Instruction Fuzzy Hash: 35411775A0020ADFCB40DF68D88499EFBB5FF89310B14C659E818AB325E730E985CF90
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d6c0aee8f2dcfd851479dec791ce66fc59f9d107683d62ef792714310be948a9
                    • Instruction ID: 1873c387f0742ef5d679642b84662c6ebe640a431c5c84bbe716af3d7f4b495c
                    • Opcode Fuzzy Hash: d6c0aee8f2dcfd851479dec791ce66fc59f9d107683d62ef792714310be948a9
                    • Instruction Fuzzy Hash: EC41CFB0D00358DFDB14CF9AC884ADEFBB5BF48314F20812AE418AB254DB756845CF94
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 14b83ea2039bad7c429146f315a78b90b1496c7e0c952f07b0daf073a4cf4ff4
                    • Instruction ID: 9bbce967690926887994b27b6325cbdc55301b51448eff759e43c16a860713f8
                    • Opcode Fuzzy Hash: 14b83ea2039bad7c429146f315a78b90b1496c7e0c952f07b0daf073a4cf4ff4
                    • Instruction Fuzzy Hash: 7A316E39E006118BEB05EF69DC84655B7A6FF88314F088A79E809AB345EF70A494CB64
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 37be3e3f30ebcadea7216e472ade4b872193cec8e87cb2ccb229e54dad868d6f
                    • Instruction ID: 7a234d0695800722cc43f6c0094bbcf228a24a8d0a5fecff94bf309b4a9e6a23
                    • Opcode Fuzzy Hash: 37be3e3f30ebcadea7216e472ade4b872193cec8e87cb2ccb229e54dad868d6f
                    • Instruction Fuzzy Hash: 0F2126356002048FCB11EB78C8948ABBBF6FF85300B05C8AAE545DB751EF71E80ACB91
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2109083648.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_afd000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 484482a787d46f1d9cada3d909112e22a84e3bf39d0ba46897e10f7c444d3344
                    • Instruction ID: 07430492ab13002f14761e7412ce18f1ff14117433986129bdb1795464ad2185
                    • Opcode Fuzzy Hash: 484482a787d46f1d9cada3d909112e22a84e3bf39d0ba46897e10f7c444d3344
                    • Instruction Fuzzy Hash: F7212871500208DFDB06DF54D9C0F26BF66FB98315F20C569EA090B256C33AE856D7A2
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 95bb3a5edb8042f3f2136d9c94fefac24b774dc3e8c52171df908fd772f671b2
                    • Instruction ID: 4e8e93378e7ac43f8d52a85ef9573677eb4a6621d450e5f054bfce4cd7b4606c
                    • Opcode Fuzzy Hash: 95bb3a5edb8042f3f2136d9c94fefac24b774dc3e8c52171df908fd772f671b2
                    • Instruction Fuzzy Hash: B3212671D512099FCB04EFB8D880AEEBBB2FF49304F109629E514B7250EB306A49CF64
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b41bb9510231cd1c1c301b2ff51bded78f08dbd69e4d941fa9231c1f99e9484e
                    • Instruction ID: c11deca6678afe8fbc000d8165620fb589982e921ced26a90d2038d3e1c63ce1
                    • Opcode Fuzzy Hash: b41bb9510231cd1c1c301b2ff51bded78f08dbd69e4d941fa9231c1f99e9484e
                    • Instruction Fuzzy Hash: 2021F371D512099FCB04EFB8D8909EEBBB2FF89304F109929E515B7250EB306A49CF64
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 07322b3586f0dfa3d505785377d2f92e37546d9cdd681874cde93e7ad8c75d39
                    • Instruction ID: 5b51d7929fc83c6c24c3c3427da9714c8c5a0f9a4daf56caf67eb076fbdec293
                    • Opcode Fuzzy Hash: 07322b3586f0dfa3d505785377d2f92e37546d9cdd681874cde93e7ad8c75d39
                    • Instruction Fuzzy Hash: 86215B36D007418BD711DF79DC401A6FB32EFD6214F15C67AD849A7201EB71A45BCB90
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d583e4d2cb6a2164363e96ce8654abb7fac8fc0c1b9fccefe606792695906a55
                    • Instruction ID: af8bf490835bcb3a932052a3b2b671cdbf3db0542681f923908a1425f2b36880
                    • Opcode Fuzzy Hash: d583e4d2cb6a2164363e96ce8654abb7fac8fc0c1b9fccefe606792695906a55
                    • Instruction Fuzzy Hash: B8214DB57006149FCB24DF19D9C4A6BB7AAEF88725F10882EEA0787751CF71E841CB64
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2109216286.0000000000B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0D000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_b0d000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a585199f1eb0f0521e983aabc6429edef56399b1bb0a5c9193fc5803958ab365
                    • Instruction ID: 309e16eec22965918ca53503f6cba4e50dc238b0bed117d51dfa923b30036867
                    • Opcode Fuzzy Hash: a585199f1eb0f0521e983aabc6429edef56399b1bb0a5c9193fc5803958ab365
                    • Instruction Fuzzy Hash: 5D21C271604204EFDB05DFA4D9C0B26BFA5FB88314F24C5ADE9494B2D6C33AD856CA61
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2109216286.0000000000B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0D000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_b0d000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8686021a57d32f4a25ac9c7353730787b70640f1a57970397d789f6888ffc2c5
                    • Instruction ID: 482b8193c0b8e1f2858db921619f446221ef8d6f74f24a559ba0e76b60d0b2f0
                    • Opcode Fuzzy Hash: 8686021a57d32f4a25ac9c7353730787b70640f1a57970397d789f6888ffc2c5
                    • Instruction Fuzzy Hash: 7F21D071604204DFDB14DF64D9D4B26BFA5FB88314F20C5A9D94E4B2D6D33AD806CA62
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 966b1ffdf0fad72a7b546f15af5f89d6b2ea9f42f24f052f8b24d55e422fa393
                    • Instruction ID: 3d1eafd8e116c5c85f0dcbce1d893a309d0457f2a6ecb33c248b2d2a3ba8456b
                    • Opcode Fuzzy Hash: 966b1ffdf0fad72a7b546f15af5f89d6b2ea9f42f24f052f8b24d55e422fa393
                    • Instruction Fuzzy Hash: 0021A231B04605AFDB14DB78CC446AE77B6EF84311F008A6AD946972A5EF34D989CB80
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 63e4faab546ed7d5d9ad3a6ae612c3911712417a2664feffab9cf61ec33b2ce1
                    • Instruction ID: f0389fc5d2fcf6a7197a91ebdd57e013749a8f05d7492ce1bcf8d1ac3060f5d5
                    • Opcode Fuzzy Hash: 63e4faab546ed7d5d9ad3a6ae612c3911712417a2664feffab9cf61ec33b2ce1
                    • Instruction Fuzzy Hash: F2218CB97006109FCB24DF19C9C4B6AB7B6EF89714F00482DE90687750DB71E841CB64
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 459e21a9e43715cfe0035f78fddfa16f5f7e54ea75987adb550701020cc03bd9
                    • Instruction ID: b9e980ec3f401c6157613612c9376058a27437d58972f3b373770e18dfc4a426
                    • Opcode Fuzzy Hash: 459e21a9e43715cfe0035f78fddfa16f5f7e54ea75987adb550701020cc03bd9
                    • Instruction Fuzzy Hash: A42156B0C46209DFCB05DFB8D9417AEBBF0AB05305F1481AAD414E3262EB784A48CB95
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b62f72f0a498fe608a5614b19ec7897e528f4efd2c598a80a31444eb996aceef
                    • Instruction ID: ddcf8ffd01f934764f23a241750733d0d7c70fb155b906a7d3de2ef1e8a50b36
                    • Opcode Fuzzy Hash: b62f72f0a498fe608a5614b19ec7897e528f4efd2c598a80a31444eb996aceef
                    • Instruction Fuzzy Hash: 4C21C0356002058FCB11EB68C9949ABBBF6EFC4310B0489AAE556DB351DF70EC0A8B91
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2109216286.0000000000B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0D000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_b0d000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4bb8aeb605a391f26e439954aec2c3b1cba5b28b04ec25ab15d200bf674e6595
                    • Instruction ID: 52d3f4bb649e1a86de0075c2815c593dc2322a6caf850028a8294fa617e695b3
                    • Opcode Fuzzy Hash: 4bb8aeb605a391f26e439954aec2c3b1cba5b28b04ec25ab15d200bf674e6595
                    • Instruction Fuzzy Hash: 0F2192755083809FCB02CF54D994B11BFB1FB46314F28C5DAD8498F2A7D33A980ACB62
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 29393acec4dc0c3bc5b85535a2ffa8b7483c605e882c899bc254c67cdd685061
                    • Instruction ID: 72d0e2a59895ded61a22edf0e73ba0ff6ee24c5f11d5a2fcfe2c876b7c33f6d2
                    • Opcode Fuzzy Hash: 29393acec4dc0c3bc5b85535a2ffa8b7483c605e882c899bc254c67cdd685061
                    • Instruction Fuzzy Hash: FD11D330B04205AFDB14DB78CC445AFB7B6EF84301F00CA2AD906972A5EF30E949CB91
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2109083648.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_afd000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                    • Instruction ID: 8f76cfaec6b85c7fda3b79b5513c4549dcb333564aec678755d07a6610038d0f
                    • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                    • Instruction Fuzzy Hash: FB112672404244CFCB02CF40D5C4B26BF72FB94324F24C6A9E9090B656C33AE85ACBA2
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5eef7b729d0f2730cc6aaba12624470a50cc8f81cf4ace7090e12e4d9b4dd247
                    • Instruction ID: 8ca117b706e82a6a2057367090391b93cf6adb74dece26f78c39dc95c5352a7c
                    • Opcode Fuzzy Hash: 5eef7b729d0f2730cc6aaba12624470a50cc8f81cf4ace7090e12e4d9b4dd247
                    • Instruction Fuzzy Hash: 9F214A70D02218EFCB18EFA0EA946DDBBB2FF44705F208599E48172294CF319966CF58
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: decbf32e9b908d190f3bfc46a001d27b5919c72210bf9f60d6b38aeec7a15f91
                    • Instruction ID: 60146614df5a3b2c0893ee451a81143cc0c7c6487926dab41e67ea3772537289
                    • Opcode Fuzzy Hash: decbf32e9b908d190f3bfc46a001d27b5919c72210bf9f60d6b38aeec7a15f91
                    • Instruction Fuzzy Hash: 29118F31A002099FDB14EFA5D9147AEB7F6EF88304F104868E109A7684CF759D05CB95
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2109216286.0000000000B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0D000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_b0d000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                    • Instruction ID: 5106b3fc520553736751aa052618735168d6387efff3526e5fa0125fd7b23c5c
                    • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                    • Instruction Fuzzy Hash: 4C11BB75504280DFCB02CF54C5C4B15BFA1FB84314F24C6A9D8494B696C33AD80ACB62
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d30070f9b745ad3f7f29f29af1e6bbdcba741ea97a7abd8d3e3f0974b9772176
                    • Instruction ID: 5e197f26b116472cd21eb267131b3e5f45dcd13e5eb2c105bae29624f32b84b0
                    • Opcode Fuzzy Hash: d30070f9b745ad3f7f29f29af1e6bbdcba741ea97a7abd8d3e3f0974b9772176
                    • Instruction Fuzzy Hash: 821146B1D006088FCB10DF9AC844A9EFBF5EF48310F10802AE819B3310D778A944CFA5
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0b726d99b2b51ae7ff7d28d5e1416972129dbeb70ede8d5d6041f967649fff6d
                    • Instruction ID: dcba52cbac4400af89a28e3516060ef63b0ff8b4a959c66aaf005f6acb5073df
                    • Opcode Fuzzy Hash: 0b726d99b2b51ae7ff7d28d5e1416972129dbeb70ede8d5d6041f967649fff6d
                    • Instruction Fuzzy Hash: A01132B5D006488FCB10DF9AC844A9EFBF5EF48320F14842AD819A3310C778A545CFA1
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: fc651d19d07ee511e470f30e06d514c4d38bce046984f88df02d665fbea4a6a3
                    • Instruction ID: 60cd8a95aac39c3948b6f78262e3315dfad0e6555a93ea5c31c93ea35ee508cd
                    • Opcode Fuzzy Hash: fc651d19d07ee511e470f30e06d514c4d38bce046984f88df02d665fbea4a6a3
                    • Instruction Fuzzy Hash: A111E131A002059FD715AFB5C9697AFBBF2DF88304F004868E14AAB295CF744D06CF99
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ed784e460a4db7df4cf601b8dad8e5c48ae562310412b60a8e8bfadef9937724
                    • Instruction ID: c5fa692c2203e5a09bdd30bd4a084616aa82259193d9aa334217a730bde5f5a2
                    • Opcode Fuzzy Hash: ed784e460a4db7df4cf601b8dad8e5c48ae562310412b60a8e8bfadef9937724
                    • Instruction Fuzzy Hash: C51133B59007488FCB20DF9AC944BDEFBF8EB48320F20845AE518A7300D778A944CFA5
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3e4c1ca4d58a058149ca71a78ab917c9fcab73e20a9f93b24a17434f8efd066c
                    • Instruction ID: daeb4b42f9080166fa3d81740cbadeef32d2d8e875c0548941be3c92f1f361de
                    • Opcode Fuzzy Hash: 3e4c1ca4d58a058149ca71a78ab917c9fcab73e20a9f93b24a17434f8efd066c
                    • Instruction Fuzzy Hash: 8E1125B59002488FDB20DFAAD584BDEFFF4EB49314F24845AD558A3300C779A944CFA4
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 97670ee9abccfcce2d26eeb740820de5fef61f4c303f23632d0e288290d03cf2
                    • Instruction ID: 87e1c57e9bdab4432e18fa9700629c63756345417c6e9f6d89218faecc6cf37f
                    • Opcode Fuzzy Hash: 97670ee9abccfcce2d26eeb740820de5fef61f4c303f23632d0e288290d03cf2
                    • Instruction Fuzzy Hash: E0016272D10219DBDB05CFA4E8045EEBBB6EF4A335F04846AE94077210DB716555CB94
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5b93df0ed280800f6b6963c69744ad7e5bcdfc0c88dfe6078af0f196658d0bc5
                    • Instruction ID: 138b9162a23cb8319d3966d27255f4c1bd178c0ad209f67554c4a825e763deab
                    • Opcode Fuzzy Hash: 5b93df0ed280800f6b6963c69744ad7e5bcdfc0c88dfe6078af0f196658d0bc5
                    • Instruction Fuzzy Hash: 9A01D175F402155FCB16B7B859914FE7FB7AF89310B040468D905A7341CE2109069BD9
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 79deb697201f41f390abcdee8d0529165eaf054a2f14cd1af989e0a14a078474
                    • Instruction ID: bd22c745e60b0aa5c377d9823c0418b6133c4eeec120729346ea926229b52b8e
                    • Opcode Fuzzy Hash: 79deb697201f41f390abcdee8d0529165eaf054a2f14cd1af989e0a14a078474
                    • Instruction Fuzzy Hash: B8F0A431B083546FCB09D7B99C18AAF7FEE8F86610B0480BBD84DC7242EE709C4247A5
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2109083648.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_afd000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c9144672be32f908c89c305a787dbbc0166750620273106c7e1c17a20650467b
                    • Instruction ID: abb759468b185e015af383adcc46adbfef1531ab6dd42a52b1629bb5774a00a9
                    • Opcode Fuzzy Hash: c9144672be32f908c89c305a787dbbc0166750620273106c7e1c17a20650467b
                    • Instruction Fuzzy Hash: B901DB711043489EE721AB99CD84B77FFADEF55320F28C52AFE494E29AC3799840C671
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c2f13be0d3891ddaaddc00533e735d9ce20c41bb778aab80ff729216e148178f
                    • Instruction ID: 72dfd4aac91b798855ee5e143baccff87494f97a30d057c0b85bf1ef95e90c48
                    • Opcode Fuzzy Hash: c2f13be0d3891ddaaddc00533e735d9ce20c41bb778aab80ff729216e148178f
                    • Instruction Fuzzy Hash: 7F11B0B0E41208DFCB44EFA8CA94AAEBBB1FF49305F1045A9D419A7360DB319E41CF65
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c51eb6a60420cd6ae141509613dec1a2c07edc5834c18e05d5724c51b2b94275
                    • Instruction ID: be6dea9c70281319874544430521f841c8fad9cafc8a8f8ececf15af7612bcab
                    • Opcode Fuzzy Hash: c51eb6a60420cd6ae141509613dec1a2c07edc5834c18e05d5724c51b2b94275
                    • Instruction Fuzzy Hash: C7010835900209DFCB40EFB8C58589DBFF0FF49200B1481AAE848EB321E770EA44CB91
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4608887d8eacc4fc561a3e270d2a186695a7150929fdefc2ade98c6f8c66e091
                    • Instruction ID: 5791a6f66fda2360b41a822a16b53dff687d1351d5057fc01fd9c7293e66b6df
                    • Opcode Fuzzy Hash: 4608887d8eacc4fc561a3e270d2a186695a7150929fdefc2ade98c6f8c66e091
                    • Instruction Fuzzy Hash: BA1102B0E41208DFCB44EFB8CA94AAEBBB1BF49305F1045A9D419E7360DB309A41CF65
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6fff05f818b47ac5e0da92b3cc4ea753defe664bd474326b5b420691ba616690
                    • Instruction ID: 12f5212b10010ce309775c0af138ad4a584213428be8d385dd262e8bda0ff004
                    • Opcode Fuzzy Hash: 6fff05f818b47ac5e0da92b3cc4ea753defe664bd474326b5b420691ba616690
                    • Instruction Fuzzy Hash: 2001A7716002008FEB109F6AD8D4785B7A6FB84328F544278D9289F3D6DB7698098F90
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 585f544f1f7789ca3df38f97752cbec20f540407abf70afc72a48f60ee0be866
                    • Instruction ID: b6b26f46f1033e1225281d806d5f94748a2ab2f4a7d19acd752c41c035274d11
                    • Opcode Fuzzy Hash: 585f544f1f7789ca3df38f97752cbec20f540407abf70afc72a48f60ee0be866
                    • Instruction Fuzzy Hash: 7C016D31A00704CFD715BB7498405BEB7B6FFC1322F044A6ED949A7610EF319A428AD5
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a7aa1024c5983e80ef5747e0ba9d5c87d510ac95bb4bde0483ba36c743f66de4
                    • Instruction ID: 0ad2f7af576d9c2b573a05964cc35b875b46c1f5b29577ca5565f281e3096826
                    • Opcode Fuzzy Hash: a7aa1024c5983e80ef5747e0ba9d5c87d510ac95bb4bde0483ba36c743f66de4
                    • Instruction Fuzzy Hash: 5DF0C835200B108FC3159B2AE884A2AB7BAFF88322F10052EE406C7721DF31AC42CB91
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 17809d083af4f6e74ffb07535f220475ca49639e6343b0e6cbecbc25b396ea1d
                    • Instruction ID: aeee4f3be6bb8ca38f3574db7e859b6ce7fe01862ad5d8b5ea7a58cce854d02f
                    • Opcode Fuzzy Hash: 17809d083af4f6e74ffb07535f220475ca49639e6343b0e6cbecbc25b396ea1d
                    • Instruction Fuzzy Hash: 9EF0B475F402159B8F05B7A99D519BFBBBBEFC8710B500428EA05A7340DE314E119BED
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7f59dcc7c80e7ba4f6e06bd7d51e634ab498cf34b9530f3cfd14a5f45e510fd8
                    • Instruction ID: 589be44aaa93b703a5ec1be3a355094bcdde194ce03092b85d458c34f1997210
                    • Opcode Fuzzy Hash: 7f59dcc7c80e7ba4f6e06bd7d51e634ab498cf34b9530f3cfd14a5f45e510fd8
                    • Instruction Fuzzy Hash: AA014B70D41208DFCB45EFB8C8896ACBBB2FF05305F6049ADC416A7251DB328A46CF40
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 47c9c65fd4907aa9a609b377e10d560b87d048d315e1e1eb9ade8fc8eff1e00b
                    • Instruction ID: de1fc4cb0406b262326cc9670b3c2698b5ed5b7c214471a596b1726b714e60e1
                    • Opcode Fuzzy Hash: 47c9c65fd4907aa9a609b377e10d560b87d048d315e1e1eb9ade8fc8eff1e00b
                    • Instruction Fuzzy Hash: 97F09072D1051ADBCF05CFA8E8045DEBBB6EF8A331F004426E9007B250DB712949CB90
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c4bfdf3c5444cc9eee181fcdaa2e2dce7cf72f2006351ee529984da8e3f965dd
                    • Instruction ID: f170bc3066607620987f90a025ff539cc64886076e42331ed6de7f7d3399100d
                    • Opcode Fuzzy Hash: c4bfdf3c5444cc9eee181fcdaa2e2dce7cf72f2006351ee529984da8e3f965dd
                    • Instruction Fuzzy Hash: 880181753002008FEB109F6AD8D4795B7A6FF85328F1482B9D9289F3D6CB769809DF90
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0270d03494af29a543b137c2e3a5d05809702e5bc6d46854074d5bb7779ca9ca
                    • Instruction ID: 9e220956811ee606e7fd48903ba15412cf3c46e8063bbe1d47279b7521b422b1
                    • Opcode Fuzzy Hash: 0270d03494af29a543b137c2e3a5d05809702e5bc6d46854074d5bb7779ca9ca
                    • Instruction Fuzzy Hash: 07016978E40208EFCB00EFB4E9486ADBBB0FB45302F5085AAD805A3251DB34AE16CF44
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 44dcb55f375c53421efe0c26f68641200d4564ccc8f8c2bef17ec7aade20e6ef
                    • Instruction ID: 00b2390610a20c36e531f988c05117916120db6042f85da6051e35a4d8329be8
                    • Opcode Fuzzy Hash: 44dcb55f375c53421efe0c26f68641200d4564ccc8f8c2bef17ec7aade20e6ef
                    • Instruction Fuzzy Hash: 5CF06231A00704CFCB16BB7488005BEB7B6FFC1311F15466DD855A7650EF31A6428BD5
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a0c873923429e45d45b49080dad0b11b15d2073e46936249e67aa665574963c6
                    • Instruction ID: f67ae92f493d64100d11e424feb9ec3fa80318e8b6ab2c0410bd51e5e8482ef9
                    • Opcode Fuzzy Hash: a0c873923429e45d45b49080dad0b11b15d2073e46936249e67aa665574963c6
                    • Instruction Fuzzy Hash: D8F054327406154F8714AF6EF88486ABBADEFC8365310457AE10AC7265DF71DD0A8790
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b25984e44911f7ed37ee24f68388bf84e050b0b8b426d6010d55aeb57566077b
                    • Instruction ID: 9957fa4d036d9364c0c76e679ac0431afcd183d0a23853b04cc2e11a0c386bbd
                    • Opcode Fuzzy Hash: b25984e44911f7ed37ee24f68388bf84e050b0b8b426d6010d55aeb57566077b
                    • Instruction Fuzzy Hash: 47F027317082846FD704DBB98C116DB7FFE9E85650B00C0B5C804E7211ED309C038750
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3088280426a8dd6e9e2cedd9c9443e47753c668529f1132fb4a578aa8f762b44
                    • Instruction ID: 10f1e8728c21f3afc359d316805149ddb1532ff3e2f0e709ba223e55bf0c0d24
                    • Opcode Fuzzy Hash: 3088280426a8dd6e9e2cedd9c9443e47753c668529f1132fb4a578aa8f762b44
                    • Instruction Fuzzy Hash: 6201AF70D102099FCB01EFB8C840AEEBBB0FF41305F0086ABE494A7260EB709644CB41
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: bdef415802a7362f5287f3fdd9e55dd166543bf6a3440c8123601c24b092b872
                    • Instruction ID: 06d730a0a767b36c65476e4be07a0bb432d016fe1023fb675008591c56f49504
                    • Opcode Fuzzy Hash: bdef415802a7362f5287f3fdd9e55dd166543bf6a3440c8123601c24b092b872
                    • Instruction Fuzzy Hash: 7CF0E233B104106BC6214768CCC496E779BEBD66247188193E505C36A6EF32EC808685
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5fc8211d7d356c639df82e3713dedaf1e7f532334fe7eb9bb45bb13843b3a931
                    • Instruction ID: 14c23eb4347f745c1ccf13f1f65c49ee7c7971ffa785bbe2082886c2a3c0e229
                    • Opcode Fuzzy Hash: 5fc8211d7d356c639df82e3713dedaf1e7f532334fe7eb9bb45bb13843b3a931
                    • Instruction Fuzzy Hash: 40F04F70D1120D9FC704EFA8C8409EEB7B4FF41300F408A66E855A3251EF709644CB95
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2109083648.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_afd000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d615b2456174bd5627936352ce8d5d98498713eeee1ffd535be50448c36754d9
                    • Instruction ID: 3070152e9b51fcbfc2f1f4943773d0747d7f9e3d71497b959f4728277b15187e
                    • Opcode Fuzzy Hash: d615b2456174bd5627936352ce8d5d98498713eeee1ffd535be50448c36754d9
                    • Instruction Fuzzy Hash: 30F0C2710043489EE7218B0ACC84B62FFA8EF51724F18C45AFE480E28AC3799840CAB0
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d68716670c82193a625fc3f47030c6a1e2a14f85c8488ee7ad7547d9f05ea57b
                    • Instruction ID: cb82558a65bd342cfd056a1243d8d186335122db1b429a09de458f2788d03f80
                    • Opcode Fuzzy Hash: d68716670c82193a625fc3f47030c6a1e2a14f85c8488ee7ad7547d9f05ea57b
                    • Instruction Fuzzy Hash: B5011470D41208DFCB45EFB8C9846ADBBB1FF05305F9048A9C415A3650DB318A41CF44
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: dfa0f24e57a64cf86136966512fa27840d4bca646826bc4dc3c15c1aef783dee
                    • Instruction ID: 6e5be1d0df876ec255ddb71883a28ea615cab17bd839cd36c1641be457ca50f5
                    • Opcode Fuzzy Hash: dfa0f24e57a64cf86136966512fa27840d4bca646826bc4dc3c15c1aef783dee
                    • Instruction Fuzzy Hash: 44F0F978E00208EFCB04EFA4E9485ADBBB1EB46302F5085A9D905A3351DB30AE15CF45
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 027acd1e9d6174e48325f46cc12354735b1faf7d195b34a640511eae9570bf11
                    • Instruction ID: d59f72c641c867027dadeeb900c30a2c91a64a4b279de9d2b12a1e7ff1d005ee
                    • Opcode Fuzzy Hash: 027acd1e9d6174e48325f46cc12354735b1faf7d195b34a640511eae9570bf11
                    • Instruction Fuzzy Hash: 57F08931B406114FC7145B79F8D496A77ADEF983257114539E106C7261DF70DD09C750
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
                    • Instruction ID: 4243ceffdd30f352615e2fe6667d750750fc4abca0ae9b7f9b7c733986b7bd1f
                    • Opcode Fuzzy Hash: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
                    • Instruction Fuzzy Hash: 0601B675D00609DFCB40EFACC54589DBBF4FF49210B1185AAE859EB321E770AA44CF91
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e68d423b239ce9c8144b978cd89bc68dff57a2dee4e2d08730163dd7a7d69390
                    • Instruction ID: d270241ac62ece37c30f2a1d8b489b77b074a27f881e359b2fa0fda759bdca42
                    • Opcode Fuzzy Hash: e68d423b239ce9c8144b978cd89bc68dff57a2dee4e2d08730163dd7a7d69390
                    • Instruction Fuzzy Hash: 37F090B2C083848EDB21DBA9D8443DDFFF1AF56215F14C4AAC485A7161C679544ACB52
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 67efd18a9c468deec05f248e44871250e61c04dcad2b4eaf1997716a1bd6aef6
                    • Instruction ID: 34f4280b2fe0f83f8af0f4e7ca65d91e176b3cd82c30b9c49203d0594885b49c
                    • Opcode Fuzzy Hash: 67efd18a9c468deec05f248e44871250e61c04dcad2b4eaf1997716a1bd6aef6
                    • Instruction Fuzzy Hash: E7F0DF31240A10CFC718DB2CD988D597BEAFF49B1971645A9E10ACB772CB72EC44CB80
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e72fe4805d7002e1a592a510efb885e6b94036a80284f71a7f49ef9b59b77378
                    • Instruction ID: 11e207a91f346a98ab86913685261260ad8979297c6722233e1c81618571b959
                    • Opcode Fuzzy Hash: e72fe4805d7002e1a592a510efb885e6b94036a80284f71a7f49ef9b59b77378
                    • Instruction Fuzzy Hash: D9E0ED37A9092487C610DF5CFC814B5B3E9E745A693188866F50CCA651E762D862C784
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a3b878c295965476b158ce87f9f4a9b9064126e814d52203173bc55a22912097
                    • Instruction ID: 5c4de1b489c185f98255b185f6998bae66cf58bc31115525903829a7a648a0f2
                    • Opcode Fuzzy Hash: a3b878c295965476b158ce87f9f4a9b9064126e814d52203173bc55a22912097
                    • Instruction Fuzzy Hash: BCF0E535908249EFC701EFF0DA014DD7FB5EF0620071084E9E84487656CB762F06EB41
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 60c6538e820b9cdb82cece8415c8a6e05d38f4ba59d4b545c52772fa9d42de68
                    • Instruction ID: 4d483433546acef143b6b007043114f945be235b939da49dd49b65bbeb33d324
                    • Opcode Fuzzy Hash: 60c6538e820b9cdb82cece8415c8a6e05d38f4ba59d4b545c52772fa9d42de68
                    • Instruction Fuzzy Hash: 33E0487760021057C715966DE840E9BA7DAEFD5311F004A3BF115C7264EB645949C694
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0c828f080d136c35525ae5d6bf89073656996f5c9cf22d42fa0c24ea83da576c
                    • Instruction ID: 5febde46e88b7c2562679f977bdafc47841ac1d1fbb8d9dd821ff72198fb6e96
                    • Opcode Fuzzy Hash: 0c828f080d136c35525ae5d6bf89073656996f5c9cf22d42fa0c24ea83da576c
                    • Instruction Fuzzy Hash: 73E0DF7196021DDADF10AB81E9487ECBB74FB44B1BF208022D006B1940CB710A85CB94
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6ab1f150cd80c8893fbd18de19d7e4c5da60fda4308138fb5c7e703dabeb7851
                    • Instruction ID: 442509ba955fc21ee21c87ba5b12b50a4071d0c80ad4cb2e76d2c28ab953d107
                    • Opcode Fuzzy Hash: 6ab1f150cd80c8893fbd18de19d7e4c5da60fda4308138fb5c7e703dabeb7851
                    • Instruction Fuzzy Hash: 91E0267094E2889FC701DB74DC25A9ABB349F03309F0040E9E444631A2CB714E01CF59
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: badf06bfae3d4264a7cc7e5c75a7221e7b08c24bcc65d852759ca0d91f9d5156
                    • Instruction ID: 081443e96ec826f4d0e793fbb499d1d7b61b5b54eb3b97f2ae93d20a277b86bc
                    • Opcode Fuzzy Hash: badf06bfae3d4264a7cc7e5c75a7221e7b08c24bcc65d852759ca0d91f9d5156
                    • Instruction Fuzzy Hash: 02F0A576A41208CFCB14EFA4DA446ECB7F1EF49355F6004A9D506B3240CB325E56CB64
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ef817614e83da6d196d0d28250b26e7fb20e1f7096d1f448e3c974fba03eaf7b
                    • Instruction ID: 593451d8216cf767fd656b3bae3bb6fdd014fe00cb3fc716f1fa888585907f00
                    • Opcode Fuzzy Hash: ef817614e83da6d196d0d28250b26e7fb20e1f7096d1f448e3c974fba03eaf7b
                    • Instruction Fuzzy Hash: 83E08C70D41109DFCB08EFA8EA41AAEBBB4AF41304F5042B4D80423221DB305E44DB88
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 336d39bc3ed1860e300df6462f69dbbf5eb1f5b27532308b841c06bf28d0a854
                    • Instruction ID: 428def156a2ae1d0a4646b97badc8eb55950ead35fd87200d0280f24ddad5509
                    • Opcode Fuzzy Hash: 336d39bc3ed1860e300df6462f69dbbf5eb1f5b27532308b841c06bf28d0a854
                    • Instruction Fuzzy Hash: 9AE08631A0010DEFCB00EFE4EA0189DBBF9EF45300B1085A8E80597354DB366F01EB51
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d9d67f656c19eb1968dc9b554c544f87555a226e5a71282c2c65558eba814b10
                    • Instruction ID: f356069caabf871ef3418ffadb5d59049105fce20d445e961278adf39b396ade
                    • Opcode Fuzzy Hash: d9d67f656c19eb1968dc9b554c544f87555a226e5a71282c2c65558eba814b10
                    • Instruction Fuzzy Hash: 01D02E2E74010587A7152FB268AA2B63F66AF8012A30980A8A806CA084EF25C84A9702
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 812d393d9016e4527176c7763fa77d1f177504754631e91ba3e754b70335dbcc
                    • Instruction ID: a65b9e3a6f39df86bb1927114a8524d83a3679d8fb99e709874e33593e960b14
                    • Opcode Fuzzy Hash: 812d393d9016e4527176c7763fa77d1f177504754631e91ba3e754b70335dbcc
                    • Instruction Fuzzy Hash: BFB012BF84040A0DEB110560CC073987202DB90305FCC4D745410C078BC46CA1141101
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q
                    • API String ID: 0-2711123852
                    • Opcode ID: 45c5430112ba058b7f17613995c83398ed1dd9f9900a391f14298124a51fa44f
                    • Instruction ID: 807d0d0f2cd8b86583433127fad849c1a49386284426017a11737f37315b152b
                    • Opcode Fuzzy Hash: 45c5430112ba058b7f17613995c83398ed1dd9f9900a391f14298124a51fa44f
                    • Instruction Fuzzy Hash: D0126434E4022A8FCB18EF78ED90A9D77B6FF44700F104969D049AB265EF746945CF52
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2111592980.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_2a70000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q
                    • API String ID: 0-2711123852
                    • Opcode ID: 87175d52c65737f85e573c96b052ab9e4170882786558f7d62063422f9e59295
                    • Instruction ID: 5b8dc26baaed3665eccc6b1a89549d8858c1f5954afe4248215b927599ead338
                    • Opcode Fuzzy Hash: 87175d52c65737f85e573c96b052ab9e4170882786558f7d62063422f9e59295
                    • Instruction Fuzzy Hash: 11126334E4022A8FCB18EF78E950A9D77BAFF44700F104969D049AB265EF746945CF92

                    Execution Graph

                    Execution Coverage: 1.8%
                    Dynamic/Decrypted Code Coverage: 0%
                    Signature Coverage: 3.6%
                    Total number of Nodes: 643
                    Total number of Limit Nodes: 17
                    execution_graph 45800 404e06 WaitForSingleObject 45801 404e20 SetEvent FindCloseChangeNotification 45800->45801 45802 404e37 closesocket 45800->45802 45803 404eb8 45801->45803 45804 404e44 45802->45804 45805 404e5a 45804->45805 45813 4050c4 83 API calls 45804->45813 45807 404e6c WaitForSingleObject 45805->45807 45808 404eae SetEvent CloseHandle 45805->45808 45814 41c4c6 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 45807->45814 45808->45803 45810 404e7b SetEvent WaitForSingleObject 45815 41c4c6 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 45810->45815 45812 404e93 SetEvent CloseHandle CloseHandle 45812->45808 45813->45805 45814->45810 45815->45812 45816 4457a9 GetLastError 45817 4457c2 45816->45817 45820 4457c8 45816->45820 45842 445ceb 11 API calls 2 library calls 45817->45842 45822 44581f SetLastError 45820->45822 45835 443005 45820->45835 45824 445828 45822->45824 45823 4457e2 45843 443c92 20 API calls __dosmaperr 45823->45843 45827 4457f7 45827->45823 45828 4457fe 45827->45828 45845 445597 20 API calls __dosmaperr 45828->45845 45829 4457e8 45831 445816 SetLastError 45829->45831 45831->45824 45832 445809 45846 443c92 20 API calls __dosmaperr 45832->45846 45834 44580f 45834->45822 45834->45831 45840 443012 __Getctype 45835->45840 45836 443052 45848 43ad91 20 API calls __dosmaperr 45836->45848 45837 44303d RtlAllocateHeap 45838 443050 45837->45838 45837->45840 45838->45823 45844 445d41 11 API calls 2 library calls 45838->45844 45840->45836 45840->45837 45847 440480 7 API calls 2 library calls 45840->45847 45842->45820 45843->45829 45844->45827 45845->45832 45846->45834 45847->45840 45848->45838 45849 40163e 45850 401646 45849->45850 45851 401649 45849->45851 45852 401688 45851->45852 45855 401676 45851->45855 45857 43229f 45852->45857 45854 40167c 45856 43229f new 22 API calls 45855->45856 45856->45854 45861 4322a4 45857->45861 45859 4322d0 45859->45854 45861->45859 45864 439adb 45861->45864 45871 440480 7 
API calls 2 library calls 45861->45871 45872 4329bd RaiseException Concurrency::cancel_current_task __CxxThrowException@8 45861->45872 45873 43301b RaiseException Concurrency::cancel_current_task __CxxThrowException@8 45861->45873 45870 443649 __Getctype 45864->45870 45865 443687 45875 43ad91 20 API calls __dosmaperr 45865->45875 45866 443672 RtlAllocateHeap 45868 443685 45866->45868 45866->45870 45868->45861 45870->45865 45870->45866 45874 440480 7 API calls 2 library calls 45870->45874 45871->45861 45874->45870 45875->45868 45876 43263c 45877 432648 ___FrameUnwindToState 45876->45877 45902 43234b 45877->45902 45879 43264f 45881 432678 45879->45881 46166 4327ae IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_get_show_window_mode 45879->46166 45888 4326b7 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 45881->45888 46167 441763 5 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 45881->46167 45883 432691 45885 432697 ___FrameUnwindToState 45883->45885 46168 441707 5 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 45883->46168 45886 432717 45913 4328c9 45886->45913 45888->45886 46169 4408e7 35 API calls 5 library calls 45888->46169 45897 432743 45899 43274c 45897->45899 46170 4408c2 28 API calls _Atexit 45897->46170 46171 4324c2 13 API calls 2 library calls 45899->46171 45903 432354 45902->45903 46172 4329da IsProcessorFeaturePresent 45903->46172 45905 432360 46173 436cd1 10 API calls 4 library calls 45905->46173 45907 432365 45912 432369 45907->45912 46174 4415bf 45907->46174 45909 432380 45909->45879 45912->45879 46190 434c30 45913->46190 45916 43271d 45917 4416b4 45916->45917 46192 44c239 45917->46192 45919 432726 45922 40d3f0 45919->45922 45920 4416bd 45920->45919 46196 443d25 35 API calls 45920->46196 46198 41a8da LoadLibraryA GetProcAddress 45922->46198 45924 40d40c 46205 40dd83 45924->46205 45926 40d415 46220 4020d6 45926->46220 45929 4020d6 28 API calls 45930 40d433 
45929->45930 46226 419d87 45930->46226 45934 40d445 46252 401e6d 45934->46252 45936 40d44e 45937 40d461 45936->45937 45938 40d4b8 45936->45938 46258 40e609 45937->46258 45939 401e45 22 API calls 45938->45939 45941 40d4c6 45939->45941 45945 401e45 22 API calls 45941->45945 45944 40d47f 46273 40f98d 45944->46273 45946 40d4e5 45945->45946 46289 4052fe 45946->46289 45949 40d4f4 46294 408209 45949->46294 45958 40d4a3 45960 401fb8 11 API calls 45958->45960 45962 40d4ac 45960->45962 46161 4407f6 GetModuleHandleW 45962->46161 45963 401fb8 11 API calls 45964 40d520 45963->45964 45965 401e45 22 API calls 45964->45965 45966 40d529 45965->45966 46311 401fa0 45966->46311 45968 40d534 45969 401e45 22 API calls 45968->45969 45970 40d54f 45969->45970 45971 401e45 22 API calls 45970->45971 45972 40d569 45971->45972 45973 40d5cf 45972->45973 46315 40822a 28 API calls 45972->46315 45975 401e45 22 API calls 45973->45975 45981 40d5dc 45975->45981 45976 40d594 45977 401fc2 28 API calls 45976->45977 45978 40d5a0 45977->45978 45979 401fb8 11 API calls 45978->45979 45983 40d5a9 45979->45983 45980 40d650 45985 40d660 CreateMutexA GetLastError 45980->45985 45981->45980 45982 401e45 22 API calls 45981->45982 45984 40d5f5 45982->45984 46316 411f34 RegOpenKeyExA RegQueryValueExA RegCloseKey 45983->46316 45988 40d5fc OpenMutexA 45984->45988 45986 40d987 45985->45986 45987 40d67f 45985->45987 45991 401fb8 11 API calls 45986->45991 46028 40d9ec 45986->46028 45989 40d688 45987->45989 45990 40d68a GetModuleFileNameW 45987->45990 45993 40d622 45988->45993 45994 40d60f WaitForSingleObject CloseHandle 45988->45994 45989->45990 46319 4192ae 33 API calls 45990->46319 46015 40d99a ___scrt_get_show_window_mode 45991->46015 46317 411f34 RegOpenKeyExA RegQueryValueExA RegCloseKey 45993->46317 45994->45993 45996 40d5c5 45996->45973 45998 40dd0f 45996->45998 45997 40d6a0 46000 40d6f5 45997->46000 46003 401e45 22 API calls 45997->46003 46349 41239a 30 API calls 45998->46349 46002 401e45 22 API calls 
46000->46002 46010 40d720 46002->46010 46008 40d6bf 46003->46008 46004 40dd22 46350 410eda 65 API calls ___scrt_get_show_window_mode 46004->46350 46006 40dcfa 46037 40dd6a 46006->46037 46351 402073 28 API calls 46006->46351 46007 40d63b 46007->45980 46318 41239a 30 API calls 46007->46318 46008->46000 46016 40d6f7 46008->46016 46021 40d6db 46008->46021 46009 40d731 46014 401e45 22 API calls 46009->46014 46010->46009 46323 40e501 CreateProcessA CloseHandle CloseHandle ___scrt_get_show_window_mode 46010->46323 46024 40d73a 46014->46024 46331 4120e8 RegOpenKeyExA RegQueryValueExA RegCloseKey 46015->46331 46321 411eea RegOpenKeyExA RegQueryValueExA RegCloseKey 46016->46321 46017 40dd3a 46352 4052dd 28 API calls 46017->46352 46021->46000 46320 4067a0 36 API calls ___scrt_get_show_window_mode 46021->46320 46030 401e45 22 API calls 46024->46030 46027 40d70d 46027->46000 46322 4066a6 58 API calls 46027->46322 46033 401e45 22 API calls 46028->46033 46032 40d755 46030->46032 46038 401e45 22 API calls 46032->46038 46035 40da10 46033->46035 46332 402073 28 API calls 46035->46332 46353 413980 161 API calls _strftime 46037->46353 46041 40d76f 46038->46041 46044 401e45 22 API calls 46041->46044 46043 40da22 46333 41215f 14 API calls 46043->46333 46046 40d789 46044->46046 46050 401e45 22 API calls 46046->46050 46047 40da38 46048 401e45 22 API calls 46047->46048 46049 40da44 46048->46049 46334 439867 39 API calls _strftime 46049->46334 46054 40d7a3 46050->46054 46052 40da51 46056 40da7e 46052->46056 46335 41aa4f 81 API calls ___scrt_get_show_window_mode 46052->46335 46053 40d810 46053->46015 46057 401e45 22 API calls 46053->46057 46092 40d89f ___scrt_get_show_window_mode 46053->46092 46054->46053 46055 401e45 22 API calls 46054->46055 46064 40d7b8 _wcslen 46055->46064 46336 402073 28 API calls 46056->46336 46061 40d831 46057->46061 46060 40da8d 46337 402073 28 API calls 46060->46337 46067 401e45 22 API calls 46061->46067 46062 40da70 CreateThread 46062->46056 46609 41b212 10 API 
calls 46062->46609 46064->46053 46069 401e45 22 API calls 46064->46069 46065 40da9c 46338 4194da 79 API calls 46065->46338 46070 40d843 46067->46070 46068 40daa1 46071 401e45 22 API calls 46068->46071 46072 40d7d3 46069->46072 46074 401e45 22 API calls 46070->46074 46073 40daad 46071->46073 46076 401e45 22 API calls 46072->46076 46077 401e45 22 API calls 46073->46077 46075 40d855 46074->46075 46080 401e45 22 API calls 46075->46080 46078 40d7e8 46076->46078 46079 40dabf 46077->46079 46324 40c5ed 31 API calls 46078->46324 46084 401e45 22 API calls 46079->46084 46081 40d87e 46080->46081 46088 401e45 22 API calls 46081->46088 46083 40d7fb 46325 401ef3 28 API calls 46083->46325 46086 40dad5 46084->46086 46091 401e45 22 API calls 46086->46091 46087 40d807 46326 401ee9 11 API calls 46087->46326 46090 40d88f 46088->46090 46327 40b871 46 API calls _wcslen 46090->46327 46093 40daf5 46091->46093 46328 412338 31 API calls 46092->46328 46339 439867 39 API calls _strftime 46093->46339 46096 40d942 ctype 46100 401e45 22 API calls 46096->46100 46098 40db02 46099 401e45 22 API calls 46098->46099 46101 40db0d 46099->46101 46103 40d959 46100->46103 46102 401e45 22 API calls 46101->46102 46104 40db1e 46102->46104 46103->46028 46105 401e45 22 API calls 46103->46105 46340 408f1f 166 API calls _wcslen 46104->46340 46106 40d976 46105->46106 46329 419bca 28 API calls 46106->46329 46108 40d982 46330 40de34 88 API calls 46108->46330 46110 40db33 46112 401e45 22 API calls 46110->46112 46114 40db3c 46112->46114 46113 40db83 46116 401e45 22 API calls 46113->46116 46114->46113 46115 43229f new 22 API calls 46114->46115 46117 40db53 46115->46117 46121 40db91 46116->46121 46118 401e45 22 API calls 46117->46118 46119 40db65 46118->46119 46124 40db6c CreateThread 46119->46124 46120 40dbd9 46123 401e45 22 API calls 46120->46123 46121->46120 46122 43229f new 22 API calls 46121->46122 46125 40dba5 46122->46125 46129 40dbe2 46123->46129 46124->46113 46606 417f6a 101 API calls 2 library calls 
46124->46606 46126 401e45 22 API calls 46125->46126 46127 40dbb6 46126->46127 46130 40dbbd CreateThread 46127->46130 46128 40dc4c 46131 401e45 22 API calls 46128->46131 46129->46128 46132 401e45 22 API calls 46129->46132 46130->46120 46603 417f6a 101 API calls 2 library calls 46130->46603 46134 40dc55 46131->46134 46133 40dbfc 46132->46133 46136 401e45 22 API calls 46133->46136 46135 40dc99 46134->46135 46137 401e45 22 API calls 46134->46137 46346 4195f8 79 API calls 46135->46346 46138 40dc11 46136->46138 46140 40dc69 46137->46140 46341 40c5a1 31 API calls 46138->46341 46146 401e45 22 API calls 46140->46146 46141 40dca2 46347 401ef3 28 API calls 46141->46347 46143 40dcad 46348 401ee9 11 API calls 46143->46348 46149 40dc7e 46146->46149 46147 40dc24 46342 401ef3 28 API calls 46147->46342 46148 40dcb6 CreateThread 46153 40dce5 46148->46153 46154 40dcd9 CreateThread 46148->46154 46604 40e18d 122 API calls 46148->46604 46344 439867 39 API calls _strftime 46149->46344 46152 40dc30 46343 401ee9 11 API calls 46152->46343 46153->46006 46156 40dcee CreateThread 46153->46156 46154->46153 46605 410b5c 137 API calls 46154->46605 46156->46006 46607 411140 38 API calls ___scrt_get_show_window_mode 46156->46607 46158 40dc39 CreateThread 46158->46128 46608 401bc9 49 API calls _strftime 46158->46608 46159 40dc8b 46345 40b0a3 7 API calls 46159->46345 46162 432739 46161->46162 46162->45897 46163 44091f 46162->46163 46611 44069c 46163->46611 46166->45879 46167->45883 46168->45888 46169->45886 46170->45899 46171->45885 46172->45905 46173->45907 46178 44cd48 46174->46178 46177 436cfa 8 API calls 3 library calls 46177->45912 46181 44cd61 46178->46181 46180 432372 46180->45909 46180->46177 46182 432d4b 46181->46182 46183 432d56 IsProcessorFeaturePresent 46182->46183 46184 432d54 46182->46184 46186 432d98 46183->46186 46184->46180 46189 432d5c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 46186->46189 46188 432e7b 46188->46180 46189->46188 46191 
4328dc GetStartupInfoW 46190->46191 46191->45916 46193 44c24b 46192->46193 46194 44c242 46192->46194 46193->45920 46197 44c138 48 API calls 5 library calls 46194->46197 46196->45920 46197->46193 46199 41a919 LoadLibraryA GetProcAddress 46198->46199 46200 41a909 GetModuleHandleA GetProcAddress 46198->46200 46201 41a947 GetModuleHandleA GetProcAddress 46199->46201 46202 41a937 GetModuleHandleA GetProcAddress 46199->46202 46200->46199 46203 41a973 24 API calls 46201->46203 46204 41a95f GetModuleHandleA GetProcAddress 46201->46204 46202->46201 46203->45924 46204->46203 46354 419493 FindResourceA 46205->46354 46208 439adb ___std_exception_copy 21 API calls 46209 40ddad ctype 46208->46209 46357 402097 46209->46357 46212 401fc2 28 API calls 46213 40ddd3 46212->46213 46214 401fb8 11 API calls 46213->46214 46215 40dddc 46214->46215 46216 439adb ___std_exception_copy 21 API calls 46215->46216 46217 40dded ctype 46216->46217 46363 4062ee 46217->46363 46219 40de20 46219->45926 46221 4020ec 46220->46221 46222 4023ae 11 API calls 46221->46222 46223 402106 46222->46223 46224 402549 28 API calls 46223->46224 46225 402114 46224->46225 46225->45929 46398 4020bf 46226->46398 46228 419e0a 46229 401fb8 11 API calls 46228->46229 46230 419e3c 46229->46230 46232 401fb8 11 API calls 46230->46232 46231 419e0c 46414 404182 28 API calls 46231->46414 46233 419e44 46232->46233 46236 401fb8 11 API calls 46233->46236 46238 40d43c 46236->46238 46237 419e18 46239 401fc2 28 API calls 46237->46239 46248 40e563 46238->46248 46241 419e21 46239->46241 46240 401fc2 28 API calls 46247 419d9a 46240->46247 46242 401fb8 11 API calls 46241->46242 46244 419e29 46242->46244 46243 401fb8 11 API calls 46243->46247 46245 41ab9a 28 API calls 46244->46245 46245->46228 46247->46228 46247->46231 46247->46240 46247->46243 46402 404182 28 API calls 46247->46402 46403 41ab9a 46247->46403 46249 40e56f 46248->46249 46251 40e576 46248->46251 46440 402143 11 API calls 46249->46440 46251->45934 46253 402143 46252->46253 46254 
40217f 46253->46254 46441 402710 11 API calls 46253->46441 46254->45936 46256 402164 46442 4026f2 11 API calls std::_Deallocate 46256->46442 46259 40e624 46258->46259 46443 40f57c 46259->46443 46265 40e663 46266 40d473 46265->46266 46459 40f663 46265->46459 46268 401e45 46266->46268 46269 401e4d 46268->46269 46270 401e55 46269->46270 46554 402138 22 API calls 46269->46554 46270->45944 46275 40f997 __EH_prolog 46273->46275 46555 40fcfb 46275->46555 46276 40f663 36 API calls 46277 40fb90 46276->46277 46559 40fce0 46277->46559 46279 40d491 46281 40e5ba 46279->46281 46280 40fa1a 46280->46276 46565 40f4c6 46281->46565 46284 40d49a 46286 40dd70 46284->46286 46285 40f663 36 API calls 46285->46284 46575 40e5da 70 API calls 46286->46575 46288 40dd7b 46290 4020bf 11 API calls 46289->46290 46291 40530a 46290->46291 46576 403280 46291->46576 46293 405326 46293->45949 46581 4051cf 46294->46581 46296 408217 46585 402035 46296->46585 46299 401fc2 46300 401fd1 46299->46300 46301 402019 46299->46301 46302 4023ae 11 API calls 46300->46302 46308 401fb8 46301->46308 46303 401fda 46302->46303 46304 40201c 46303->46304 46305 401ff5 46303->46305 46306 40265a 11 API calls 46304->46306 46600 403078 28 API calls 46305->46600 46306->46301 46309 4023ae 11 API calls 46308->46309 46310 401fc1 46309->46310 46310->45963 46312 401fb2 46311->46312 46313 401fa9 46311->46313 46312->45968 46601 4025c0 28 API calls 46313->46601 46315->45976 46316->45996 46317->46007 46318->45980 46319->45997 46320->46000 46321->46027 46322->46000 46323->46009 46324->46083 46325->46087 46326->46053 46327->46092 46328->46096 46329->46108 46330->45986 46331->46028 46332->46043 46333->46047 46334->46052 46335->46062 46336->46060 46337->46065 46338->46068 46339->46098 46340->46110 46341->46147 46342->46152 46343->46158 46344->46159 46345->46135 46346->46141 46347->46143 46348->46148 46349->46004 46351->46017 46602 418ccd 104 API calls 46353->46602 46355 4194b0 LoadResource LockResource SizeofResource 46354->46355 46356 
40dd9e 46354->46356 46355->46356 46356->46208 46358 40209f 46357->46358 46366 4023ae 46358->46366 46360 4020aa 46370 4024ea 46360->46370 46362 4020b9 46362->46212 46364 402097 28 API calls 46363->46364 46365 406302 46364->46365 46365->46219 46367 402408 46366->46367 46368 4023b8 46366->46368 46367->46360 46368->46367 46377 402787 11 API calls std::_Deallocate 46368->46377 46371 4024fa 46370->46371 46372 402500 46371->46372 46373 402515 46371->46373 46378 402549 46372->46378 46388 4028c8 28 API calls 46373->46388 46376 402513 46376->46362 46377->46367 46389 402868 46378->46389 46380 40255d 46381 402572 46380->46381 46382 402587 46380->46382 46394 402a14 22 API calls 46381->46394 46396 4028c8 28 API calls 46382->46396 46385 40257b 46395 4029ba 22 API calls 46385->46395 46387 402585 46387->46376 46388->46376 46390 402870 46389->46390 46391 402878 46390->46391 46397 402c83 22 API calls 46390->46397 46391->46380 46394->46385 46395->46387 46396->46387 46399 4020c7 46398->46399 46400 4023ae 11 API calls 46399->46400 46401 4020d2 46400->46401 46401->46247 46402->46247 46404 41aba7 46403->46404 46405 41ac06 46404->46405 46409 41abb7 46404->46409 46406 41ac20 46405->46406 46407 41ad46 28 API calls 46405->46407 46424 41aec3 28 API calls 46406->46424 46407->46406 46410 41abef 46409->46410 46415 41ad46 46409->46415 46423 41aec3 28 API calls 46410->46423 46411 41ac02 46411->46247 46414->46237 46417 41ad4e 46415->46417 46416 41ad80 46416->46410 46417->46416 46418 41ad84 46417->46418 46421 41ad68 46417->46421 46435 402705 22 API calls 46418->46435 46425 41adb7 46421->46425 46423->46411 46424->46411 46426 41adc1 __EH_prolog 46425->46426 46436 4026f7 22 API calls 46426->46436 46428 41add4 46437 41aeda 11 API calls 46428->46437 46430 41ae32 46430->46416 46431 41adfa 46431->46430 46438 402710 11 API calls 46431->46438 46433 41ae19 46439 4026f2 11 API calls std::_Deallocate 46433->46439 46436->46428 46437->46431 46438->46433 46439->46430 46440->46251 46441->46256 46442->46254 46463 
40f821 46443->46463 46446 40f55d 46541 40f7fb 46446->46541 46448 40f565 46546 40f44c 46448->46546 46450 40e651 46451 40f502 46450->46451 46452 40f510 46451->46452 46458 40f53f std::ios_base::_Ios_base_dtor 46451->46458 46551 4335cb 65 API calls 46452->46551 46454 40f51d 46455 40f44c 20 API calls 46454->46455 46454->46458 46456 40f52e 46455->46456 46552 40fbc8 77 API calls 6 library calls 46456->46552 46458->46265 46460 40f66b 46459->46460 46461 40f67e 46459->46461 46553 40f854 36 API calls 46460->46553 46461->46266 46470 40d2ce 46463->46470 46467 40f83c 46468 40e631 46467->46468 46469 40f663 36 API calls 46467->46469 46468->46446 46469->46468 46471 40d2ff 46470->46471 46472 43229f new 22 API calls 46471->46472 46473 40d306 46472->46473 46480 40cb7a 46473->46480 46476 40f887 46477 40f896 46476->46477 46515 40f8b7 46477->46515 46479 40f89c std::ios_base::_Ios_base_dtor 46479->46467 46483 4332ea 46480->46483 46482 40cb84 46482->46476 46484 4332f6 __EH_prolog3 46483->46484 46495 4330a5 46484->46495 46487 433332 46501 4330fd 46487->46501 46490 433314 46509 43347f 37 API calls _Atexit 46490->46509 46492 433370 std::locale::_Locimp::_Locimp_dtor 46492->46482 46493 43331c 46510 433240 21 API calls 2 library calls 46493->46510 46496 4330b4 46495->46496 46498 4330bb 46495->46498 46511 442df9 EnterCriticalSection _Atexit 46496->46511 46499 4330b9 46498->46499 46512 43393c EnterCriticalSection 46498->46512 46499->46487 46508 43345a 22 API calls 2 library calls 46499->46508 46502 433107 46501->46502 46503 442e02 46501->46503 46504 43311a 46502->46504 46513 43394a LeaveCriticalSection 46502->46513 46514 442de2 LeaveCriticalSection 46503->46514 46504->46492 46507 442e09 46507->46492 46508->46490 46509->46493 46510->46487 46511->46499 46512->46499 46513->46504 46514->46507 46516 4330a5 std::_Lockit::_Lockit 2 API calls 46515->46516 46517 40f8c9 46516->46517 46536 40cae9 4 API calls 2 library calls 46517->46536 46519 40f8dc 46520 40f8ef 46519->46520 46537 40ccd4 77 API calls new 
46519->46537 46521 4330fd std::_Lockit::~_Lockit 2 API calls 46520->46521 46522 40f925 46521->46522 46522->46479 46524 40f8ff 46525 40f906 46524->46525 46526 40f92d 46524->46526 46538 4332b6 22 API calls new 46525->46538 46539 436ec6 RaiseException 46526->46539 46529 40f943 46530 40f984 46529->46530 46540 43219b EnterCriticalSection LeaveCriticalSection WaitForSingleObjectEx __Init_thread_wait 46529->46540 46530->46479 46536->46519 46537->46524 46538->46520 46539->46529 46542 43229f new 22 API calls 46541->46542 46543 40f80b 46542->46543 46544 40cb7a 41 API calls 46543->46544 46545 40f813 46544->46545 46545->46448 46547 40f469 46546->46547 46548 40f48b 46547->46548 46550 43aa1a 20 API calls 2 library calls 46547->46550 46548->46450 46550->46548 46551->46454 46552->46458 46553->46461 46557 40fd0e 46555->46557 46556 40fd3c 46556->46280 46557->46556 46563 40fe14 36 API calls 46557->46563 46560 40fce8 46559->46560 46562 40fcf3 46560->46562 46564 40fe79 36 API calls __EH_prolog 46560->46564 46562->46279 46563->46556 46564->46562 46566 40f4d0 46565->46566 46567 40f4d4 46565->46567 46570 40f44c 20 API calls 46566->46570 46573 40f30b 67 API calls 46567->46573 46569 40f4d9 46574 43a716 64 API calls 3 library calls 46569->46574 46572 40e5c5 46570->46572 46572->46284 46572->46285 46573->46569 46574->46566 46575->46288 46578 40328a 46576->46578 46577 4032a9 46577->46293 46578->46577 46580 4028c8 28 API calls 46578->46580 46580->46577 46582 4051db 46581->46582 46591 405254 46582->46591 46584 4051e8 46584->46296 46586 402041 46585->46586 46587 4023ae 11 API calls 46586->46587 46588 40205b 46587->46588 46596 40265a 46588->46596 46592 405262 46591->46592 46595 402884 22 API calls 46592->46595 46597 40266b 46596->46597 46598 4023ae 11 API calls 46597->46598 46599 40206d 46598->46599 46599->46299 46600->46301 46601->46312 46610 411253 61 API calls 46605->46610 46612 4406a8 _Atexit 46611->46612 46613 4406c0 46612->46613 46615 4407f6 _Atexit GetModuleHandleW 46612->46615 46633 442d9a 
EnterCriticalSection 46613->46633 46616 4406b4 46615->46616 46616->46613 46645 44083a GetModuleHandleExW 46616->46645 46617 440766 46634 4407a6 46617->46634 46620 4406c8 46620->46617 46622 44073d 46620->46622 46653 441450 20 API calls _Atexit 46620->46653 46623 440755 46622->46623 46654 441707 5 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 46622->46654 46655 441707 5 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 46623->46655 46624 440783 46637 4407b5 46624->46637 46625 4407af 46656 454909 5 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 46625->46656 46633->46620 46657 442de2 LeaveCriticalSection 46634->46657 46636 44077f 46636->46624 46636->46625 46658 4461f8 46637->46658 46640 4407e3 46643 44083a _Atexit 8 API calls 46640->46643 46641 4407c3 GetPEB 46641->46640 46642 4407d3 GetCurrentProcess TerminateProcess 46641->46642 46642->46640 46644 4407eb ExitProcess 46643->46644 46646 440864 GetProcAddress 46645->46646 46647 440887 46645->46647 46648 440879 46646->46648 46649 440896 46647->46649 46650 44088d FreeLibrary 46647->46650 46648->46647 46651 432d4b __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 46649->46651 46650->46649 46652 4408a0 46651->46652 46652->46613 46653->46622 46654->46623 46655->46617 46657->46636 46659 44621d 46658->46659 46663 446213 46658->46663 46664 4459f9 46659->46664 46661 432d4b __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 46662 4407bf 46661->46662 46662->46640 46662->46641 46663->46661 46665 445a25 46664->46665 46666 445a29 46664->46666 46665->46666 46670 445a49 46665->46670 46671 445a95 46665->46671 46666->46663 46668 445a55 GetProcAddress 46669 445a65 __crt_fast_encode_pointer 46668->46669 46669->46666 46670->46666 46670->46668 46672 445ab6 LoadLibraryExW 46671->46672 46673 445aab 46671->46673 46674 445ad3 GetLastError 46672->46674 46675 445aeb 46672->46675 46673->46665 46674->46675 46677 445ade LoadLibraryExW 46674->46677 46675->46673 46676 445b02 FreeLibrary 46675->46676 46676->46673 46677->46675

                    Control-flow Graph

                    APIs
                    • LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A8EF
                    • GetProcAddress.KERNEL32(00000000), ref: 0041A8F8
                    • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A90F
                    • GetProcAddress.KERNEL32(00000000), ref: 0041A912
                    • LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A924
                    • GetProcAddress.KERNEL32(00000000), ref: 0041A927
                    • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A93D
                    • GetProcAddress.KERNEL32(00000000), ref: 0041A940
                    • GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D40C), ref: 0041A951
                    • GetProcAddress.KERNEL32(00000000), ref: 0041A954
                    • GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040D40C), ref: 0041A969
                    • GetProcAddress.KERNEL32(00000000), ref: 0041A96C
                    • LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040D40C), ref: 0041A97D
                    • GetProcAddress.KERNEL32(00000000), ref: 0041A980
                    • LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040D40C), ref: 0041A98C
                    • GetProcAddress.KERNEL32(00000000), ref: 0041A98F
                    • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D40C), ref: 0041A9A1
                    • GetProcAddress.KERNEL32(00000000), ref: 0041A9A4
                    • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D40C), ref: 0041A9B1
                    • GetProcAddress.KERNEL32(00000000), ref: 0041A9B4
                    • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D40C), ref: 0041A9C5
                    • GetProcAddress.KERNEL32(00000000), ref: 0041A9C8
                    • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D40C), ref: 0041A9D5
                    • GetProcAddress.KERNEL32(00000000), ref: 0041A9D8
                    • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D40C), ref: 0041A9EA
                    • GetProcAddress.KERNEL32(00000000), ref: 0041A9ED
                    • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D40C), ref: 0041A9FA
                    • GetProcAddress.KERNEL32(00000000), ref: 0041A9FD
                    • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D40C), ref: 0041AA0A
                    • GetProcAddress.KERNEL32(00000000), ref: 0041AA0D
                    • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemTimes,?,?,?,?,0040D40C), ref: 0041AA1F
                    • GetProcAddress.KERNEL32(00000000), ref: 0041AA22
                    • LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C,?,?,?,?,0040D40C), ref: 0041AA30
                    • GetProcAddress.KERNEL32(00000000), ref: 0041AA33
                    • LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow,?,?,?,?,0040D40C), ref: 0041AA40
                    • GetProcAddress.KERNEL32(00000000), ref: 0041AA43
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressProc$HandleModule$LibraryLoad
                    • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetModuleFileNameExA$GetModuleFileNameExW$GetMonitorInfoW$GetSystemTimes$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$NtUnmapViewOfSection$Psapi.dll$SetProcessDEPPolicy$SetProcessDpiAware$SetProcessDpiAwareness$Shell32$Shlwapi.dll$kernel32$kernel32.dll$ntdll.dll$shcore$user32
                    • API String ID: 551388010-2474455403
                    • Opcode ID: e80cee8c84c8c84204283680f0404711a146afcd0be7a07adf6e8d3a182e926f
                    • Instruction ID: 1e7ebd14e1f9a52016720e07cc743ec1e909bc11fdf6f09267ddb838bd68d733
                    • Opcode Fuzzy Hash: e80cee8c84c8c84204283680f0404711a146afcd0be7a07adf6e8d3a182e926f
                    • Instruction Fuzzy Hash: 9031EBF0E413587ADB207BBA5C09E5B3E9CDA80794711052BB408D3661FAFC9C448E6E
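The function at 0041A8DA above does not import its APIs through the PE import table; it calls LoadLibraryA / GetModuleHandleA and then GetProcAddress with the name of each routine (GetModuleFileNameExA/W, NtUnmapViewOfSection, IsUserAnAdmin, IsWow64Process, GlobalMemoryStatusEx, ...). Static import analysis of the dropped file therefore misses these, but the names survive as plaintext, NUL-terminated strings in the memory dump the report references. The following is an added triage script (not Joe Sandbox output and not the sample's own code) that scans a dump for exactly the name set listed under String ID and scores how much of that runtime-resolution fingerprint is present. The weights and thresholds are this example's own heuristic, not anything the report states; the two dump blobs are constructed inline. One Shlwapi import is resolved by ordinal (0000000C) rather than by name, so it leaves no string and is deliberately not part of the list.

```python
"""Score a memory dump for the runtime-resolved API name set used by the
resolver at 0041A8DA.  Added example; heuristic, not a Remcos signature."""
import re

# API names taken from the report's String ID list for this function.
RESOLVED_APIS = (
    "GetModuleFileNameExA", "GetModuleFileNameExW", "SetProcessDpiAwareness",
    "SetProcessDpiAware", "NtUnmapViewOfSection", "GlobalMemoryStatusEx",
    "IsWow64Process", "GetComputerNameExW", "IsUserAnAdmin",
    "SetProcessDEPPolicy", "EnumDisplayDevicesW", "EnumDisplayMonitors",
    "GetMonitorInfoW", "GetSystemTimes", "GetConsoleWindow",
)

# Names a benign program rarely resolves by hand carry extra weight.
# These weights are an assumption of this example, chosen for illustration.
WEIGHTS = {
    "NtUnmapViewOfSection": 4,   # the classic process-hollowing primitive
    "IsUserAnAdmin": 2,          # privilege probing
    "SetProcessDEPPolicy": 2,    # tampering with its own mitigations
    "GlobalMemoryStatusEx": 1,   # typical sandbox/VM RAM check
    "IsWow64Process": 1,
}

# A resolver stores each name as NUL-terminated ASCII; require a word
# boundary before the name and the terminator after it so that, e.g.,
# "SetProcessDpiAware" is not matched inside "SetProcessDpiAwareness".
_NAME_RE = re.compile(
    rb"(?<![A-Za-z0-9_])("
    + b"|".join(re.escape(n.encode()) for n in RESOLVED_APIS)
    + rb")\x00"
)


def find_api_strings(blob: bytes) -> dict:
    """Return {api_name: [offsets]} for every listed name found in blob."""
    hits = {}
    for m in _NAME_RE.finditer(blob):
        hits.setdefault(m.group(1).decode(), []).append(m.start())
    return hits


def score(hits: dict) -> tuple:
    """Return (weighted_score, fraction_of_list_present)."""
    total = sum(WEIGHTS.get(name, 1) for name in hits)
    coverage = len(hits) / len(RESOLVED_APIS)
    return total, coverage


def is_remcos_like(blob: bytes, min_score: int = 8,
                   min_coverage: float = 0.6) -> bool:
    """Heuristic verdict: enough of the name set, including the telling ones."""
    total, coverage = score(find_api_strings(blob))
    return total >= min_score and coverage >= min_coverage


# Constructed sample dumps (not real dump data).  The first mirrors the
# module/name layout implied by the LoadLibraryA/GetProcAddress calls above.
MALICIOUS_DUMP = (
    b"\x00" * 16
    + b"Psapi.dll\x00GetModuleFileNameExA\x00Kernel32.dll\x00"
    + b"GetModuleFileNameExW\x00shcore\x00SetProcessDpiAwareness\x00"
    + b"user32\x00SetProcessDpiAware\x00ntdll.dll\x00NtUnmapViewOfSection\x00"
    + b"kernel32.dll\x00GlobalMemoryStatusEx\x00IsWow64Process\x00"
    + b"GetComputerNameExW\x00Shell32\x00IsUserAnAdmin\x00SetProcessDEPPolicy\x00"
    + b"EnumDisplayDevicesW\x00EnumDisplayMonitors\x00GetMonitorInfoW\x00"
    + b"GetSystemTimes\x00Shlwapi.dll\x00GetConsoleWindow\x00"
    + b"\x00" * 16
)
# A console tool that only resolves two harmless names should not trip it.
BENIGN_DUMP = b"\x00" * 8 + b"GetConsoleWindow\x00GetSystemTimes\x00" + b"\x00" * 8

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_DUMP), ("benign", BENIGN_DUMP)):
        hits = find_api_strings(blob)
        print(label, score(hits), is_remcos_like(blob), sorted(hits))
```

To use it on the report's own material, read the `.sdmp` file named under Memory Dump Source (0000000F.00000002.2088520187.0000000000400000...) as bytes and pass it to `is_remcos_like`. Because the check keys on plaintext names, it only works on an unpacked, in-memory image; it will not fire on the packed .NET dropper on disk, and a variant that hashes or encrypts its API names would need a different approach.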

                    Control-flow Graph

                    control_flow_graph 473 4407b5-4407c1 call 4461f8 476 4407e3-4407ef call 44083a ExitProcess 473->476 477 4407c3-4407d1 GetPEB 473->477 477->476 478 4407d3-4407dd GetCurrentProcess TerminateProcess 477->478 478->476
                    APIs
                    • GetCurrentProcess.KERNEL32(00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002,00000000), ref: 004407D6
                    • TerminateProcess.KERNEL32(00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002,00000000), ref: 004407DD
                    • ExitProcess.KERNEL32 ref: 004407EF
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Process$CurrentExitTerminate
                    • String ID:
                    • API String ID: 1703294689-0
                    • Opcode ID: ab47e799b5bc4cc6dde358da0dc0a23fd4678ab9e3bf0635ceb4545ab71368f2
                    • Instruction ID: 8c86c1f28e0fd2f6406888839527a8aea1509f7e03a0ffdd8510570f14deced8
                    • Opcode Fuzzy Hash: ab47e799b5bc4cc6dde358da0dc0a23fd4678ab9e3bf0635ceb4545ab71368f2
                    • Instruction Fuzzy Hash: 9AE04631000608ABEF017F20DD48A493B29EB40346F410029F9088B232CB3DED52CA89

                    Control-flow Graph

                    control_flow_graph 7 40d3f0-40d45f call 41a8da call 40dd83 call 4020d6 * 2 call 419d87 call 40e563 call 401e6d call 43a300 24 40d461-40d4b5 call 40e609 call 401e45 call 401f8b call 40f98d call 40e5ba call 40dd70 call 401fb8 7->24 25 40d4b8-40d57f call 401e45 call 401f8b call 401e45 call 4052fe call 408209 call 401fc2 call 401fb8 * 2 call 401e45 call 401fa0 call 405a86 call 401e45 call 4051c3 call 401e45 call 4051c3 7->25 70 40d581-40d5c9 call 40822a call 401fc2 call 401fb8 call 401f8b call 411f34 25->70 71 40d5cf-40d5ea call 401e45 call 40fbab 25->71 70->71 105 40dd0f-40dd27 call 401f8b call 41239a call 410eda 70->105 81 40d656-40d679 call 401f8b CreateMutexA GetLastError 71->81 82 40d5ec-40d60d call 401e45 call 401f8b OpenMutexA 71->82 90 40d991-40d99a call 401fb8 81->90 91 40d67f-40d686 81->91 98 40d622-40d63f call 401f8b call 411f34 82->98 99 40d60f-40d61c WaitForSingleObject CloseHandle 82->99 109 40d9a1-40da01 call 434c30 call 40245c call 401f8b * 2 call 4120e8 call 408093 90->109 94 40d688 91->94 95 40d68a-40d6a7 GetModuleFileNameW call 4192ae 91->95 94->95 107 40d6b0-40d6b4 95->107 108 40d6a9-40d6ab 95->108 124 40d651 98->124 125 40d641-40d650 call 401f8b call 41239a 98->125 99->98 134 40dd2c 105->134 113 40d6b6-40d6c9 call 401e45 call 401f8b 107->113 114 40d717-40d72a call 401e45 call 401f8b 107->114 108->107 175 40da06-40da5f call 401e45 call 401f8b call 402073 call 401f8b call 41215f call 401e45 call 401f8b call 439867 109->175 113->114 139 40d6cb-40d6d1 113->139 141 40d731-40d7ad call 401e45 call 401f8b call 408093 call 401e45 call 401f8b call 401e45 call 401f8b call 401e45 call 401f8b call 401e45 call 401f8b 114->141 142 40d72c call 40e501 114->142 124->81 125->124 140 40dd31-40dd65 call 402073 call 4052dd call 402073 call 4194da call 401fb8 134->140 139->114 145 40d6d3-40d6d9 139->145 189 40dd6a-40dd6f call 413980 140->189 217 40d815-40d819 141->217 218 40d7af-40d7c8 call 401e45 call 401f8b call 439891 141->218 142->141 151 
40d6f7-40d710 call 401f8b call 411eea 145->151 152 40d6db-40d6ee call 4060ea 145->152 151->114 178 40d712 call 4066a6 151->178 152->114 166 40d6f0-40d6f5 call 4067a0 152->166 166->114 221 40da61-40da63 175->221 222 40da65-40da67 175->222 178->114 217->109 220 40d81f-40d826 217->220 218->217 249 40d7ca-40d810 call 401e45 call 401f8b call 401e45 call 401f8b call 40c5ed call 401ef3 call 401ee9 218->249 224 40d8a7-40d8b1 call 408093 220->224 225 40d828-40d8a5 call 401e45 call 401f8b call 401e45 call 401f8b call 401e45 call 401f8b call 401e45 call 401f8b call 401e45 call 401f8b call 40b871 220->225 226 40da6b-40da7c call 41aa4f CreateThread 221->226 227 40da69 222->227 228 40da7e-40db48 call 402073 * 2 call 4194da call 401e45 call 401f8b call 401e45 call 401f8b call 401e45 call 401f8b call 401e45 call 401f8b call 439867 call 401e45 call 401f8b call 401e45 call 401f8b call 408f1f call 401e45 call 401f8b 222->228 234 40d8b6-40d8de call 40245c call 43254d 224->234 225->234 226->228 227->226 349 40db83-40db9a call 401e45 call 401f8b 228->349 350 40db4a-40db81 call 43229f call 401e45 call 401f8b CreateThread 228->350 255 40d8f0 234->255 256 40d8e0-40d8ee call 434c30 234->256 249->217 262 40d8f2-40d967 call 401ee4 call 43a796 call 40245c call 401f8b call 40245c call 401f8b call 412338 call 432556 call 401e45 call 40fbab 255->262 256->262 262->175 332 40d96d-40d98c call 401e45 call 419bca call 40de34 262->332 332->175 346 40d98e-40d990 332->346 346->90 359 40dbd9-40dbeb call 401e45 call 401f8b 349->359 360 40db9c-40dbd4 call 43229f call 401e45 call 401f8b CreateThread 349->360 350->349 372 40dc4c-40dc5e call 401e45 call 401f8b 359->372 373 40dbed-40dc47 call 401e45 call 401f8b call 401e45 call 401f8b call 40c5a1 call 401ef3 call 401ee9 CreateThread 359->373 360->359 383 40dc60-40dc94 call 401e45 call 401f8b call 401e45 call 401f8b call 439867 call 40b0a3 372->383 384 40dc99-40dcbf call 4195f8 call 401ef3 call 401ee9 372->384 373->372 383->384 404 40dcc1 384->404 405 
40dcc4-40dcd7 CreateThread 384->405 404->405 408 40dce5-40dcec 405->408 409 40dcd9-40dce3 CreateThread 405->409 412 40dcfa-40dd01 408->412 413 40dcee-40dcf8 CreateThread 408->413 409->408 412->134 416 40dd03-40dd06 412->416 413->412 416->189 418 40dd08-40dd0d 416->418 418->140
                    APIs
                      • Part of subcall function 0041A8DA: LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A8EF
                      • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A8F8
                      • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A90F
                      • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A912
                      • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A924
                      • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A927
                      • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A93D
                      • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A940
                      • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D40C), ref: 0041A951
                      • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A954
                      • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040D40C), ref: 0041A969
                      • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A96C
                      • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040D40C), ref: 0041A97D
                      • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A980
                      • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040D40C), ref: 0041A98C
                      • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A98F
                      • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D40C), ref: 0041A9A1
                      • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9A4
                      • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D40C), ref: 0041A9B1
                      • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9B4
                      • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D40C), ref: 0041A9C5
                      • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9C8
                      • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D40C), ref: 0041A9D5
                      • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9D8
                      • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D40C), ref: 0041A9EA
                      • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9ED
                      • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D40C), ref: 0041A9FA
                      • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9FD
                    • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 0040D603
                      • Part of subcall function 0040F98D: __EH_prolog.LIBCMT ref: 0040F992
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressProc$HandleModule$LibraryLoad$H_prologMutexOpen
                    • String ID: (#G$0"G$0"G$0"G$Access Level: $Administrator$Exe$H"G$H"G$Inj$Remcos Agent initialized$Software\$User$`"G$exepath$licence$license_code.txt$origmsc$!G$!G$!G$!G$!G
                    • API String ID: 1529173511-1365410817
                    • Opcode ID: faed5817389e9e1c44c9bd25bc2e5785f6855519673eedd1caaf3ae8bfa0178d
                    • Instruction ID: a36e185f3bd9362bdba41541190492353975b392bf08c7d21c2bc217d0697d36
                    • Opcode Fuzzy Hash: faed5817389e9e1c44c9bd25bc2e5785f6855519673eedd1caaf3ae8bfa0178d
                    • Instruction Fuzzy Hash: 5622B960B043412BDA1577B69C67A7E25998F81708F04483FF946BB2E3EEBC4D05839E

                    Control-flow Graph

                    APIs
                    • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E18
                    • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E23
                    • FindCloseChangeNotification.KERNELBASE(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E2C
                    • closesocket.WS2_32(?), ref: 00404E3A
                    • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E71
                    • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E82
                    • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E89
                    • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E9A
                    • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E9F
                    • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EA4
                    • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EB1
                    • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EB6
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseEvent$HandleObjectSingleWait$ChangeFindNotificationclosesocket
                    • String ID:
                    • API String ID: 2403171778-0
                    • Opcode ID: b1c96c5231e2cfca5084612c4e73afdaef55ac4315f506c78c7bb7997b29a698
                    • Instruction ID: b890c501aeabc943cf782ca315c2c368517b908ebe77e8074f52597b82095e9a
                    • Opcode Fuzzy Hash: b1c96c5231e2cfca5084612c4e73afdaef55ac4315f506c78c7bb7997b29a698
                    • Instruction Fuzzy Hash: 1B212C71000B009FDB216B26DC49B17BBE5FF40326F114A2DE2E212AF1CB79E851DB58

                    Control-flow Graph

                    APIs
                    • GetLastError.KERNEL32(?,00000000,?,00439A11,00000000,?,?,00439A95,00000000,00000000,00000000,00000000,00000000,?,?), ref: 004457AE
                    • _free.LIBCMT ref: 004457E3
                    • _free.LIBCMT ref: 0044580A
                    • SetLastError.KERNEL32(00000000), ref: 00445817
                    • SetLastError.KERNEL32(00000000), ref: 00445820
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLast$_free
                    • String ID:
                    • API String ID: 3170660625-0
                    • Opcode ID: d4e383c12478905910161cad80a238fc5d6e44a6254b0909f9091c4c9b8107c1
                    • Instruction ID: 04032910ca93e9be015006ee1c204adc37b37130fda50a8933af11b0a5b4c0b1
                    • Opcode Fuzzy Hash: d4e383c12478905910161cad80a238fc5d6e44a6254b0909f9091c4c9b8107c1
                    • Instruction Fuzzy Hash: 4101FE36100F0077FB127B366CC992B15699FC2B7AB21413BF40592293EE7DCC01462D

                    Control-flow Graph

                    APIs
                    • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,?,00000000,00000000,?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue), ref: 00445AC7
                    • GetLastError.KERNEL32(?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue,0045C110,0045C118,00000000,00000364,?,004457F7), ref: 00445AD3
                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue,0045C110,0045C118,00000000), ref: 00445AE1
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: LibraryLoad$ErrorLast
                    • String ID:
                    • API String ID: 3177248105-0
                    • Opcode ID: 6ca79951660ad3b6e96c8c42d18b75cc874aa2905662dd76989ddfa9726cc4c5
                    • Instruction ID: dabcc1aa4f00c9d7d6140ee010913d89a9079070269616da1364236c98588597
                    • Opcode Fuzzy Hash: 6ca79951660ad3b6e96c8c42d18b75cc874aa2905662dd76989ddfa9726cc4c5
                    • Instruction Fuzzy Hash: 8501FC32601B276BDF218A78AC84D577758EF05B617110635F906E3242D724DC01C6E8

                    Control-flow Graph

                    APIs
                    • GetProcAddress.KERNEL32(00000000,?), ref: 00445A59
                    • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00445A66
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressProc__crt_fast_encode_pointer
                    • String ID:
                    • API String ID: 2279764990-0
                    • Opcode ID: c61b452eecc00867d96f211e5a9c10d9e28e8afd79249807e8935c7f12eaf234
                    • Instruction ID: f797c493580bcbb57e031b514bcf368a6941c3076375826e2c1e25af396318bd
                    • Opcode Fuzzy Hash: c61b452eecc00867d96f211e5a9c10d9e28e8afd79249807e8935c7f12eaf234
                    • Instruction Fuzzy Hash: AA113A37A009319BAF21DE69ECC086B7391AB847247164332FC15BB346E634EC0286E9

                    Control-flow Graph

                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f210c679e2b780eded3ea4ef50917041f60fa4d2abe52b8749c2b449606446f0
                    • Instruction ID: 17b6f17919427e724365abd55f1db4a6b8769e1fa76fb76fe63095c9ff18be87
                    • Opcode Fuzzy Hash: f210c679e2b780eded3ea4ef50917041f60fa4d2abe52b8749c2b449606446f0
                    • Instruction Fuzzy Hash: 09F0ECB02042015BCB1C9B34CD5062B379A4BA8365F289F7FF02BD61E0C73AC895860D

                    Control-flow Graph

                    APIs
                    • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004457DA,00000001,00000364,?,00000000,?,00439A11,00000000,?,?,00439A95,00000000), ref: 00443046
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocateHeap
                    • String ID:
                    • API String ID: 1279760036-0
                    • Opcode ID: 8a82d2413be822b6e30d7260cb8c0ab5a5cb0f0d071671a377993aa538de489b
                    • Instruction ID: 6f1ff5b5ffdcc79539d97ae047dfd157567b1d653d04e58146e0509186e3fe0c
                    • Opcode Fuzzy Hash: 8a82d2413be822b6e30d7260cb8c0ab5a5cb0f0d071671a377993aa538de489b
                    • Instruction Fuzzy Hash: A0F0B43220022466FB319E229C01A5B3749AF42FA2F158227BC04E62C9CA78DE1182AD

                    Control-flow Graph

                    APIs
                    • RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocateHeap
                    • String ID:
                    • API String ID: 1279760036-0
                    • Opcode ID: 0c61ffa0ec78c269e0422769366e0108c3b164e239eff4ad14a217a7d57edf52
                    • Instruction ID: 99ef05a6bb91785527f59a1062444bc3c705daae6acf277761014d7f2c467fed
                    • Opcode Fuzzy Hash: 0c61ffa0ec78c269e0422769366e0108c3b164e239eff4ad14a217a7d57edf52
                    • Instruction Fuzzy Hash: 7EE0E52110162377F6312E635C0075B36489F41BA2F17412BFC8596780CB69CE0041AD
                    APIs
                    • GetCurrentProcessId.KERNEL32 ref: 00410B6B
                      • Part of subcall function 00412268: RegCreateKeyA.ADVAPI32(80000001,00000000,P0F), ref: 00412276
                      • Part of subcall function 00412268: RegSetValueExA.ADVAPI32(P0F,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 00412291
                      • Part of subcall function 00412268: RegCloseKey.ADVAPI32(?,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 0041229C
                    • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410BAB
                    • CloseHandle.KERNEL32(00000000), ref: 00410BBA
                    • CreateThread.KERNEL32(00000000,00000000,00411253,00000000,00000000,00000000), ref: 00410C10
                    • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00410E7F
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                    • String ID: (#G$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$!G
                    • API String ID: 3018269243-1736093966
                    • Opcode ID: 0994219a8e8a2e6fdacb02da6b6c9aac93029fb7835260760d01e793a2ba6ee3
                    • Instruction ID: e4f63523a9081b51a3adb9d06d528b7104d503695ba60a117a14e5ebfa22ea95
                    • Opcode Fuzzy Hash: 0994219a8e8a2e6fdacb02da6b6c9aac93029fb7835260760d01e793a2ba6ee3
                    • Instruction Fuzzy Hash: DD71923160430167C604FB62DD67DAE73A8AE91308F50097FF546621E2EEBC9E49C69F
                    APIs
                    • SetEvent.KERNEL32(?,?), ref: 00406D4A
                    • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00406E18
                    • DeleteFileW.KERNEL32(00000000), ref: 00406E3A
                      • Part of subcall function 0041A01B: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00471E78,?), ref: 0041A076
                      • Part of subcall function 0041A01B: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00471E78,?), ref: 0041A0A6
                      • Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A0FB
                      • Part of subcall function 0041A01B: FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A15C
                      • Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A163
                      • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                      • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                      • Part of subcall function 00404A81: WaitForSingleObject.KERNEL32(?,00000000,00401A25,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000), ref: 00404B27
                      • Part of subcall function 00404A81: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000,?,?,?,?,?,00401A25), ref: 00404B55
                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407228
                    • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00407309
                    • DeleteFileA.KERNEL32(?), ref: 0040768E
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: File$Find$DeleteDirectoryEventRemove$AttributesCloseDriveExecuteFirstLocalLogicalNextObjectShellSingleStringsTimeWaitsend
                    • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$open
                    • API String ID: 1385304114-1507758755
                    • Opcode ID: cb2d756319963123cdc946bd025587b190db48c268333e126865797fa68f4cfa
                    • Instruction ID: 48d75f04ed6415a86b5419c4bbb4b80b443badeb9edbc79095c7941e671ccbd4
                    • Opcode Fuzzy Hash: cb2d756319963123cdc946bd025587b190db48c268333e126865797fa68f4cfa
                    • Instruction Fuzzy Hash: EE42A771A043005BC604FB76C86B9AE77A9AF91304F40493FF542671E2EE7D9A09C79B
                    APIs
                    • __Init_thread_footer.LIBCMT ref: 004056C6
                      • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                    • __Init_thread_footer.LIBCMT ref: 00405703
                    • CreatePipe.KERNEL32(00473BB4,00473B9C,00473AC0,00000000,00463068,00000000), ref: 00405796
                    • CreatePipe.KERNEL32(00473BA0,00473BBC,00473AC0,00000000), ref: 004057AC
                    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00473AD0,00473BA4), ref: 0040581F
                    • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405877
                    • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040589C
                    • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058C9
                      • Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B
                    • WriteFile.KERNEL32(00000000,00000000,?,00000000,00471F28,0046306C,00000062,00463050), ref: 004059C4
                    • Sleep.KERNEL32(00000064,00000062,00463050), ref: 004059DE
                    • TerminateProcess.KERNEL32(00000000), ref: 004059F7
                    • CloseHandle.KERNEL32 ref: 00405A03
                    • CloseHandle.KERNEL32 ref: 00405A0B
                    • CloseHandle.KERNEL32 ref: 00405A1D
                    • CloseHandle.KERNEL32 ref: 00405A25
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                    • String ID: SystemDrive$cmd.exe
                    • API String ID: 2994406822-3633465311
                    • Opcode ID: 45804b196eb615b74f37731f9156c820bde623197d48a39944e1cd78d62eaab2
                    • Instruction ID: 60b94bd4732a7a61eda53217d638a5a8398e5d64ba0573e0a23605d008395794
                    • Opcode Fuzzy Hash: 45804b196eb615b74f37731f9156c820bde623197d48a39944e1cd78d62eaab2
                    • Instruction Fuzzy Hash: 2991D571600204AFC710BF65AC52D6F3698EB44745F00443FF949A72E3DA7CAE489B6E
                    APIs
                    • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040AAF0
                    • FindClose.KERNEL32(00000000), ref: 0040AB0A
                    • FindNextFileA.KERNEL32(00000000,?), ref: 0040AC2D
                    • FindClose.KERNEL32(00000000), ref: 0040AC53
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Find$CloseFile$FirstNext
                    • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                    • API String ID: 1164774033-3681987949
                    • Opcode ID: ca0fae3423e82ba65057aab1becec6cc490b3020935d7fd6147cf858be723e25
                    • Instruction ID: fcfcc6101c27069c9b98dcbc284c26b589152974821445ccf2a2d41a2abcc6ea
                    • Opcode Fuzzy Hash: ca0fae3423e82ba65057aab1becec6cc490b3020935d7fd6147cf858be723e25
                    • Instruction Fuzzy Hash: DD516C7190021A9ADB14FBB1DC96EEEB738AF10309F50057FF406720E2FF785A458A5A
                    APIs
                    • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040ACF0
                    • FindClose.KERNEL32(00000000), ref: 0040AD0A
                    • FindNextFileA.KERNEL32(00000000,?), ref: 0040ADCA
                    • FindClose.KERNEL32(00000000), ref: 0040ADF0
                    • FindClose.KERNEL32(00000000), ref: 0040AE11
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Find$Close$File$FirstNext
                    • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                    • API String ID: 3527384056-432212279
                    • Opcode ID: 73f140f6d35823a17bd4706e2565cdbe6c65283cd980cbef6400db2aba249c94
                    • Instruction ID: fb37dd61a783c7e48c67abb1194b5e9e6d585cff7aa156a37ad31c809035e36e
                    • Opcode Fuzzy Hash: 73f140f6d35823a17bd4706e2565cdbe6c65283cd980cbef6400db2aba249c94
                    • Instruction Fuzzy Hash: 33417E7190021A5ACB14FBB1DC56DEEB729AF11306F50057FF402B21D2EF789A468A9E
                    APIs
                    • OpenClipboard.USER32 ref: 00414EC2
                    • EmptyClipboard.USER32 ref: 00414ED0
                    • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 00414EF0
                    • GlobalLock.KERNEL32(00000000), ref: 00414EF9
                    • GlobalUnlock.KERNEL32(00000000), ref: 00414F2F
                    • SetClipboardData.USER32(0000000D,00000000), ref: 00414F38
                    • CloseClipboard.USER32 ref: 00414F55
                    • OpenClipboard.USER32 ref: 00414F5C
                    • GetClipboardData.USER32(0000000D), ref: 00414F6C
                    • GlobalLock.KERNEL32(00000000), ref: 00414F75
                    • GlobalUnlock.KERNEL32(00000000), ref: 00414F7E
                    • CloseClipboard.USER32 ref: 00414F84
                      • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                    • String ID:
                    • API String ID: 3520204547-0
                    • Opcode ID: 7af418065d64d393ef04eab576563171d8b43fad0296cfc06dd8feeb27fac25d
                    • Instruction ID: 88f859f6ed4527f0268ca0f0dcff7fecf11b3a85ebb64268ee3e6238e9d0ca75
                    • Opcode Fuzzy Hash: 7af418065d64d393ef04eab576563171d8b43fad0296cfc06dd8feeb27fac25d
                    • Instruction Fuzzy Hash: C32162312043009BD714BF71DC5A9BE76A8AF90746F81093EF906931E3EF3889458A6A
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: 0$1$2$3$4$5$6$7
                    • API String ID: 0-3177665633
                    • Opcode ID: d8735d6a0333336ade1e6f6e2efec2098777929bb537579fb175260dc37f0ebb
                    • Instruction ID: 7e6592d3055df16b324e67483fbf58bd1f951358f7384255f7d9d01b5e43b049
                    • Opcode Fuzzy Hash: d8735d6a0333336ade1e6f6e2efec2098777929bb537579fb175260dc37f0ebb
                    • Instruction Fuzzy Hash: 7661D4709183019ED704EF21D8A1FAB7BB4DF94310F10881FF5A25B2D1DA789A49CBA6
                    APIs
                    • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004727F8), ref: 00418714
                    • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00418763
                    • GetLastError.KERNEL32 ref: 00418771
                    • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 004187A9
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: EnumServicesStatus$ErrorLastManagerOpen
                    • String ID:
                    • API String ID: 3587775597-0
                    • Opcode ID: a389468ef3a4b2ac6aa5ba8bc00e05a97baae6139e6da71d4e03c11964763bc0
                    • Instruction ID: 6ce88c058296d2c3b0169cbae3b24baff62e3479be35c2318cb4853598c639b3
                    • Opcode Fuzzy Hash: a389468ef3a4b2ac6aa5ba8bc00e05a97baae6139e6da71d4e03c11964763bc0
                    • Instruction Fuzzy Hash: 04814071104344ABC304FB62DC959AFB7E8FF94708F50092EF58552192EE78EA49CB9A
                    APIs
                    • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040B2DC
                    • FindNextFileW.KERNEL32(00000000,?), ref: 0040B3AF
                    • FindClose.KERNEL32(00000000), ref: 0040B3BE
                    • FindClose.KERNEL32(00000000), ref: 0040B3E9
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Find$CloseFile$FirstNext
                    • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                    • API String ID: 1164774033-405221262
                    • Opcode ID: 4b14aa1bc7189600b3df2c7baed1fce7e981b9bf703063a35819cb8b8327a43d
                    • Instruction ID: 883258bb694cc85cc249d311a8318fbda55549897f82b44e5d780b3967986c9e
                    • Opcode Fuzzy Hash: 4b14aa1bc7189600b3df2c7baed1fce7e981b9bf703063a35819cb8b8327a43d
                    • Instruction Fuzzy Hash: 7D31533190025996CB14FBA1DC9ADEE7778AF50718F10017FF405B21D2EFBC9A4A8A8D
                    APIs
                    • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00471E78,?), ref: 0041A076
                    • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00471E78,?), ref: 0041A0A6
                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00471E78,?), ref: 0041A118
                    • DeleteFileW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A125
                      • Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A0FB
                    • GetLastError.KERNEL32(?,?,?,?,?,00471E78,?), ref: 0041A146
                    • FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A15C
                    • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A163
                    • FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A16C
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                    • String ID:
                    • API String ID: 2341273852-0
                    • Opcode ID: 2253f20c687efd1695f59cc813ac36ef13daa749edc7cb4b9e2c9040a42a2537
                    • Instruction ID: c5fafce0dbccb0860899da49af80cd87a4a733faaf08891c553187227cdc222a
                    • Opcode Fuzzy Hash: 2253f20c687efd1695f59cc813ac36ef13daa749edc7cb4b9e2c9040a42a2537
                    • Instruction Fuzzy Hash: 5F31937290121C6ADB20EBA0DC49EDB77BCAB08305F4406FBF558D3152EB39DAD48A19
                    APIs
                      • Part of subcall function 00410201: SetLastError.KERNEL32(0000000D,00410781,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 00410207
                    • SetLastError.KERNEL32(000000C1,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 0041079C
                    • GetNativeSystemInfo.KERNEL32(?,?,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 0041080A
                    • SetLastError.KERNEL32(0000000E), ref: 0041082E
                      • Part of subcall function 00410708: VirtualAlloc.KERNEL32(00000000,00000000,00000000,00000000,0041084C,?,00000000,00003000,00000004,00000000), ref: 00410718
                    • GetProcessHeap.KERNEL32(00000008,00000040), ref: 00410875
                    • HeapAlloc.KERNEL32(00000000), ref: 0041087C
                    • SetLastError.KERNEL32(0000045A), ref: 0041098F
                      • Part of subcall function 00410ADC: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,0041099C), ref: 00410B4C
                      • Part of subcall function 00410ADC: HeapFree.KERNEL32(00000000), ref: 00410B53
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                    • String ID: $.F
                    • API String ID: 3950776272-1421728423
                    • Opcode ID: afa6d71e2a3b14814050e18c4da3df367c89416f336fbbd417f722f4d15fa1ad
                    • Instruction ID: 59628d97446cb481dba570c2b442d682f024dd9dc2812234181a156a821a4c1f
                    • Opcode Fuzzy Hash: afa6d71e2a3b14814050e18c4da3df367c89416f336fbbd417f722f4d15fa1ad
                    • Instruction Fuzzy Hash: F7619270200211ABD750AF66CD91BAB7BA5BF44714F54412AF9158B382DBFCE8C1CBD9
                    APIs
                    • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040935B
                    • SetWindowsHookExA.USER32(0000000D,0040932C,00000000), ref: 00409369
                    • GetLastError.KERNEL32 ref: 00409375
                      • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004093C3
                    • TranslateMessage.USER32(?), ref: 004093D2
                    • DispatchMessageA.USER32(?), ref: 004093DD
                    Strings
                    • Keylogger initialization failure: error , xrefs: 00409389
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                    • String ID: Keylogger initialization failure: error
                    • API String ID: 3219506041-952744263
                    • Opcode ID: 4daa718d81045fd2d4cd741a07fca7de2266515ef5ec0dc15ecea471e6442c9d
                    • Instruction ID: 7386389ed158dc1e9b291cee6df9fe5cdc6a320468782ebba6dd7d831fd8f91b
                    • Opcode Fuzzy Hash: 4daa718d81045fd2d4cd741a07fca7de2266515ef5ec0dc15ecea471e6442c9d
                    • Instruction Fuzzy Hash: 4D119431604301ABC7107B769D0985BB7ECEB99712B500A7EFC95D32D2EB74C900CB6A
                    APIs
                    • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004129B8
                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004129C4
                      • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                    • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 00412CBA
                    • GetProcAddress.KERNEL32(00000000), ref: 00412CC1
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressCloseCreateLibraryLoadProcsend
                    • String ID: SHDeleteKeyW$Shlwapi.dll
                    • API String ID: 2127411465-314212984
                    • Opcode ID: 95394845dcc8446550d74d224a9db9872a36ac6ce2722934ea231da13fa01e82
                    • Instruction ID: 16181ac17c5890234a95f9c719cc05f83ad3eef33587bd03cd2ae8bf1541d7ce
                    • Opcode Fuzzy Hash: 95394845dcc8446550d74d224a9db9872a36ac6ce2722934ea231da13fa01e82
                    • Instruction Fuzzy Hash: CCE1DA72A0430067CA14B776DD57DAF36A8AF91318F40053FF946F71E2EDBD8A44829A
                    APIs
                    • _free.LIBCMT ref: 00446741
                    • _free.LIBCMT ref: 00446765
                    • _free.LIBCMT ref: 004468EC
                    • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045C1E4), ref: 004468FE
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F754,000000FF,00000000,0000003F,00000000,?,?), ref: 00446976
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F7A8,000000FF,?,0000003F,00000000,?), ref: 004469A3
                    • _free.LIBCMT ref: 00446AB8
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$ByteCharMultiWide$InformationTimeZone
                    • String ID:
                    • API String ID: 314583886-0
                    • Opcode ID: cbe724d584c4c688f7c92c89d2af3aac564bebe5498eb7e7b8226ac0d6f42e00
                    • Instruction ID: 8b87e38212d70e432f0d45c21c10c2da0ad9042405ab808e013634feac4ff008
                    • Opcode Fuzzy Hash: cbe724d584c4c688f7c92c89d2af3aac564bebe5498eb7e7b8226ac0d6f42e00
                    • Instruction Fuzzy Hash: 67C15CB1900245ABFB24AF79DC41AAA7BB8EF03314F16416FE48497341EB788E45C75E
                    APIs
                      • Part of subcall function 00411F34: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?), ref: 00411F54
                      • Part of subcall function 00411F34: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,00000000), ref: 00411F72
                      • Part of subcall function 00411F34: RegCloseKey.ADVAPI32(?), ref: 00411F7D
                    • Sleep.KERNEL32(00000BB8), ref: 0040E243
                    • ExitProcess.KERNEL32 ref: 0040E2B4
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseExitOpenProcessQuerySleepValue
                    • String ID: 3.8.0 Pro$override$pth_unenc$!G
                    • API String ID: 2281282204-1386060931
                    • Opcode ID: 2411e5703e7239f679d30a90bad3a95645d2e36138ee9f8a514be94ac54cb995
                    • Instruction ID: b884fba6e00cc138548ee74cf6c0f0a6577cc223cd772b3e63c92b5116f64211
                    • Opcode Fuzzy Hash: 2411e5703e7239f679d30a90bad3a95645d2e36138ee9f8a514be94ac54cb995
                    • Instruction Fuzzy Hash: 6E213770B4030027DA08B6768D5BAAE35899B82708F40446FF911AB2D7EEBD8D4583DF
                    APIs
                    • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00419392
                    • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 004193A8
                    • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 004193C1
                    • InternetCloseHandle.WININET(00000000), ref: 00419407
                    • InternetCloseHandle.WININET(00000000), ref: 0041940A
                    Strings
                    • http://geoplugin.net/json.gp, xrefs: 004193A2
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Internet$CloseHandleOpen$FileRead
                    • String ID: http://geoplugin.net/json.gp
                    • API String ID: 3121278467-91888290
                    • Opcode ID: ef2ec91d27aa09046ea65f67fa3d050ef1f1622cef503f288a816c5549269c7a
                    • Instruction ID: 9fad89c028030122b1819b6a874fefb9d729214f45c39af6bed7b2b06c6e4f32
                    • Opcode Fuzzy Hash: ef2ec91d27aa09046ea65f67fa3d050ef1f1622cef503f288a816c5549269c7a
                    • Instruction Fuzzy Hash: 3311C8311053126BD224EF169C59DABBF9CEF85765F40053EF905A32C1DBA8DC44C6A9
                    APIs
                    • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040A98F
                    • GetLastError.KERNEL32 ref: 0040A999
                    Strings
                    • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040A95A
                    • [Chrome StoredLogins found, cleared!], xrefs: 0040A9BF
                    • UserProfile, xrefs: 0040A95F
                    • [Chrome StoredLogins not found], xrefs: 0040A9B3
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: DeleteErrorFileLast
                    • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    • API String ID: 2018770650-1062637481
                    • Opcode ID: c755599410c6c02e55073cedb3b03e5beee3eb12ab5711b2b25ec6cbfe43ec22
                    • Instruction ID: b2134abed7c3f614b53a5a28bf05479c5c2a11b403a78876888f6ce5fd1f590e
                    • Opcode Fuzzy Hash: c755599410c6c02e55073cedb3b03e5beee3eb12ab5711b2b25ec6cbfe43ec22
                    • Instruction Fuzzy Hash: 7801F271B9020466CA047A75DC2B8BE7728A921304B90057FF402732E2FE7D8A1586CF
                    APIs
                    • GetCurrentProcess.KERNEL32(00000028,?), ref: 00415C9D
                    • OpenProcessToken.ADVAPI32(00000000), ref: 00415CA4
                    • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00415CB6
                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00415CD5
                    • GetLastError.KERNEL32 ref: 00415CDB
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                    • String ID: SeShutdownPrivilege
                    • API String ID: 3534403312-3733053543
                    • Opcode ID: 6b6a245ea7d04d36a7da703741a32f9ec851e6ff0cbdb80aef66d6ce6c3f9121
                    • Instruction ID: ffc0972e6e84a8b4c82c7ff824774f91a9d221977230a9de1ecf93d0fe8dbf87
                    • Opcode Fuzzy Hash: 6b6a245ea7d04d36a7da703741a32f9ec851e6ff0cbdb80aef66d6ce6c3f9121
                    • Instruction Fuzzy Hash: 0AF03A71901229ABDB10ABA1ED4DEEF7F7CEF05616F510060B805A2152D6749A04CAB5
                    APIs
                    • __EH_prolog.LIBCMT ref: 00408393
                      • Part of subcall function 004048A8: connect.WS2_32(?,?,?), ref: 004048C0
                      • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040842F
                    • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040848D
                    • FindNextFileW.KERNEL32(00000000,?), ref: 004084E5
                    • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 004084FC
                      • Part of subcall function 00404E06: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E18
                      • Part of subcall function 00404E06: SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E23
                      • Part of subcall function 00404E06: FindCloseChangeNotification.KERNELBASE(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E2C
                    • FindClose.KERNEL32(00000000), ref: 004086F4
                      • Part of subcall function 00404A81: WaitForSingleObject.KERNEL32(?,00000000,00401A25,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000), ref: 00404B27
                      • Part of subcall function 00404A81: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000,?,?,?,?,?,00401A25), ref: 00404B55
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Find$Close$EventFileObjectSingleWait$ChangeException@8FirstH_prologNextNotificationThrowconnectsend
                    • String ID:
                    • API String ID: 2435342581-0
                    • Opcode ID: fe1b7685708ab651bcf0735ee0d7b313b9460d78bb97c14bdd2e97ece23dd4dd
                    • Instruction ID: 071b26812b5e49f88d0361c7bacc9152bfce797c8686ce15524b94070306fde2
                    • Opcode Fuzzy Hash: fe1b7685708ab651bcf0735ee0d7b313b9460d78bb97c14bdd2e97ece23dd4dd
                    • Instruction Fuzzy Hash: 4FB18D329001099BCB14FBA1CD92AEDB378AF50318F50416FE506B71E2EF785B49CB98
                    APIs
                    • GetForegroundWindow.USER32 ref: 0040949C
                    • GetWindowThreadProcessId.USER32(00000000,?), ref: 004094A7
                    • GetKeyboardLayout.USER32(00000000), ref: 004094AE
                    • GetKeyState.USER32(00000010), ref: 004094B8
                    • GetKeyboardState.USER32(?), ref: 004094C5
                    • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 004094E1
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
                    • String ID:
                    • API String ID: 3566172867-0
                    • Opcode ID: d901ee0ac73cdc62f5a306cfd6c81765c1cc2556515ef31437eb64726968fe5d
                    • Instruction ID: c7d3d650b917c490fc12d3d20248521073b1bf92526e1b13c177c4272b1ff9cc
                    • Opcode Fuzzy Hash: d901ee0ac73cdc62f5a306cfd6c81765c1cc2556515ef31437eb64726968fe5d
                    • Instruction Fuzzy Hash: B9111E7290020CABDB10DBE4EC49FDA7BBCEB4C706F510465FA08E7191E675EA548BA4
                    APIs
                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,00418656,00000000), ref: 00418A09
                    • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,00418656,00000000), ref: 00418A1E
                    • CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A2B
                    • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,00418656,00000000), ref: 00418A36
                    • CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A48
                    • CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A4B
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Service$CloseHandle$Open$ManagerStart
                    • String ID:
                    • API String ID: 276877138-0
                    • Opcode ID: 3fc945a915b8368a843192f93137a5e178334297252c2274446b31ee589ae89c
                    • Instruction ID: d7e7041197745ae6b8576ac0eea0d71e7d0897d816d6b6e74118e31fa9ec717f
                    • Opcode Fuzzy Hash: 3fc945a915b8368a843192f93137a5e178334297252c2274446b31ee589ae89c
                    • Instruction Fuzzy Hash: CAF082711012246FD211EB65EC89DBF2BACDF85BA6B41042BF801931918F78CD49A9B9
                    APIs
                    • FindFirstFileW.KERNEL32(00000000,?), ref: 00417D01
                    • FindNextFileW.KERNEL32(00000000,?,?), ref: 00417DCD
                      • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: File$Find$CreateFirstNext
                    • String ID: H"G$`'G$`'G
                    • API String ID: 341183262-2774397156
                    • Opcode ID: 0d80ee79194906e4b22a720edc884f9e90fb3bc84ee362b2e3278aa21dcfc2fa
                    • Instruction ID: cc65440c5fe1593426504ff8613f72b7370ef7481f3bf724e026da4e35a467e2
                    • Opcode Fuzzy Hash: 0d80ee79194906e4b22a720edc884f9e90fb3bc84ee362b2e3278aa21dcfc2fa
                    • Instruction Fuzzy Hash: 138183315083415BC314FB62C996DEFB7A8AF90304F40493FF586671E2EF789A49C69A
                    APIs
                      • Part of subcall function 00415C90: GetCurrentProcess.KERNEL32(00000028,?), ref: 00415C9D
                      • Part of subcall function 00415C90: OpenProcessToken.ADVAPI32(00000000), ref: 00415CA4
                      • Part of subcall function 00415C90: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00415CB6
                      • Part of subcall function 00415C90: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00415CD5
                      • Part of subcall function 00415C90: GetLastError.KERNEL32 ref: 00415CDB
                    • ExitWindowsEx.USER32(00000000,00000001), ref: 00414E56
                    • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00414E6B
                    • GetProcAddress.KERNEL32(00000000), ref: 00414E72
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                    • String ID: PowrProf.dll$SetSuspendState
                    • API String ID: 1589313981-1420736420
                    • Opcode ID: a90733ccfc111f0b9843f199546f20f3a5fde930ee9984aa821316ce92a955c1
                    • Instruction ID: 748c18e79ee5f9a1fbb6f05bd7ad52209f91b0004c4d1b0055552a3b76c5c1f9
                    • Opcode Fuzzy Hash: a90733ccfc111f0b9843f199546f20f3a5fde930ee9984aa821316ce92a955c1
                    • Instruction Fuzzy Hash: 5F214F7070430157CE14FBB19896AAF6359AFD4349F40097FB5026B2D2EE7DCC4986AE
                    APIs
                    • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0044F93B,?,00000000), ref: 0044F6B5
                    • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0044F93B,?,00000000), ref: 0044F6DE
                    • GetACP.KERNEL32(?,?,0044F93B,?,00000000), ref: 0044F6F3
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: InfoLocale
                    • String ID: ACP$OCP
                    • API String ID: 2299586839-711371036
                    • Opcode ID: bf4880e5188eb12a7c294a6f25afa26b03a49e2ed1ffce5823e951fdb7c5b330
                    • Instruction ID: bf1e89585aec8fc6a823a5c6a63220f2d7696aba51182a9853130589b0d37fa4
                    • Opcode Fuzzy Hash: bf4880e5188eb12a7c294a6f25afa26b03a49e2ed1ffce5823e951fdb7c5b330
                    • Instruction Fuzzy Hash: 2221C122A00101A6F7348F24C901A9B73AAAF50B65F578577E809C7221FB36DD4BC398
                    APIs
                    • GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                    • wsprintfW.USER32 ref: 0040A13F
                      • Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: EventLocalTimewsprintf
                    • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                    • API String ID: 1497725170-248792730
                    • Opcode ID: 87b5f94750da63fef2f6cded4e82116a79e8327da2086fd1d9a035c3abd0ab33
                    • Instruction ID: 6803640c9eec9339f7c785541c6425a10534024a2ea1efda602809c990ee83c1
                    • Opcode Fuzzy Hash: 87b5f94750da63fef2f6cded4e82116a79e8327da2086fd1d9a035c3abd0ab33
                    • Instruction Fuzzy Hash: 5E114272504118AAC708FB96EC558FE77BCEE48315B00412FF806661D2EF7C5A46D6A9
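The record above recovers the wsprintfW format `[%04i/%02i/%02i %02i:%02i:%02i ` that the offline keylogger writes, followed by the literal `Offline Keylogger Started` and a closing `]`. As an added example (this editor's code, not code from the report, from Joe Sandbox or from the sample), the Python below turns a printf-style format string recovered from a binary into an anchored regular expression, so that lines the sample would write can be located and timestamped in a recovered log. It goes beyond this one string: it handles the zero-pad flag and width, `%x`, `%s`, `%c` and `%%`. The trailing `%s` in HEADER_FMT, the name START_MARK and the SAMPLE_LOG lines are this example's assumptions; the report only shows the timestamp prefix and the one literal, not the rest of the log layout.

```python
import re
from datetime import datetime

# printf-style conversion: %[flags][width][.prec][length]conv, or %% for a literal percent sign.
SPEC = re.compile(
    r"%(?:(?P<pct>%)|(?P<flags>[-+ #0]*)(?P<width>\d+)?(?:\.\d+)?(?:hh|h|ll|l|L)?(?P<conv>[diuxXsc]))"
)

def format_to_regex(fmt):
    """Anchored regex for the text a C format string produces; one capture group per conversion."""
    parts, convs, pos = [], [], 0
    for m in SPEC.finditer(fmt):
        parts.append(re.escape(fmt[pos:m.start()]))   # literal text between conversions
        pos = m.end()
        if m.group("pct"):
            parts.append("%")
            continue
        conv, width, flags = m.group("conv"), m.group("width"), m.group("flags")
        padded = bool(width) and "0" in flags          # %04i: at least `width` digits, more if the value needs them
        if conv in "diu":
            parts.append(r"(-?\d{%s,})" % width if padded else r"(-?\d+)")
        elif conv in "xX":
            parts.append(r"([0-9A-Fa-f]{%s,})" % width if padded else r"([0-9A-Fa-f]+)")
        elif conv == "c":
            parts.append("(.)")
        else:                                           # %s: shortest run that still lets the rest of the format match
            parts.append("(.*?)")
        convs.append(conv)
    parts.append(re.escape(fmt[pos:]))
    return re.compile("^" + "".join(parts) + "$"), convs

# Timestamp prefix as recovered in the report; the trailing %s is this example's assumption so that
# other bracketed events sharing the prefix would be matched as well.
HEADER_FMT = "[%04i/%02i/%02i %02i:%02i:%02i %s]"
HEADER_RX, _ = format_to_regex(HEADER_FMT)
START_MARK = "Offline Keylogger Started"   # literal the report shows after the timestamp

def parse_header(line):
    """(timestamp, event text) for a line shaped like HEADER_FMT, or None if it is not one."""
    m = HEADER_RX.match(line)
    if not m:
        return None
    y, mo, d, h, mi, s, text = m.groups()
    try:
        return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s)), text
    except ValueError:        # e.g. month 13: shaped like a header but not a real timestamp
        return None

def session_starts(lines):
    """Timestamps of keylogger session starts found in a recovered log."""
    found = []
    for line in lines:
        parsed = parse_header(line.rstrip("\r\n"))
        if parsed and parsed[1] == START_MARK:
            found.append(parsed[0])
    return found

# Constructed sample log for this example; only the header layout comes from the report.
SAMPLE_LOG = [
    "[2024/06/28 13:05:09 Offline Keylogger Started]",
    "some captured keystrokes",
    "[2024/06/28 13:07:41 some other bracketed event]",  # same prefix, different text (constructed)
    "[2024/13/01 00:00:00 Offline Keylogger Started]",   # invalid month, rejected
    "[24/06/28 13:05:09 Offline Keylogger Started]",     # too short for %04i, rejected
    "[2024/06/28 14:00:00 Offline Keylogger Started]",
]

if __name__ == "__main__":
    for ts in session_starts(SAMPLE_LOG):
        print(ts.isoformat())
```

Because the regex is derived from the format string rather than hand-written, a change in the recovered format (another Remcos build, another width, an extra field) only needs HEADER_FMT updated. Lines that match the shape but carry an impossible date are rejected by the datetime constructor rather than silently accepted.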
                    APIs
                    • FindResourceA.KERNEL32(SETTINGS,0000000A), ref: 004194A4
                    • LoadResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194B8
                    • LockResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194BF
                    • SizeofResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194CE
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Resource$FindLoadLockSizeof
                    • String ID: SETTINGS
                    • API String ID: 3473537107-594951305
                    • Opcode ID: 7f61ee72686a272b8f551de58b86ae3e218e906a9fde472ee07ff8038d16bca4
                    • Instruction ID: a9e8191b24fee58836060ebd07e0bd7776b83e69f4e337d8cda710b4f32c44fb
                    • Instruction Fuzzy Hash: 72E01A76200710ABCB211FA1FC5CD273E69F799B537050035FA0183222DA75CC00CA19
                    APIs
                    • __EH_prolog.LIBCMT ref: 004087A5
                    • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040881D
                    • FindNextFileW.KERNEL32(00000000,?), ref: 00408846
                    • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040885D
                    • API ID: Find$File$CloseFirstH_prologNext
                    • String ID:
                    • API String ID: 1157919129-0
                    • Opcode ID: 723ee23fa97bb8f6af8cca5773ea7e68c839743d70c3dbe8a8860bd87f8337b2
                    • Instruction ID: 37d480644902bd8bd77a9749fd647df5a3db5b19bbca398f696489d34b7b99bb
                    • Instruction Fuzzy Hash: 12814D329001199BCB15EBA1DD929ED73B8AF54308F10427FE446B71E2EF385B49CB98
                    APIs
                      • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                      • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                      • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                      • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                      • Part of subcall function 00445725: _free.LIBCMT ref: 00445784
                      • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                    • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0044F8FC
                    • IsValidCodePage.KERNEL32(00000000), ref: 0044F957
                    • IsValidLocale.KERNEL32(?,00000001), ref: 0044F966
                    • GetLocaleInfoW.KERNEL32(?,00001001,00441F7E,00000040,?,0044209E,00000055,00000000,?,?,00000055,00000000), ref: 0044F9AE
                    • GetLocaleInfoW.KERNEL32(?,00001002,00441FFE,00000040), ref: 0044F9CD
                    • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                    • String ID:
                    • API String ID: 745075371-0
                    • Opcode ID: b2004c1cc1df407676deb5a86971a5ed3ade22d67ad87857b151b1318ee5498f
                    • Instruction ID: 3a6be996f1d9ea25600d7609fa1d0555167a50dcc121ad64ff78238f3932635f
                    • Instruction Fuzzy Hash: 0351A271900215AFFB20EFA5DC41BBF77B8AF08301F05447BE914EB251E7789A088769
                    APIs
                    • __EH_prolog.LIBCMT ref: 0040784D
                    • FindFirstFileW.KERNEL32(00000000,?,004632A8,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407906
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040792E
                    • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040793B
                    • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407A51
                    • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                    • String ID:
                    • API String ID: 1771804793-0
                    • Opcode ID: d2b2406fb78086a357800fb68e00157406e6bc822482aaceecce54b7553cb521
                    • Instruction ID: 4b9324871479917b5af30c26e04a30266e6971a3e86a210f007197118c0b57fe
                    • Instruction Fuzzy Hash: 18516372904208AACB04FBA1DD969DD7778AF11308F50417FB846771E2EF389B49CB99
                    APIs
                      • Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E305
                    • Process32FirstW.KERNEL32(00000000,?), ref: 0040E329
                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E338
                    • CloseHandle.KERNEL32(00000000), ref: 0040E4EF
                      • Part of subcall function 00419F51: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040DFB9,00000000,?,?,00000001), ref: 00419F66
                      • Part of subcall function 00419F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00419F9C
                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E4E0
                    • API ID: ProcessProcess32$NextOpen$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                    • String ID:
                    • API String ID: 1735047541-0
                    • Opcode ID: 6f438c647af3f64ff81423d8645069480e61c42badef12e757d9f04d87e397aa
                    • Instruction ID: 9ef93eb2fb75da2762b4731e21c5b8dc01158be40bd3d18dbb98703d8f1b3e60
                    • Instruction Fuzzy Hash: 904101311082415BC365F761D991EEFB3A8AFD4344F50493EF48A921E2EF38994AC75A
                    Strings
                    • API ID:
                    • String ID: A%E$A%E
                    • API String ID: 0-137320553
                    • Opcode ID: 4196e068c390569144ba97144776be62b0eb254e97c7fe9274842686a6009a67
                    • Instruction ID: 1c47d48333aa2aee23a91f6ecd96940ee01f0d1a5fc0d697d822b355cdd05c70
                    • Instruction Fuzzy Hash: C4022E71E002199BEF14CFA9C8806AEF7F1EF88715F25816AE819E7341D735AE45CB84
                    APIs
                    • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041A861
                      • Part of subcall function 0041215F: RegCreateKeyA.ADVAPI32(80000001,00000000,00000000), ref: 0041216E
                      • Part of subcall function 0041215F: RegSetValueExA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,00412385,?,00000000), ref: 00412196
                      • Part of subcall function 0041215F: RegCloseKey.ADVAPI32(00000000,?,?,?,00412385,?,00000000), ref: 004121A1
                    Strings
                    • API ID: CloseCreateInfoParametersSystemValue
                    • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                    • API String ID: 4127273184-3576401099
                    • Opcode ID: 5150ba5cc6bca268b63238cec6e219cc56e1651da33e9e1a7eed9394c1e9f3e3
                    • Instruction ID: 146807b905f8226e4159dba151db05d0611ea4827dca33b530162433be1e3f9d
                    • Instruction Fuzzy Hash: 7C119671F8024037D514353A4D6BBAE18199343B50F54016BB6022B6CAF8EE4EA553DF
                    APIs
                      • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                      • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                      • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                      • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                    • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00441F85,?,?,?,?,004419DC,?,00000004), ref: 0044EF9A
                    • _wcschr.LIBVCRUNTIME ref: 0044F02A
                    • _wcschr.LIBVCRUNTIME ref: 0044F038
                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00441F85,00000000,004420A5), ref: 0044F0DB
                    • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                    • String ID:
                    • API String ID: 4212172061-0
                    • Opcode ID: 2958d0d59106b2716bbf9024854ff4f325b6253e079e5f73fc6a0a954244a96d
                    • Instruction ID: 651119c321e801f17dd1a7ba429a2dceeb4aa1bed9d5f8a21b6634afb1069130
                    • Instruction Fuzzy Hash: 8E61E935600606AAFB24AB36DC46BB773A8FF44714F14047FF905D7282EB78E9488769
                    APIs
                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004064D2
                    • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004065B6
                    Strings
                    • API ID: DownloadExecuteFileShell
                    • String ID: open
                    • API String ID: 2825088817-2758837156
                    • Opcode ID: 1ef1fcb5ee927166ed2bf606d15835eaf54d5e513457301e62ecff7219cb06ab
                    • Instruction ID: de45ecf938be0b84f02b1b366aeabb591a3e89dbb22835c7232af05a142efef6
                    • Instruction Fuzzy Hash: 6F61D331A0430167CA14FB75D8A697E77A99F81708F00093FFD42772D6EE3D8A09869B
                    APIs
                      • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                      • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                      • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                      • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                      • Part of subcall function 00445725: _free.LIBCMT ref: 00445784
                      • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F2F7
                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F348
                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F408
                    • API ID: ErrorInfoLastLocale$_free$_abort
                    • String ID:
                    • API String ID: 2829624132-0
                    • Opcode ID: 5d155598132bf3b03d9715496123f76655355fd2299683488a64446915391091
                    • Instruction ID: 12c224c4da0c85949021a4ccaa6d586ab513ef91610cb16151a2099a543b2454
                    • Instruction Fuzzy Hash: 49617D71600207ABEB289F25CC82B7B77A8EF14314F1041BBED06C6685EB78D949DB58
                    APIs
                    • IsDebuggerPresent.KERNEL32 ref: 004399A4
                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004399AE
                    • UnhandledExceptionFilter.KERNEL32(?), ref: 004399BB
                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                    • String ID:
                    • API String ID: 3906539128-0
                    • Opcode ID: a2edd11b745fd0db19ae8b75a4dca2fd63e5a3b0d4ecfa6da1b026d4ab375051
                    • Instruction ID: 77e6618fa9d19f9c50586940e2a7469f5a9d54f298177c93e0bbf68cc30459b4
                    • Instruction Fuzzy Hash: 1D31D67591122C9BCB21DF65D9897CDB7B8BF08310F5051EAE40CA72A1E7749F858F48
                    APIs
                    • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00431274,00000034,?,?,00000000), ref: 004315FE
                    • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00431307,00000000,?,00000000), ref: 00431614
                    • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,00431307,00000000,?,00000000,0041C006), ref: 00431626
                    • API ID: Crypt$Context$AcquireRandomRelease
                    • String ID:
                    • API String ID: 1815803762-0
                    • Opcode ID: 490f37dff30391dd88b2b348f1e17f82ee14bc365aa64bdd7ac48a14519942bc
                    • Instruction ID: e2f248fbd61bea3c509e9dcbc4a9d000159a3c4e1760f154dd59208f6820a057
                    • Instruction Fuzzy Hash: FDE0923130C310BBEB304F51AC09F172A55EB8DB72FA5063AF112E50F4D6518801855C
                    APIs
                    • OpenClipboard.USER32(00000000), ref: 0040A65D
                    • GetClipboardData.USER32(0000000D), ref: 0040A669
                    • CloseClipboard.USER32 ref: 0040A671
                    • API ID: Clipboard$CloseDataOpen
                    • String ID:
                    • API String ID: 2058664381-0
                    • Opcode ID: edb8c36ac275bb67b795d66d8e1b797ea5e31e94c4ba3ac6c333071066a6c16d
                    • Instruction ID: 184f8b84181a4a50bd43ef3289a1c1a9f5b779335cc527adffbe090e77bee848
                    • Instruction Fuzzy Hash: 6CE08C3064432097D2206F60EC08B8A66649B50B12F064A7AB849AB2D1DA75DC208AAE
                    APIs
                    • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 004329F3
                    Strings
                    • API ID: FeaturePresentProcessor
                    • String ID:
                    • API String ID: 2325560087-3916222277
                    • Opcode ID: 6bf946e24e0cf3f7143bf6f7c2898541fb51292b7eeb3b4358a3a41aa26ebfb9
                    • Instruction ID: 4a1c44cf8a386737ece403ae0cfd22a47b20ce31fd9c2d8f3958115f99bf9d9d
                    • Instruction Fuzzy Hash: E4514A719002099BDB24CFAAD98579ABBF4FF48314F14846BD815EB350E3B9A910CFA5
                    Strings
                    • API ID:
                    • String ID: .
                    • API String ID: 0-248832578
                    • Opcode ID: 0742d3138d3954d6b0adc7bce21f8647b4e5777487e1ab8e88fa8e0c5db588f4
                    • Instruction ID: 24926096c943187a016d953fe808ce2acf1242cb654f72e39a34338bfc4b4f1c
                    • Instruction Fuzzy Hash: 0E3108719002486FEB248E79CC84EEB7BBDDB45304F14419EF858D7251EB34EE418B94
                    APIs
                    • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004419DC,?,00000004), ref: 00445E6F
                    Strings
                    • API ID: InfoLocale
                    • String ID: GetLocaleInfoEx
                    • API String ID: 2299586839-2904428671
                    • Opcode ID: 020099d0525865bb6834e28ad9152f433c6e4676045ed3ecc95ad7b7c68cac6a
                    • Instruction ID: a9bb3d2992a9d1fe8e60343c55b6d981a628f421e7cf107d295b861f9edee2c3
                    • Instruction Fuzzy Hash: 6DF0F631600708BBDF016F619C05F6E7B51EB14721F10401BFC051A253CA758D109A9D
                    APIs
                    • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 004068E8
                    • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 004069B0
                      • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                    • API ID: FileFind$FirstNextsend
                    • String ID:
                    • API String ID: 4113138495-0
                    • Opcode ID: e3ef31e205124b2d37ce34f80ed01c56440b36d419931c260197812f3169fbb8
                    • Instruction ID: f886cb8170a1cbefaa312452e39d18d6cd017e90ab843946bfd6f4b2f28fefe7
                    • Instruction Fuzzy Hash: 9C218F711043015BC314FBA1DC96CEFB7ACAF91358F400A3EF596621E1EF389A09CA5A
                    APIs
                      • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                      • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                      • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                      • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                      • Part of subcall function 00445725: _free.LIBCMT ref: 00445784
                      • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F547
                    • API ID: ErrorLast$_free$InfoLocale_abort
                    • String ID:
                    • API String ID: 1663032902-0
                    • Opcode ID: ad0e0b7788e936bcfdd9e0a2c8ea1aecabb77b710f5984c66624a7eb150c0fcd
                    • Instruction ID: 815750de5804ab4a8f75770bcc990d44dba9c2967eca50803adc2dd3443e40da
                    • Instruction Fuzzy Hash: 6421B372901206BBEF249F26DC45A7A73A8EB04315F10017BFD01C6242EB78AD59CB59
                    APIs
                      • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                      • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                      • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                      • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                    • EnumSystemLocalesW.KERNEL32(0044F2A3,00000001,00000000,?,00441F7E,?,0044F8D0,00000000,?,?,?), ref: 0044F1ED
                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                    • String ID:
                    • API String ID: 1084509184-0
                    • Opcode ID: 1e67477eb4f1d9c825940ef83573ecb2aed64948dc5e5734fb002b4aa87f20f9
                    • Instruction ID: fc4c71b657a69648ba6c32e8c27400de65702582941300ca2eca7bc8fd592fd6
                    • Instruction Fuzzy Hash: D811293B6007019FEB189F39D89167BBB91FF80358B14443DE94647B40D776A946C744
                    APIs
                      • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                      • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                      • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                      • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                    • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0044F4C1,00000000,00000000,?), ref: 0044F74F
                    • API ID: ErrorLast$InfoLocale_abort_free
                    • String ID:
                    • API String ID: 2692324296-0
                    • Opcode ID: c5ca8868f81a5dafb3fdb259ff2b8ec3965b2bfb8aabdce9695f87c3ae70661f
                    • Instruction ID: e4b95bc4a5e1061338a04706472302caa06a68982d3ebb8569a44a178f9f49d5
                    • Instruction Fuzzy Hash: 09F02D36600516BBFB245B65DC05BBB7768EF40764F05447AEC19A3240EA7CFD05C6D4
                    APIs
                      • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                      • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                      • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                      • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                    • EnumSystemLocalesW.KERNEL32(0044F4F3,00000001,?,?,00441F7E,?,0044F894,00441F7E,?,?,?,?,?,00441F7E,?,?), ref: 0044F262
                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                    • String ID:
                    • API String ID: 1084509184-0
                    • Opcode ID: d9e72da5ca64d0dbd4f9725887adba7bc59a573407832ad1990d17eaaac4c4d9
                    • Instruction ID: 7c38563944de2097393583401858843e6c2e12a799e64e453201a09b71e8bce8
                    • Instruction Fuzzy Hash: 44F0223A2007045FEB145F399881A7B7B94FF8036CB15447EF9458B690DAB6AC068614
                    APIs
                    • GetUserNameW.ADVAPI32(?,00000010), ref: 0041962D
                    • API ID: NameUser
                    • String ID:
                    • API String ID: 2645101109-0
                    • Opcode ID: 8951ed9e5e96f4eef37346a31dc1e1cfc055faec67558bb1b1f4eabc83ab8062
                    • Instruction ID: 5ca8c18713c22ae7facf93a828c8627c995cdb1c7496207664ac88b3b4335c79
                    • Instruction Fuzzy Hash: 7C01FF7290011CABCB04EBD5DC45EDEB7BCEF44319F10016AB505B61A5EEB46A89CB98
                    APIs
                      • Part of subcall function 00442D9A: EnterCriticalSection.KERNEL32(?,?,004404DB,00000000,0046B4D8,0000000C,00440496,?,?,?,00443038,?,?,004457DA,00000001,00000364), ref: 00442DA9
                    • EnumSystemLocalesW.KERNEL32(004458CE,00000001,0046B680,0000000C), ref: 0044594C
                    • API ID: CriticalEnterEnumLocalesSectionSystem
                    • String ID:
                    • API String ID: 1272433827-0
                    • Opcode ID: 9f071f7aa8f2d5cfdb4dd86670e259d2fa7dae68b4529c3cbc217272811744e5
                    • Instruction ID: 57fcd2d1ba6fdacad71b84952267562ddc6b8062f8818d57533dd41bf3368d71
                    • Instruction Fuzzy Hash: CFF03C72A10700EFEB00EF69D846B5D77F0EB08325F10402AF400DB2A2DAB989448B5E
                    APIs
                      • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                      • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                      • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                      • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                    • EnumSystemLocalesW.KERNEL32(0044F087,00000001,?,?,?,0044F8F2,00441F7E,?,?,?,?,?,00441F7E,?,?,?), ref: 0044F167
                    Similarity
                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                    • String ID:
                    APIs
                    • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00413F34,00471E78,00472910,00471E78,00000000,00471E78,00000000,00471E78,3.8.0 Pro), ref: 0040E2CF
                    Similarity
                    • API ID: InfoLocale
                    • String ID:
                    APIs
                    • SetUnhandledExceptionFilter.KERNEL32(Function_00032908,0043262F), ref: 00432901
                    Similarity
                    • API ID: ExceptionFilterUnhandled
                    • String ID:
                    APIs
                    • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00416E98
                    • CreateCompatibleDC.GDI32(00000000), ref: 00416EA5
                      • Part of subcall function 004172DF: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 0041730F
                    • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00416F1B
                    • DeleteDC.GDI32(00000000), ref: 00416F32
                    • DeleteDC.GDI32(00000000), ref: 00416F35
                    • DeleteObject.GDI32(00000000), ref: 00416F38
                    • SelectObject.GDI32(00000000,00000000), ref: 00416F59
                    • DeleteDC.GDI32(00000000), ref: 00416F6A
                    • DeleteDC.GDI32(00000000), ref: 00416F6D
                    • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00416F91
                    • GetIconInfo.USER32(?,?), ref: 00416FC5
                    • DeleteObject.GDI32(?), ref: 00416FF4
                    • DeleteObject.GDI32(?), ref: 00417001
                    • DrawIcon.USER32(00000000,?,?,?), ref: 0041700E
                    • GetObjectA.GDI32(00000000,00000018,?), ref: 00417026
                    • LocalAlloc.KERNEL32(00000040,00000001), ref: 00417095
                    • GlobalAlloc.KERNEL32(00000000,?), ref: 00417104
                    • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00417128
                    • DeleteDC.GDI32(?), ref: 0041713C
                    • DeleteDC.GDI32(00000000), ref: 0041713F
                    • DeleteObject.GDI32(00000000), ref: 00417142
                    • GlobalFree.KERNEL32(?), ref: 0041714D
                    • DeleteObject.GDI32(00000000), ref: 00417201
                    • GlobalFree.KERNEL32(?), ref: 00417208
                    • DeleteDC.GDI32(?), ref: 00417218
                    • DeleteDC.GDI32(00000000), ref: 00417223
                    Similarity
                    • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                    • String ID: DISPLAY
                    APIs
                    • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00416474
                    • GetProcAddress.KERNEL32(00000000), ref: 00416477
                    • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00416488
                    • GetProcAddress.KERNEL32(00000000), ref: 0041648B
                    • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041649C
                    • GetProcAddress.KERNEL32(00000000), ref: 0041649F
                    • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004164B0
                    • GetProcAddress.KERNEL32(00000000), ref: 004164B3
                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00416555
                    • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041656D
                    • GetThreadContext.KERNEL32(?,00000000), ref: 00416583
                    • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004165A9
                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041662B
                    • TerminateProcess.KERNEL32(?,00000000), ref: 0041663F
                    • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041667F
                    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00416749
                    • SetThreadContext.KERNEL32(?,00000000), ref: 00416766
                    • ResumeThread.KERNEL32(?), ref: 00416773
                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041678A
                    • GetCurrentProcess.KERNEL32(?), ref: 00416795
                    • TerminateProcess.KERNEL32(?,00000000), ref: 004167B0
                    • GetLastError.KERNEL32 ref: 004167B8
                    Similarity
                    • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                    • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                    APIs
                      • Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
                      • Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8
                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C0D6
                    • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C0E9
                    • SetFileAttributesW.KERNEL32(?,00000080), ref: 0040C102
                    • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040C132
                      • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(00409305,00000000,004721E8,0040BC76,?,00472200,pth_unenc,004721E8), ref: 0040A801
                      • Part of subcall function 0040A7F2: UnhookWindowsHookEx.USER32(?), ref: 0040A811
                      • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(004092EF,00000000,?,00472200,pth_unenc,004721E8), ref: 0040A823
                      • Part of subcall function 0041A17B: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA
                    • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040C37D
                    • ExitProcess.KERNEL32 ref: 0040C389
                    Similarity
                    • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                    • String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$H"G$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$t<F$wend$while fso.FileExists("
                    APIs
                    • CreateMutexA.KERNEL32(00000000,00000001,00000000,00472200,00471FFC,00000000), ref: 00410EF9
                    • ExitProcess.KERNEL32(00000000), ref: 00410F05
                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00410F7F
                    • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00410F8E
                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00410F99
                    • CloseHandle.KERNEL32(00000000), ref: 00410FA0
                    • GetCurrentProcessId.KERNEL32 ref: 00410FA6
                    • PathFileExistsW.SHLWAPI(?), ref: 00410FD7
                    • GetTempPathW.KERNEL32(00000104,?), ref: 0041103A
                    • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 00411054
                    • lstrcatW.KERNEL32(?,.exe), ref: 00411066
                      • Part of subcall function 0041A17B: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA
                    • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 004110A6
                    • Sleep.KERNEL32(000001F4), ref: 004110E7
                    • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004110FC
                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00411107
                    • CloseHandle.KERNEL32(00000000), ref: 0041110E
                    • GetCurrentProcessId.KERNEL32 ref: 00411114
                    Similarity
                    • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                    • String ID: (#G$.exe$H"G$WDH$exepath$open$temp_
                    APIs
                    • _wcslen.LIBCMT ref: 0040B882
                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00471FFC), ref: 0040B89B
                    • CopyFileW.KERNEL32(0046FB08,00000000,00000000,00000000,00000000,00000000,?,00471FFC), ref: 0040B952
                    • _wcslen.LIBCMT ref: 0040B968
                    • CopyFileW.KERNEL32(0046FB08,00000000,00000000,00000000), ref: 0040B9E0
                    • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BA22
                    • _wcslen.LIBCMT ref: 0040BA25
                    • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BA3C
                    • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040BC2A
                    • ExitProcess.KERNEL32 ref: 0040BC36
                    Similarity
                    • API ID: File$_wcslen$AttributesCopy$CreateDirectoryExecuteExitProcessShell
                    • String ID: """, 0$6$CreateObject("WScript.Shell").Run "cmd /c ""$Set fso = CreateObject("Scripting.FileSystemObject")$Temp$WScript.Sleep 1000$\install.vbs$fso.DeleteFile $fso.DeleteFile(Wscript.ScriptFullName)$open$!G$!G
                    APIs
                      • Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
                      • Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8
                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BD63
                    • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040BD76
                    • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BDA6
                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BDB5
                      • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(00409305,00000000,004721E8,0040BC76,?,00472200,pth_unenc,004721E8), ref: 0040A801
                      • Part of subcall function 0040A7F2: UnhookWindowsHookEx.USER32(?), ref: 0040A811
                      • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(004092EF,00000000,?,00472200,pth_unenc,004721E8), ref: 0040A823
                      • Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980
                    • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040BFD0
                    • ExitProcess.KERNEL32 ref: 0040BFD7
                    Similarity
                    • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                    • String ID: ")$.vbs$H"G$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                    APIs
                    • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 004190F2
                    • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 00419106
                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00463050), ref: 0041912E
                    • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00471E78,00000000), ref: 00419144
                    • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 00419185
                    • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041919D
                    • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 004191B2
                    • SetEvent.KERNEL32 ref: 004191CF
                    • WaitForSingleObject.KERNEL32(000001F4), ref: 004191E0
                    • CloseHandle.KERNEL32 ref: 004191F0
                    • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 00419212
                    • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041921C
                    Similarity
                    • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                    • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                    APIs
                    • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9
                    • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401AE3
                    • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401AF3
                    • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B03
                    • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B13
                    • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B23
                    • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B34
                    • WriteFile.KERNEL32(00000000,0046FA9A,00000002,00000000,00000000), ref: 00401B45
                    • WriteFile.KERNEL32(00000000,0046FA9C,00000004,00000000,00000000), ref: 00401B55
                    • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B65
                    • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B76
                    • WriteFile.KERNEL32(00000000,0046FAA6,00000002,00000000,00000000), ref: 00401B87
                    • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401B97
                    • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BA7
                    Similarity
                    • API ID: File$Write$Create
                    • String ID: RIFF$WAVE$data$fmt
                    APIs
                    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0041382B
                    • LoadLibraryA.KERNEL32(?), ref: 0041386D
                    • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0041388D
                    • FreeLibrary.KERNEL32(00000000), ref: 00413894
                    • LoadLibraryA.KERNEL32(?), ref: 004138CC
                    • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 004138DE
                    • FreeLibrary.KERNEL32(00000000), ref: 004138E5
                    • GetProcAddress.KERNEL32(00000000,?), ref: 004138F4
                    • FreeLibrary.KERNEL32(00000000), ref: 0041390B
                    Similarity
                    • API ID: Library$AddressFreeProc$Load$DirectorySystem
                    • String ID: \ws2_32$\wship6$`3A$freeaddrinfo$getaddrinfo$getnameinfo
                    Similarity
                    • API ID: _free$EnvironmentVariable$_wcschr
                    • String ID:
                    APIs
                    • ___free_lconv_mon.LIBCMT ref: 0044E4EA
                      • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D6FF
                      • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D711
                      • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D723
                      • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D735
                      • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D747
                      • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D759
                      • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D76B
                      • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D77D
                      • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D78F
                      • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7A1
                      • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7B3
                      • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7C5
                      • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7D7
                    • _free.LIBCMT ref: 0044E4DF
                      • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                      • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                    • _free.LIBCMT ref: 0044E501
                    • _free.LIBCMT ref: 0044E516
                    • _free.LIBCMT ref: 0044E521
                    • _free.LIBCMT ref: 0044E543
                    • _free.LIBCMT ref: 0044E556
                    • _free.LIBCMT ref: 0044E564
                    • _free.LIBCMT ref: 0044E56F
                    • _free.LIBCMT ref: 0044E5A7
                    • _free.LIBCMT ref: 0044E5AE
                    • _free.LIBCMT ref: 0044E5CB
                    • _free.LIBCMT ref: 0044E5E3
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                    • String ID: pF
                    APIs
                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 004118B2
                      • Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980
                      • Part of subcall function 004168A6: CloseHandle.KERNEL32(004040D5,?,?,004040D5,00462E24), ref: 004168BC
                      • Part of subcall function 004168A6: CloseHandle.KERNEL32($.F,?,?,004040D5,00462E24), ref: 004168C5
                    • Sleep.KERNEL32(0000000A,00462E24), ref: 00411A01
                    • Sleep.KERNEL32(0000000A,00462E24,00462E24), ref: 00411AA3
                    • Sleep.KERNEL32(0000000A,00462E24,00462E24,00462E24), ref: 00411B42
                    • DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411B9F
                    • DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411BCF
                    • DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411C05
                    • Sleep.KERNEL32(000001F4,00462E24,00462E24,00462E24), ref: 00411C25
                    • Sleep.KERNEL32(00000064), ref: 00411C63
                      • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                    Similarity
                    • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                    • String ID: /stext "$$.F$@#G$@#G
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free
                    • String ID: pF
                    • API String ID: 269201875-2973420481
                    • Opcode ID: 2d61484940682ee786660686f26dc7be5fdbe1d580820abb244bed0f912383bb
                    • Instruction ID: 42ad863364e9847d0c0ab7d3fc56807329b255bf3c924c15ca724e031f0c4a7b
                    • Opcode Fuzzy Hash: 2d61484940682ee786660686f26dc7be5fdbe1d580820abb244bed0f912383bb
                    • Instruction Fuzzy Hash: 4CC17576D40204ABEB20DFA9CC82FEE77F8AF09B05F154156FE04FB282D674A9458754
                    APIs
                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00472248,00471FFC,?,00000001), ref: 0040DE4E
                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040DE79
                    • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040DE95
                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040DF14
                    • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000001), ref: 0040DF23
                      • Part of subcall function 00419F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00419F9C
                    • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001), ref: 0040E047
                    • CloseHandle.KERNEL32(00000000,C:\Program Files(x86)\Internet Explorer\,?,00000001), ref: 0040E133
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseCreateHandleProcess32$FileFirstModuleMutexNameNextOpenProcessSnapshotToolhelp32
                    • String ID: 0"G$C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$!G
                    • API String ID: 193334293-3226144251
                    • Opcode ID: cf6d12ac23d3bea58c4b9e5c443ef1de1d55369046223e9cec53eb66751e9ba7
                    • Instruction ID: 8a3cf51a80cb2752f7e3b1027b115d9c77e2b7a511041fa54b012784d9d6af0a
                    • Opcode Fuzzy Hash: cf6d12ac23d3bea58c4b9e5c443ef1de1d55369046223e9cec53eb66751e9ba7
                    • Instruction Fuzzy Hash: DB8121305083419BCA54FB61D8919EEB7E4AFA0348F40493FF586631E2EF78994DC75A
                    APIs
                    • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041A43B
                    • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041A47F
                    • RegCloseKey.ADVAPI32(?), ref: 0041A749
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseEnumOpen
                    • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                    • API String ID: 1332880857-3714951968
                    • Opcode ID: 202c19da245d775da939d21b29cef2875a47ec0cac4e3383d9ae15c6a26c9ad4
                    • Instruction ID: 699f57f5c891f1d806a7f6c627c3d9f808e7165cae3c76f1f7c8ebce292c0808
                    • Opcode Fuzzy Hash: 202c19da245d775da939d21b29cef2875a47ec0cac4e3383d9ae15c6a26c9ad4
                    • Instruction Fuzzy Hash: BC8152311183419BC328EB51D891EEFB7E8EF94348F10493FF586921E2EF749949CA5A
                    APIs
                    • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041B38F
                    • GetCursorPos.USER32(?), ref: 0041B39E
                    • SetForegroundWindow.USER32(?), ref: 0041B3A7
                    • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041B3C1
                    • Shell_NotifyIconA.SHELL32(00000002,00471AE0), ref: 0041B412
                    • ExitProcess.KERNEL32 ref: 0041B41A
                    • CreatePopupMenu.USER32 ref: 0041B420
                    • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041B435
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                    • String ID: Close
                    • API String ID: 1657328048-3535843008
                    • Opcode ID: a6176c0d6380f4aee2a94f66beec31abf772cd011930890969aeab0fce4376ca
                    • Instruction ID: 8a5f592793453ec618f968136b1e584160f7030753e38ead18fcaf25e3e96fa7
                    • Opcode Fuzzy Hash: a6176c0d6380f4aee2a94f66beec31abf772cd011930890969aeab0fce4376ca
                    • Instruction Fuzzy Hash: EB211B31110209BFDF054FA4ED0DAAA3F75FB04302F458125F906D2176D7B5D9A0AB59
                    APIs
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$Info
                    • String ID:
                    • API String ID: 2509303402-0
                    • Opcode ID: fdea39b954b1f5acf66d6067823d5c965f1ccd743e2f457f67106af727a2ce82
                    • Instruction ID: c21780bae5ed168c96e0403295faec6c801d35bf5d84feaa2b3ea2b847582f92
                    • Opcode Fuzzy Hash: fdea39b954b1f5acf66d6067823d5c965f1ccd743e2f457f67106af727a2ce82
                    • Instruction Fuzzy Hash: 70B1D171900305AFEB11DF69C881BEEBBF4BF08705F14456EF588A7342DB799A418B24
                    APIs
                    • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407D1F
                    • GetFileSizeEx.KERNEL32(00000000,?), ref: 00407D57
                    • __aulldiv.LIBCMT ref: 00407D89
                      • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                      • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                    • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00407EAC
                    • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00407EC7
                    • CloseHandle.KERNEL32(00000000), ref: 00407FA0
                    • CloseHandle.KERNEL32(00000000,00000052), ref: 00407FEA
                    • CloseHandle.KERNEL32(00000000), ref: 00408038
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                    • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller:
                    • API String ID: 3086580692-2596673759
                    • Opcode ID: 3628a73cbb86b5736265ac293d311146e85fdcb2316ed178213f0337e0fbe7ae
                    • Instruction ID: 8e1224200a6c450cfdafa1dd663dcbd78fa1a86951e699dbe30fbedc525f5c9c
                    • Opcode Fuzzy Hash: 3628a73cbb86b5736265ac293d311146e85fdcb2316ed178213f0337e0fbe7ae
                    • Instruction Fuzzy Hash: 05B191316083409BC354FB65C891AAFB7E9AFD4314F40492FF489622D2EF789D458B8B
                    APIs
                      • Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
                      • Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8
                      • Part of subcall function 004120E8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
                      • Part of subcall function 004120E8: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
                      • Part of subcall function 004120E8: RegCloseKey.ADVAPI32(00000000), ref: 00412128
                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C412
                    • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040C571
                    • ExitProcess.KERNEL32 ref: 0040C57D
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                    • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$H"G$Temp$exepath$open
                    • API String ID: 1913171305-2600661426
                    • Opcode ID: c86d61277acc14c68f24433c0b654e0e29c296f6a8d4ad8667fc6f6870691cc8
                    • Instruction ID: b2ba4f5629099335deb4bd311fc34f74cd7c7cff7cc2b9b794c872af44b42b62
                    • Opcode Fuzzy Hash: c86d61277acc14c68f24433c0b654e0e29c296f6a8d4ad8667fc6f6870691cc8
                    • Instruction Fuzzy Hash: 214132319001185ACB14FBA2DC96DEE7778AF50708F50017FF506B71E2EE785E4ACA99
                    APIs
                    • connect.WS2_32(?,?,?), ref: 004048C0
                    • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 004049E0
                    • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 004049EE
                    • WSAGetLastError.WS2_32 ref: 00404A01
                      • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: CreateEvent$ErrorLastLocalTimeconnect
                    • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                    • API String ID: 994465650-2151626615
                    • Opcode ID: b56ab407b7d85cc5e8983cef37c9724a1f5c45cc3ea0a996f87df1f4b9ef746f
                    • Instruction ID: f1749a2af40dec866484330b2464a30bcc7489b9f615ba144f2b3c776ade1d80
                    • Opcode Fuzzy Hash: b56ab407b7d85cc5e8983cef37c9724a1f5c45cc3ea0a996f87df1f4b9ef746f
                    • Instruction Fuzzy Hash: 37412AB5B406017BD608777A8E1B96E7625AB81304B50017FF901136D2EBBD9C2197DF
                    APIs
                      • Part of subcall function 00452A89: CreateFileW.KERNEL32(?,00000008,00000007,d.E,?,?,00000000,?,00452E64,00000000,0000000C), ref: 00452AA6
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 00452ECF
                    • __dosmaperr.LIBCMT ref: 00452ED6
                    • GetFileType.KERNEL32(00000000), ref: 00452EE2
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 00452EEC
                    • __dosmaperr.LIBCMT ref: 00452EF5
                    • CloseHandle.KERNEL32(00000000), ref: 00452F15
                    • CloseHandle.KERNEL32(00000000), ref: 0045305F
                    • GetLastError.KERNEL32 ref: 00453091
                    • __dosmaperr.LIBCMT ref: 00453098
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                    • String ID: H
                    • API String ID: 4237864984-2852464175
                    • Opcode ID: 474c31a6c8ccfba43807a2a750eddd9e1d52ca803bebdbe2fa86fef5e1c33935
                    • Instruction ID: def4621c7e831d5678052e1043e56ea9e2bfce8be848437acb5cac56d61a7e39
                    • Opcode Fuzzy Hash: 474c31a6c8ccfba43807a2a750eddd9e1d52ca803bebdbe2fa86fef5e1c33935
                    • Instruction Fuzzy Hash: CAA15832A101049FDF19EF68D8417AE7BB1AB0A325F14015FFC419B392DB798D1ACB5A
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: 65535$udp
                    • API String ID: 0-1267037602
                    • Opcode ID: 28a355c3c2c5299b67e9df14989e725b3f395b8ff7de4f3ce545a5dea485fe56
                    • Instruction ID: 74e44cdacc71272d4b4fe4479ff5a2c38cc960f39e0e81ce023821ae7ff597b0
                    • Opcode Fuzzy Hash: 28a355c3c2c5299b67e9df14989e725b3f395b8ff7de4f3ce545a5dea485fe56
                    • Instruction Fuzzy Hash: 3151F1F5209302ABD7209E15C809BBB77D4AB84B52F08842FF8A1973D0D76CDEC0965E
                    APIs
                    • __Init_thread_footer.LIBCMT ref: 00409C81
                    • Sleep.KERNEL32(000001F4), ref: 00409C8C
                    • GetForegroundWindow.USER32 ref: 00409C92
                    • GetWindowTextLengthW.USER32(00000000), ref: 00409C9B
                    • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 00409CCF
                    • Sleep.KERNEL32(000003E8), ref: 00409D9D
                      • Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                    • String ID: [${ User has been idle for $ minutes }$]
                    • API String ID: 911427763-3954389425
                    • Opcode ID: a44f1e588b244d76f3851291f59a3d8a0f12b55ab3dd92a15c41ef104020a1a6
                    • Instruction ID: 7a62ae1493acfbf190be1d0992f15f5c774c3bdccfea44e4f2dca48363f02a21
                    • Opcode Fuzzy Hash: a44f1e588b244d76f3851291f59a3d8a0f12b55ab3dd92a15c41ef104020a1a6
                    • Instruction Fuzzy Hash: 7C5193716043405BD304FB61D855A6EB795AF84308F50093FF486A62E3DF7CAE45C69A
                    APIs
                    • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040C753
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: LongNamePath
                    • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                    • API String ID: 82841172-425784914
                    • Opcode ID: 611eacb1f2b12eabfa35ce51232d41e6553fe8371d81c53e9ab5b340c3cd037e
                    • Instruction ID: e0747f7f0ded3e76473395fd4b63a7f1dfd4675be44f898a7a0c8db3d1efc66a
                    • Opcode Fuzzy Hash: 611eacb1f2b12eabfa35ce51232d41e6553fe8371d81c53e9ab5b340c3cd037e
                    • Instruction Fuzzy Hash: EB4168315042419AC204FB62DC929EFB7E8AEA4759F10063FF541720E2EF799E49C99F
                    APIs
                    • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00438632
                    • GetLastError.KERNEL32(?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043863F
                    • __dosmaperr.LIBCMT ref: 00438646
                    • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00438672
                    • GetLastError.KERNEL32(?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043867C
                    • __dosmaperr.LIBCMT ref: 00438683
                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D35,?), ref: 004386C6
                    • GetLastError.KERNEL32(?,?,?,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004386D0
                    • __dosmaperr.LIBCMT ref: 004386D7
                    • _free.LIBCMT ref: 004386E3
                    • _free.LIBCMT ref: 004386EA
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                    • String ID:
                    • API String ID: 2441525078-0
                    • Opcode ID: 754b37205d6cd88dea2e57a046153fac0b2c26eaf77bc51e198666fb1f449e95
                    • Instruction ID: 210192a7601cd99409c426d56dfac4e8df60f1af96207b6eb293af60208c7bc2
                    • Opcode Fuzzy Hash: 754b37205d6cd88dea2e57a046153fac0b2c26eaf77bc51e198666fb1f449e95
                    • Instruction Fuzzy Hash: 4E31B17280030ABBDF11AFA5DC469AF7B69AF08325F10425EF81056291DF39CD11DB69
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free
                    • String ID: pF$tF
                    • API String ID: 269201875-2954683558
                    • Opcode ID: 0017408d32ff71f8327e26c25c7248eb33913fce7ae2350609d9814c511e4433
                    • Instruction ID: 6443803da38cddfc03973e112e1470be20db66c409a4168417c9ccfa39c85508
                    • Opcode Fuzzy Hash: 0017408d32ff71f8327e26c25c7248eb33913fce7ae2350609d9814c511e4433
                    • Instruction Fuzzy Hash: 1261D5B5D00205AFEB20CF69C841BAABBF4EF05B14F15416BE944EB381E7749D41DB58
                    APIs
                    • SetEvent.KERNEL32(?,?), ref: 0040549F
                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040554F
                    • TranslateMessage.USER32(?), ref: 0040555E
                    • DispatchMessageA.USER32(?), ref: 00405569
                    • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00471F10), ref: 00405621
                    • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405659
                      • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                    • String ID: CloseChat$DisplayMessage$GetMessage
                    • API String ID: 2956720200-749203953
                    • Opcode ID: f61965f1cc9c9e7f95a47c597eceb50cc1da7838f2ae86f95f0e5e0772039054
                    • Instruction ID: 0f013d79663c92f7c21c274702d2b8200e9ba5951f20e13ff122dbd33ecc2bba
                    • Opcode Fuzzy Hash: f61965f1cc9c9e7f95a47c597eceb50cc1da7838f2ae86f95f0e5e0772039054
                    • Instruction Fuzzy Hash: 8B41C471A043016BCB00FB75DC5A86F77A9EB85714B40093EF946A31D2EF79C905CB9A
                    APIs
                      • Part of subcall function 0041626A: __EH_prolog.LIBCMT ref: 0041626F
                    • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00463050), ref: 0041611A
                    • CloseHandle.KERNEL32(00000000), ref: 00416123
                    • DeleteFileA.KERNEL32(00000000), ref: 00416132
                    • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 004160E6
                      • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                    • String ID: <$@$@%G$@%G$Temp
                    • API String ID: 1704390241-4139030828
                    • Opcode ID: 2c1979de410b9738e481fa727b302a0dd89e2ec540be45fee9571ea6700d777e
                    • Instruction ID: 980de7e6e99344695fa922fac5fad97fc57b46ec9d0f9c422bd6bd0d3fbbc04a
                    • Opcode Fuzzy Hash: 2c1979de410b9738e481fa727b302a0dd89e2ec540be45fee9571ea6700d777e
                    • Instruction Fuzzy Hash: 48419131900209ABDB14FB61DC56AEEB739AF50308F50417EF505760E2EF785E8ACB99
                    APIs
                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041843C,00000000), ref: 00418AD2
                    • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041843C,00000000), ref: 00418AE9
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418AF6
                    • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041843C,00000000), ref: 00418B05
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418B16
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418B19
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Service$CloseHandle$Open$ControlManager
                    • String ID:
                    • API String ID: 221034970-0
                    • Opcode ID: c0ea185af2b6cb95e5d246b028910c14a7565b46c2d114a674b25013468a4f31
                    • Instruction ID: 27c4ffebcf7932a5624e60d5a3802e7503a1161fac6a42b5cc64803f4be6ae02
                    • Opcode Fuzzy Hash: c0ea185af2b6cb95e5d246b028910c14a7565b46c2d114a674b25013468a4f31
                    • Instruction Fuzzy Hash: A211E9715002186FD610EF64DC89CFF3B6CDF41B96741012AFA0593192DF789D469AF5
                    APIs
                    • _free.LIBCMT ref: 00445645
                      • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                      • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                    • _free.LIBCMT ref: 00445651
                    • _free.LIBCMT ref: 0044565C
                    • _free.LIBCMT ref: 00445667
                    • _free.LIBCMT ref: 00445672
                    • _free.LIBCMT ref: 0044567D
                    • _free.LIBCMT ref: 00445688
                    • _free.LIBCMT ref: 00445693
                    • _free.LIBCMT ref: 0044569E
                    • _free.LIBCMT ref: 004456AC
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: 93d31162751b94c5375648fc1d7c6d5428524314512021667e8ac2086323d142
                    • Instruction ID: 08dc7793ba969bb8ae61e50cce6790fa76a3b05f45cdd3d63b195ce4761959f1
                    • Opcode Fuzzy Hash: 93d31162751b94c5375648fc1d7c6d5428524314512021667e8ac2086323d142
                    • Instruction Fuzzy Hash: A511CB7610010CBFDB01EF55C986CDD3B65FF04759B4284AAFA885F222EA35DF509B88
                    APIs
                    • __EH_prolog.LIBCMT ref: 00417F6F
                    • GdiplusStartup.GDIPLUS(00471668,?,00000000), ref: 00417FA1
                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041802D
                    • Sleep.KERNEL32(000003E8), ref: 004180B3
                    • GetLocalTime.KERNEL32(?), ref: 004180BB
                    • Sleep.KERNEL32(00000000,00000018,00000000), ref: 004181AA
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                    • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                    • API String ID: 489098229-3790400642
                    • Opcode ID: 27953ccb73c7935c50ce76e498ac53549bd0f641fbc99231dbf637836dbf8ac1
                    • Instruction ID: ff50de85f816598f14f139fcbfe24147e98e2bb745fd097185ef2e944e73ca26
                    • Opcode Fuzzy Hash: 27953ccb73c7935c50ce76e498ac53549bd0f641fbc99231dbf637836dbf8ac1
                    • Instruction Fuzzy Hash: 98516071A001549BCB04BBB5C8529FD76A8AF55308F04403FF805A71E2EF7C5E85C799
                    APIs
                    • Sleep.KERNEL32(00001388), ref: 00409738
                      • Part of subcall function 0040966D: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409745), ref: 004096A3
                      • Part of subcall function 0040966D: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409745), ref: 004096B2
                      • Part of subcall function 0040966D: Sleep.KERNEL32(00002710,?,?,?,00409745), ref: 004096DF
                      • Part of subcall function 0040966D: CloseHandle.KERNEL32(00000000,?,?,?,00409745), ref: 004096E6
                    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409774
                    • GetFileAttributesW.KERNEL32(00000000), ref: 00409785
                    • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040979C
                    • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409816
                      • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                    • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00469654,00000000,00000000,00000000), ref: 0040991F
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                    • String ID: H"G$H"G
                    APIs
                    • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,004541DF), ref: 00453107
                    • API ID: DecodePointer
                    • String ID: acos$asin$exp$log$log10$pow$sqrt
                    APIs
                    • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00415A1A
                      • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                    • Sleep.KERNEL32(00000064), ref: 00415A46
                    • DeleteFileW.KERNEL32(00000000), ref: 00415A7A
                    • API ID: File$CreateDeleteExecuteShellSleep
                    • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                    APIs
                    • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 00406775
                    • ExitProcess.KERNEL32 ref: 00406782
                    • API ID: ExecuteExitProcessShell
                    • String ID: H"G$Software\Classes\mscfile\shell\open\command$eventvwr.exe$mscfile\shell\open\command$open$origmsc
                    APIs
                    • AllocConsole.KERNEL32(00000001), ref: 0041AA5D
                    • ShowWindow.USER32(00000000,00000000), ref: 0041AA76
                    • API ID: AllocConsoleShowWindow
                    • String ID: * BreakingSecurity.net$ * Remcos v$--------------------------$--------------------------$3.8.0 Pro$CONOUT$
                    APIs
                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041B22B
                      • Part of subcall function 0041B2C4: RegisterClassExA.USER32(00000030), ref: 0041B310
                      • Part of subcall function 0041B2C4: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041B32B
                      • Part of subcall function 0041B2C4: GetLastError.KERNEL32 ref: 0041B335
                    • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041B262
                    • lstrcpynA.KERNEL32(00471AF8,Remcos,00000080), ref: 0041B27C
                    • Shell_NotifyIconA.SHELL32(00000000,00471AE0), ref: 0041B292
                    • TranslateMessage.USER32(?), ref: 0041B29E
                    • DispatchMessageA.USER32(?), ref: 0041B2A8
                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041B2B5
                    • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                    • String ID: Remcos
                    APIs
                    • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0045123C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 0045100F
                    • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 00451092
                    • __alloca_probe_16.LIBCMT ref: 004510CA
                    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,0045123C,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 00451125
                    • __alloca_probe_16.LIBCMT ref: 00451174
                    • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 0045113C
                      • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 004511B8
                    • __freea.LIBCMT ref: 004511E3
                    • __freea.LIBCMT ref: 004511EF
                    • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                    APIs
                      • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                      • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                      • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                      • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                    • _memcmp.LIBVCRUNTIME ref: 00442935
                    • _free.LIBCMT ref: 004429A6
                    • _free.LIBCMT ref: 004429BF
                    • _free.LIBCMT ref: 004429F1
                    • _free.LIBCMT ref: 004429FA
                    • _free.LIBCMT ref: 00442A06
                    • API ID: _free$ErrorLast$_abort_memcmp
                    • String ID: C
                    • String ID: tcp$udp
                    • API ID: Eventinet_ntoa
                    • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
                    APIs
                    • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00471E78,00462F54,?,00000000,0040708D,00000000), ref: 00406A56
                    • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,0040708D,00000000,?,?,0000000A,00000000), ref: 00406A9E
                      • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                    • CloseHandle.KERNEL32(00000000,?,00000000,0040708D,00000000,?,?,0000000A,00000000), ref: 00406ADE
                    • MoveFileW.KERNEL32(00000000,00000000), ref: 00406AFB
                    • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00406B26
                    • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00406B36
                      • Part of subcall function 00404B76: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,00404C29,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404B85
                      • Part of subcall function 00404B76: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040546B), ref: 00404BA3
                    • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                    • String ID: .part
                    APIs
                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0043E2F6,0043E2F6,?,?,?,00447215,00000001,00000001,80E85006), ref: 0044701E
                    • __alloca_probe_16.LIBCMT ref: 00447056
                    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00447215,00000001,00000001,80E85006,?,?,?), ref: 004470A4
                    • __alloca_probe_16.LIBCMT ref: 0044713B
                    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,80E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044719E
                    • __freea.LIBCMT ref: 004471AB
                      • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                    • __freea.LIBCMT ref: 004471B4
                    • __freea.LIBCMT ref: 004471D9
                    • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                    APIs
                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417982
                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179A3
                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179C3
                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179D7
                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179ED
                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417A0A
                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417A25
                    • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00417A41
                    • API ID: InputSend
                    APIs
                    • OpenClipboard.USER32 ref: 00414F41
                    • EmptyClipboard.USER32 ref: 00414F4F
                    • CloseClipboard.USER32 ref: 00414F55
                    • OpenClipboard.USER32 ref: 00414F5C
                    • GetClipboardData.USER32(0000000D), ref: 00414F6C
                    • GlobalLock.KERNEL32(00000000), ref: 00414F75
                    • GlobalUnlock.KERNEL32(00000000), ref: 00414F7E
                    • CloseClipboard.USER32 ref: 00414F84
                      • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                    • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                    APIs
                    • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00447ECC,00453EB5,00000000,00000000,00000000,00000000,00000000), ref: 00447799
                    • __fassign.LIBCMT ref: 00447814
                    • __fassign.LIBCMT ref: 0044782F
                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00447855
                    • WriteFile.KERNEL32(?,00000000,00000000,00447ECC,00000000,?,?,?,?,?,?,?,?,?,00447ECC,00453EB5), ref: 00447874
                    • WriteFile.KERNEL32(?,00453EB5,00000001,00447ECC,00000000,?,?,?,?,?,?,?,?,?,00447ECC,00453EB5), ref: 004478AD
                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                    • API ID: _free
                    • String ID: $-E$$-E
                    APIs
                    • _strftime.LIBCMT ref: 00401D30
                      • Part of subcall function 00401A4D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9
                    • waveInUnprepareHeader.WINMM(0046FA78,00000020,00000000,?), ref: 00401DE2
                    • waveInPrepareHeader.WINMM(0046FA78,00000020), ref: 00401E20
                    • waveInAddBuffer.WINMM(0046FA78,00000020), ref: 00401E2F
                    • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                    • String ID: %Y-%m-%d %H.%M$.wav
                    APIs
                      • Part of subcall function 00411F91: RegOpenKeyExA.ADVAPI32(80000002,00000400,00000000,00020019,?), ref: 00411FB5
                      • Part of subcall function 00411F91: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00411FD2
                      • Part of subcall function 00411F91: RegCloseKey.ADVAPI32(?), ref: 00411FDD
                    • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040AEAC
                    • PathFileExistsA.SHLWAPI(?), ref: 0040AEB9
                    • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                    • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                    APIs
                      • Part of subcall function 0044DE21: _free.LIBCMT ref: 0044DE4A
                    • _free.LIBCMT ref: 0044E128
                      • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                      • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                    • _free.LIBCMT ref: 0044E133
                    • _free.LIBCMT ref: 0044E13E
                    • _free.LIBCMT ref: 0044E192
                    • _free.LIBCMT ref: 0044E19D
                    • _free.LIBCMT ref: 0044E1A8
                    • _free.LIBCMT ref: 0044E1B3
                    • API ID: _free$ErrorFreeHeapLast
                    APIs
                      • Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
                      • Part of subcall function 00411F91: RegOpenKeyExA.ADVAPI32(80000002,00000400,00000000,00020019,?), ref: 00411FB5
                      • Part of subcall function 00411F91: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00411FD2
                      • Part of subcall function 00411F91: RegCloseKey.ADVAPI32(?), ref: 00411FDD
                    • StrToIntA.SHLWAPI(00000000,00469710,00000000,00000000,00000000,00471FFC,00000001,?,?,?,?,?,?,0040D6A0), ref: 00419327
                    • API ID: CloseCurrentOpenProcessQueryValue
                    • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                    APIs
                    • GetLastError.KERNEL32(?,?,004380F1,0043705E), ref: 00438108
                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00438116
                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043812F
                    • SetLastError.KERNEL32(00000000,?,004380F1,0043705E), ref: 00438181
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLastValue___vcrt_
                    • String ID:
                    • API String ID: 3852720340-0
                    • Opcode ID: 8fa3eba41d5dfcfa025b4cdbc1becdc984892f6557d94f52d480fd9577c81c63
                    • Instruction ID: 5a832d73688d02476ca7511e273f3515cfb573674d76dbd3fe9934521fa1a72b
                    • Opcode Fuzzy Hash: 8fa3eba41d5dfcfa025b4cdbc1becdc984892f6557d94f52d480fd9577c81c63
                    • Instruction Fuzzy Hash: F101283210C3326EAA102F767C85A1BAA94EB09779F31633FF214951E1FFA99C02550C
                    APIs
                    • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040AA1E
                    • GetLastError.KERNEL32 ref: 0040AA28
                    Strings
                    • [Chrome Cookies found, cleared!], xrefs: 0040AA4E
                    • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040A9E9
                    • UserProfile, xrefs: 0040A9EE
                    • [Chrome Cookies not found], xrefs: 0040AA42
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: DeleteErrorFileLast
                    • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                    • API String ID: 2018770650-304995407
                    • Opcode ID: b4927beb3b7d8682d6e8687247d88e98b96e581d4f5d1102126ce03b4be6211c
                    • Instruction ID: 1f34f6daae66b163f55af04f15e1d0b60933b3567ae099988c08ef58cbd90c9e
                    • Opcode Fuzzy Hash: b4927beb3b7d8682d6e8687247d88e98b96e581d4f5d1102126ce03b4be6211c
                    • Instruction Fuzzy Hash: 0E01F731B4020467C6047A75DD278AE77249951304B50057FF402773D2FD798915CA9F
                    APIs
                    • __allrem.LIBCMT ref: 00438A09
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A25
                    • __allrem.LIBCMT ref: 00438A3C
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A5A
                    • __allrem.LIBCMT ref: 00438A71
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A8F
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                    • String ID:
                    • API String ID: 1992179935-0
                    • Opcode ID: e54fcd2a271a95563de48233a52a921a5b89548056e17f80f76cd68e5be4f8c8
                    • Instruction ID: 1db505a437643d25cad1e1ab06004ebe691486694b679651004c0d70fbe8f9c1
                    • Opcode Fuzzy Hash: e54fcd2a271a95563de48233a52a921a5b89548056e17f80f76cd68e5be4f8c8
                    • Instruction Fuzzy Hash: CD815972A007069BE724BA29CC41B6BF3E8AF49328F14512FF511D6382EF78D900875D
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: __cftoe
                    • String ID:
                    • API String ID: 4189289331-0
                    • Opcode ID: 0fae115f831cac106012114eb4540e124d695819a26846d31b7a5b9ad28ad3e8
                    • Instruction ID: 4563a9c63fae0d6d7f7aa9a83d474a3ec136fb2d14012502de5dff0b8c27d610
                    • Opcode Fuzzy Hash: 0fae115f831cac106012114eb4540e124d695819a26846d31b7a5b9ad28ad3e8
                    • Instruction Fuzzy Hash: CB510C32500205ABFB209F598E45EAF77B8EF48334FE0421FF415D6282EB79D941966C
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: __freea$__alloca_probe_16_free
                    • String ID: a/p$am/pm
                    • API String ID: 2936374016-3206640213
                    • Opcode ID: 5bf20948ecfdcfc47f5d03c18463ec118060d09d36ce90c1cff5387842e26ce9
                    • Instruction ID: 5910b70c00eb86a61931efff1dda8232d7c1eee9eff2524394b85f82b3a3e216
                    • Opcode Fuzzy Hash: 5bf20948ecfdcfc47f5d03c18463ec118060d09d36ce90c1cff5387842e26ce9
                    • Instruction Fuzzy Hash: 05D1E171900206CAFB289F68C895BBBB7B1FF85300F29415BE905AB391D73D9D81CB59
                    APIs
                    • std::_Lockit::_Lockit.LIBCPMT ref: 0040F8C4
                    • int.LIBCPMT ref: 0040F8D7
                      • Part of subcall function 0040CAE9: std::_Lockit::_Lockit.LIBCPMT ref: 0040CAFA
                      • Part of subcall function 0040CAE9: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CB14
                    • std::_Facet_Register.LIBCPMT ref: 0040F917
                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0040F920
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040F93E
                    • __Init_thread_footer.LIBCMT ref: 0040F97F
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                    • String ID:
                    • API String ID: 3815856325-0
                    • Opcode ID: 296aa1fc45bd8a97e11338d30c2ad026eda8063a32206ad78c4166fd1b77079b
                    • Instruction ID: 3bb9722abb9e04fd13c8d4025e7ce1c878c76566b3017ce531706a3e1b7c3414
                    • Opcode Fuzzy Hash: 296aa1fc45bd8a97e11338d30c2ad026eda8063a32206ad78c4166fd1b77079b
                    • Instruction Fuzzy Hash: 90212232900104EBCB24EBA9E94699E7378AB08324F20017FF844B72D1DB389F458BD9
                    APIs
                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C3E
                    • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,00418344,00000000), ref: 00418C52
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418C5F
                    • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C94
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418CA6
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418CA9
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Service$CloseHandle$Open$ChangeConfigManager
                    • String ID:
                    • API String ID: 493672254-0
                    • Opcode ID: 6b3aada76383092df42fd9d8378ae16ca6440a91692c2fe76f90724c69c65514
                    • Instruction ID: 151ede47f5a01f66990efdacd58a0b59027112db6305451f0336687f4909308b
                    • Opcode Fuzzy Hash: 6b3aada76383092df42fd9d8378ae16ca6440a91692c2fe76f90724c69c65514
                    • Instruction Fuzzy Hash: A20149711862183AE6108B389C4EEBB3A6CDB42771F14032FF925A32D1EE68CD4185F9
                    APIs
                    • GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                    • _free.LIBCMT ref: 0044575C
                    • _free.LIBCMT ref: 00445784
                    • SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                    • SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                    • _abort.LIBCMT ref: 004457A3
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLast$_free$_abort
                    • String ID:
                    • API String ID: 3160817290-0
                    • Opcode ID: 2164e89f114e7cf86b97a0d05c6cee2e89ce7be6ffa074a4cf04242e0fee9013
                    • Instruction ID: 2afc6a99b93033dbed13f8def56e2284daf42193b39b630cfab03248b002a5f8
                    • Opcode Fuzzy Hash: 2164e89f114e7cf86b97a0d05c6cee2e89ce7be6ffa074a4cf04242e0fee9013
                    • Instruction Fuzzy Hash: 6EF0FE35100F0067FA117B367C8AB2F1A695FC2B2AF21013BF419D6293EE3DC902452D
                    APIs
                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,004185D9,00000000), ref: 00418A6B
                    • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,004185D9,00000000), ref: 00418A7F
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418A8C
                    • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004185D9,00000000), ref: 00418A9B
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418AAD
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418AB0
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Service$CloseHandle$Open$ControlManager
                    • String ID:
                    • API String ID: 221034970-0
                    • Opcode ID: f9d93c7612eed7e1ddf8c3953865d04e5265de3587757247bbfd6a1c47877660
                    • Instruction ID: 4afe7732e2fa81f36ccf108e41ed7890102f29a09d0e479adccf976045b68e04
                    • Opcode Fuzzy Hash: f9d93c7612eed7e1ddf8c3953865d04e5265de3587757247bbfd6a1c47877660
                    • Instruction Fuzzy Hash: A4F0C2315013186BD210EBA5DC89EBF3BACDF45B96B41002BFD0993192DF38CD4689E9
                    APIs
                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,00418559,00000000), ref: 00418B6F
                    • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00418559,00000000), ref: 00418B83
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418B90
                    • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00418559,00000000), ref: 00418B9F
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418BB1
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418BB4
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Service$CloseHandle$Open$ControlManager
                    • String ID:
                    • API String ID: 221034970-0
                    • Opcode ID: 027b45ec19db43cd3e6d09ceb5389eefa79acdbdadc7d59ed190380558829436
                    • Instruction ID: 20460b91a854b5e3c53015269073f2e928c2deccd9acf6b4d89527a320d4dccf
                    • Opcode Fuzzy Hash: 027b45ec19db43cd3e6d09ceb5389eefa79acdbdadc7d59ed190380558829436
                    • Instruction Fuzzy Hash: 22F0C2715402186BD210EB65DC89EBF3BACDB45B52B81006AFE09A3192DE38DD4589E9
                    APIs
                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,004184D9,00000000), ref: 00418BD6
                    • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,004184D9,00000000), ref: 00418BEA
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418BF7
                    • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,004184D9,00000000), ref: 00418C06
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418C18
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418C1B
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Service$CloseHandle$Open$ControlManager
                    • String ID:
                    • API String ID: 221034970-0
                    • Opcode ID: 60f77fd359bc8166b0f1f63c621f75235c8633bea2de10f026708dad38e6f72c
                    • Instruction ID: 1da220ff3ffe1d32b0df5c47a21bcd1adf2661b27de4fa42f8fed5365a22baa8
                    • Opcode Fuzzy Hash: 60f77fd359bc8166b0f1f63c621f75235c8633bea2de10f026708dad38e6f72c
                    • Instruction Fuzzy Hash: 32F0C2715012186BD210EB65EC89DBF3BACDB45B51B41002AFE0993192DF38CD4589F9
                    APIs
                    • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409745), ref: 004096A3
                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409745), ref: 004096B2
                    • Sleep.KERNEL32(00002710,?,?,?,00409745), ref: 004096DF
                    • CloseHandle.KERNEL32(00000000,?,?,?,00409745), ref: 004096E6
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: File$CloseCreateHandleSizeSleep
                    • String ID: h G
                    • API String ID: 1958988193-3300504347
                    • Opcode ID: 2165585e5b18e3410dae2497746dd606356f3a02818af73040aae92c32689789
                    • Instruction ID: 1483d32ec36d41576822df3093d1b75ffc22edec2a146082987510034e162158
                    • Opcode Fuzzy Hash: 2165585e5b18e3410dae2497746dd606356f3a02818af73040aae92c32689789
                    • Instruction Fuzzy Hash: 24113D70201380ABD7316B749D99A2F3A9BB746304F44087EF281636D3C67D5C44C32E
                    APIs
                    • RegisterClassExA.USER32(00000030), ref: 0041B310
                    • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041B32B
                    • GetLastError.KERNEL32 ref: 0041B335
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: ClassCreateErrorLastRegisterWindow
                    • String ID: 0$MsgWindowClass
                    • API String ID: 2877667751-2410386613
                    • Opcode ID: 5c8849b15fa1cc9467c1d7fb15406a30d7545ffe8e7388a5e40320623bb372a5
                    • Instruction ID: 33db8f89e50e9671cec9701a72200cc03bcb20702a276687bfdd99081a41ce18
                    • Opcode Fuzzy Hash: 5c8849b15fa1cc9467c1d7fb15406a30d7545ffe8e7388a5e40320623bb372a5
                    • Instruction Fuzzy Hash: 1F0125B190031CABDB10DFE5EC849EFBBBCFB08355F40052AF810A2250E77599048AA4
                    APIs
                    • ___BuildCatchObject.LIBVCRUNTIME ref: 0043761A
                      • Part of subcall function 00437C52: ___AdjustPointer.LIBCMT ref: 00437C9C
                    • _UnwindNestedFrames.LIBCMT ref: 00437631
                    • ___FrameUnwindToState.LIBVCRUNTIME ref: 00437643
                    • CallCatchBlock.LIBVCRUNTIME ref: 00437667
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                    • String ID: /zC
                    • API String ID: 2633735394-4132788633
                    • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                    • Instruction ID: d669bc69f5b2d8c9fbf55978af89ff33433ac2085b506f133949dc977f569c90
                    • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                    • Instruction Fuzzy Hash: 44012D72004508BBCF225F56CC42EDA3BBAEF4C764F15501AFA9861220C33AE861DF98
                    APIs
                    • GetSystemMetrics.USER32(0000004C), ref: 004173AA
                    • GetSystemMetrics.USER32(0000004D), ref: 004173B0
                    • GetSystemMetrics.USER32(0000004E), ref: 004173B6
                    • GetSystemMetrics.USER32(0000004F), ref: 004173BC
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: MetricsSystem
                    • String ID: ]tA
                    • API String ID: 4116985748-3517819141
                    • Opcode ID: 812a9219b2c6697e1b7e6c0967c7113de32af3875f372bd592213eda7148f6bd
                    • Instruction ID: 3cbdadbf3de93f5eefc1923f71e525f4be7d9c38d0567e5d5edaddbebabc810f
                    • Opcode Fuzzy Hash: 812a9219b2c6697e1b7e6c0967c7113de32af3875f372bd592213eda7148f6bd
                    • Instruction Fuzzy Hash: 64F0AFB1B043254BD700EA7A8C41A6FAAE59BD4274F11443FFA09C7282EEB8DC458B94
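The argument lists in the entries above are printed as raw hex words. The following Python is added here as an illustration and is not part of the Joe Sandbox report or of the analysed sample: it maps the positional arguments of the registry, service-control, file and screen-metrics calls listed in this section (RegOpenKeyExA, OpenServiceW, ChangeServiceConfigW, ControlService, CreateFileW, Sleep, GetSystemMetrics) to their winreg.h / winsvc.h / winuser.h names, so that ChangeServiceConfigW(...,00000004,...) reads as SERVICE_DISABLED, the three ControlService calls as STOP / PAUSE / CONTINUE, and the four GetSystemMetrics indices as the virtual-screen rectangle. The sample call lines are copied from this section; reading the 000000FF words in the ChangeServiceConfigW call as the sign-extended -1 immediate (SERVICE_NO_CHANGE) is an assumption.

```python
"""Decode the raw Win32 argument lists that the Joe Sandbox IDA plugin prints."""
import re
from typing import Dict, List, Optional

# Shape of one report line: "[• ][Part of subcall function X: ]Api.MODULE(a,b,c), ref: ADDR"
CALL_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

HKEY = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
        0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
REG_ACCESS = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}
SERVICE_ACCESS = {0x1: "SERVICE_QUERY_CONFIG", 0x2: "SERVICE_CHANGE_CONFIG",
                  0x4: "SERVICE_QUERY_STATUS", 0x8: "SERVICE_ENUMERATE_DEPENDENTS",
                  0x10: "SERVICE_START", 0x20: "SERVICE_STOP",
                  0x40: "SERVICE_PAUSE_CONTINUE", 0x80: "SERVICE_INTERROGATE",
                  0x100: "SERVICE_USER_DEFINED_CONTROL"}
START_TYPE = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START", 2: "SERVICE_AUTO_START",
              3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}
CONTROL = {1: "SERVICE_CONTROL_STOP", 2: "SERVICE_CONTROL_PAUSE",
           3: "SERVICE_CONTROL_CONTINUE", 4: "SERVICE_CONTROL_INTERROGATE",
           5: "SERVICE_CONTROL_SHUTDOWN"}
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
METRICS = {0: "SM_CXSCREEN", 1: "SM_CYSCREEN", 76: "SM_XVIRTUALSCREEN",
           77: "SM_YVIRTUALSCREEN", 78: "SM_CXVIRTUALSCREEN", 79: "SM_CYVIRTUALSCREEN"}

# Constructed sample input: call lines in the shape this report prints them.
SAMPLE_CALLS = [
    "Part of subcall function 00411F91: RegOpenKeyExA.ADVAPI32(80000002,00000400,00000000,00020019,?), ref: 00411FB5",
    "OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,00418344,00000000), ref: 00418C52",
    "ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C94",
    "CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418C5F",
    "OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,004185D9,00000000), ref: 00418A7F",
    "ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004185D9,00000000), ref: 00418A9B",
    "ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00418559,00000000), ref: 00418B9F",
    "ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,004184D9,00000000), ref: 00418C06",
    "CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409745), ref: 004096A3",
    "Sleep.KERNEL32(00002710,?,?,?,00409745), ref: 004096DF",
    "GetSystemMetrics.USER32(0000004C), ref: 004173AA",
]


def to_int(token: str) -> Optional[int]:
    """The plugin prints hex words; '?' or a string literal is not a number."""
    try:
        return int(token, 16)
    except ValueError:
        return None


def lookup(table: Dict[int, str], value: Optional[int]) -> str:
    return "?" if value is None else table.get(value, hex(value))


def flag_names(table: Dict[int, str], value: Optional[int]) -> str:
    if value is None:
        return "?"
    names = [name for bit, name in table.items() if value & bit]
    return "|".join(names) if names else hex(value)


def meaning(api: str, v: List[Optional[int]]) -> str:
    """Map the positional arguments of the APIs seen in this report to their names."""
    if api in ("RegOpenKeyExA", "RegOpenKeyExW"):
        return f"root={lookup(HKEY, v[0])} access={lookup(REG_ACCESS, v[3])}"
    if api in ("OpenServiceA", "OpenServiceW"):
        return f"desired access={flag_names(SERVICE_ACCESS, v[2])}"
    if api in ("ChangeServiceConfigA", "ChangeServiceConfigW"):
        # v[1] and v[3] print as 000000FF in this listing; assumed to be the
        # sign-extended -1 immediate, i.e. SERVICE_NO_CHANGE for type/error control.
        return f"start type={lookup(START_TYPE, v[2])}"
    if api == "ControlService":
        return f"control={lookup(CONTROL, v[1])}"
    if api in ("CreateFileA", "CreateFileW"):
        return f"access={flag_names(GENERIC, v[1])} disposition={lookup(DISPOSITION, v[4])}"
    if api == "Sleep":
        return "sleep ?" if v[0] is None else f"sleep {v[0]} ms"
    if api == "GetSystemMetrics":
        return f"index={lookup(METRICS, v[0])}"
    return ""  # handles, closes, CRT helpers: nothing worth decoding


def decode_call(line: str) -> Optional[Dict[str, str]]:
    m = CALL_RE.match(line)
    if not m:
        return None
    values = [to_int(a.strip()) for a in m.group("args").split(",")]
    values += [None] * max(0, 8 - len(values))  # short arg lists index safely
    return {"api": m.group("api"), "module": m.group("module"), "ref": m.group("ref"),
            "meaning": meaning(m.group("api"), values)}


def decode_report_lines(lines: List[str]) -> List[str]:
    out = []
    for line in lines:
        d = decode_call(line)
        if d and d["meaning"]:
            out.append(f"{d['ref']} {d['api']}: {d['meaning']}")
    return out


if __name__ == "__main__":
    for row in decode_report_lines(SAMPLE_CALLS):
        print(row)
```

Run against the four service-control entries above, the output shows the sample opening a service with SERVICE_CHANGE_CONFIG and setting its start type to SERVICE_DISABLED, then opening it with SERVICE_STOP / SERVICE_PAUSE_CONTINUE and sending STOP, PAUSE and CONTINUE; lines the regex cannot parse (C++ mangled names such as std::_Lockit) are skipped rather than guessed at.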
                    APIs
                    • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?,00000000,00471FFC), ref: 0040E547
                    • CloseHandle.KERNEL32(?,?,?,?,?,00000000,00471FFC), ref: 0040E556
                    • CloseHandle.KERNEL32(?,?,?,?,?,00000000,00471FFC), ref: 0040E55B
                    Strings
                    • C:\Windows\System32\cmd.exe, xrefs: 0040E542
                    • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 0040E53D
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseHandle$CreateProcess
                    • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                    • API String ID: 2922976086-4183131282
                    • Opcode ID: 5cb763d495b165fc4f9c66d013102bd94a78ddd016aca5e3dc924e3fee2ecf0f
                    • Instruction ID: 9c8cd13d2f2f5b55d8ef3643fb71004f418ed3317f879fdff7c1c4061e2abca7
                    • Opcode Fuzzy Hash: 5cb763d495b165fc4f9c66d013102bd94a78ddd016aca5e3dc924e3fee2ecf0f
                    • Instruction Fuzzy Hash: 1AF06276D0029C7ACB20AAD7AC0DEDF7F3CEBC6B11F00005AB504A2050D5746540CAB5
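The CreateProcessA call above runs cmd.exe /k reg.exe ADD ... /v EnableLUA /t REG_DWORD /d 0 /f with creation flag 08000000 (CREATE_NO_WINDOW), which disables UAC once the machine reboots. As an added detection example, not part of the Joe Sandbox report, the Python below classifies process-creation command lines for writes to the EnableLUA value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, covering the cmd.exe /k wrapper seen here, a direct reg.exe add with quoted key and hex data, and the PowerShell Set-ItemProperty form, while leaving read-only reg query alone. The event records are constructed, and the field names image and cmdline are hypothetical stand-ins for the corresponding Sysmon Event ID 1 or Security 4688 fields.

```python
"""Flag process command lines that write EnableLUA under the UAC policy key."""
import re
from typing import Dict, List, Optional

# Key in reg.exe form (HKLM\...), long form (HKEY_LOCAL_MACHINE\...) or PowerShell drive form (HKLM:\...)
UAC_KEY = re.compile(
    r'HK(?:LM|EY_LOCAL_MACHINE):?\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System',
    re.IGNORECASE)
VALUE_NAME = re.compile(r'(?:/v\s+|-Name\s+)"?EnableLUA\b"?', re.IGNORECASE)
WRITE_VERB = re.compile(r'\breg(?:\.exe)?\s+add\b|\b(?:Set|New)-ItemProperty\b', re.IGNORECASE)
DATA = re.compile(r'(?:/d\s+|-Value\s+)"?(0x[0-9a-f]+|\d+)"?', re.IGNORECASE)

# Constructed sample records (hypothetical field names; not from any real log).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0x0 /f'},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name EnableLUA -Value 0"},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f"},
]


def parse_data(token: str) -> int:
    """reg.exe accepts decimal or 0x-prefixed hex for REG_DWORD data."""
    return int(token, 16) if token.lower().startswith("0x") else int(token)


def classify(cmdline: str) -> Optional[str]:
    """Return 'uac_disabled', 'uac_policy_modified', or None for a command line."""
    if not (UAC_KEY.search(cmdline) and VALUE_NAME.search(cmdline)):
        return None
    if not WRITE_VERB.search(cmdline):
        return None  # reg query / Get-ItemProperty only reads the value
    m = DATA.search(cmdline)
    if m and parse_data(m.group(1)) == 0:
        return "uac_disabled"
    return "uac_policy_modified"  # any other write to this value is still worth a look


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run classify over process-creation records and keep the hits."""
    findings = []
    for ev in events:
        verdict = classify(ev.get("cmdline", ""))
        if verdict:
            findings.append({"verdict": verdict, "image": ev.get("image", ""),
                             "cmdline": ev["cmdline"]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["verdict"], "|", f["image"], "|", f["cmdline"])
```

Matching on the full command line rather than on the image name is deliberate: in this sample the write is visible in the cmd.exe record, and the child reg.exe is launched via %windir% expansion that a path-based rule keyed on reg.exe alone might miss.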
                    APIs
                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004407EB,00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002), ref: 0044085A
                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044086D
                    • FreeLibrary.KERNEL32(00000000,?,?,?,004407EB,00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002), ref: 00440890
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressFreeHandleLibraryModuleProc
                    • String ID: CorExitProcess$mscoree.dll
                    • API String ID: 4061214504-1276376045
                    • Opcode ID: cfbbdf30ec96b6666769d195f1efe458a00f065bb439fa98bb073361271b6784
                    • Instruction ID: 0a8d3f567fe41ef9be558500660f8c42ae883db5e601ee7dbbda2c1d2cd30ed9
                    • Opcode Fuzzy Hash: cfbbdf30ec96b6666769d195f1efe458a00f065bb439fa98bb073361271b6784
                    • Instruction Fuzzy Hash: EAF0A431900618BBDB10AF61DC09BAEBFB4DB04756F510275F905A2261CB74CE54CA98
                    APIs
                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00471E90,00404E5A,00000001,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405100
                    • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 0040510C
                    • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405117
                    • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405120
                      • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                    Strings
                    • Connection KeepAlive | Disabled, xrefs: 004050D9
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                    • String ID: Connection KeepAlive | Disabled
                    • API String ID: 2993684571-3818284553
                    • Opcode ID: 225cf815540c87da9bddac79f5b913ec4e7dd3a96093c31c561b7671f502e72f
                    • Instruction ID: 9f72672606b7a98fb4f6c5586ee23e87f0057564a74405461857646c77684129
                    • Opcode Fuzzy Hash: 225cf815540c87da9bddac79f5b913ec4e7dd3a96093c31c561b7671f502e72f
                    • Instruction Fuzzy Hash: 73F09671D047007FEB1037759D0AA6B7F98DB02315F44096EF882526E1D5B988509B5A
                    APIs
                      • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                    • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00418DA8
                    • PlaySoundW.WINMM(00000000,00000000), ref: 00418DB6
                    • Sleep.KERNEL32(00002710), ref: 00418DBD
                    • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00418DC6
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: PlaySound$HandleLocalModuleSleepTime
                    • String ID: Alarm triggered
                    • API String ID: 614609389-2816303416
                    • Opcode ID: bdf6e914fbef22af66a0bd792b19461622f07135ad8277a1fc3addc14a55c3ce
                    • Instruction ID: 312fa8acbc24107594bc9953998d05cc744500d2263fe9839a2dc32143519282
                    • Opcode Fuzzy Hash: bdf6e914fbef22af66a0bd792b19461622f07135ad8277a1fc3addc14a55c3ce
                    • Instruction Fuzzy Hash: 9EE01226E4026037A510376A6D0FC6F2D2DDBD3B6274501AFFA04571D2D9A4080186FF
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0ee00742f353d3b6c360b2e24851711a1429195aca157381f7858ce70f5acd61
                    • Instruction ID: 08a5b5d7c592992a36ca4e715a0fda7f3efcfcd9ac9fa05da90acde50f0064fb
                    • Opcode Fuzzy Hash: 0ee00742f353d3b6c360b2e24851711a1429195aca157381f7858ce70f5acd61
                    • Instruction Fuzzy Hash: C471C3319002169BCB21CF55C884BFFBB75EF99320F24622BEA5167241DB788D41CBE9
                    APIs
                    • Sleep.KERNEL32(00000000,?), ref: 004044A4
                      • Part of subcall function 004045E7: __EH_prolog.LIBCMT ref: 004045EC
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: H_prologSleep
                    • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
                    • API String ID: 3469354165-3547787478
                    • Opcode ID: 79d62a6595cf55298d25edce903250e1b179ff19ced7e633b316f4f85634b2f8
                    • Instruction ID: 7794b0ea9bf29785644917a3a4e5658b539d561772896ef264e5995737b90c85
                    • Opcode Fuzzy Hash: 79d62a6595cf55298d25edce903250e1b179ff19ced7e633b316f4f85634b2f8
                    • Instruction Fuzzy Hash: 5951E8B1B0420167C614BB769D5AA6E3795ABC0744F00053FFA45A77E2EF7C8D09C29E
                    APIs
                      • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                    • _free.LIBCMT ref: 00442318
                    • _free.LIBCMT ref: 0044232F
                    • _free.LIBCMT ref: 0044234E
                    • _free.LIBCMT ref: 00442369
                    • _free.LIBCMT ref: 00442380
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$AllocateHeap
                    • String ID:
                    • API String ID: 3033488037-0
                    • Opcode ID: 68d3d4ca8a647a007ad94700598122f23d06d752802edf7745cc1232d3d9ba81
                    • Instruction ID: f6524bd8b7bf53f5b45239f2df66d8239dbe938cd5ee0330fa6954bf91cd2c46
                    • Opcode Fuzzy Hash: 68d3d4ca8a647a007ad94700598122f23d06d752802edf7745cc1232d3d9ba81
                    • Instruction Fuzzy Hash: 2951C331A00704AFEB20DF6AC941A6A77F4FF49724F54466EF809DB250E7B9DA018B48
                    APIs
                    • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045C1E4), ref: 004468FE
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F754,000000FF,00000000,0000003F,00000000,?,?), ref: 00446976
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F7A8,000000FF,?,0000003F,00000000,?), ref: 004469A3
                    • _free.LIBCMT ref: 004468EC
                      • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                      • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                    • _free.LIBCMT ref: 00446AB8
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                    • String ID:
                    • API String ID: 1286116820-0
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: _free
                    • String ID:
                    • API String ID: 269201875-0
                    APIs
                    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00439ED1,?,00000000,?,00000001,?,?,00000001,00439ED1,?), ref: 0044E359
                    • __alloca_probe_16.LIBCMT ref: 0044E391
                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044E3E2
                    • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00438C3F,?), ref: 0044E3F4
                    • __freea.LIBCMT ref: 0044E3FD
                      • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                    • String ID:
                    • API String ID: 313313983-0
                    APIs
                    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BD9
                    • waveInOpen.WINMM(0046FAB0,000000FF,0046FA98,Function_00001CEB,00000000,00000000,00000024), ref: 00401C6F
                    • waveInPrepareHeader.WINMM(0046FA78,00000020), ref: 00401CC3
                    • waveInAddBuffer.WINMM(0046FA78,00000020), ref: 00401CD2
                    • waveInStart.WINMM ref: 00401CDE
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                    • String ID:
                    • API String ID: 1356121797-0
                    APIs
                    • GetEnvironmentStringsW.KERNEL32 ref: 0044C543
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044C566
                      • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044C58C
                    • _free.LIBCMT ref: 0044C59F
                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044C5AE
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                    • String ID:
                    • API String ID: 336800556-0
                    APIs
                    • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA
                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1D7
                    • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1E3
                    • WriteFile.KERNEL32(00000000,00000000,00000000,0040649B,00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1F4
                    • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A201
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: File$CloseHandle$CreatePointerWrite
                    • String ID:
                    • API String ID: 1852769593-0
                    APIs
                    • std::_Lockit::_Lockit.LIBCPMT ref: 0040FBD5
                    • int.LIBCPMT ref: 0040FBE8
                      • Part of subcall function 0040CAE9: std::_Lockit::_Lockit.LIBCPMT ref: 0040CAFA
                      • Part of subcall function 0040CAE9: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CB14
                    • std::_Facet_Register.LIBCPMT ref: 0040FC28
                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC31
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC4F
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                    • String ID:
                    • API String ID: 2536120697-0
                    APIs
                    • _free.LIBCMT ref: 0044DBB4
                      • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                      • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                    • _free.LIBCMT ref: 0044DBC6
                    • _free.LIBCMT ref: 0044DBD8
                    • _free.LIBCMT ref: 0044DBEA
                    • _free.LIBCMT ref: 0044DBFC
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    APIs
                    • _free.LIBCMT ref: 00441566
                      • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                      • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                    • _free.LIBCMT ref: 00441578
                    • _free.LIBCMT ref: 0044158B
                    • _free.LIBCMT ref: 0044159C
                    • _free.LIBCMT ref: 004415AD
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    APIs
                    • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 004124AD
                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 004124DC
                    • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 0041257C
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: Enum$InfoQueryValue
                    • String ID: [regsplt]
                    • API String ID: 3554306468-4262303796
                    APIs
                    • _strpbrk.LIBCMT ref: 0044B918
                    • _free.LIBCMT ref: 0044BA35
                      • Part of subcall function 00439AA3: IsProcessorFeaturePresent.KERNEL32(00000017,00439A75,?,?,?,?,?,00000000,?,?,00439A95,00000000,00000000,00000000,00000000,00000000), ref: 00439AA5
                      • Part of subcall function 00439AA3: GetCurrentProcess.KERNEL32(C0000417), ref: 00439AC7
                      • Part of subcall function 00439AA3: TerminateProcess.KERNEL32(00000000), ref: 00439ACE
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                    • String ID: *?$.
                    • API String ID: 2812119850-3972193922
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: __alloca_probe_16__freea
                    • String ID: H"G$H"GH"G
                    • API String ID: 1635606685-3036711414
                    APIs
                    • __Init_thread_footer.LIBCMT ref: 0040189E
                    • ExitThread.KERNEL32 ref: 004018D6
                    • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00471E78,00000000), ref: 004019E4
                      • Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                    • String ID: 8:G
                    • API String ID: 1649129571-405301104
                    APIs
                    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\PQHcRKfCm.exe,00000104), ref: 00440975
                    • _free.LIBCMT ref: 00440A40
                    • _free.LIBCMT ref: 00440A4A
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: _free$FileModuleName
                    • String ID: C:\Users\user\AppData\Roaming\PQHcRKfCm.exe
                    • API String ID: 2506810119-3712390588
                    APIs
                      • Part of subcall function 00412006: RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,00472248,00471FFC), ref: 00412030
                      • Part of subcall function 00412006: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 0041204B
                      • Part of subcall function 00412006: RegCloseKey.ADVAPI32(00000000), ref: 00412054
                      • Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
                    • _wcslen.LIBCMT ref: 00419744
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                    • String ID: .exe$program files (x86)\$program files\
                    • API String ID: 37874593-1203593143
                    APIs
                    • CreateThread.KERNEL32(00000000,00000000,00409305,00472008,00000000,00000000), ref: 0040928B
                    • CreateThread.KERNEL32(00000000,00000000,004092EF,00472008,00000000,00000000), ref: 0040929B
                    • CreateThread.KERNEL32(00000000,00000000,00409311,00472008,00000000,00000000), ref: 004092A7
                      • Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                      • Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: CreateThread$LocalTimewsprintf
                    • String ID: Offline Keylogger Started
                    • API String ID: 465354869-4114347211
                    APIs
                      • Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                      • Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F
                      • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                    • CreateThread.KERNEL32(00000000,00000000,004092EF,?,00000000,00000000), ref: 00409EB7
                    • CreateThread.KERNEL32(00000000,00000000,00409311,?,00000000,00000000), ref: 00409EC3
                    • CreateThread.KERNEL32(00000000,00000000,0040931D,?,00000000,00000000), ref: 00409ECF
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: CreateThread$LocalTime$wsprintf
                    • String ID: Online Keylogger Started
                    • API String ID: 112202259-1258561607
                    APIs
                    • GetLocalTime.KERNEL32(?), ref: 00404F61
                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FAD
                    • CreateThread.KERNEL32(00000000,00000000,00405130,?,00000000,00000000), ref: 00404FC0
                    Strings
                    • Connection KeepAlive | Enabled | Timeout: , xrefs: 00404F74
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: Create$EventLocalThreadTime
                    • String ID: Connection KeepAlive | Enabled | Timeout:
                    • API String ID: 2532271599-507513762
                    APIs
                    • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData,?,00000000,00406039,?), ref: 00406090
                    • GetProcAddress.KERNEL32(00000000), ref: 00406097
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: CryptUnprotectData$crypt32
                    • API String ID: 2574300362-2380590389
                    APIs
                    • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405139), ref: 00405153
                    • CloseHandle.KERNEL32(?), ref: 004051AA
                    • SetEvent.KERNEL32(?), ref: 004051B9
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: CloseEventHandleObjectSingleWait
                    • String ID: Connection Timeout
                    • API String ID: 2055531096-499159329
                    APIs
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040D25E
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: Exception@8Throw
                    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                    • API String ID: 2005118841-1866435925
                    APIs
                    • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
                    • RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
                    • RegCloseKey.ADVAPI32(00000000), ref: 00412128
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: CloseOpenQueryValue
                    • String ID: origmsc
                    • API String ID: 3677997916-68016026
                    APIs
                    • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041487B
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Similarity
                    • API ID: ExecuteShell
                    • String ID: /C $cmd.exe$open
                    • API String ID: 587946157-3896048727
                    APIs
                    • RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,00472248,00471FFC), ref: 00412030
                    • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 0041204B
                    • RegCloseKey.ADVAPI32(00000000), ref: 00412054
                    Strings
                    • http\shell\open\command, xrefs: 00412026
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseOpenQueryValue
                    • String ID: http\shell\open\command
                    • API String ID: 3677997916-1487954565
                    • Opcode ID: b2b53b33f668fea9d6b70683008644784a8f2d8740eef6bc6becda6435671858
                    • Instruction ID: 0e37d8025f140bc42ec1a8b72352379eb981339daaa9ecb07b48012be1c394e8
                    • Opcode Fuzzy Hash: b2b53b33f668fea9d6b70683008644784a8f2d8740eef6bc6becda6435671858
                    • Instruction Fuzzy Hash: C5F0C271500218FBDB609B95DC49EDFBBBCEB84B12F1040A6BA04E2150DAB55F98C7A5
                    APIs
                    • RegCreateKeyW.ADVAPI32(80000001,Software\Classes\mscfile\shell\open\command,0046FB08), ref: 0041220F
                    • RegSetValueExW.ADVAPI32(0046FB08,00469654,00000000,00000000,00000000,00000000,00469654,?,80000001,?,0040674F,00469654,0046FB08), ref: 0041223E
                    • RegCloseKey.ADVAPI32(0046FB08,?,80000001,?,0040674F,00469654,0046FB08), ref: 00412249
                    Strings
                    • Software\Classes\mscfile\shell\open\command, xrefs: 0041220D
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseCreateValue
                    • String ID: Software\Classes\mscfile\shell\open\command
                    • API String ID: 1818849710-505396733
                    • Opcode ID: 3e3fd8a80b9e4d87c81bb3c401438d747e56ec0492b29cf55bc65580399ff691
                    • Instruction ID: 05e6d75f170e8ecdfe9b8062019ada1801530107581382ed9d20477649f1572c
                    • Opcode Fuzzy Hash: 3e3fd8a80b9e4d87c81bb3c401438d747e56ec0492b29cf55bc65580399ff691
                    • Instruction Fuzzy Hash: A1F0AF71440218BBCF00DFA1ED45AEE376CEF44755F00816ABC05A61A1E63A9E14DA94
                    APIs
                    • std::_Lockit::_Lockit.LIBCPMT ref: 0040C9D9
                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CA18
                      • Part of subcall function 004333ED: _Yarn.LIBCPMT ref: 0043340C
                      • Part of subcall function 004333ED: _Yarn.LIBCPMT ref: 00433430
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CA3E
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                    • String ID: bad locale name
                    • API String ID: 3628047217-1405518554
                    • Opcode ID: 082478905eeced14d5731d6393d842c9ba169a160db0ba1d03fb3bfa15736ecf
                    • Instruction ID: 2c4ad0125759e8972babdbfe9bad97e9a7b68ba46d49635da0f31685b809246c
                    • Opcode Fuzzy Hash: 082478905eeced14d5731d6393d842c9ba169a160db0ba1d03fb3bfa15736ecf
                    • Instruction Fuzzy Hash: 6EF01232500604FAC328FBA6DC5299A77A49F14719F508D3FF545214D1FF396A18C699
                    APIs
                    • RegCreateKeyA.ADVAPI32(80000001,00000000,P0F), ref: 00412276
                    • RegSetValueExA.ADVAPI32(P0F,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 00412291
                    • RegCloseKey.ADVAPI32(?,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 0041229C
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseCreateValue
                    • String ID: P0F
                    • API String ID: 1818849710-3540264436
                    • Opcode ID: 621f54e733439cbcd958662464d090e9ff9f63f5a417d09ab0c58a6b3b1f16b4
                    • Instruction ID: aa9041bc7d36289a95917c0f975a521a353b8518001b5fa9068edf17b8c75ad2
                    • Opcode Fuzzy Hash: 621f54e733439cbcd958662464d090e9ff9f63f5a417d09ab0c58a6b3b1f16b4
                    • Instruction Fuzzy Hash: 05E03972600308BBDB209FA09D05FEA7B6CEF04B62F1141A5BF09A6591D2758E14A7A8
                    APIs
                    • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 004013FC
                    • GetProcAddress.KERNEL32(00000000), ref: 00401403
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressHandleModuleProc
                    • String ID: GetCursorInfo$User32.dll
                    • API String ID: 1646373207-2714051624
                    • Opcode ID: 088d9d047025d8497e924925820d5eb65f0f262b7c85d6662a4774416c360c30
                    • Instruction ID: b28a71f0ab0cd05a0e9183a6667f806437ada0decc35e30242c3667109896680
                    • Opcode Fuzzy Hash: 088d9d047025d8497e924925820d5eb65f0f262b7c85d6662a4774416c360c30
                    • Instruction Fuzzy Hash: 8BB09BB5741301BB8A017B705E0D905357C550470375102A3B00386161F7F44500C61E
                    APIs
                    • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014A1
                    • GetProcAddress.KERNEL32(00000000), ref: 004014A8
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: GetLastInputInfo$User32.dll
                    • API String ID: 2574300362-1519888992
                    • Opcode ID: 0a32acb6837364cc41bfb1711514e79ed8798cba9f1c44e4cca123ab277e4417
                    • Instruction ID: 9c97512ccc3e9dae7fbe55962af9901819d65f6a69b3e33b2a0b565c767961ff
                    • Opcode Fuzzy Hash: 0a32acb6837364cc41bfb1711514e79ed8798cba9f1c44e4cca123ab277e4417
                    • Instruction Fuzzy Hash: 51B092B1980302AB8E006FB1AE0DE043AB8A604703B5102B6B00292161EAF99440CF2E
                    APIs
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: __alldvrm$_strrchr
                    • String ID:
                    • API String ID: 1036877536-0
                    • Opcode ID: ffe43cf3e465c727d5e0953a870d72e00f4610d42b915cf7dfa75284df7637f7
                    • Instruction ID: 8a3f88530d83194aa24a517e4ef6e15a272d99a70002873db7a8ab856bdac54d
                    • Opcode Fuzzy Hash: ffe43cf3e465c727d5e0953a870d72e00f4610d42b915cf7dfa75284df7637f7
                    • Instruction Fuzzy Hash: 18A12572A012869FFB21CE18C8817AEBBA1EF65314F24416FE5859B382CA3C8941C759
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 708417122de2711bb2eb7b93dd9c5bc77eababb27f74811c5393ad6cf28abd82
                    • Instruction ID: c1abd53b49e6a7723cad7358b49d7c046164203d86e3a19123cc85c40c5f12b7
                    • Opcode Fuzzy Hash: 708417122de2711bb2eb7b93dd9c5bc77eababb27f74811c5393ad6cf28abd82
                    • Instruction Fuzzy Hash: 93412871E00704AFD7249F79CC46B5A7BA9EB8C714F10523FF142DB681D37999498788
                    APIs
                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00471EE8), ref: 00404D93
                    • CreateThread.KERNEL32(00000000,00000000,?,00471E90,00000000,00000000), ref: 00404DA7
                    • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 00404DB2
                    • CloseHandle.KERNEL32(?,?,00000000), ref: 00404DBB
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Create$CloseEventHandleObjectSingleThreadWait
                    • String ID:
                    • API String ID: 3360349984-0
                    • Opcode ID: 4507b0ab51a6c89f5a00a7e6d16978d5bd04c0451300ea21d68f1003f035869f
                    • Instruction ID: 0d5bef4af40d9751d8a4c840d6feadb85822b330c50e1cee3accc81e25362d00
                    • Opcode Fuzzy Hash: 4507b0ab51a6c89f5a00a7e6d16978d5bd04c0451300ea21d68f1003f035869f
                    • Instruction Fuzzy Hash: DA4194712083016FCB11FB61CD55D6FB7EDAFD4314F400A3EB982A32E2DB7899098666
                    APIs
                    Strings
                    • Cleared browsers logins and cookies., xrefs: 0040B036
                    • [Cleared browsers logins and cookies.], xrefs: 0040B025
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Sleep
                    • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                    • API String ID: 3472027048-1236744412
                    • Opcode ID: c5625c41e3350cd44f31e3f39ca14d3df05c6bc0ef5032128f41299be6cd647b
                    • Instruction ID: 9e673e540e653d5dfc9c41bfd33b173fe745421aa21f598ea7623546fa890e2b
                    • Opcode Fuzzy Hash: c5625c41e3350cd44f31e3f39ca14d3df05c6bc0ef5032128f41299be6cd647b
                    • Instruction Fuzzy Hash: EE31A24074C3826EDA11BBB555267EF6B924A53758F0844BFF8C42B3C3D9BA4818936F
                    APIs
                      • Part of subcall function 004120E8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
                      • Part of subcall function 004120E8: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
                      • Part of subcall function 004120E8: RegCloseKey.ADVAPI32(00000000), ref: 00412128
                    • Sleep.KERNEL32(00000BB8), ref: 004111DF
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseOpenQuerySleepValue
                    • String ID: H"G$exepath$!G
                    • API String ID: 4119054056-2148977334
                    • Opcode ID: b63ef4792b0a54595826799ca09291a4a0f263f6c30614dda09e5540f09a92a9
                    • Instruction ID: cc1704131a0fe244d5c58522e2247ad29464f3afd50ace533094a5add093a815
                    • Opcode Fuzzy Hash: b63ef4792b0a54595826799ca09291a4a0f263f6c30614dda09e5540f09a92a9
                    • Instruction Fuzzy Hash: 2321F7A1B0030426DA00B7765D56AAF724D8B84308F00447FBE46F72E3DEBC9D0981AD
                    APIs
                      • Part of subcall function 0041A2DB: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A2EB
                      • Part of subcall function 0041A2DB: GetWindowTextLengthW.USER32(00000000), ref: 0041A2F4
                      • Part of subcall function 0041A2DB: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041A31E
                    • Sleep.KERNEL32(000001F4), ref: 0040955A
                    • Sleep.KERNEL32(00000064), ref: 004095F5
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Window$SleepText$ForegroundLength
                    • String ID: [ $ ]
                    • API String ID: 3309952895-93608704
                    • Opcode ID: 1543f2ebe3b39a11f32b2ab7ee3d2400f3e72a61424cc91a421d40b22e495c0c
                    • Instruction ID: f130b1bb1348f748448b569433b56ba5176942d51498ef551544d7c0cb15bd34
                    • Opcode Fuzzy Hash: 1543f2ebe3b39a11f32b2ab7ee3d2400f3e72a61424cc91a421d40b22e495c0c
                    • Instruction Fuzzy Hash: 2721657160420067C618B776DC179AE32A89F51308F40447FF552772D3EE7D9A05869F
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 87cf1a99992dac899311e5f70d4e339ac3b3345b823034c77296a488e3312c11
                    • Instruction ID: cddd12244c82da27d8fba5a3cfb3b4b8374ea1530061808fe1103b2c2b1f06f2
                    • Opcode Fuzzy Hash: 87cf1a99992dac899311e5f70d4e339ac3b3345b823034c77296a488e3312c11
                    • Instruction Fuzzy Hash: 46018FB26092163EF6302E796CC1F67271CDF517B9B21033BF625622D2EAB8CD254568
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0a806abc81d082e1cec901e4614177c074956c5300ea34d23f617e0004ee84c8
                    • Instruction ID: ded37596ea74bb71ca552df42b40a6491f306b500b676c7390fdbb9d5d89f826
                    • Opcode Fuzzy Hash: 0a806abc81d082e1cec901e4614177c074956c5300ea34d23f617e0004ee84c8
                    • Instruction Fuzzy Hash: E801D1B220A2163EB6202E796CC9D27631DEF513BE725033BF521522E6EF7DCC855168
                    APIs
                    • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                    • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A23C
                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A261
                    • CloseHandle.KERNEL32(00000000,?,00000000,0040410F,00462E24), ref: 0041A26F
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: File$CloseCreateHandleReadSize
                    • String ID:
                    • API String ID: 3919263394-0
                    • Opcode ID: f8144eb0105f9ed2fcebd69b81e7c94004eac80e706136602d8195065f3f2b82
                    • Instruction ID: 89bb00dd3d40589ea0a8ab1c68f17f151e0eed20b013a8aeca2898ab58bcd068
                    • Opcode Fuzzy Hash: f8144eb0105f9ed2fcebd69b81e7c94004eac80e706136602d8195065f3f2b82
                    • Instruction Fuzzy Hash: 6EF0F6B13023087FE6102B21AC84FBF369CDB867A5F01027EF901A32C1CA3A8C054536
                    APIs
                    • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00436CD1
                    • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00436CD6
                    • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00436CDB
                      • Part of subcall function 004381DA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004381EB
                    • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00436CF0
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                    • String ID:
                    • API String ID: 1761009282-0
                    • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                    • Instruction ID: fe0629a2579d5eb29aad24ff52ac89f8c4d28ee3f0e2161d733d9faf058f7893
                    • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                    • Instruction Fuzzy Hash: 12C00254040342742C5077B622062AEA350A8AE38DFA7B4CFB892171038D0D440B953F
                    APIs
                    • __startOneArgErrorHandling.LIBCMT ref: 004401ED
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorHandling__start
                    • String ID: pow
                    • API String ID: 3213639722-2276729525
                    • Opcode ID: 28648d1c5639a1d5ffd860c5db5a803017559560979bfd47f5832c4e42ec8e44
                    • Instruction ID: 9a83a7e01686381b8a8ce0b853cf5bc52d75b03c70b61edc7fb1f4b11142e615
                    • Opcode Fuzzy Hash: 28648d1c5639a1d5ffd860c5db5a803017559560979bfd47f5832c4e42ec8e44
                    • Instruction Fuzzy Hash: 21518A60A842018AFB117714CA4137B3B90EB40701F248DABE5D2563EAEB7D8CB5DA4F
                    APIs
                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404046
                      • Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980
                      • Part of subcall function 004168A6: CloseHandle.KERNEL32(004040D5,?,?,004040D5,00462E24), ref: 004168BC
                      • Part of subcall function 004168A6: CloseHandle.KERNEL32($.F,?,?,004040D5,00462E24), ref: 004168C5
                      • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                    • Sleep.KERNEL32(000000FA,00462E24), ref: 00404118
                    Strings
                    • /sort "Visit Time" /stext ", xrefs: 00404092
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                    • String ID: /sort "Visit Time" /stext "
                    • API String ID: 368326130-1573945896
                    • Opcode ID: a4a6769404a45eb771fb951e36bc417e5ca480f2d31eb92d27795bae4adf2828
                    • Instruction ID: 7f8942f24ccac46b0034012f494d3192eca769648d2eef92b07e1d28e9d76a7f
                    • Opcode Fuzzy Hash: a4a6769404a45eb771fb951e36bc417e5ca480f2d31eb92d27795bae4adf2828
                    • Instruction Fuzzy Hash: B5316431A0021556CB14FBB6DC969EE73B9AF90308F40017FF506B71E2EE38594ACA99
                    APIs
                      • Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B
                    • __Init_thread_footer.LIBCMT ref: 0040A6E3
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Init_thread_footer__onexit
                    • String ID: [End of clipboard]$[Text copied to clipboard]
                    • API String ID: 1881088180-3686566968
                    • Opcode ID: 8b3756b0909f45d78d669578ef8912b34d58c84c6c9fb6c8f8edd64ed624e4fc
                    • Instruction ID: 89f5e7c07999504d217297f9a041c68b3e0b8c5632e5b70e4a6c966e9d45e494
                    • Opcode Fuzzy Hash: 8b3756b0909f45d78d669578ef8912b34d58c84c6c9fb6c8f8edd64ed624e4fc
                    • Instruction Fuzzy Hash: 42218D31A002055ACB04FBA5D892DEDB378AF54308F10453FF506771D2EF38AE4A8A8D
                    APIs
                    • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0044EF72,?,00000050,?,?,?,?,?), ref: 0044EDF2
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: ACP$OCP
                    • API String ID: 0-711371036
                    • Opcode ID: 2f6255c43d422f9ec28f5694223862b2eeac92ff2acac738a800f64e00dd4497
                    • Instruction ID: ce4b6ecbf16ce97eee8671cf775368e41a8ae942868fb71505acbacd33d5bec2
                    • Opcode Fuzzy Hash: 2f6255c43d422f9ec28f5694223862b2eeac92ff2acac738a800f64e00dd4497
                    • Instruction Fuzzy Hash: 4F21F1E2E00102A2FB348B67CC01BAB72A6FF54B51F568426E90AD7300EB3ADD41C35C
                    APIs
                    • GetWindowTextW.USER32(?,?,0000012C), ref: 00415B2E
                    • IsWindowVisible.USER32(?), ref: 00415B37
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: Window$TextVisible
                    • String ID: (%G
                    • API String ID: 1670992164-3377777310
                    • Opcode ID: 6f17d284cfdb4df53722abd5a13ccbba9f2a9602f3f7b51a6171a740e00953ec
                    • Instruction ID: 7bdbcb6602ffb42e5ce2137d58ff1a132c15f169860b2e192372582f8912ca7a
                    • Opcode Fuzzy Hash: 6f17d284cfdb4df53722abd5a13ccbba9f2a9602f3f7b51a6171a740e00953ec
                    • Instruction Fuzzy Hash: E42166315182019BC314FB61D891EEFB7E9AF94304F50493FF49A920E2FF349A49CA5A
                    APIs
                    • GetLocalTime.KERNEL32(?,004724A8,?,00000000,?,?,?,?,?,?,004146C2,?,00000001,0000004C,00000000), ref: 00405010
                      • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                    • GetLocalTime.KERNEL32(?,004724A8,?,00000000,?,?,?,?,?,?,004146C2,?,00000001,0000004C,00000000), ref: 00405067
                    Strings
                    • Connection KeepAlive | Enabled | Timeout: , xrefs: 00404FFF
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: LocalTime
                    • String ID: Connection KeepAlive | Enabled | Timeout:
                    • API String ID: 481472006-507513762
                    • Opcode ID: db71296423f5ae0c940390bca2fe76bdaa24d7f5692d89ec5d6dad89ab0214d4
                    • Instruction ID: 0beb7a88d254a358a963561f9d97893b624dd36ca90e96b80d49a5b3b1f878f3
                    • Opcode Fuzzy Hash: db71296423f5ae0c940390bca2fe76bdaa24d7f5692d89ec5d6dad89ab0214d4
                    • Instruction Fuzzy Hash: 092137719042406BD304B7219D2976F7794A745308F04047EF845132E2DBBD5988CB9F
                    APIs
                    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00432D8F
                    • ___raise_securityfailure.LIBCMT ref: 00432E76
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: FeaturePresentProcessor___raise_securityfailure
                    • String ID: (F
                    • API String ID: 3761405300-3109638091
                    • Opcode ID: 8d70a3cd03553c2d68efa77227729d50617932ca87f7888c32547dfbcc783ade
                    • Instruction ID: 494dc9d0fce29d31cb3ef34e393fed80e8221b4646dfbf54f91bf1ae82b1ca01
                    • Opcode Fuzzy Hash: 8d70a3cd03553c2d68efa77227729d50617932ca87f7888c32547dfbcc783ade
                    • Instruction Fuzzy Hash: 8C21F0BD500205DEE700DF16E9856403BE4BB49314F20943AE9088B3A1F3F669918F9F
                    APIs
                    • GetLocalTime.KERNEL32(00000000), ref: 004194F4
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: LocalTime
                    • String ID: | $%02i:%02i:%02i:%03i
                    • API String ID: 481472006-2430845779
                    • Opcode ID: 3ac86647c9e14ca6f93bd036f528b1de7b867f3a903355216a00816ff0bb3ae2
                    • Instruction ID: bce8772fa89f7f7ff9e68bb522557632f538b64cb503c22793e2f51f4d03e72f
                    • Opcode Fuzzy Hash: 3ac86647c9e14ca6f93bd036f528b1de7b867f3a903355216a00816ff0bb3ae2
                    • Instruction Fuzzy Hash: 68117F315042015AC304FBA5D8518EBB3E8AB94308F500A3FF895A21E2FF3CDA49C65A
                    APIs
                    • PathFileExistsW.SHLWAPI(00000000,00000000,?,?,?,?,?,00415594,00000000), ref: 00418CF2
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2088520187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_PQHcRKfCm.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExistsFilePath
                    • String ID: alarm.wav$x(G
                    • API String ID: 1174141254-2413638199
                    • Opcode ID: 26c40b3e06d19070c32931467931773a754d599fffa5f8131170b201d030b6b4
                    • Instruction ID: fe962266bcbe9b481af3baecc2186877703bd5259ecc619923a55b1e0e4c82aa
                    • Opcode Fuzzy Hash: 26c40b3e06d19070c32931467931773a754d599fffa5f8131170b201d030b6b4
                    • Instruction Fuzzy Hash: 40019270B0430056C604F7A6E9566EE37958BA1358F00857FA849672E2EEBD4D45C6CF
                    APIs
                      • Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                      • Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F
                      • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                    • CloseHandle.KERNEL32(?), ref: 00409FFD
                    • UnhookWindowsHookEx.USER32 ref: 0040A010
                    • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                    • String ID: Online Keylogger Stopped
                    APIs
                    • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000,?,?,?,?,?,?,0040B5A1), ref: 0040B49A
                    • API ID: ExistsFilePath
                    • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                    APIs
                    • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000,?,?,?,?,?,?,0040B53E), ref: 0040B437
                    • API ID: ExistsFilePath
                    • String ID: UserProfile$\AppData\Local\Google\Chrome\
                    APIs
                    • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000,?,?,?,?,?,?,0040B604), ref: 0040B4FD
                    • API ID: ExistsFilePath
                    • String ID: AppData$\Opera Software\Opera Stable\
                    APIs
                    • GetKeyState.USER32(00000011), ref: 0040A597
                      • Part of subcall function 00409468: GetForegroundWindow.USER32 ref: 0040949C
                      • Part of subcall function 00409468: GetWindowThreadProcessId.USER32(00000000,?), ref: 004094A7
                      • Part of subcall function 00409468: GetKeyboardLayout.USER32(00000000), ref: 004094AE
                      • Part of subcall function 00409468: GetKeyState.USER32(00000010), ref: 004094B8
                      • Part of subcall function 00409468: GetKeyboardState.USER32(?), ref: 004094C5
                      • Part of subcall function 00409468: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 004094E1
                      • Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A
                    • API ID: State$KeyboardWindow$EventForegroundLayoutProcessThreadUnicode
                    • String ID: [AltL]$[AltR]
                    APIs
                    • GetKeyState.USER32(00000012), ref: 0040A5F1
                    • API ID: State
                    • String ID: [CtrlL]$[CtrlR]
                    APIs
                    • RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,00000002,00000000,80000001,6h@,004123E9,00000000,00000000,6h@,origmsc,00000000), ref: 00412422
                    • RegDeleteValueW.ADVAPI32(?,?), ref: 00412436
                    • API ID: DeleteOpenValue
                    • String ID: 6h@
                    APIs
                    • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D35), ref: 0043B4DB
                    • GetLastError.KERNEL32 ref: 0043B4E9
                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043B544
                    • API ID: ByteCharMultiWide$ErrorLast
                    APIs
                    • IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00410955), ref: 004105F1
                    • IsBadReadPtr.KERNEL32(?,00000014,00410955), ref: 004106BD
                    • SetLastError.KERNEL32(0000007F), ref: 004106DF
                    • SetLastError.KERNEL32(0000007E,00410955), ref: 004106F6
                    • API ID: ErrorLastRead