Windows Analysis Report
BANK LETTER INDICATION.exe

Overview

General Information

Sample name: BANK LETTER INDICATION.exe
Analysis ID: 1467081
MD5: b0fd67ec3db079fd398d7f2fa7ad45bc
SHA1: a8bfe4c1fc745e35cde2acf1164c9ed92363df7d
SHA256: 89d5d25cd020213d6426f13296765683202542062cdcfb10b611d46a65d38d0f
Tags: exe

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • BANK LETTER INDICATION.exe (PID: 6988 cmdline: "C:\Users\user\Desktop\BANK LETTER INDICATION.exe" MD5: B0FD67EC3DB079FD398D7F2FA7AD45BC)
    • BANK LETTER INDICATION.exe (PID: 3212 cmdline: "C:\Users\user\Desktop\BANK LETTER INDICATION.exe" MD5: B0FD67EC3DB079FD398D7F2FA7AD45BC)
      • iexplore.exe (PID: 1032 cmdline: "c:\program files (x86)\internet explorer\iexplore.exe" MD5: 6F0F06D6AB125A99E43335427066A4A1)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Version": "5.1.0 Pro", "Host:Port:Password": "192.3.64.149:2888", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-7Q1GRN", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Yara matches (Source, Rule, Description, Author, Strings):

Source: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Rule: JoeSecurity_Remcos
Description: Yara detected Remcos RAT
Author: Joe Security

Source: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Rule: JoeSecurity_UACBypassusingCMSTP
Description: Yara detected UAC Bypass using CMSTP
Author: Joe Security

Source: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Rule: Windows_Trojan_Remcos_b296e965
Description: unknown
Author: unknown
Strings:
  • 0x6c4a8:$a1: Remcos restarted by watchdog!
  • 0x6ca20:$a3: %02i:%02i:%02i:%03i

Source: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Rule: REMCOS_RAT_variants
Description: unknown
Author: unknown
Strings:
  • 0x664fc:$str_a1: C:\Windows\System32\cmd.exe
  • 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6656c:$str_b2: Executing file:
  • 0x675ec:$str_b3: GetDirectListeningPort
  • 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x67118:$str_b7: \update.vbs
  • 0x66594:$str_b9: Downloaded file:
  • 0x66580:$str_b10: Downloading file:
  • 0x66624:$str_b12: Failed to upload file:
  • 0x675b4:$str_b13: StartForward
  • 0x675d4:$str_b14: StopForward
  • 0x67070:$str_b15: fso.DeleteFile "
  • 0x67004:$str_b16: On Error Resume Next
  • 0x670a0:$str_b17: fso.DeleteFolder "
  • 0x66614:$str_b18: Uploaded file:
  • 0x665d4:$str_b19: Unable to delete:
  • 0x67038:$str_b20: while fso.FileExists("
  • 0x66ab1:$str_c0: [Firefox StoredLogins not found]

Source: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Author: ditekSHen
Strings:
  • 0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x6637c:$s1: CoGetObject
  • 0x66390:$s1: CoGetObject
  • 0x663ac:$s1: CoGetObject
  • 0x70338:$s1: CoGetObject
  • 0x6633c:$s2: Elevation:Administrator!new:
Yara matches on unpacked PE files (Source, Rule, Description, Author, Strings):

Source: 0.2.BANK LETTER INDICATION.exe.4075888.3.unpack
Rule: JoeSecurity_Remcos
Description: Yara detected Remcos RAT
Author: Joe Security

Source: 0.2.BANK LETTER INDICATION.exe.4075888.3.unpack
Rule: JoeSecurity_UACBypassusingCMSTP
Description: Yara detected UAC Bypass using CMSTP
Author: Joe Security

Source: 0.2.BANK LETTER INDICATION.exe.4075888.3.unpack
Rule: Windows_Trojan_Remcos_b296e965
Description: unknown
Author: unknown
Strings:
  • 0x690a8:$a1: Remcos restarted by watchdog!
  • 0x69620:$a3: %02i:%02i:%02i:%03i

Source: 0.2.BANK LETTER INDICATION.exe.4075888.3.unpack
Rule: REMCOS_RAT_variants
Description: unknown
Author: unknown
Strings:
  • 0x630fc:$str_a1: C:\Windows\System32\cmd.exe
  • 0x63078:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x63078:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x63578:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x63da8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6316c:$str_b2: Executing file:
  • 0x641ec:$str_b3: GetDirectListeningPort
  • 0x63b98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x63d18:$str_b7: \update.vbs
  • 0x63194:$str_b9: Downloaded file:
  • 0x63180:$str_b10: Downloading file:
  • 0x63224:$str_b12: Failed to upload file:
  • 0x641b4:$str_b13: StartForward
  • 0x641d4:$str_b14: StopForward
  • 0x63c70:$str_b15: fso.DeleteFile "
  • 0x63c04:$str_b16: On Error Resume Next
  • 0x63ca0:$str_b17: fso.DeleteFolder "
  • 0x63214:$str_b18: Uploaded file:
  • 0x631d4:$str_b19: Unable to delete:
  • 0x63c38:$str_b20: while fso.FileExists("
  • 0x636b1:$str_c0: [Firefox StoredLogins not found]

Source: 0.2.BANK LETTER INDICATION.exe.4075888.3.unpack
Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Author: ditekSHen
Strings:
  • 0x62fe8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x62f7c:$s1: CoGetObject
  • 0x62f90:$s1: CoGetObject
  • 0x62fac:$s1: CoGetObject
  • 0x6cf38:$s1: CoGetObject
  • 0x62f3c:$s2: Elevation:Administrator!new:

          Stealing of Sensitive Information

Source: Registry Key set | Author: Joe Security | Data: Details: 04 AB 7E A7 F4 16 02 5D 15 0B 0A 58 F0 43 62 AB 14 9A 65 EC 8B 02 AC 0A D3 CD 3C CC 31 48 F1 AA 1D A6 25 0A 3E 08 CC 1D AA 21 0B D1 90 4E 05 9C C9 B2 06 5E A3 E9 50 83 BB 48 69 E6 3B 3E B3 BA 72 43 1F EA C2 73 E0 8C 17 6D 5B 0C ED E3 09 5A 72 6B EE 93 77 0D 85 CA 57 DB 37 88 F4 A8 01 05 1D DE F4 66 70 65 CE 0F 01 DB FB 76 , EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\BANK LETTER INDICATION.exe, ProcessId: 3212, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-7Q1GRN\exepath
No Snort rule has matched

          AV Detection

Source: 3.2.BANK LETTER INDICATION.exe.400000.0.unpack | Malware Configuration Extractor: Remcos {"Version": "5.1.0 Pro", "Host:Port:Password": "192.3.64.149:2888", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-7Q1GRN", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: BANK LETTER INDICATION.exe | ReversingLabs: Detection: 31%
Source: Yara match | File source: 0.2.BANK LETTER INDICATION.exe.4075888.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.BANK LETTER INDICATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BANK LETTER INDICATION.exe.3ffcc68.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.BANK LETTER INDICATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BANK LETTER INDICATION.exe.4075888.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BANK LETTER INDICATION.exe.3ffcc68.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1245435166.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: BANK LETTER INDICATION.exe PID: 6988, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: BANK LETTER INDICATION.exe PID: 3212, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: BANK LETTER INDICATION.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Code function: 3_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext
Source: BANK LETTER INDICATION.exe, 00000000.00000002.1245435166.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_0cd51a1d-1

          Exploits

Source: Yara match | File source: 0.2.BANK LETTER INDICATION.exe.4075888.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.BANK LETTER INDICATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BANK LETTER INDICATION.exe.3ffcc68.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.BANK LETTER INDICATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BANK LETTER INDICATION.exe.4075888.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BANK LETTER INDICATION.exe.3ffcc68.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1245435166.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: BANK LETTER INDICATION.exe PID: 6988, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: BANK LETTER INDICATION.exe PID: 3212, type: MEMORYSTR

          Privilege Escalation

Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Code function: 3_2_004074FD _wcslen,CoGetObject
Source: BANK LETTER INDICATION.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: BANK LETTER INDICATION.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: VcJr.pdb source: BANK LETTER INDICATION.exe
Source: Binary string: VcJr.pdbSHA256{ source: BANK LETTER INDICATION.exe
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Code function: 3_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Code function: 3_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Code function: 3_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Code function: 3_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Code function: 3_2_0044E879 FindFirstFileExA
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Code function: 3_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Code function: 3_2_0040783C FindFirstFileW,FindNextFileW
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Code function: 3_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Code function: 3_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Code function: 3_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Code function: 3_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Code function: 4x nop then jmp 02CF3CEAh (0_2_02CF351C)

          Networking

Source: Malware configuration extractor | URLs: 192.3.64.149
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Code function: 3_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: BANK LETTER INDICATION.exe | String found in binary or memory: http://geoplugin.net/json.gp
Source: BANK LETTER INDICATION.exe, 00000000.00000002.1245435166.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, BANK LETTER INDICATION.exe, 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C

          Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Code function: 3_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Code function: 3_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Code function: 3_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Code function: 3_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Code function: 3_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx

          E-Banking Fraud

Source: Yara match | File source: 0.2.BANK LETTER INDICATION.exe.4075888.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.BANK LETTER INDICATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BANK LETTER INDICATION.exe.3ffcc68.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.BANK LETTER INDICATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BANK LETTER INDICATION.exe.4075888.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BANK LETTER INDICATION.exe.3ffcc68.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1245435166.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: BANK LETTER INDICATION.exe PID: 6988, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: BANK LETTER INDICATION.exe PID: 3212, type: MEMORYSTR

          Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Code function: 3_2_0041C9E2 SystemParametersInfoW

          System Summary

Source: 0.2.BANK LETTER INDICATION.exe.4075888.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.BANK LETTER INDICATION.exe.4075888.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.BANK LETTER INDICATION.exe.4075888.3.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.BANK LETTER INDICATION.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.BANK LETTER INDICATION.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.BANK LETTER INDICATION.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.BANK LETTER INDICATION.exe.3ffcc68.6.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.BANK LETTER INDICATION.exe.3ffcc68.6.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.BANK LETTER INDICATION.exe.3ffcc68.6.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.BANK LETTER INDICATION.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.BANK LETTER INDICATION.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.BANK LETTER INDICATION.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.BANK LETTER INDICATION.exe.4075888.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.BANK LETTER INDICATION.exe.4075888.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.BANK LETTER INDICATION.exe.3ffcc68.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.BANK LETTER INDICATION.exe.3ffcc68.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.1245435166.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: BANK LETTER INDICATION.exe PID: 6988, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: BANK LETTER INDICATION.exe PID: 3212, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.BANK LETTER INDICATION.exe.7b40000.7.raw.unpack, -Module-.cs | Large array initialization: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E: array initializer size 3088
Source: 0.2.BANK LETTER INDICATION.exe.2f18850.2.raw.unpack, -Module-.cs | Large array initialization: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E: array initializer size 3088
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Code function: 3_2_004180EF GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Code function: 3_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exeCode function: String function: 00434E10 appears 54 times
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exeCode function: String function: 00402093 appears 50 times
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exeCode function: String function: 00434770 appears 41 times
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exeCode function: String function: 00401E65 appears 34 times
          Source: BANK LETTER INDICATION.exe, 00000000.00000002.1249242251.0000000007B40000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameRT.dll. vs BANK LETTER INDICATION.exe
          Source: BANK LETTER INDICATION.exe, 00000000.00000000.1226432287.0000000000B44000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameVcJr.exe> vs BANK LETTER INDICATION.exe
          Source: BANK LETTER INDICATION.exe, 00000000.00000002.1240360095.000000000114E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs BANK LETTER INDICATION.exe
          Source: BANK LETTER INDICATION.exe, 00000000.00000002.1249348344.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs BANK LETTER INDICATION.exe
          Source: BANK LETTER INDICATION.exe, 00000000.00000002.1244372928.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRT.dll. vs BANK LETTER INDICATION.exe
          Source: BANK LETTER INDICATION.exe | Binary or memory string: OriginalFilenameVcJr.exe> vs BANK LETTER INDICATION.exe
          Source: BANK LETTER INDICATION.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: 0.2.BANK LETTER INDICATION.exe.4075888.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 0.2.BANK LETTER INDICATION.exe.4075888.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 0.2.BANK LETTER INDICATION.exe.4075888.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
          Source: 3.2.BANK LETTER INDICATION.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 3.2.BANK LETTER INDICATION.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 3.2.BANK LETTER INDICATION.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
          Source: 0.2.BANK LETTER INDICATION.exe.3ffcc68.6.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 0.2.BANK LETTER INDICATION.exe.3ffcc68.6.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 0.2.BANK LETTER INDICATION.exe.3ffcc68.6.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
          Source: 3.2.BANK LETTER INDICATION.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 3.2.BANK LETTER INDICATION.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 3.2.BANK LETTER INDICATION.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
          Source: 0.2.BANK LETTER INDICATION.exe.4075888.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 0.2.BANK LETTER INDICATION.exe.4075888.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
          Source: 0.2.BANK LETTER INDICATION.exe.3ffcc68.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 0.2.BANK LETTER INDICATION.exe.3ffcc68.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
          Source: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
          Source: 00000000.00000002.1245435166.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: Process Memory Space: BANK LETTER INDICATION.exe PID: 6988, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: Process Memory Space: BANK LETTER INDICATION.exe PID: 3212, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: BANK LETTER INDICATION.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, USyfnruxiiNouZmwZZ.cs | Security API names: _0020.SetAccessControl
          Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, USyfnruxiiNouZmwZZ.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, USyfnruxiiNouZmwZZ.cs | Security API names: _0020.AddAccessRule
          Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, USyfnruxiiNouZmwZZ.cs | Security API names: _0020.SetAccessControl
          Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, USyfnruxiiNouZmwZZ.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, USyfnruxiiNouZmwZZ.cs | Security API names: _0020.AddAccessRule
          Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, kFNYiTIpTfii78o21e.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, kFNYiTIpTfii78o21e.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, USyfnruxiiNouZmwZZ.cs | Security API names: _0020.SetAccessControl
          Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, USyfnruxiiNouZmwZZ.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, USyfnruxiiNouZmwZZ.cs | Security API names: _0020.AddAccessRule
          Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, kFNYiTIpTfii78o21e.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@5/1@0/0
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Code function: 3_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Code function: 3_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Code function: 3_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Code function: 3_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BANK LETTER INDICATION.exe.log
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Mutant created: NULL
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-7Q1GRN
          Source: BANK LETTER INDICATION.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: BANK LETTER INDICATION.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: BANK LETTER INDICATION.exe | ReversingLabs: Detection: 31%
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | File read: C:\Users\user\Desktop\BANK LETTER INDICATION.exe
          Source: unknown | Process created: C:\Users\user\Desktop\BANK LETTER INDICATION.exe "C:\Users\user\Desktop\BANK LETTER INDICATION.exe"
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Process created: C:\Users\user\Desktop\BANK LETTER INDICATION.exe "C:\Users\user\Desktop\BANK LETTER INDICATION.exe"
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "c:\program files (x86)\internet explorer\iexplore.exe"
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Process created: C:\Users\user\Desktop\BANK LETTER INDICATION.exe "C:\Users\user\Desktop\BANK LETTER INDICATION.exe"
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "c:\program files (x86)\internet explorer\iexplore.exe"
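The process creations above show the chain the rest of the report is built on: the .NET sample starts a second copy of its own image, and that copy (process 3, where the Remcos YARA rules match at 0x400000) starts Internet Explorer. Self re-execution from a profile directory plus a browser launched by something that is not a shell is a tree-shape detection that does not depend on any Remcos string. The checks below are an added example, not Joe Sandbox code; they run over constructed Sysmon-style process-creation records that mirror the report (PIDs 6988 and 3212 are the sample's two processes named in the report; the explorer.exe launcher, its PIDs and the iexplore.exe PID are assumed), and the browser-parent allowlist is an assumption to tune per environment.

```python
"""Process-tree checks for the spawn chain in this report: sample -> copy of itself -> iexplore.exe.
Added example, not Joe Sandbox code; EVENTS are constructed Sysmon-style process-creation records."""
from pathlib import PureWindowsPath

SAMPLE = r"C:\Users\user\Desktop\BANK LETTER INDICATION.exe"
IEXPLORE = r"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

# PIDs 6988 and 3212 are the sample's two processes named in the report; explorer.exe as the
# launcher, its PIDs and the iexplore.exe PID are assumed.
EVENTS = [
    {"pid": 1234, "ppid": 1000, "image": r"C:\Windows\explorer.exe"},
    {"pid": 6988, "ppid": 1234, "image": SAMPLE},
    {"pid": 3212, "ppid": 6988, "image": SAMPLE},
    {"pid": 4416, "ppid": 3212, "image": IEXPLORE},
]
BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
# Parents from which a browser launch is ordinary (assumed allowlist; tune per environment)
BROWSER_PARENT_ALLOWLIST = {"explorer.exe", "userinit.exe", "svchost.exe"} | BROWSERS


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def user_writable(path: str) -> bool:
    """True for images under C:\\Users\\...: a loader run from a profile directory, not Program Files."""
    parts = PureWindowsPath(path).parts
    return len(parts) > 1 and parts[1].lower() == "users"


def index_by_pid(events) -> dict:
    return {e["pid"]: e for e in events}


def find_self_reexec(events) -> list:
    """A process whose parent runs the same image from a user-writable path: the loader starts a
    second copy of itself to host the unpacked payload (the report's process 3)."""
    by_pid = index_by_pid(events)
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent and parent["image"].lower() == e["image"].lower() and user_writable(e["image"]):
            hits.append(e)
    return hits


def find_odd_browser_parents(events) -> list:
    """Browser started by something outside the allowlist (here iexplore.exe under the sample copy)."""
    by_pid = index_by_pid(events)
    hits = []
    for e in events:
        if basename(e["image"]) not in BROWSERS:
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or basename(parent["image"]) not in BROWSER_PARENT_ALLOWLIST:
            hits.append(e)
    return hits


def ancestry(events, pid: int) -> list:
    """Image names from pid up to the first parent we have no record for, for the triage note."""
    by_pid = index_by_pid(events)
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


if __name__ == "__main__":
    for e in find_self_reexec(EVENTS):
        print("self re-exec:", e["pid"], " <- ".join(ancestry(EVENTS, e["pid"])))
    for e in find_odd_browser_parents(EVENTS):
        print("odd browser parent:", e["pid"], " <- ".join(ancestry(EVENTS, e["pid"])))
```

On real telemetry the self re-exec rule fires for browsers and updaters that legitimately relaunch themselves, which is why it is restricted to images under C:\Users; the browser-parent rule is the one that singles out this sample, and `ancestry` gives the full chain for the alert text.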
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Section loaded: mscoree.dll
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Section loaded: version.dll
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Section loaded: profapi.dll
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Section loaded: cryptsp.dll
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Section loaded: rsaenh.dll
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Section loaded: cryptbase.dll
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Section loaded: dwrite.dll
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Section loaded: amsi.dll
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Section loaded: msasn1.dll
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Section loaded: gpapi.dll
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Section loaded: windowscodecs.dll
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Section loaded: winmm.dll
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Section loaded: urlmon.dll
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Section loaded: iertutil.dll
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Section loaded: srvcli.dll
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Section loaded: netutils.dll
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Section loaded: iphlpapi.dll
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Section loaded: rstrtmgr.dll
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Section loaded: ncrypt.dll
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Section loaded: ntasn1.dll
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: BANK LETTER INDICATION.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: BANK LETTER INDICATION.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
          Source: BANK LETTER INDICATION.exe | Static file information: File size 1210368 > 1048576
          Source: BANK LETTER INDICATION.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x121000
          Source: BANK LETTER INDICATION.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: BANK LETTER INDICATION.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: VcJr.pdb source: BANK LETTER INDICATION.exe
          Source: Binary string: VcJr.pdbSHA256{ source: BANK LETTER INDICATION.exe

          Data Obfuscation

          Source: BANK LETTER INDICATION.exe, mainscreen.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
          Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, USyfnruxiiNouZmwZZ.cs | .Net Code: a07XMowFoP System.Reflection.Assembly.Load(byte[])
          Source: 0.2.BANK LETTER INDICATION.exe.7b40000.7.raw.unpack, -Module-.cs | .Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
          Source: 0.2.BANK LETTER INDICATION.exe.7b40000.7.raw.unpack, PingPong.cs | .Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
          Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, USyfnruxiiNouZmwZZ.cs | .Net Code: a07XMowFoP System.Reflection.Assembly.Load(byte[])
          Source: 0.2.BANK LETTER INDICATION.exe.2f18850.2.raw.unpack, -Module-.cs | .Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
          Source: 0.2.BANK LETTER INDICATION.exe.2f18850.2.raw.unpack, PingPong.cs | .Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
          Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, USyfnruxiiNouZmwZZ.cs | .Net Code: a07XMowFoP System.Reflection.Assembly.Load(byte[])
          Source: BANK LETTER INDICATION.exe | Static PE information: 0xF4642AC9 [Sun Dec 6 01:54:17 2099 UTC]
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Code function: 3_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Code function: 0_2_054EEFD5 push esp; retf 0_2_054EEFDC
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Code function: 0_2_054E084A pushfd ; ret 0_2_054E0851
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Code function: 0_2_078F3AD7 push ebx; retf 0_2_078F3ADA
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Code function: 3_2_00457106 push ecx; ret 3_2_00457119
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Code function: 3_2_0045B11A push esp; ret 3_2_0045B141
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Code function: 3_2_0045E54D push esi; ret 3_2_0045E556
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Code function: 3_2_00457A28 push eax; ret 3_2_00457A46
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe | Code function: 3_2_00434E56 push ecx; ret 3_2_00434E69
          Source: BANK LETTER INDICATION.exe | Static PE information: section name: .text entropy: 7.983846811568236
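The static findings in this part of the report (a link time stamp of 0xF4642AC9, which decodes to 6 December 2099, a .text section flagged CODE/EXECUTE/READ whose virtual size exceeds 0x100000, DllCharacteristics DYNAMIC_BASE/NX_COMPAT/NO_SEH/TERMINAL_SERVER_AWARE, and a .text entropy of 7.98 bits per byte) all fall out of a plain PE header walk plus a Shannon entropy calculation, and the "High entropy of concatenated method names" lines that follow apply the same entropy measure to decompiled identifiers. The script below is an added example, not Joe Sandbox's code, that reproduces those checks on a PE image it constructs inline (header values copied from the report, section contents a deterministic SHA-256 chain standing in for packed code); the entropy cut-offs, the 1995-to-now time-stamp window and the analysis date are assumptions.

```python
"""Static PE triage in the report's own terms: COFF time stamp, DllCharacteristics, section flags
and entropy, plus the 'high entropy of concatenated method names' heuristic. Added example, not
Joe Sandbox code. SAMPLE_PE is constructed (not runnable); its time stamp, .text flags and
DllCharacteristics are copied from the report, the thresholds are assumed."""
import hashlib
import math
import struct
from collections import Counter
from datetime import datetime, timezone

DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",        # IMAGE_OPTIONAL_HEADER
                       0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}   # .DllCharacteristics bits
SECTION_FLAGS = {0x00000020: "IMAGE_SCN_CNT_CODE", 0x20000000: "IMAGE_SCN_MEM_EXECUTE",
                 0x40000000: "IMAGE_SCN_MEM_READ", 0x80000000: "IMAGE_SCN_MEM_WRITE"}
PACKED_ENTROPY = 7.0         # assumed: executable sections above this are compressed or encrypted
OBFUSCATED_NAMES = 5.0       # assumed: Joe Sandbox does not publish its cut-off
ANALYSIS_TIME = datetime(2024, 7, 1, tzinfo=timezone.utc)   # assumed analysis date, for reproducibility


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(blob: bytes) -> dict:
    """DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", blob, 0x3C)[0]             # e_lfanew
    if blob[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = pe + 4
    machine, nsec, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    dllchar = struct.unpack_from("<H", blob, opt + 70)[0]     # same offset in PE32 and PE32+
    sections = []
    for i in range(nsec):
        name, vsize, _, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", blob, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rawsize,
                         "flags": [v for k, v in SECTION_FLAGS.items() if chars & k],
                         "entropy": round(shannon_entropy(blob[rawptr:rawptr + rawsize]), 3)})
    return {"machine": machine, "timestamp": tstamp,
            "timestamp_utc": datetime.fromtimestamp(tstamp, tz=timezone.utc),
            "dll_characteristics": [v for k, v in DLL_CHARACTERISTICS.items() if dllchar & k],
            "sections": sections}


def triage(blob: bytes, now=None) -> list:
    """Findings phrased like the report's; pass 'now' to make the time-stamp check reproducible."""
    now = now or datetime.now(timezone.utc)
    info = parse_pe(blob)
    ts = info["timestamp_utc"]
    findings = []
    if ts > now or ts.year < 1995:   # assumed sanity window: a link time in the future is forged
        findings.append(f"suspicious time stamp {info['timestamp']:#010x} [{ts:%Y-%m-%d %H:%M:%S} UTC]")
    for s in info["sections"]:
        if "IMAGE_SCN_MEM_EXECUTE" in s["flags"] and s["entropy"] > PACKED_ENTROPY:
            findings.append(f"section {s['name']} entropy {s['entropy']}: packed or encrypted code")
        if s["virtual_size"] > 0x100000:
            findings.append(f"virtual size of {s['name']} is bigger than 0x100000 ({s['virtual_size']:#x})")
    return findings


def names_entropy(method_names: list) -> float:
    """Entropy of the concatenated names; random identifiers score well above English-like ones."""
    return shannon_entropy("".join(method_names).encode())


def pseudo_random_bytes(n: int, seed: bytes = b"constructed .text") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for packed code."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_pe(timestamp: int, text_data: bytes) -> bytes:
    """Constructed PE32 with one .text section (CODE|EXECUTE|READ) and the report's DllCharacteristics."""
    dos = bytearray(b"MZ") + bytearray(62)
    struct.pack_into("<I", dos, 0x3C, 64)                    # e_lfanew: PE header follows the DOS header
    opt = bytearray(224)                                     # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<H", opt, 70, 0x0040 | 0x0100 | 0x0400 | 0x8000)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, len(opt), 0x0102)  # i386, EXECUTABLE_IMAGE|32BIT_MACHINE
    raw_ptr = 64 + 4 + 20 + len(opt) + 40
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x121000, 0x2000, len(text_data), raw_ptr,
                          0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section + text_data


SAMPLE_PE = build_sample_pe(0xF4642AC9, pseudo_random_bytes(8192))
OBFUSCATED_SAMPLE = ["O3ryO6Zxuw", "d5JyN2pU3g", "FpEyMwKeCw", "GsDyC9RbA9", "ACayRpG92R",   # copied from the
                     "KNqywOC3m1", "T8TyJSAHBw", "tIryI3pht2", "C4qyiy96Lg", "euYynUNE7E"]   # UhWlHV8ilu8c5OKuiT.cs finding
PLAIN_SAMPLE = ["Dispose", "ToString", "GetHashCode", "Equals", "InitializeComponent",
                "ProcessDialogKey", "CanConvertFrom", "ConvertTo", "Next", "NextBytes"]

if __name__ == "__main__":
    for line in triage(SAMPLE_PE, now=ANALYSIS_TIME):
        print(line)
    for names in (OBFUSCATED_SAMPLE, PLAIN_SAMPLE):
        print(f"names entropy {names_entropy(names):.2f} obfuscated={names_entropy(names) > OBFUSCATED_NAMES}")
```

Run stand-alone it prints the three findings for the constructed image and the two name scores. On a real file, `parse_pe(open(path, "rb").read())` returns the same fields. The method-name heuristic is noisy on small sets: ten ordinary .NET names already score about 4.5 bits against roughly 5.2 for the ten obfuscated ones, so the 5.0 cut-off separates this report's case but should be treated as a starting point rather than a verdict, and the time-stamp check only catches link times outside the window (an attacker who back-dates into it is not flagged).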
          Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, UhWlHV8ilu8c5OKuiT.cs | High entropy of concatenated method names: 'O3ryO6Zxuw', 'd5JyN2pU3g', 'FpEyMwKeCw', 'GsDyC9RbA9', 'ACayRpG92R', 'KNqywOC3m1', 'T8TyJSAHBw', 'tIryI3pht2', 'C4qyiy96Lg', 'euYynUNE7E'
          Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, zmp1RbqNBb9Chb4FIJ.cs | High entropy of concatenated method names: 'rWSbKjcvSP', 'XgWbED73sx', 'ToString', 'ouhbpc0ShF', 'SjebAIjLZw', 'f4sbFrFe8p', 'xXCbo5hVOO', 'WtablafgFX', 'GC3byPAumv', 'RbNbuGx8Jx'
          Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, faXMxiTgJrofCnucov.cs | High entropy of concatenated method names: 'A5nM60ZMi', 'br4C5KypS', 'qa5w3DrAX', 'Iy7J9RauQ', 'HCxiDl6mD', 'fqRntLFRs', 'badCV00KNgWKkkPWvV', 'i4xsN2IbvqbBprnfwF', 'bbiaIfCG7', 'M0BcmwgJs'
          Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, Us2EPTvVHm95rOGEiv.cs | High entropy of concatenated method names: 'sH5Bop9tOHOLndJ5eXU', 'OCMgn795AHwW2lILHRE', 'FW9kfE9krPJVrYiKPpl', 'xBflaaxLNt', 'Fb8l6Dx2Nc', 'yPClcTJRDv', 'DCBhEb9R0jIvr0ghfti', 'EmKhnV9TkL62utNEeTH'
          Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, yfoh7wXsID2Kr7PUiv.cs | High entropy of concatenated method names: 'DG5GyFNYiT', 'fTfGuii78o', 'eWrGK4TVUI', 'OfsGEDIVAh', 'CbdGWbCYfi', 'cVOGxCNqjq', 'yQS7RLYbdCrR75Lfx8', 'L2yDQ1xkLV9j5gB8WB', 'lmTGG9i6x6', 'XVHGkvrJiR'
          Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, YfikVOtCNqjqoRIwC6.cs | High entropy of concatenated method names: 'Mf0ld8yhS6', 'MdclAo97vx', 'aKmloc84Hu', 'xpclyqOJS5', 'NDalu1O9Me', 'g2roHDpblV', 'bTPoSocp3U', 'EtUoQs3iiQ', 'DX8ogh5De5', 'eBUo0IN2wn'
          Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, nL1hwcSIVJlMqDRIuZ.cs | High entropy of concatenated method names: 'qaMbgfpPAu', 'gCobY7PUby', 'XejaBJAQyR', 'OswaGCwR5M', 'VnPbme3GEp', 'Muwb7hc63d', 'DhkbruwnE0', 'Yt2bVFr1w3', 'UFhb1CKMqB', 'bXhbsADkEh'
          Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, u1vZusAkCoRsMkmLV0.cs | High entropy of concatenated method names: 'Dispose', 'DsuG04eRDk', 'rdvTvpIQNX', 'lGkxxa89YE', 'fEDGYC106e', 'LH4GzY63nY', 'ProcessDialogKey', 'mmpTByhesp', 'aaZTGLJLqV', 'v8tTT109do'
          Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, NS6k6QGkGS1yoLa0kJQ.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UbxcV3Ks7W', 'hTmc1GDbMY', 'WOkcsckGc8', 'DIQcqWgOmM', 'JIrcHgOMr4', 'DSjcSDVv0W', 'WFVcQRaPn8'
          Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, JVkWLXiWr4TVUImfsD.cs | High entropy of concatenated method names: 'IhRFCSAUTK', 'UC9FwKjd0V', 'PIiFIuleOe', 'epDFivJiEw', 'HXcFWrhjwT', 'RQkFxKd5rb', 'rbRFbhTy5C', 'pHpFaAfrAr', 'GGbF68YY8A', 'DlYFcVjllN'
          Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, fyhesp0BaZLJLqV38t.cs | High entropy of concatenated method names: 'Glfatqfcdx', 'f1FavLZhcf', 'q8ja9G3mSh', 'C3Wa2NfPiP', 'QG8aVJDoHS', 'QcoahlU8ZG', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, i1CxnMDtf7Z4XDkeIp.cs | High entropy of concatenated method names: 'vscypeDsYe', 'FkryFO0aaV', 'ChJylKjrJ6', 'JM6lYUXWEQ', 'nyblzL211s', 'zVJyBDk4uA', 'gKcyGlVDnd', 'PslyTqlE3L', 'awxykFStmA', 'xioyXoLP01'
          Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, USyfnruxiiNouZmwZZ.cs | High entropy of concatenated method names: 'WZ7kdSPJ6O', 'BqhkpLq2b4', 'unokAOKNa6', 'd5dkFUkdkI', 'kJ4kooAmYc', 'JDJklTOe9b', 'fStkyq4Dbh', 'qjckuKwf46', 'tXqk5cY9db', 'ecjkKpGPU8'
          Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, T7HIrKGBXsoNjHLmmUi.cs | High entropy of concatenated method names: 'cUg6O32us5', 'BAe6NWvgtt', 'vNF6Mr4LOn', 'Cyk6CvWZqA', 'gAS6RgQeYe', 'JKG6wpGM2E', 'mTR6JwcKrt', 'KqM6IyfRcQ', 'nme6i5kdrC', 'dvU6njMkEX'
          Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, R6nN6WrWJpaIfPt4NY.cs | High entropy of concatenated method names: 'mQGfIKxEuN', 'GqPfibf4GF', 'zvPftvP2sk', 'y4rfv81lvT', 'N8bf243OLU', 'sl3fhyACU0', 'HQYfD2Nfk1', 'boKfeQM9ou', 'kJlfPIAMmP', 'Mi2fmcaYCP'
          Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, R09dohYLb0ViIQb8a3.cs | High entropy of concatenated method names: 'D3Z6G8v7fo', 'Ylk6kKJuv3', 'n7x6XovKuQ', 'kSR6pKOuGq', 'gdu6Aht6WD', 'B8Q6ojk7eX', 'fWp6liXOV0', 'dVaaQDg7Ss', 'TDkag3Q8hK', 'cD8a0T8Z5Z'
          Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, DhdG8XVr3HrxhiuhNC.cs | High entropy of concatenated method names: 'llFWPt1Dfk', 'JcLW76QjRD', 'TIvWVDac01', 'gK2W19D7Kc', 'FiTWvYCN3t', 'LAbW9xiTDa', 'vviW2ym8Cf', 'RG2Whe21t0', 'BMQWUZHI5X', 'ROfWDGxsDi'
          Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, EVAhlqnC6pIITJbdbC.cs | High entropy of concatenated method names: 'hLuoRIGaVL', 'aIkoJ8PfPe', 'urPF99jxBn', 'TGIF2LK7UT', 'p7aFhBIfJl', 'qKBFUm8pv4', 'bHIFDEwaNt', 'iGgFeXPZg4', 'NhsF8vAt6L', 'jk4FPmS4cm'
          Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, kFNYiTIpTfii78o21e.cs | High entropy of concatenated method names: 'BA4AVAkLKt', 'mbeA1GVcfZ', 'DkRAsfPOF9', 'eXWAqEy5WK', 'YHTAHe5iGi', 'aVLASkuVO7', 'CTwAQgPso1', 'EieAgoMUUG', 'Rv5A0WosAN', 'Di8AYY0xyI'
          Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, nDC106geDH4Y63nYKm.cs | High entropy of concatenated method names: 'drrapZDh8q', 'P94aAq7Slu', 'sfxaFSFw8a', 'sYtaoA1U0F', 'YKvalFj4AM', 'lTWayfWAKe', 'NluauLrokk', 'NiWa5X0GDp', 'v90aKWdYok', 'j2yaECyfdi'
          Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, UhWlHV8ilu8c5OKuiT.cs | High entropy of concatenated method names: 'O3ryO6Zxuw', 'd5JyN2pU3g', 'FpEyMwKeCw', 'GsDyC9RbA9', 'ACayRpG92R', 'KNqywOC3m1', 'T8TyJSAHBw', 'tIryI3pht2', 'C4qyiy96Lg', 'euYynUNE7E'
          Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, zmp1RbqNBb9Chb4FIJ.cs | High entropy of concatenated method names: 'rWSbKjcvSP', 'XgWbED73sx', 'ToString', 'ouhbpc0ShF', 'SjebAIjLZw', 'f4sbFrFe8p', 'xXCbo5hVOO', 'WtablafgFX', 'GC3byPAumv', 'RbNbuGx8Jx'
          Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, faXMxiTgJrofCnucov.cs | High entropy of concatenated method names: 'A5nM60ZMi', 'br4C5KypS', 'qa5w3DrAX', 'Iy7J9RauQ', 'HCxiDl6mD', 'fqRntLFRs', 'badCV00KNgWKkkPWvV', 'i4xsN2IbvqbBprnfwF', 'bbiaIfCG7', 'M0BcmwgJs'
          Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, Us2EPTvVHm95rOGEiv.cs | High entropy of concatenated method names: 'sH5Bop9tOHOLndJ5eXU', 'OCMgn795AHwW2lILHRE', 'FW9kfE9krPJVrYiKPpl', 'xBflaaxLNt', 'Fb8l6Dx2Nc', 'yPClcTJRDv', 'DCBhEb9R0jIvr0ghfti', 'EmKhnV9TkL62utNEeTH'
          Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, yfoh7wXsID2Kr7PUiv.cs | High entropy of concatenated method names: 'DG5GyFNYiT', 'fTfGuii78o', 'eWrGK4TVUI', 'OfsGEDIVAh', 'CbdGWbCYfi', 'cVOGxCNqjq', 'yQS7RLYbdCrR75Lfx8', 'L2yDQ1xkLV9j5gB8WB', 'lmTGG9i6x6', 'XVHGkvrJiR'
          Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, YfikVOtCNqjqoRIwC6.cs | High entropy of concatenated method names: 'Mf0ld8yhS6', 'MdclAo97vx', 'aKmloc84Hu', 'xpclyqOJS5', 'NDalu1O9Me', 'g2roHDpblV', 'bTPoSocp3U', 'EtUoQs3iiQ', 'DX8ogh5De5', 'eBUo0IN2wn'
          Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, nL1hwcSIVJlMqDRIuZ.cs | High entropy of concatenated method names: 'qaMbgfpPAu', 'gCobY7PUby', 'XejaBJAQyR', 'OswaGCwR5M', 'VnPbme3GEp', 'Muwb7hc63d', 'DhkbruwnE0', 'Yt2bVFr1w3', 'UFhb1CKMqB', 'bXhbsADkEh'
          Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, u1vZusAkCoRsMkmLV0.cs | High entropy of concatenated method names: 'Dispose', 'DsuG04eRDk', 'rdvTvpIQNX', 'lGkxxa89YE', 'fEDGYC106e', 'LH4GzY63nY', 'ProcessDialogKey', 'mmpTByhesp', 'aaZTGLJLqV', 'v8tTT109do'
          Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, NS6k6QGkGS1yoLa0kJQ.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UbxcV3Ks7W', 'hTmc1GDbMY', 'WOkcsckGc8', 'DIQcqWgOmM', 'JIrcHgOMr4', 'DSjcSDVv0W', 'WFVcQRaPn8'
          Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, JVkWLXiWr4TVUImfsD.cs | High entropy of concatenated method names: 'IhRFCSAUTK', 'UC9FwKjd0V', 'PIiFIuleOe', 'epDFivJiEw', 'HXcFWrhjwT', 'RQkFxKd5rb', 'rbRFbhTy5C', 'pHpFaAfrAr', 'GGbF68YY8A', 'DlYFcVjllN'
          Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, fyhesp0BaZLJLqV38t.cs | High entropy of concatenated method names: 'Glfatqfcdx', 'f1FavLZhcf', 'q8ja9G3mSh', 'C3Wa2NfPiP', 'QG8aVJDoHS', 'QcoahlU8ZG', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, i1CxnMDtf7Z4XDkeIp.csHigh entropy of concatenated method names: 'vscypeDsYe', 'FkryFO0aaV', 'ChJylKjrJ6', 'JM6lYUXWEQ', 'nyblzL211s', 'zVJyBDk4uA', 'gKcyGlVDnd', 'PslyTqlE3L', 'awxykFStmA', 'xioyXoLP01'
          Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, USyfnruxiiNouZmwZZ.csHigh entropy of concatenated method names: 'WZ7kdSPJ6O', 'BqhkpLq2b4', 'unokAOKNa6', 'd5dkFUkdkI', 'kJ4kooAmYc', 'JDJklTOe9b', 'fStkyq4Dbh', 'qjckuKwf46', 'tXqk5cY9db', 'ecjkKpGPU8'
          Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, T7HIrKGBXsoNjHLmmUi.csHigh entropy of concatenated method names: 'cUg6O32us5', 'BAe6NWvgtt', 'vNF6Mr4LOn', 'Cyk6CvWZqA', 'gAS6RgQeYe', 'JKG6wpGM2E', 'mTR6JwcKrt', 'KqM6IyfRcQ', 'nme6i5kdrC', 'dvU6njMkEX'
          Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, R6nN6WrWJpaIfPt4NY.csHigh entropy of concatenated method names: 'mQGfIKxEuN', 'GqPfibf4GF', 'zvPftvP2sk', 'y4rfv81lvT', 'N8bf243OLU', 'sl3fhyACU0', 'HQYfD2Nfk1', 'boKfeQM9ou', 'kJlfPIAMmP', 'Mi2fmcaYCP'
          Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, R09dohYLb0ViIQb8a3.csHigh entropy of concatenated method names: 'D3Z6G8v7fo', 'Ylk6kKJuv3', 'n7x6XovKuQ', 'kSR6pKOuGq', 'gdu6Aht6WD', 'B8Q6ojk7eX', 'fWp6liXOV0', 'dVaaQDg7Ss', 'TDkag3Q8hK', 'cD8a0T8Z5Z'
          Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, DhdG8XVr3HrxhiuhNC.csHigh entropy of concatenated method names: 'llFWPt1Dfk', 'JcLW76QjRD', 'TIvWVDac01', 'gK2W19D7Kc', 'FiTWvYCN3t', 'LAbW9xiTDa', 'vviW2ym8Cf', 'RG2Whe21t0', 'BMQWUZHI5X', 'ROfWDGxsDi'
          Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, EVAhlqnC6pIITJbdbC.csHigh entropy of concatenated method names: 'hLuoRIGaVL', 'aIkoJ8PfPe', 'urPF99jxBn', 'TGIF2LK7UT', 'p7aFhBIfJl', 'qKBFUm8pv4', 'bHIFDEwaNt', 'iGgFeXPZg4', 'NhsF8vAt6L', 'jk4FPmS4cm'
          Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, kFNYiTIpTfii78o21e.csHigh entropy of concatenated method names: 'BA4AVAkLKt', 'mbeA1GVcfZ', 'DkRAsfPOF9', 'eXWAqEy5WK', 'YHTAHe5iGi', 'aVLASkuVO7', 'CTwAQgPso1', 'EieAgoMUUG', 'Rv5A0WosAN', 'Di8AYY0xyI'
          Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, nDC106geDH4Y63nYKm.csHigh entropy of concatenated method names: 'drrapZDh8q', 'P94aAq7Slu', 'sfxaFSFw8a', 'sYtaoA1U0F', 'YKvalFj4AM', 'lTWayfWAKe', 'NluauLrokk', 'NiWa5X0GDp', 'v90aKWdYok', 'j2yaECyfdi'
          Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, UhWlHV8ilu8c5OKuiT.csHigh entropy of concatenated method names: 'O3ryO6Zxuw', 'd5JyN2pU3g', 'FpEyMwKeCw', 'GsDyC9RbA9', 'ACayRpG92R', 'KNqywOC3m1', 'T8TyJSAHBw', 'tIryI3pht2', 'C4qyiy96Lg', 'euYynUNE7E'
          Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, zmp1RbqNBb9Chb4FIJ.csHigh entropy of concatenated method names: 'rWSbKjcvSP', 'XgWbED73sx', 'ToString', 'ouhbpc0ShF', 'SjebAIjLZw', 'f4sbFrFe8p', 'xXCbo5hVOO', 'WtablafgFX', 'GC3byPAumv', 'RbNbuGx8Jx'
          Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, faXMxiTgJrofCnucov.csHigh entropy of concatenated method names: 'A5nM60ZMi', 'br4C5KypS', 'qa5w3DrAX', 'Iy7J9RauQ', 'HCxiDl6mD', 'fqRntLFRs', 'badCV00KNgWKkkPWvV', 'i4xsN2IbvqbBprnfwF', 'bbiaIfCG7', 'M0BcmwgJs'
          Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, Us2EPTvVHm95rOGEiv.csHigh entropy of concatenated method names: 'sH5Bop9tOHOLndJ5eXU', 'OCMgn795AHwW2lILHRE', 'FW9kfE9krPJVrYiKPpl', 'xBflaaxLNt', 'Fb8l6Dx2Nc', 'yPClcTJRDv', 'DCBhEb9R0jIvr0ghfti', 'EmKhnV9TkL62utNEeTH'
          Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, yfoh7wXsID2Kr7PUiv.csHigh entropy of concatenated method names: 'DG5GyFNYiT', 'fTfGuii78o', 'eWrGK4TVUI', 'OfsGEDIVAh', 'CbdGWbCYfi', 'cVOGxCNqjq', 'yQS7RLYbdCrR75Lfx8', 'L2yDQ1xkLV9j5gB8WB', 'lmTGG9i6x6', 'XVHGkvrJiR'
          Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, YfikVOtCNqjqoRIwC6.csHigh entropy of concatenated method names: 'Mf0ld8yhS6', 'MdclAo97vx', 'aKmloc84Hu', 'xpclyqOJS5', 'NDalu1O9Me', 'g2roHDpblV', 'bTPoSocp3U', 'EtUoQs3iiQ', 'DX8ogh5De5', 'eBUo0IN2wn'
          Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, nL1hwcSIVJlMqDRIuZ.csHigh entropy of concatenated method names: 'qaMbgfpPAu', 'gCobY7PUby', 'XejaBJAQyR', 'OswaGCwR5M', 'VnPbme3GEp', 'Muwb7hc63d', 'DhkbruwnE0', 'Yt2bVFr1w3', 'UFhb1CKMqB', 'bXhbsADkEh'
          Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, u1vZusAkCoRsMkmLV0.csHigh entropy of concatenated method names: 'Dispose', 'DsuG04eRDk', 'rdvTvpIQNX', 'lGkxxa89YE', 'fEDGYC106e', 'LH4GzY63nY', 'ProcessDialogKey', 'mmpTByhesp', 'aaZTGLJLqV', 'v8tTT109do'
          Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, NS6k6QGkGS1yoLa0kJQ.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UbxcV3Ks7W', 'hTmc1GDbMY', 'WOkcsckGc8', 'DIQcqWgOmM', 'JIrcHgOMr4', 'DSjcSDVv0W', 'WFVcQRaPn8'
          Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, JVkWLXiWr4TVUImfsD.csHigh entropy of concatenated method names: 'IhRFCSAUTK', 'UC9FwKjd0V', 'PIiFIuleOe', 'epDFivJiEw', 'HXcFWrhjwT', 'RQkFxKd5rb', 'rbRFbhTy5C', 'pHpFaAfrAr', 'GGbF68YY8A', 'DlYFcVjllN'
          Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, fyhesp0BaZLJLqV38t.csHigh entropy of concatenated method names: 'Glfatqfcdx', 'f1FavLZhcf', 'q8ja9G3mSh', 'C3Wa2NfPiP', 'QG8aVJDoHS', 'QcoahlU8ZG', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, i1CxnMDtf7Z4XDkeIp.csHigh entropy of concatenated method names: 'vscypeDsYe', 'FkryFO0aaV', 'ChJylKjrJ6', 'JM6lYUXWEQ', 'nyblzL211s', 'zVJyBDk4uA', 'gKcyGlVDnd', 'PslyTqlE3L', 'awxykFStmA', 'xioyXoLP01'
          Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, USyfnruxiiNouZmwZZ.csHigh entropy of concatenated method names: 'WZ7kdSPJ6O', 'BqhkpLq2b4', 'unokAOKNa6', 'd5dkFUkdkI', 'kJ4kooAmYc', 'JDJklTOe9b', 'fStkyq4Dbh', 'qjckuKwf46', 'tXqk5cY9db', 'ecjkKpGPU8'
          Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, T7HIrKGBXsoNjHLmmUi.csHigh entropy of concatenated method names: 'cUg6O32us5', 'BAe6NWvgtt', 'vNF6Mr4LOn', 'Cyk6CvWZqA', 'gAS6RgQeYe', 'JKG6wpGM2E', 'mTR6JwcKrt', 'KqM6IyfRcQ', 'nme6i5kdrC', 'dvU6njMkEX'
          Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, R6nN6WrWJpaIfPt4NY.csHigh entropy of concatenated method names: 'mQGfIKxEuN', 'GqPfibf4GF', 'zvPftvP2sk', 'y4rfv81lvT', 'N8bf243OLU', 'sl3fhyACU0', 'HQYfD2Nfk1', 'boKfeQM9ou', 'kJlfPIAMmP', 'Mi2fmcaYCP'
          Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, R09dohYLb0ViIQb8a3.csHigh entropy of concatenated method names: 'D3Z6G8v7fo', 'Ylk6kKJuv3', 'n7x6XovKuQ', 'kSR6pKOuGq', 'gdu6Aht6WD', 'B8Q6ojk7eX', 'fWp6liXOV0', 'dVaaQDg7Ss', 'TDkag3Q8hK', 'cD8a0T8Z5Z'
          Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, DhdG8XVr3HrxhiuhNC.csHigh entropy of concatenated method names: 'llFWPt1Dfk', 'JcLW76QjRD', 'TIvWVDac01', 'gK2W19D7Kc', 'FiTWvYCN3t', 'LAbW9xiTDa', 'vviW2ym8Cf', 'RG2Whe21t0', 'BMQWUZHI5X', 'ROfWDGxsDi'
          Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, EVAhlqnC6pIITJbdbC.csHigh entropy of concatenated method names: 'hLuoRIGaVL', 'aIkoJ8PfPe', 'urPF99jxBn', 'TGIF2LK7UT', 'p7aFhBIfJl', 'qKBFUm8pv4', 'bHIFDEwaNt', 'iGgFeXPZg4', 'NhsF8vAt6L', 'jk4FPmS4cm'
          Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, kFNYiTIpTfii78o21e.csHigh entropy of concatenated method names: 'BA4AVAkLKt', 'mbeA1GVcfZ', 'DkRAsfPOF9', 'eXWAqEy5WK', 'YHTAHe5iGi', 'aVLASkuVO7', 'CTwAQgPso1', 'EieAgoMUUG', 'Rv5A0WosAN', 'Di8AYY0xyI'
          Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, nDC106geDH4Y63nYKm.csHigh entropy of concatenated method names: 'drrapZDh8q', 'P94aAq7Slu', 'sfxaFSFw8a', 'sYtaoA1U0F', 'YKvalFj4AM', 'lTWayfWAKe', 'NluauLrokk', 'NiWa5X0GDp', 'v90aKWdYok', 'j2yaECyfdi'
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_00406EB0 ShellExecuteW,URLDownloadToFileW, 3_2_00406EB0
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 3_2_0041AA4A
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 3_2_0041CB50
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: Yara match File source: Process Memory Space: BANK LETTER INDICATION.exe PID: 6988, type: MEMORYSTR
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0040F7A7 Sleep,ExitProcess, 3_2_0040F7A7
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Memory allocated: 2C60000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Memory allocated: 2EF0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Memory allocated: 2C60000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Memory allocated: 7CA0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Memory allocated: 8CA0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Memory allocated: 8E50000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Memory allocated: 9E50000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Memory allocated: A1B0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Memory allocated: B1B0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Memory allocated: 8E50000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Memory allocated: A1B0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Memory allocated: B1B0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 3_2_0041A748
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe TID: 6944 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 3_2_00409253
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 3_2_0041C291
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 3_2_0040C34D
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 3_2_00409665
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0044E879 FindFirstFileExA, 3_2_0044E879
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 3_2_0040880C
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0040783C FindFirstFileW,FindNextFileW, 3_2_0040783C
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 3_2_00419AF5
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 3_2_0040BB30
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 3_2_0040BD37
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 3_2_00407C97
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_004349F9
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 3_2_0041CB50
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_004432B5 mov eax, dword ptr fs:[00000030h] 3_2_004432B5
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_00412077 GetProcessHeap,HeapFree, 3_2_00412077
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_004349F9
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_00434B47 SetUnhandledExceptionFilter, 3_2_00434B47
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0043BB22
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00434FDC
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_004180EF GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError, 3_2_004180EF
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Memory written: C:\Users\user\Desktop\BANK LETTER INDICATION.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Section loaded: NULL target: C:\Program Files (x86)\Internet Explorer\iexplore.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 2A45008
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 3_2_004120F7
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_00419627 mouse_event, 3_2_00419627
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process created: C:\Users\user\Desktop\BANK LETTER INDICATION.exe "C:\Users\user\Desktop\BANK LETTER INDICATION.exe"
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "c:\program files (x86)\internet explorer\iexplore.exe"
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_00434C52 cpuid 3_2_00434C52
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: EnumSystemLocalesW, 3_2_00452036
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 3_2_004520C3
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: GetLocaleInfoW, 3_2_00452313
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: EnumSystemLocalesW, 3_2_00448404
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_0045243C
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: GetLocaleInfoW, 3_2_00452543
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_00452610
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: GetLocaleInfoA, 3_2_0040F8D1
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: GetLocaleInfoW, 3_2_004488ED
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 3_2_00451CD8
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: EnumSystemLocalesW, 3_2_00451F50
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: EnumSystemLocalesW, 3_2_00451F9B
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Queries volume information: C:\Users\user\Desktop\BANK LETTER INDICATION.exe VolumeInformation
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0040B164 GetLocalTime,wsprintfW, 3_2_0040B164
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0041B60D GetUserNameW, 3_2_0041B60D
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 3_2_00449190
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          Source: Yara match File source: 0.2.BANK LETTER INDICATION.exe.4075888.3.unpack, type: UNPACKEDPE
          Source: Yara match File source: 3.2.BANK LETTER INDICATION.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.BANK LETTER INDICATION.exe.3ffcc68.6.unpack, type: UNPACKEDPE
          Source: Yara match File source: 3.2.BANK LETTER INDICATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.BANK LETTER INDICATION.exe.4075888.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.BANK LETTER INDICATION.exe.3ffcc68.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.1245435166.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: BANK LETTER INDICATION.exe PID: 6988, type: MEMORYSTR
          Source: Yara match File source: Process Memory Space: BANK LETTER INDICATION.exe PID: 3212, type: MEMORYSTR
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 3_2_0040BA12
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 3_2_0040BB30
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: \key3.db 3_2_0040BB30

          Remote Access Functionality

          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-7Q1GRN
          Source: Yara match File source: 0.2.BANK LETTER INDICATION.exe.4075888.3.unpack, type: UNPACKEDPE
          Source: Yara match File source: 3.2.BANK LETTER INDICATION.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.BANK LETTER INDICATION.exe.3ffcc68.6.unpack, type: UNPACKEDPE
          Source: Yara match File source: 3.2.BANK LETTER INDICATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.BANK LETTER INDICATION.exe.4075888.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.BANK LETTER INDICATION.exe.3ffcc68.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.1245435166.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: BANK LETTER INDICATION.exe PID: 6988, type: MEMORYSTR
          Source: Yara match File source: Process Memory Space: BANK LETTER INDICATION.exe PID: 3212, type: MEMORYSTR
          Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: cmd.exe 3_2_0040569A
          Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
          Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 11 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
          Credentials | Domains | Default Accounts | 1 Command and Scripting Interpreter | 1 Windows Service | 1 Bypass User Account Control | 1 Deobfuscate/Decode Files or Information | 111 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 111 Input Capture | 2 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement
          Email Addresses | DNS Server | Domain Accounts | 2 Service Execution | Logon Script (Windows) | 1 Access Token Manipulation | 4 Obfuscated Files or Information | 2 Credentials In Files | 1 System Service Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Remote Access Software | Automated Exfiltration | Data Encrypted for Impact
          Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Windows Service | 12 Software Packing | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | 1 Application Layer Protocol | Traffic Duplication | Data Destruction
          Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 421 Process Injection | 1 Timestomp | LSA Secrets | 33 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
          Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 2 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
          DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Bypass User Account Control | DCSync | 31 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
          Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Masquerading | Proc Filesystem | 2 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
          Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 31 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
          IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 Access Token Manipulation | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
          Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 421 Process Injection | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet

          Source | Detection | Scanner | Label | Link
          BANK LETTER INDICATION.exe | 32% | ReversingLabs | ByteCode-MSIL.Trojan.Remcos |
          BANK LETTER INDICATION.exe | 100% | Joe Sandbox ML | |
          No Antivirus matches
          Source | Detection | Scanner | Label | Link
          http://geoplugin.net/json.gp | 0% | URL Reputation | safe |
          http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe |
          192.3.64.149 | 0% | Avira URL Cloud | safe |
          No contacted domains info
          Name | Malicious | Antivirus Detection | Reputation
          192.3.64.149 | true | Avira URL Cloud: safe | unknown
          Name | Source | Malicious | Antivirus Detection | Reputation
          http://geoplugin.net/json.gp | BANK LETTER INDICATION.exe | false | URL Reputation: safe | unknown
          http://geoplugin.net/json.gp/C | BANK LETTER INDICATION.exe, 00000000.00000002.1245435166.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, BANK LETTER INDICATION.exe, 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          No contacted IP infos
          Joe Sandbox version: 40.0.0 Tourmaline
          Analysis ID: 1467081
          Start date and time: 2024-07-03 17:50:32 +02:00
          Joe Sandbox product: CloudBasic
          Overall analysis duration: 0h 6m 22s
          Hypervisor based Inspection enabled: false
          Report type: full
          Cookbook file name: default.jbs
          Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Number of new started processes analysed: 19
          Number of new started drivers analysed: 0
          Number of existing processes analysed: 0
          Number of existing drivers analysed: 0
          Number of injected processes analysed: 0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode: default
          Analysis stop reason: Timeout
          Sample name: BANK LETTER INDICATION.exe
          Detection: MAL
          Classification: mal100.rans.troj.spyw.expl.evad.winEXE@5/1@0/0
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 95%
          • Number of executed functions: 233
          • Number of non-executed functions: 223
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
          • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
          • Not all processes were analyzed; the report is missing behavior information
          • VT rate limit hit for: BANK LETTER INDICATION.exe
          Time | Type | Description
          11:51:24 | API Interceptor | 1x Sleep call for process: BANK LETTER INDICATION.exe modified
          No context
          Process: C:\Users\user\Desktop\BANK LETTER INDICATION.exe
          File Type: ASCII text, with CRLF line terminators
          Category: dropped
          Size (bytes): 1216
          Entropy (8bit): 5.34331486778365
          Encrypted: false
          SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
          MD5: 1330C80CAAC9A0FB172F202485E9B1E8
          SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
          SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
          SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
          Malicious: true
          Reputation: high, very likely benign file
          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
          File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
          Entropy (8bit): 7.963947151147331
          TrID:
          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
          • Win32 Executable (generic) a (10002005/4) 49.75%
          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
          • Windows Screen Saver (13104/52) 0.07%
          • Generic Win/DOS Executable (2004/3) 0.01%
          File name: BANK LETTER INDICATION.exe
          File size: 1'210'368 bytes
          MD5: b0fd67ec3db079fd398d7f2fa7ad45bc
          SHA1: a8bfe4c1fc745e35cde2acf1164c9ed92363df7d
          SHA256: 89d5d25cd020213d6426f13296765683202542062cdcfb10b611d46a65d38d0f
          SHA512: bf0d480dc4b79a7c4e903741131ce59431bcc1acaf9f503c8e7f936e3fee56e3b1a0249d8764a638cb88444ea985c767f4ae0769362aed8568675ea248c16955
          SSDEEP: 24576:BXrUP6Zdhmvcihyofx0xs+8I0I/yXSBHanjgFbosgA19o:BbUPf0ehysMBHanj4bt9o
          TLSH: C445232466B59AB5C93407F59036120403F2ED7EA262EF1E1FE771EB087376185AAE13
          File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*d...............0......f......z/... ...@....@.. ....................................@................................
          Icon Hash: 66666667e69c310e
          Entrypoint: 0x522f7a
          Entrypoint Section: .text
          Digitally signed: false
          Imagebase: 0x400000
          Subsystem: windows gui
          Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
          DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Time Stamp: 0xF4642AC9 [Sun Dec 6 01:54:17 2099 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major: 4
          OS Version Minor: 0
          File Version Major: 4
          File Version Minor: 0
          Subsystem Version Major: 4
          Subsystem Version Minor: 0
          Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
          Instruction
          jmp dword ptr [00402000h]
          Name | Virtual Address | Virtual Size | Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x122f27 | 0x4f | .text
          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x124000 | 0x6400 | .rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x12c000 | 0xc | .reloc
          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x121208 | 0x70 | .text
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
          .text | 0x2000 | 0x120f80 | 0x121000 | 7b7076daf0543e7c9d41c7241cd7d190 | False | 0.977489220642301 | data | 7.983846811568236 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          .rsrc | 0x124000 | 0x6400 | 0x6400 | 46e91b17f75608bab9eb1df878211f6a | False | 0.395546875 | data | 5.1482733960238125 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .reloc | 0x12c000 | 0xc | 0x200 | 78b8cc8e784fd76909028c13f88124e8 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
          RT_ICON | 0x1241e0 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | | | 0.2701612903225806
          RT_ICON | 0x1244d8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | | | 0.4966216216216216
          RT_ICON | 0x124610 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.5439765458422174
          RT_ICON | 0x1254c8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.6656137184115524
          RT_ICON | 0x125d80 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.5021676300578035
          RT_ICON | 0x1262f8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.3157676348547718
          RT_ICON | 0x1288b0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | | | 0.4090056285178236
          RT_ICON | 0x129968 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | | | 0.5859929078014184
          RT_GROUP_ICON | 0x129de0 | 0x76 | data | | | 0.6440677966101694
          RT_VERSION | 0x129e68 | 0x398 | OpenPGP Public Key | | | 0.41956521739130437
          RT_MANIFEST | 0x12a210 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
          DLL | Import
          mscoree.dll | _CorExeMain
          No network behavior found


          Target ID: 0
          Start time: 11:51:23
          Start date: 03/07/2024
          Path: C:\Users\user\Desktop\BANK LETTER INDICATION.exe
          Wow64 process (32bit): true
          Commandline: "C:\Users\user\Desktop\BANK LETTER INDICATION.exe"
          Imagebase: 0xa20000
          File size: 1'210'368 bytes
          MD5 hash: B0FD67EC3DB079FD398D7F2FA7AD45BC
          Has elevated privileges: true
          Has administrator privileges: true
          Programmed in: C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1245435166.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1245435166.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1245435166.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
          Reputation: low
          Has exited: true

          Target ID: 3
          Start time: 11:51:25
          Start date: 03/07/2024
          Path: C:\Users\user\Desktop\BANK LETTER INDICATION.exe
          Wow64 process (32bit): true
          Commandline: "C:\Users\user\Desktop\BANK LETTER INDICATION.exe"
          Imagebase: 0x890000
          File size: 1'210'368 bytes
          MD5 hash: B0FD67EC3DB079FD398D7F2FA7AD45BC
          Has elevated privileges: true
          Has administrator privileges: true
          Programmed in: C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
          • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
          • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
          Reputation: low
          Has exited: true

          Target ID: 4
          Start time: 11:51:25
          Start date: 03/07/2024
          Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
          Wow64 process (32bit): true
          Commandline: "c:\program files (x86)\internet explorer\iexplore.exe"
          Imagebase: 0x5d0000
          File size: 828'368 bytes
          MD5 hash: 6F0F06D6AB125A99E43335427066A4A1
          Has elevated privileges: true
          Has administrator privileges: true
          Programmed in: C, C++ or other language
          Reputation: moderate
          Has exited: false


            Execution Graph

            Execution Coverage: 9.9%
            Dynamic/Decrypted Code Coverage: 100%
            Signature Coverage: 0%
            Total number of Nodes: 241
            Total number of Limit Nodes: 5

            Control-flow Graph

            • Executed
            • Not Executed
call 53c7dc8 call 53c7dd8 call 53c7e18 call 53c7e28 call 53c7da8 call 53c7db8 call 53c7dc8 call 53c7dd8 call 53c7e18 call 53c7e28 call 53c7da8 call 53c7db8 call 53c7dc8 call 53c7dd8 call 53c7e18 call 53c7e28 call 53c7da8 call 53c7db8 call 53c7dc8 call 53c7dd8 call 53c7e18 call 53c7e28 call 53c7da8 call 53c7db8 call 53c7dc8 call 53c7dd8 call 53c7e18 call 53c7e28 call 53c7da8 call 53c7db8 call 53c7dc8 call 53c7dd8 call 53c7e18 call 53c7e28 call 53c7da8 call 53c7db8 call 53c7dc8 call 53c7dd8 call 53c7e18 call 53c7e28 call 53c7e48 call 53c7e58 call 53c7e68 call 53c7e78 * 16 call 53c7e88 call 53c7e98 call 53c7db8 call 53c7ea8 262->266 263->262
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1248030131.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_53c0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID: $Nq
            • API String ID: 0-1575210091
            • Opcode ID: 3d4f8d49f3f23132f65e4c712d75d277ebf27485bd0a88c457e73f7c48e488be
            • Instruction ID: ca14b4486c4c9179aa486be9249255236ffb8882454b1d03302b42416b17adaa
            • Opcode Fuzzy Hash: 3d4f8d49f3f23132f65e4c712d75d277ebf27485bd0a88c457e73f7c48e488be
            • Instruction Fuzzy Hash: A133A234A11229CFDB25DF65C888BE9B7B5FF89301F5091E9D809AB251DB70AE85CF40

            Control-flow Graph

            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1248030131.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_53c0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID: $Nq
            • API String ID: 0-1575210091
            • Opcode ID: aaa4fa9b9d166231f3bd6969280dbff9531df9a3f727784dd0f9e43b69f82895
            • Instruction ID: b7651a4aaeca513a86f202ac3be4c73f4584c3704d19022a1ab2e25f6a9a63db
            • Opcode Fuzzy Hash: aaa4fa9b9d166231f3bd6969280dbff9531df9a3f727784dd0f9e43b69f82895
            • Instruction Fuzzy Hash: 7C03B534A11219CFCB25DB35C898AE9B7B5FF8A300F5191E9D8096B365DB70AE85CF40
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1248735444.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_78f0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID: !Y3E
            • API String ID: 0-2826621527
            • Opcode ID: 9e808a9b4cb90091c8b2f94e24186406e4e007147312cb4beedf2ba68e0206de
            • Instruction ID: 3c4f8372a27b07978bab4f8c5d2c4bfe2ca6accee260badef22943a37dac34f0
            • Opcode Fuzzy Hash: 9e808a9b4cb90091c8b2f94e24186406e4e007147312cb4beedf2ba68e0206de
            • Instruction Fuzzy Hash: 72A18E74B10209CFDB589B79C859B6E7AF3BF98700F21802AE906DB798DE75DC418B50
            Memory Dump Source
            • Source File: 00000000.00000002.1248030131.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_53c0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8ffff50fc78e240ccb016aa35fb9b31211e24116729900c3119aa1aef8f0d555
            • Instruction ID: aa00803c5ea3d0a7f8477cd2a6220d29def5b8919cbc4c8c248bc172b365f653
            • Opcode Fuzzy Hash: 8ffff50fc78e240ccb016aa35fb9b31211e24116729900c3119aa1aef8f0d555
            • Instruction Fuzzy Hash: FA525C34A003198FDB14DF68C844B99B7B2BF89314F2582E9D5586F3A1DB71AD86CF81
            Memory Dump Source
            • Source File: 00000000.00000002.1248030131.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_53c0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 03ab6eecdc86108113628e8a6af83829e4a0c92150638f6a4f816b9b396025fb
            • Instruction ID: 62338a5b0851840f0d0ebd741a0d42a414082f263fe065d483ebaafd41155b31
            • Opcode Fuzzy Hash: 03ab6eecdc86108113628e8a6af83829e4a0c92150638f6a4f816b9b396025fb
            • Instruction Fuzzy Hash: AD524B34A003598FDB14DF28C844B98B7B2BF89314F2582E9D5586F3A1DB71AD86CF81
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54e0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b125c955756ea5c21c7fc5b7475ff24eb010393290d33c9ccffb5b6ba68492b6
            • Instruction ID: c1b9586b18ea7e5bc1fe953463a962291714b14e2cc89019010b1b4ca19656b6
            • Opcode Fuzzy Hash: b125c955756ea5c21c7fc5b7475ff24eb010393290d33c9ccffb5b6ba68492b6
            • Instruction Fuzzy Hash: 4D12B775D0061A8FCB15DF69C884AE9F7B1FF49300F15C6AAD459A7211EB70AAC5CF80
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54e0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4083b0ccc5d8465f932e8aa04c772fdcde82eb4cbe82c0762ffbf94de141a92a
            • Instruction ID: 2c74971f1b166b368b5a920b31556236b2741b808bbac1d6ad7724566a15c8eb
            • Opcode Fuzzy Hash: 4083b0ccc5d8465f932e8aa04c772fdcde82eb4cbe82c0762ffbf94de141a92a
            • Instruction Fuzzy Hash: EF12C775D0061A8FCB15DF69C884AD9F7B1FF49300F15C6AAD859A7211EB70AAC5CF80
            Memory Dump Source
            • Source File: 00000000.00000002.1248735444.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_78f0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b833a4d8389c07735a7af27dedcdc1e3d6d8d3d36ab54528ecf61833e817050b
            • Instruction ID: dd2662f579ed74e598f8f27f6cfc25d92b5aacda73378a66d11706d5f064a694
            • Opcode Fuzzy Hash: b833a4d8389c07735a7af27dedcdc1e3d6d8d3d36ab54528ecf61833e817050b
            • Instruction Fuzzy Hash: 6CA17E74B102099FDB589B78C859B6E7AF3BF98700F21802AE906DB794DE75DC418B50
            Memory Dump Source
            • Source File: 00000000.00000002.1248735444.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_78f0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f9ce1de347884c6a73e5a83c14413cc7296e71453702b63b6188b82cdd62e27f
            • Instruction ID: a2edf5f38d1aa5578d33dd0c6f87ff39f255dfbd569c8e786aad90bf7c564997
            • Opcode Fuzzy Hash: f9ce1de347884c6a73e5a83c14413cc7296e71453702b63b6188b82cdd62e27f
            • Instruction Fuzzy Hash: D29166B2A1414ECFC704CF28D8989A9BFB2FF96320BA2555AD605DF391D331D985CB84
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54e0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: dfeb09f088a55c4ea35c968a4b4f44b309e3c3eeb69ec4eab489ad2e5cb7fb0f
            • Instruction ID: 6f8df59412ac6d7277cc82db9850f3223ce2cfd98f547ce3a401de3993cf9062
            • Opcode Fuzzy Hash: dfeb09f088a55c4ea35c968a4b4f44b309e3c3eeb69ec4eab489ad2e5cb7fb0f
            • Instruction Fuzzy Hash: A251E536B101159BDB04DB68C8957EEBAB3FB98206F55406BE502EB354DB318D0A8B91
            Memory Dump Source
            • Source File: 00000000.00000002.1248735444.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_78f0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 932228d2e1adbb5ae523463415a76f5c07725a8208536510d074eba0e89edbd2
            • Instruction ID: 23b232600bcbaf0f224a6d073307f6e83cb19f13879164a298680eea9798f0ea
            • Opcode Fuzzy Hash: 932228d2e1adbb5ae523463415a76f5c07725a8208536510d074eba0e89edbd2
            • Instruction Fuzzy Hash: 4461E5B1A2414DCFC704CF29C988929BBB6FBA6304BA28467DA06EF351D731ED45CB45
            Memory Dump Source
            • Source File: 00000000.00000002.1248735444.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_78f0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 99a5211317a9fe7013287c39a30df1947457384cd2d657a67f5cea8f7281b1c8
            • Instruction ID: 9f443cf3c8846c087d5f6f5882c6fb7f97696ec5608e813747a100f0e021d2e6
            • Opcode Fuzzy Hash: 99a5211317a9fe7013287c39a30df1947457384cd2d657a67f5cea8f7281b1c8
            • Instruction Fuzzy Hash: 4751AE74B102099FDB189F74D859B6EBAB3FF98701F20842AE906DB798DE75DC418B40
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54e0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 167f10f9440343f7fbd5d572c1a0702a99e3e4620d440e24513fe322d3abbbb7
            • Instruction ID: 0a4207ce891d2ccea01e316acdbf4919435925585d402bbd3aea7b77d0615b41
            • Opcode Fuzzy Hash: 167f10f9440343f7fbd5d572c1a0702a99e3e4620d440e24513fe322d3abbbb7
            • Instruction Fuzzy Hash: F641C435B101159FDB48DBA9C8556FEBBB7FB88302F21402AE502EB394DB718D06CB91
            Memory Dump Source
            • Source File: 00000000.00000002.1248735444.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_78f0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 552bbb84a62c1f434f4232062ad9a71f5afc5d2053ea6b375710b96121712cf5
            • Instruction ID: 4b5cedd7b0d6e8b0865357a89dea2c413acff5590fe99d725650468ce64553eb
            • Opcode Fuzzy Hash: 552bbb84a62c1f434f4232062ad9a71f5afc5d2053ea6b375710b96121712cf5
            • Instruction Fuzzy Hash: 01419AB5F1411DDFE744CFA8C9405BEFBB6EF99214F604466E606EB250D631CD428B82
            Memory Dump Source
            • Source File: 00000000.00000002.1248735444.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_78f0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 094cd3bf7ba86ca45e1ebe998858ec32fb65d1691870a4f005d0064e89f3aa1c
            • Instruction ID: de9a7d3c7612e26b987578b7a1eb88b61f765028c7557b682bf70e438dd293b7
            • Opcode Fuzzy Hash: 094cd3bf7ba86ca45e1ebe998858ec32fb65d1691870a4f005d0064e89f3aa1c
            • Instruction Fuzzy Hash: 7841B975B1415DDFEB04CFA8C9408AEFBB6EF99314FA04466E60AEB350D631DD418B82
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54e0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f24f2640020a1a74494928bf3f60d0c282405f966f6117b76c88ecdd61e48c83
            • Instruction ID: 12ac7850660cf9b7ec55758ed5d0b60098506b074364f4984edd015dff73766b
            • Opcode Fuzzy Hash: f24f2640020a1a74494928bf3f60d0c282405f966f6117b76c88ecdd61e48c83
            • Instruction Fuzzy Hash: 2F410575B142159FC704CBA9D5809FEBBF7BB88201F21816BE906FB390D635CD168A51
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54e0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7bf36387be8c493d3d8f7fc9de6a0ea4e12fc07974b1f41d36aed361aaa0e72f
            • Instruction ID: a13f3120c7b905dab3ec3a074c9ec1c6c2ee9e29fde94e6d2ce66866ef877d8a
            • Opcode Fuzzy Hash: 7bf36387be8c493d3d8f7fc9de6a0ea4e12fc07974b1f41d36aed361aaa0e72f
            • Instruction Fuzzy Hash: 3F31F536B14115DFC708CA69E5414FEBBB3FBC8102B214567E906FB250D631CD6B8B42

            Control-flow Graph

            APIs
            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02CF214E
            Memory Dump Source
            • Source File: 00000000.00000002.1243938732.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2cf0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID: CreateProcess
            • String ID:
            • API String ID: 963392458-0
            • Opcode ID: 8f89da54f8749eebf7da53550a4ed8d8a7a077e9448f82650dd6cd8b276f7a9a
            • Instruction ID: 66946863fb84aa65d59e29c87df9f8f1b4f3191f0e13b7741993dae200316358
            • Opcode Fuzzy Hash: 8f89da54f8749eebf7da53550a4ed8d8a7a077e9448f82650dd6cd8b276f7a9a
            • Instruction Fuzzy Hash: 7BA15B71D00219CFEB64DF68CC41BEDBBB2BF48314F148169E918A7244DB759A85CF92

            Control-flow Graph

            APIs
            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02CF214E
            Memory Dump Source
            • Source File: 00000000.00000002.1243938732.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2cf0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID: CreateProcess
            • String ID:
            • API String ID: 963392458-0
            • Opcode ID: cb38e0bb7ed70cce01fb7f263ea65574d1a488a753e345979126e2b2326ed0e4
            • Instruction ID: 493d2302330a2eb0570dd0622a94d363b2f8d20ce2e434fa45c68baa8b24e545
            • Opcode Fuzzy Hash: cb38e0bb7ed70cce01fb7f263ea65574d1a488a753e345979126e2b2326ed0e4
            • Instruction Fuzzy Hash: 04915A71D00219CFEB64DFA8CC41BEDBBB2BB48314F148169E918A7244DB759A85CF92

            Control-flow Graph

            APIs
            • GetModuleHandleW.KERNELBASE(00000000), ref: 02E5AFFE
            Memory Dump Source
            • Source File: 00000000.00000002.1244049008.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e50000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID: HandleModule
            • String ID:
            • API String ID: 4139908857-0
            • Opcode ID: 02f10a63c270d5a0483a100802541795ccad22a57a6b555080b20e205277270b
            • Instruction ID: e8d5629f40064cd369f1ae2eb81ddf090c48a7cf38be9b86bc190e2bfca501c4
            • Opcode Fuzzy Hash: 02f10a63c270d5a0483a100802541795ccad22a57a6b555080b20e205277270b
            • Instruction Fuzzy Hash: 61713570A10B158FDB24DF2AD54075ABBF1BF88208F008A2DD89ADBB54DB75E845CB90

            Control-flow Graph

            APIs
            • CreateActCtxA.KERNEL32(?), ref: 02E559C9
            Memory Dump Source
            • Source File: 00000000.00000002.1244049008.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e50000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID: Create
            • String ID:
            • API String ID: 2289755597-0
            • Opcode ID: be5cbd238a17413ea5ebb5629dec039577f43a6b25aa6901285984bc582d2638
            • Instruction ID: 4befcefc0e63ea8c9745441541209a3ddef6d5b62a4fe16034b1ef3a8e864edd
            • Opcode Fuzzy Hash: be5cbd238a17413ea5ebb5629dec039577f43a6b25aa6901285984bc582d2638
            • Instruction Fuzzy Hash: 2541D271C40729CFEB24CFA9C98578DBBF1BF48314F60856AD408AB251DB75694ACF50

            Control-flow Graph

            APIs
            • CreateActCtxA.KERNEL32(?), ref: 02E559C9
            Memory Dump Source
            • Source File: 00000000.00000002.1244049008.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e50000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID: Create
            • String ID:
            • API String ID: 2289755597-0
            • Opcode ID: fa91306d4eabb88c8950a81410e3acba8fec6b1480a7243bfcd1a688c71bab02
            • Instruction ID: 080a54f60fb90e0442bfd51fdb44ec748c587febbe213dbca941e375a8d3dd4f
            • Opcode Fuzzy Hash: fa91306d4eabb88c8950a81410e3acba8fec6b1480a7243bfcd1a688c71bab02
            • Instruction Fuzzy Hash: D241D371C0072DCBDB24DFA9C88579EBBF5BF48314F60816AD408AB251DB75694ACF90

            Control-flow Graph

            APIs
            • CallWindowProcW.USER32(?,?,?,?,?), ref: 053C4111
            Memory Dump Source
            • Source File: 00000000.00000002.1248030131.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_53c0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID: CallProcWindow

            Control-flow Graph
            • Function at 2cf1d79 (calls ReadProcessMemory); graph not rendered in this text export
            APIs
            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02CF1E00
            Memory Dump Source
            • Source File: 00000000.00000002.1243938732.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2cf0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID: MemoryProcessRead

            Control-flow Graph
            • Function at 2cf1c88 (calls WriteProcessMemory); graph not rendered in this text export
            APIs
            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02CF1D20
            Memory Dump Source
            • Source File: 00000000.00000002.1243938732.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2cf0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID: MemoryProcessWrite

            Control-flow Graph
            • Function at 2cf1c90 (calls WriteProcessMemory); graph not rendered in this text export
            APIs
            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02CF1D20
            Memory Dump Source
            • Source File: 00000000.00000002.1243938732.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2cf0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID: MemoryProcessWrite

            Control-flow Graph
            • Function at 2cf1af0 (calls Wow64SetThreadContext); graph not rendered in this text export
            APIs
            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02CF1B76
            Memory Dump Source
            • Source File: 00000000.00000002.1243938732.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2cf0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID: ContextThreadWow64

            Control-flow Graph
            • Function at 2e5b790 (calls DuplicateHandle); graph not rendered in this text export
            APIs
            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02E5D646,?,?,?,?,?), ref: 02E5D707
            Memory Dump Source
            • Source File: 00000000.00000002.1244049008.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e50000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID: DuplicateHandle

            Control-flow Graph
            • Function at 2cf1af8 (calls Wow64SetThreadContext); graph not rendered in this text export
            APIs
            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02CF1B76
            Memory Dump Source
            • Source File: 00000000.00000002.1243938732.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2cf0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID: ContextThreadWow64

            Control-flow Graph
            • Function at 2cf1d80 (calls ReadProcessMemory); graph not rendered in this text export
            APIs
            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02CF1E00
            Memory Dump Source
            • Source File: 00000000.00000002.1243938732.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2cf0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID: MemoryProcessRead
            APIs
            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02CF1C3E
            Memory Dump Source
            • Source File: 00000000.00000002.1243938732.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2cf0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID: AllocVirtual
            APIs
            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02E5B079,00000800,00000000,00000000), ref: 02E5B28A
            Memory Dump Source
            • Source File: 00000000.00000002.1244049008.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e50000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID: LibraryLoad
            APIs
            • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,02CF70C1,?,?), ref: 02CF7268
            Memory Dump Source
            • Source File: 00000000.00000002.1243938732.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2cf0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID: ChangeCloseFindNotification
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1243938732.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2cf0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID: ResumeThread
            APIs
            • PostMessageW.USER32(?,?,?,?), ref: 02CF43C5
            Memory Dump Source
            • Source File: 00000000.00000002.1243938732.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2cf0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID: MessagePost
            APIs
            • GetModuleHandleW.KERNELBASE(00000000), ref: 02E5AFFE
            Memory Dump Source
            • Source File: 00000000.00000002.1244049008.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e50000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID: HandleModule
            Memory Dump Source
            • Source File: 00000000.00000002.1248735444.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_78f0000_BANK LETTER INDICATION.jbxd
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54e0000_BANK LETTER INDICATION.jbxd
            • Instruction Fuzzy Hash: 13413532B002119FD718AB68C0487EEB7A6FF88315F1881AAD45EEB754CB75AC42C7D0
            Memory Dump Source
            • Source File: 00000000.00000002.1248735444.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_78f0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7ba537c688653c840c68ac0f08e35a3405117bfb59d06fcd438c300cc8c2d0e9
            • Instruction ID: 8fc030060c07c50527fe00fbe0670e90b19efe3ed46cb69a126a3a48dad7193e
            • Opcode Fuzzy Hash: 7ba537c688653c840c68ac0f08e35a3405117bfb59d06fcd438c300cc8c2d0e9
            • Instruction Fuzzy Hash: 004125F4E18209CBDB08CFAAD8846AEBFF6AB99310F14D029E519A7255DB3449018B54
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54e0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b51e9924ddb9c3da4f3bb4887fa70ab79c0b046c57cc78fe45beab5a18e49e5a
            • Instruction ID: 86e28bde189ae6ba64bbadd16ab62b7e3cffa0156e49682d7f3c370468a2355c
            • Opcode Fuzzy Hash: b51e9924ddb9c3da4f3bb4887fa70ab79c0b046c57cc78fe45beab5a18e49e5a
            • Instruction Fuzzy Hash: 6D415131E002188FDF29EFB5D0547EEBBB2EF88221F15456AD501B7384DB748986CBA5
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54e0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 19d738b927a3d471714504dda932b6e31bbd626e0ef97eb625bf810dc71530e7
            • Instruction ID: 36542b4f611d368de2470b36b0dac0ba42d789e6f721a238308b73cbd1d4daf9
            • Opcode Fuzzy Hash: 19d738b927a3d471714504dda932b6e31bbd626e0ef97eb625bf810dc71530e7
            • Instruction Fuzzy Hash: B2518038611218AFCB14DF68D894DAEBBB6FF49721B114499F901AB361DB71EC81CF50
            Memory Dump Source
            • Source File: 00000000.00000002.1248735444.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_78f0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1549d489dc11bd7a27eee70a6e7b9e7aea109ef5163f281bd030510b2567a1cf
            • Instruction ID: 813e3d2edcd0cac54a475cc97d4f5cb5fa688d1233cd567afdb5450a3ac349b7
            • Opcode Fuzzy Hash: 1549d489dc11bd7a27eee70a6e7b9e7aea109ef5163f281bd030510b2567a1cf
            • Instruction Fuzzy Hash: 9C410FB4A2925ADFCB00CFA8E4849BEBBB5FB5E310F015856E65AE7310D7309811CB24
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54e0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: feaf56e7a8f593956a408131f3c91c97a5dd6fb57989d76d434ff44f7ba2d0fb
            • Instruction ID: 06b0e22767b60a0ad6de337d426478d5b7c781964b2ca055e03a103c2efe5c3a
            • Opcode Fuzzy Hash: feaf56e7a8f593956a408131f3c91c97a5dd6fb57989d76d434ff44f7ba2d0fb
            • Instruction Fuzzy Hash: A741D671E003148FEF25EB78C4643EE7BA2EF85315F1549BBC141AB381DA358986C7A5
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54e0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ededf9ffcfa6eeb664f6e5b29c1fb2bc6ef8318d90306245dd2447a53b6e6f3f
            • Instruction ID: 81fd45a8ea757718b1224141da5101cdc5e8b4e5844eb71124c96d744eb049cb
            • Opcode Fuzzy Hash: ededf9ffcfa6eeb664f6e5b29c1fb2bc6ef8318d90306245dd2447a53b6e6f3f
            • Instruction Fuzzy Hash: DD41C834A542288FDF54DBA8C884BDEB7B1FF88705F1140A9E905AB3A5DB799C01CF60
            Memory Dump Source
            • Source File: 00000000.00000002.1248735444.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_78f0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: bbd855b4444a94f366c5bd589d793bd426b32f4957f592b98a4898603f5b6c9f
            • Instruction ID: 1768df6488485e109a65ad8d08ef09c70f466592169469ba7af0b0dd3d41fda4
            • Opcode Fuzzy Hash: bbd855b4444a94f366c5bd589d793bd426b32f4957f592b98a4898603f5b6c9f
            • Instruction Fuzzy Hash: 5A4102B4A2525ADFCB00CFA8E4849BFBBB5FB5E310F115856E61AE7310D7309811CB24
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54e0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 19d236e282e82861a7aa42e95f408a91855d73f62c5149bff4971d7935884d50
            • Instruction ID: f0bdeb8a66095c2a5719470b7ca777e00d867bc3251e044ec74565b80e3b7c00
            • Opcode Fuzzy Hash: 19d236e282e82861a7aa42e95f408a91855d73f62c5149bff4971d7935884d50
            • Instruction Fuzzy Hash: 03419530710209DFDB089BA4D8596AF7FA6FBC8250F25C469D506973A8DF349C42C799
            Memory Dump Source
            • Source File: 00000000.00000002.1248735444.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_78f0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 271c7ed071c692dca662c76adc001857710c9d492c3e5fdec2ca895018296142
            • Instruction ID: c6d3ea3ca00793916a75b596abf6ff68dea8a93a9d4615e71bb2e309285cc8a3
            • Opcode Fuzzy Hash: 271c7ed071c692dca662c76adc001857710c9d492c3e5fdec2ca895018296142
            • Instruction Fuzzy Hash: A4419BB4E112199FDB04CFA9C884AEEBBF2BB1A200F509025E916F7210DB34AA51CF14
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54e0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e421a29701b69c0d00f721fed8d0f7cf75cfa7d93c789f823919b64a76a25ae1
            • Instruction ID: f25b9fa24d730696a0368901fbf968220ef2263efc34f75b86c164382f262e52
            • Opcode Fuzzy Hash: e421a29701b69c0d00f721fed8d0f7cf75cfa7d93c789f823919b64a76a25ae1
            • Instruction Fuzzy Hash: 3941EE30D0474A8ECB45EFA9C494AEEB7B1FF45300F55866AD459BB221EB30E9C5CB50
            Memory Dump Source
            • Source File: 00000000.00000002.1248735444.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_78f0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0542b4e92ae8e6c89bec4c4f0f2d7483c0b5be4b52a1c0acfc8b9cc1cfd68dc2
            • Instruction ID: 6b5b7aa2dfe2ba1776ff42a880231bdcc39712a77612eba2d22a64179350ffb0
            • Opcode Fuzzy Hash: 0542b4e92ae8e6c89bec4c4f0f2d7483c0b5be4b52a1c0acfc8b9cc1cfd68dc2
            • Instruction Fuzzy Hash: F441D0B4D2525DDFCB00CFA8E4849BEBBB5FB5E314F015856E61AE7211D7309911CB24
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54e0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cf263740273a4d0ef34b4110bb7b3b70560749bba2d40ac7337c9497d842f318
            • Instruction ID: 6ef5e48525d04f1d2b0d70117fe6197ed47dbdd40867289a289d63908b548012
            • Opcode Fuzzy Hash: cf263740273a4d0ef34b4110bb7b3b70560749bba2d40ac7337c9497d842f318
            • Instruction Fuzzy Hash: F1210630B002049FD718EBB5E4986AF7BF6FBC4211F24886ED545C7744DE30A8478761
            Memory Dump Source
            • Source File: 00000000.00000002.1248735444.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_78f0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c99edd64647d15aeccf43bbdb80c2b14e4641c3f0e1d762eb96083795f723975
            • Instruction ID: 6cb232cb9754bdc00bf9ecc867ec542a3d7623a076e5f882500747c989066e15
            • Opcode Fuzzy Hash: c99edd64647d15aeccf43bbdb80c2b14e4641c3f0e1d762eb96083795f723975
            • Instruction Fuzzy Hash: BC31A760B142154FEB1E677D582826F599B9FE8150764442ED706CB394DD28CC0287AE
            Memory Dump Source
            • Source File: 00000000.00000002.1248735444.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_78f0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3ab9f99f20273c8266e390e972542f762298f9c515c41f81f7982782773a3cda
            • Instruction ID: 8918970ff1b5334c48e051d2bf9ccbbf41a52084b22483d899dadfe309db8695
            • Opcode Fuzzy Hash: 3ab9f99f20273c8266e390e972542f762298f9c515c41f81f7982782773a3cda
            • Instruction Fuzzy Hash: BF3167B1900309AFCF14DFAAC844ADEBFF9EB48310F10842AE909E7250D775A944CFA5
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54e0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 48054b0872f9b780443d67e553636a759a3a7ccae20269d32e0f81894d11d421
            • Instruction ID: fdbbf89c248b18e54c73733a100e746cb6b5b89fcde43cb9546f7454c4898dba
            • Opcode Fuzzy Hash: 48054b0872f9b780443d67e553636a759a3a7ccae20269d32e0f81894d11d421
            • Instruction Fuzzy Hash: C331B130B042148FCB59EB79C8546AF7BA7EFC9211B14C5AAD446DB368CF359C068B91
            Memory Dump Source
            • Source File: 00000000.00000002.1248735444.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_78f0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1e9d565c035a8090b1ee47ac5e6bfe9b2ec13eef5310f0fbd83c0309a19ac053
            • Instruction ID: 2bdddb3bdd3ac7f4d3024a30f15e75d6ae030abfce8a6ea31040a6643a1989f0
            • Opcode Fuzzy Hash: 1e9d565c035a8090b1ee47ac5e6bfe9b2ec13eef5310f0fbd83c0309a19ac053
            • Instruction Fuzzy Hash: 66318C75A002498FCB05DFA4C984AEE7BF2EF89300F1580A9E905EB365DB35ED05CB50
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54e0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7df95c1c3b67912db8120f5c09cf12a591da73f242f25aa065dd781d1398e5a7
            • Instruction ID: eb4421edfade4c332fe4599be90c37ee945a902c9641ad8543c3709ddcadd822
            • Opcode Fuzzy Hash: 7df95c1c3b67912db8120f5c09cf12a591da73f242f25aa065dd781d1398e5a7
            • Instruction Fuzzy Hash: 0C41AFB0D103599FDB14CF9AC884ADEFBB5FF48714F60812AE418AB254DBB55845CF90
            Memory Dump Source
            • Source File: 00000000.00000002.1248735444.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_78f0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5b7af04bc02dd2deafb43d5789d7abfe3da7cb0ac04d506bdd6e23a5edf076c3
            • Instruction ID: d756492caca6e3b4e2f89056c47c454603310396c2c2f166d1195ab29dc3b06e
            • Opcode Fuzzy Hash: 5b7af04bc02dd2deafb43d5789d7abfe3da7cb0ac04d506bdd6e23a5edf076c3
            • Instruction Fuzzy Hash: 0031F7B4E2424DDFCB00CFA8D4809EDBBB5FB5A354F109526EA16EB315E330A951CB90
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54e0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f2709ca9ee2b6eeb0d250e688aa78f26f5c61929cf6998f95d40e48e95c5ff9b
            • Instruction ID: 2ccdc90204ccb0905d98512dc12eb20b20acbfe4960d06629092556de72a6b4b
            • Opcode Fuzzy Hash: f2709ca9ee2b6eeb0d250e688aa78f26f5c61929cf6998f95d40e48e95c5ff9b
            • Instruction Fuzzy Hash: 64319031E002148FDF28EB7980547EEBBA2EF88211F114A7AD501A7384DB798942CBA5
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54e0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b168ba843ba33538d5ff5f29d6cb96b972399c796ba40d90a054ff5950d8a12b
            • Instruction ID: 8ea908fe79e508725c4c193886227dbcfc9825b5bc1e682dc443fb819112450d
            • Opcode Fuzzy Hash: b168ba843ba33538d5ff5f29d6cb96b972399c796ba40d90a054ff5950d8a12b
            • Instruction Fuzzy Hash: E0215E71F001599FCB10EBAAC844AFFBBFAAFC8201F10855BE555D3250EA709A418BE0
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54e0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: fdf0f8fd0ea0c7b350f67edec3fb56c3255c224a7d0670bb3352bd8c82aea787
            • Instruction ID: 3775a5a166afa3285114e77f8bc66326b88a6d32bf0eff679bae5fbe504ab445
            • Opcode Fuzzy Hash: fdf0f8fd0ea0c7b350f67edec3fb56c3255c224a7d0670bb3352bd8c82aea787
            • Instruction Fuzzy Hash: B021623AB102148FCB14EB69D8149AE77E6EFC862271540BEE906CB360DE31DC01CB90
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54e0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c93a1b0185c54ebf3fc3ba03c3490ed9c68d472189b35de532fec6874e40448f
            • Instruction ID: bb2c3d5ae8e191dbfc38049279937c071ee4dde3456d0b3bce12feea1573cd4b
            • Opcode Fuzzy Hash: c93a1b0185c54ebf3fc3ba03c3490ed9c68d472189b35de532fec6874e40448f
            • Instruction Fuzzy Hash: 2F31A934A04218EFCB04CF99E840EDEBBF5BF48301F1584AAE505AB261DB71D945CB60
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54e0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f9191d01d0cbad6ee88e27bf35dba7a0a9377a0101e48808cb9193b157d164a4
            • Instruction ID: 3e8d2d9de834d88134595743e2f4e7c77e2e1ec5b67f0d090be667981178371e
            • Opcode Fuzzy Hash: f9191d01d0cbad6ee88e27bf35dba7a0a9377a0101e48808cb9193b157d164a4
            • Instruction Fuzzy Hash: A7310F32910B09DECB01EFB8C8448D9F7B5FF95300B519A5AE9596B221FB30E6D5CB81
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54e0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c943db873d928e545616a47f9d5ee216a1dcb557afff79d6f6489e12f51580de
            • Instruction ID: 30d27e2330f9488b4433b16526916d35969cbf434f53fad9bfb2cbc7f44ca678
            • Opcode Fuzzy Hash: c943db873d928e545616a47f9d5ee216a1dcb557afff79d6f6489e12f51580de
            • Instruction Fuzzy Hash: 8B310031C14B4A8ECB01EFA9C8546EAF7B0FF55300F45C69AD4997B122EB30A9C5CB51
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54e0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1188014f6c7fbfbfa25ff4b04b546a792bac04770c93eeba48bc7fb059483bd8
            • Instruction ID: ad35f2a5361072ef248d45b47d0c46ad51c8ee8c0253b52f3ddba44a45bf6b4c
            • Opcode Fuzzy Hash: 1188014f6c7fbfbfa25ff4b04b546a792bac04770c93eeba48bc7fb059483bd8
            • Instruction Fuzzy Hash: 4531D635A10219DFDB099FB4D4489DEBFB6FF89304F15451AF002AB254DF309805CB50
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54e0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b9ba5cc3ad06b1163cca6f5b3b605851a43e21d05e6299c78433e7177c42f9ed
            • Instruction ID: 0a5c800c2f864c4c0bc6b1e5fcc5ee4711b8c3f7786b142788bea16813a4e465
            • Opcode Fuzzy Hash: b9ba5cc3ad06b1163cca6f5b3b605851a43e21d05e6299c78433e7177c42f9ed
            • Instruction Fuzzy Hash: B8218E75E0021A8FDF14EFA9C8809EEBBF7EF89340F54452AD505E7240EB3099018BA1
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54e0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ef47fe93c8d3f0b7fc6185ef9d69ae9700b7d584e647d97393fc29a57b1993c1
            • Instruction ID: f6bf38773e1acd7c4f76a79e8b9f24970b9ad11bb79ebd85daf40d40848725ab
            • Opcode Fuzzy Hash: ef47fe93c8d3f0b7fc6185ef9d69ae9700b7d584e647d97393fc29a57b1993c1
            • Instruction Fuzzy Hash: 30211D343102108FDF64AB79C854AAA77A6EF85716B1484AED506CB3A5DB71EC02CB50
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54e0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9cdc478010d8f02959e4e5792041c83ee0e3b1d83762f25ac083432cf5cd8c61
            • Instruction ID: 34d6a1251787bda299c79210e317add6ac589f9fc68574132ea1210b3c12406f
            • Opcode Fuzzy Hash: 9cdc478010d8f02959e4e5792041c83ee0e3b1d83762f25ac083432cf5cd8c61
            • Instruction Fuzzy Hash: 2B21A335A10219EFDB099FB4D8489DEBFB6FF99314F154626F0026B254DF719805CB90
            Memory Dump Source
            • Source File: 00000000.00000002.1239726503.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_111d000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 905c43ef2a67e17f5286ee604ebc770d11f1084ec3c56ef80b9d951ef0d7b8e5
            • Instruction ID: c6f6d17e69cbe5bed1e2be1f9a8f512ca4045894c3bfb21128b1fcc26cfff325
            • Opcode Fuzzy Hash: 905c43ef2a67e17f5286ee604ebc770d11f1084ec3c56ef80b9d951ef0d7b8e5
            • Instruction Fuzzy Hash: DD213671544200DFDF19DF44E9C8B56FB65FB88324F20C179E8090BA4AC336E446CBA2
            Memory Dump Source
            • Source File: 00000000.00000002.1239726503.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_111d000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 950619e770005e3bc77207856f7d4f7075a915399ccf8848351919ea0708981f
            • Instruction ID: 41db356aef7d4609d003dfc134c85871944d63457e63fce88240dac44f9358b7
            • Opcode Fuzzy Hash: 950619e770005e3bc77207856f7d4f7075a915399ccf8848351919ea0708981f
            • Instruction Fuzzy Hash: C221F171604240DFDF19DF54E9C8B26FF75FB88328F20C579E8090A65AC336D456CAA2
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54e0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4082e0fab3b7ecf51cf68282dc828520a51f6d827f845fcacfe174715c9c5bfc
            • Instruction ID: cf56682079623c70a6e298da6ffa965a7c49ada2b4b090b6c7fd7175b5b53ff2
            • Opcode Fuzzy Hash: 4082e0fab3b7ecf51cf68282dc828520a51f6d827f845fcacfe174715c9c5bfc
            • Instruction Fuzzy Hash: 80312132910B09DECB01EF68C8448D9F7B5FF95300B11875AE9596B221FB30E695CB80
            Memory Dump Source
            • Source File: 00000000.00000002.1240260889.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_112d000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cef336e36922d0e70cc9f29a22b9e78f41d99fcea4660dc323493b40abe40820
            • Instruction ID: eac0f2c66569d9ed1957abcc04cfcccbbbce37fe66d39050729d7716ca715aaa
            • Opcode Fuzzy Hash: cef336e36922d0e70cc9f29a22b9e78f41d99fcea4660dc323493b40abe40820
            • Instruction Fuzzy Hash: 7B210771A04300DFDF19DF94E9C4B15BB65FB85324F20C56DE8494B252C336D456CA62
            Memory Dump Source
            • Source File: 00000000.00000002.1240260889.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_112d000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: bae94c202d1fa0b7babba3d5b816e2cd801a314fb77d64031a43f76da1f760de
            • Instruction ID: ef93e595102567e28f5116b60df1804244a7a18b870a80ba899859ddcad73782
            • Opcode Fuzzy Hash: bae94c202d1fa0b7babba3d5b816e2cd801a314fb77d64031a43f76da1f760de
            • Instruction Fuzzy Hash: DF212271604340DFDF19DF54E9C4B16BB61EB84314F20C5ADD84A0B2A6C33AD827CB66
            Memory Dump Source
            • Source File: 00000000.00000002.1248735444.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_78f0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e91637a8d6ec3aeb288ad824dac90ddc4b9b11d7580d2563433a6e85368a3060
            • Instruction ID: 06705a5870f6009987ef455b13ee33344afc8560508ee0e973e75153190f2e1f
            • Opcode Fuzzy Hash: e91637a8d6ec3aeb288ad824dac90ddc4b9b11d7580d2563433a6e85368a3060
            • Instruction Fuzzy Hash: E7218C75A007158FC310CF69C8809ABBBFAFF89700B00856DE859DB310E730AD46CBA1
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54e0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 93d96e75067e439296cbdf7b6b0e30ac207bdfdfde9b72827d8c7c633f049bf4
            • Instruction ID: 6c23279966508df0607e3abb500e57c94cbcfd6de1019298085bbdd6a41320b0
            • Opcode Fuzzy Hash: 93d96e75067e439296cbdf7b6b0e30ac207bdfdfde9b72827d8c7c633f049bf4
            • Instruction Fuzzy Hash: C821EC76E1020A9FCB04DFA9D8849EEFBF5FF98310B10855AE514E7210E770A956CB90
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_78f0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 471c7b030d3a3ed5f9be7a288f2e88ba68ada7464aa21d8bbe664f71cf7bfc93
            • Instruction ID: 4881a792fa6b14f7cfc6d86f044e3591353d129c0f8924049d7e2683028d69ad
            • Opcode Fuzzy Hash: 471c7b030d3a3ed5f9be7a288f2e88ba68ada7464aa21d8bbe664f71cf7bfc93
            • Instruction Fuzzy Hash: 4701A4347001158FDA01AA79E944A7B7BDBEBD9252F054536E20ACB355DF70DD438780
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54e0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3d7fce934be565e77506b84f423b4c48199fbaf8ab519d7caef781198ab90641
            • Instruction ID: 34e39bc623eac6cc1695051ae55db0a5d56973c47f7d8ec0795e6e1a7edb7e8c
            • Opcode Fuzzy Hash: 3d7fce934be565e77506b84f423b4c48199fbaf8ab519d7caef781198ab90641
            • Instruction Fuzzy Hash: D2F09675F001155B8F16B7B96C545FEBBBAAB88611F00002EE509A7341CA300D0187E5
            Memory Dump Source
            • Source File: 00000000.00000002.1248735444.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_78f0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7f205b02676ed2348048faf540cf634a371a8ba4c3843fffc4561b85c148457d
            • Instruction ID: 7e4320c57bbb49d44a32f2464e3236d0a28773dbc2b3d32a9fa366a81dc5b0e2
            • Opcode Fuzzy Hash: 7f205b02676ed2348048faf540cf634a371a8ba4c3843fffc4561b85c148457d
            • Instruction Fuzzy Hash: 19F0A4B0A1860CDBC704CF65C5519BCFBFDAB6B305F00A2A5D2099B211D7309A85DB60
            Memory Dump Source
            • Source File: 00000000.00000002.1248735444.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_78f0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 163198a104415252a44614accf0137ff6c34f3c5ea5c0be117b592d9fffaf20b
            • Instruction ID: 6fd2651af1921ca3a20bcb9365967dd224d2c7c8a3aa7d4a9336b0f23b1481b5
            • Opcode Fuzzy Hash: 163198a104415252a44614accf0137ff6c34f3c5ea5c0be117b592d9fffaf20b
            • Instruction Fuzzy Hash: 2701F674A1420CEFD704DFA8C694AADFBF6AF49300F15C095AA099B365DB30DE40EB50
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54e0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 76231f5bfcb8bc07b9b6269b5ce7f86c4363ff96a9c557542f5bb853d1324825
            • Instruction ID: a6a42cfa3b539639235224305caf20a2cc9a8d61875aa5a3e32e4b38b227e9e1
            • Opcode Fuzzy Hash: 76231f5bfcb8bc07b9b6269b5ce7f86c4363ff96a9c557542f5bb853d1324825
            • Instruction Fuzzy Hash: 46F082727101256FDB14CA59AC44EFB77EDE784665F12056EE804C3200EA619C0146A0
            Memory Dump Source
            • Source File: 00000000.00000002.1248735444.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_78f0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: eb7f349774eed13c3d9df5274a2321fc4834966b7dc048b1f0de8b826b332515
            • Instruction ID: 0a2f873fdc239ddfde83d2e62e4f1782f72179cc67792e5004c5f89b1f61396c
            • Opcode Fuzzy Hash: eb7f349774eed13c3d9df5274a2321fc4834966b7dc048b1f0de8b826b332515
            • Instruction Fuzzy Hash: 3101A5B4D00249AFCB40DFA8C551AAEBFF5BB08310F148196EA54E7385D7349A41DFA1
            Memory Dump Source
            • Source File: 00000000.00000002.1239726503.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_111d000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 66d83813abdd03974a6b55a5f1f49fce0f570d519e89d2914f272b7afb8c81e0
            • Instruction ID: 48c2af7857975738d898b7d0466ce272a888a82427e1228af78d95773112bf67
            • Opcode Fuzzy Hash: 66d83813abdd03974a6b55a5f1f49fce0f570d519e89d2914f272b7afb8c81e0
            • Instruction Fuzzy Hash: 66F09C714057449EEB248A15DC88B66FFD8EF41735F18C56AED184B287C3755844CB71
            Memory Dump Source
            • Source File: 00000000.00000002.1248735444.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_78f0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4289ac5fc48450f476be9be56aa0ebb9cc83302dedae8a1f879692f335003286
            • Instruction ID: dd3dcbda9742ca043835b11ea2a66a12f68596f4058ea8258628c05b5131027f
            • Opcode Fuzzy Hash: 4289ac5fc48450f476be9be56aa0ebb9cc83302dedae8a1f879692f335003286
            • Instruction Fuzzy Hash: 6AF027F6B101214BDB147EBC9458B7A3BDA8FE82517114577DA05C7359ED34CC038750
            Memory Dump Source
            • Source File: 00000000.00000002.1248735444.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_78f0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a49b7e9733dea0f8675c1b66dd77bec38c5c1dd508c248f7f5fc6dee01cffcd7
            • Instruction ID: 7b89046f63a3b9dfdd2c8ac322350838d46a5d0a6ce188fbb98bd47526c8691b
            • Opcode Fuzzy Hash: a49b7e9733dea0f8675c1b66dd77bec38c5c1dd508c248f7f5fc6dee01cffcd7
            • Instruction Fuzzy Hash: E5F02770B101144F8F247E7D941493B3AEB8FD82613600476E60AC7319ED34CC028790
            Memory Dump Source
            • Source File: 00000000.00000002.1248735444.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_78f0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3911ff423ff195f16552705fa0821c28351af26f3e1c9a43048057c69d8d0858
            • Instruction ID: a23008a26dc8304ac9e273dbaf3752b714c9e91eeac0c59320202a69d8d2a341
            • Opcode Fuzzy Hash: 3911ff423ff195f16552705fa0821c28351af26f3e1c9a43048057c69d8d0858
            • Instruction Fuzzy Hash: 4501E8B090021ADFDB14CF6AC4047AEBAF1EF49364F248229E924EA290E7744A40CBD0
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54e0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c6036eaf78cf50c64f288521297450048ca4c8d450c61e438f2b2ed9a8e51bd1
            • Instruction ID: ac17f372078b645cc47226b188bb970dcf9bc08c1e14438157cc76628317f88c
            • Opcode Fuzzy Hash: c6036eaf78cf50c64f288521297450048ca4c8d450c61e438f2b2ed9a8e51bd1
            • Instruction Fuzzy Hash: E5F027B02097444EE7106A6485443263B64EB41209F18C0EBE40CCA6C7C177CC478396
            Memory Dump Source
            • Source File: 00000000.00000002.1248735444.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_78f0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cce5368d7850d5f48329a56cf7174a78a30187fe8fe5963753e6166d2d2275c6
            • Instruction ID: f2a0e7ce73526c3787be321ce751ffae2739ebfca4d113733b1317ddc0591641
            • Opcode Fuzzy Hash: cce5368d7850d5f48329a56cf7174a78a30187fe8fe5963753e6166d2d2275c6
            • Instruction Fuzzy Hash: 90F027B1B1071A87C3289A2B981852BFBDFEBE5291705C83BE209C7220EB30D9064690
            Memory Dump Source
            • Source File: 00000000.00000002.1248735444.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_78f0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a634063c3e43727c7cf924436f5df2e870e8348facdaef215a8b565b4d246a9f
            • Instruction ID: 6f1f483bb36c8c2924757e6873927ba0c25d60bafa76373d9698ba7d6e9994e8
            • Opcode Fuzzy Hash: a634063c3e43727c7cf924436f5df2e870e8348facdaef215a8b565b4d246a9f
            • Instruction Fuzzy Hash: BDF0E271608249BFDF05DF58DC4089A7FBAEF05214B0481ABF548DB262EB31A950CB55
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54e0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e67d0bc987fd79b313774f3e60b2ed15af6ce97f3e153dc774e5422e5e2c68de
            • Instruction ID: aa5972b214c757b793f0c7cc0f1e0c0f87cf771e8002e35bc5c815ea7c124fb3
            • Opcode Fuzzy Hash: e67d0bc987fd79b313774f3e60b2ed15af6ce97f3e153dc774e5422e5e2c68de
            • Instruction Fuzzy Hash: 13F04935A001288FCB14EB58D5849DDB7F2FF88721F1541A9E805BB364CB30AD45CF90
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54e0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 382e5f3a376c6aed7f0d30e8b255abba4b7a1dba1c5d0d1bc321c252ca550fd9
            • Instruction ID: ff9a249c631fa2d45c442c3d4e2096abd1463de8b4ecc6b1f7a79940bd6b973e
            • Opcode Fuzzy Hash: 382e5f3a376c6aed7f0d30e8b255abba4b7a1dba1c5d0d1bc321c252ca550fd9
            • Instruction Fuzzy Hash: 48F0E53290C314ABDF5ACB95D8807EB7BFAAB45291F1489EBD908C2741E734D440CB61
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54e0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: fe8d778e187a3e9421fda2ab2e63dfc9588b3893a2c4f94a3afa309928cfebb5
            • Instruction ID: ef87ed63a1407f1eb3c5ceaca17cee3d049e653f24328147209ffc3ce5fffed2
            • Opcode Fuzzy Hash: fe8d778e187a3e9421fda2ab2e63dfc9588b3893a2c4f94a3afa309928cfebb5
            • Instruction Fuzzy Hash: B2F0A7B29012469FEB00CFA6DE027EA77A4EF00265F0400A6E405DB2D4EB35DA46DB00
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54e0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ae8424faf143df6d4a3f034f8b66af8a8367536b0a3f2a80f2b7f026f432da35
            • Instruction ID: a6a7282a5704518799e999804aab6d4da0fed72b0cc3d128ea26214f72f0b99e
            • Opcode Fuzzy Hash: ae8424faf143df6d4a3f034f8b66af8a8367536b0a3f2a80f2b7f026f432da35
            • Instruction Fuzzy Hash: 21F09E322043986FC7038B69D800AAB7FE9DFCA210F09858BF588C7163C7759C11D761
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54e0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5d7122cee79f0f0ae688eb17cda465d5d0d9978bd193f8b721e259d4bc7893ed
            • Instruction ID: 0557eebc98ec67a6eb5bd6376ee1c08304e438720af223cbdfac5fdba7041eeb
            • Opcode Fuzzy Hash: 5d7122cee79f0f0ae688eb17cda465d5d0d9978bd193f8b721e259d4bc7893ed
            • Instruction Fuzzy Hash: 81E092F36082504FE70187D1E855B963F64EF15362B0741A7E804CB2F2DA25CC058740
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54e0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f6398d3cfa5ea946aa5b29e6d647fa3fb630886ef947d0265b18f3abe5d409b9
            • Instruction ID: 010e98560b7b342718efdcf89b612d510b24bab85c97a642738c447e7e0d2438
            • Opcode Fuzzy Hash: f6398d3cfa5ea946aa5b29e6d647fa3fb630886ef947d0265b18f3abe5d409b9
            • Instruction Fuzzy Hash: 38F0E23660025CABCF119E54CC049EA3B60FF4A227F0985B3EAA4D6241D378D5248792
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54e0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2cce0707ff7bed902bec12ee2ea7484ab77218b97d25a4d493b0dc9c87066ba3
            • Instruction ID: bf67f4580b526a70cd42d13c0bb00e64d1881f7083309bf52cc5f674406d9218
            • Opcode Fuzzy Hash: 2cce0707ff7bed902bec12ee2ea7484ab77218b97d25a4d493b0dc9c87066ba3
            • Instruction Fuzzy Hash: 02F0F435E44105CFDB50DF69D48D7EA33E2BB44327F4404AAD00AA72A0EB748986CB60
            Memory Dump Source
            • Source File: 00000000.00000002.1248735444.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_78f0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e18763833ddb0bdae377fd54fe9dab87cbcd6767b98cbb49246c7dd559415045
            • Instruction ID: 990c08f58feedd187285e23791caf2748d8fdc581b80d71dc3ef5fa75a04ef6d
            • Opcode Fuzzy Hash: e18763833ddb0bdae377fd54fe9dab87cbcd6767b98cbb49246c7dd559415045
            • Instruction Fuzzy Hash: 2AF02EF5A102144FD7084A65C81566E79A7AFD8350F05413AD801D73D5DFB0CC1186C0
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54e0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: eaf83cfbbe320eab94ed7326c3ce48014ad29b39b094952cf0b3a3efcff02eb0
            • Instruction ID: 712a0feec664e464578c03fbea142e014a3bd2faa924c29ee9bb7e9b4d8f8aae
            • Opcode Fuzzy Hash: eaf83cfbbe320eab94ed7326c3ce48014ad29b39b094952cf0b3a3efcff02eb0
            • Instruction Fuzzy Hash: 58F03070E402098BDF28EF75D4157EEBBA2EF84716F01896DD102A7280DF744445CFA5
            Memory Dump Source
            • Source File: 00000000.00000002.1248735444.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_78f0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d46fda0b18643c2665c86dd2f208465bd95386c1df06added2a1aba2b24b8892
            • Instruction ID: cc2b0b47d67f1d72dc3584dbd736999f1b268b909ecababdab66c054581b5c37
            • Opcode Fuzzy Hash: d46fda0b18643c2665c86dd2f208465bd95386c1df06added2a1aba2b24b8892
            • Instruction Fuzzy Hash: 0BF0E7B5E05288EFCF12CFA8D84198CFBB4AF09200F24015AE506A7352EB316952DF51
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54e0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4410d720909a90b1152536a627403a9fa34eeedcbba30088509d29257f0e4121
            • Instruction ID: 32b420069a34fbb956a0c810c300183ea8be5b761abe1b104875c7f03b0e5bf7
            • Opcode Fuzzy Hash: 4410d720909a90b1152536a627403a9fa34eeedcbba30088509d29257f0e4121
            • Instruction Fuzzy Hash: ECF0653151524ADFEB00DF76CD02BAA77A9EF01259B1440B5E405D72A4FB35DA11DB04
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54e0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b594556c4d5cb89f665d38ea005ff6ffa72eac7f01b966bcbc39e2de92b35c63
            • Instruction ID: 6b33b53be4652914caef89c9ddd0f84b7ffb5076203d6bc276eb11983b3fdb81
            • Opcode Fuzzy Hash: b594556c4d5cb89f665d38ea005ff6ffa72eac7f01b966bcbc39e2de92b35c63
            • Instruction Fuzzy Hash: 2BF0A776E001158FCB10DA69D4097DEB7F4FF84356F00486AD945D3344E730A50ACF80
            Memory Dump Source
            • Source File: 00000000.00000002.1248735444.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_78f0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: aa0f124114dd5a4394f8e6e3cce748c35aead0d68d8e20cd832559f371fbe15f
            • Instruction ID: 1a968d6c418b9ba123a04ed376893ec792e871bb6291c87197efce9bf82dc2f6
            • Opcode Fuzzy Hash: aa0f124114dd5a4394f8e6e3cce748c35aead0d68d8e20cd832559f371fbe15f
            • Instruction Fuzzy Hash: C4F015B4D0430CEFCB00DFA8D004AADBFB9EB1A300F1081A9EA0893310D7319A40DF80
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54e0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e72642bfb40a33478a51a2c9f1cb8794e5726fc9320913b8a975115897d7e96a
            • Instruction ID: 12468b3c3b365299047ca792509bfe6db64e602534ed36351fad7a9eaf65f54a
            • Opcode Fuzzy Hash: e72642bfb40a33478a51a2c9f1cb8794e5726fc9320913b8a975115897d7e96a
            • Instruction Fuzzy Hash: FCE06D35A102199FCB10EA6ED8086DEBBF5FB88315F00496AE956D3344D730AA19CFC0
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54e0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ff0152d0b5d3f546c8cb882b8ab6664a667a83bee86d8eee244ca9824d41e439
            • Instruction ID: 5826c74a467bd9575f9ea49f66bd0335356433aca080c97865e13e1997245202
            • Opcode Fuzzy Hash: ff0152d0b5d3f546c8cb882b8ab6664a667a83bee86d8eee244ca9824d41e439
            • Instruction Fuzzy Hash: FBE092322002686FCB069E4AE800EAF7FDEDFC8211B04851AF959C7121CAB1A81197A1
            Memory Dump Source
            • Source File: 00000000.00000002.1248735444.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_78f0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cd1b006b90503cfd6f68af9b56d96b5179497b14cee197a31138e6d8efe3b668
            • Instruction ID: 8a8beb5388f39cc53ff8fd1ca8d4c471907fbc797c0766fcc6939d2ebf11f072
            • Opcode Fuzzy Hash: cd1b006b90503cfd6f68af9b56d96b5179497b14cee197a31138e6d8efe3b668
            • Instruction Fuzzy Hash: B5E09BB491520DCFD7246A74D4247AD3ABDAB56201F408514D206D6265DB701545CB63
            Memory Dump Source
            • Source File: 00000000.00000002.1248735444.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_78f0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: aba831bdefeb5d59e1133a7f586113ba37b2458743627cdcce302ef35d7ceccd
            • Instruction ID: 9458045dbb2a44b805f1ce5c4e6a254187d6c612189832647820778202858a58
            • Opcode Fuzzy Hash: aba831bdefeb5d59e1133a7f586113ba37b2458743627cdcce302ef35d7ceccd
            • Instruction Fuzzy Hash: 86E068B2B10A1057E31457A69900727A6DBEFC8311F16C06AA419D3784DE30DC028290
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54e0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 265e871352e49fb98a0bccb37b7a6c369a6572279166ddcb061c96687d96739e
            • Instruction ID: 84730f671400821b50c820c3dac0e86236b5439fbcd3f4b4195442ce7a0f3b4a
            • Opcode Fuzzy Hash: 265e871352e49fb98a0bccb37b7a6c369a6572279166ddcb061c96687d96739e
            • Instruction Fuzzy Hash: 4DE09A747100288FE314EF59F4A2BAB23AAFBC4650F804124E205CB388CBB08C004B81
            Memory Dump Source
            • Source File: 00000000.00000002.1248735444.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_78f0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 442ea0990a258fd1ecc7097508e520bfb4abbf90e43a39765b1963c9c52d7f18
            • Instruction ID: 148a90b994e11119870a202399afa05f37c57a4beb58f2f2894b83bdecb467b7
            • Opcode Fuzzy Hash: 442ea0990a258fd1ecc7097508e520bfb4abbf90e43a39765b1963c9c52d7f18
            • Instruction Fuzzy Hash: DBE08631B10A1457D618676B9800B6BBAEFEFC9620714C069E51993744DD60AC0286D4
            Memory Dump Source
            • Source File: 00000000.00000002.1248735444.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_78f0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3f32d42935f73b578c5f6713959b1090a093771d951a8bcb266c179be74a99c7
            • Instruction ID: 5b6cc6cf9e2086539474627b3ea095b8363e904bdc8024581a90dadebee541f0
            • Opcode Fuzzy Hash: 3f32d42935f73b578c5f6713959b1090a093771d951a8bcb266c179be74a99c7
            • Instruction Fuzzy Hash: D1E0D8B57006145FC744EBA9D408A373BFAEB8C9627118168F84AC7354FE31DC028B90
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54e0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2baa59cbe11aea1cc718010f69952110959da92eb2f4fcc13dbedf1badfbc4ab
            • Instruction ID: e771bc6ac0ddfb47e0d5a833c97930d810284a165c33a3fd88cc31ee58018672
            • Opcode Fuzzy Hash: 2baa59cbe11aea1cc718010f69952110959da92eb2f4fcc13dbedf1badfbc4ab
            • Instruction Fuzzy Hash: 4AF03074A207108FCB14EF34E5898AE7BF2FF942117108A69D0169F668DF71ED0A8F95
            Memory Dump Source
            • Source File: 00000000.00000002.1248142420.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54e0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 77e1b04eceadc9e89fed9b0cbcd8b6133207e5ada79a09f755e46bcbf31c4a44
            • Instruction ID: 47e02ef6309e451f6fe8fb581ace349eec47f519c400e3c7ea0c62df00c8caf9
            • Opcode Fuzzy Hash: 77e1b04eceadc9e89fed9b0cbcd8b6133207e5ada79a09f755e46bcbf31c4a44
            • Instruction Fuzzy Hash: ADE04FB1D5121DDACF149B91F6047FDBFB1FB5429BF210427E116B1550C7710590CB90
            Memory Dump Source
            • Source File: 00000000.00000002.1248735444.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_78f0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 68212038d2589b834cc2539d2cdfdeb4c6364a131483c00474ea8090e02071c7
            • Snapshot File: hcaresult_0_2_78f0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d55ca46be9d8d85bf0dde0cd4c38a0d5f0d0e455f6d3632ba759ee1402cdd00e
            • Instruction ID: 4bd92a59121e27ba808e54ce5d79dc2565b30c7047c4735c2e589b480fc86ae8
            • Opcode Fuzzy Hash: d55ca46be9d8d85bf0dde0cd4c38a0d5f0d0e455f6d3632ba759ee1402cdd00e
            • Instruction Fuzzy Hash: 0CD1F835D2071A8ACB14EBA4D890A99F7B1FFD5310F50C79AE5493B214EB706AC5CF81
            Memory Dump Source
            • Source File: 00000000.00000002.1244049008.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e50000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9722183f36be58f5f0e277acaa43b8b002f3c4f671bd8c76bbf5542752b4e12f
            • Instruction ID: 987465638b3ab4994dab5425c492b64bf7391792b9b73223c05fd27d7bcac10d
            • Opcode Fuzzy Hash: 9722183f36be58f5f0e277acaa43b8b002f3c4f671bd8c76bbf5542752b4e12f
            • Instruction Fuzzy Hash: 3FA19D36E502298FCF05DFB5C88059EB7B2FF86304B14956AE901AB261DB71E956CF80
            Memory Dump Source
            • Source File: 00000000.00000002.1248735444.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_78f0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b8a66dd3797ff310afc5f5983a2335fe4e21f2ddadc92de0d3f46b12aa73fd97
            • Instruction ID: c9965c21a070c41d41b46314b7503c87f215a579be47ca0adbbfb05a313c93af
            • Opcode Fuzzy Hash: b8a66dd3797ff310afc5f5983a2335fe4e21f2ddadc92de0d3f46b12aa73fd97
            • Instruction Fuzzy Hash: 48D10835D2071A8ACB14EBA4D890A99F7B1FFD5310F50C79AE5493B214EB706AC5CF81
            Memory Dump Source
            • Source File: 00000000.00000002.1248030131.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_53c0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b0f33568bdf3675a7216182e6425b71a9a5fab3df144c68bb3bef15db7b387da
            • Instruction ID: d65b15922d42a792a7b8de4b3a10391b09ad55b02dd0cc3be1bdfa9aa37ef85d
            • Opcode Fuzzy Hash: b0f33568bdf3675a7216182e6425b71a9a5fab3df144c68bb3bef15db7b387da
            • Instruction Fuzzy Hash: 08D116B0DC07458BD712DF66E84818B3BB2BB86325FD54B09D2616B2E1DBB414AACF44
            Memory Dump Source
            • Source File: 00000000.00000002.1244049008.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e50000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8d4d011d26c53f5586ca7772103bdc6a883f8610d404f33c8207c88c22abac15
            • Instruction ID: d35e5c6f9bcd04095d6f19c949d322678d80350e14c3a4630cbca744586d9bfb
            • Opcode Fuzzy Hash: 8d4d011d26c53f5586ca7772103bdc6a883f8610d404f33c8207c88c22abac15
            • Instruction Fuzzy Hash: 51514931C252588BD7119F7598427EE7FA4EF5A368F05D45EEA8897259C2308806CFD3
            Memory Dump Source
            • Source File: 00000000.00000002.1248735444.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_78f0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f36df16f56e8bda79565c4b6168169d452d03b0d53f98a03f7d77b9796b91689
            • Instruction ID: f1533360b62fb42801689f3584e87a938846e10ed401a70b041995d8c47dfc3f
            • Opcode Fuzzy Hash: f36df16f56e8bda79565c4b6168169d452d03b0d53f98a03f7d77b9796b91689
            • Instruction Fuzzy Hash: EB4136B2B2070ECFC310CA7AD84965AB7E6EBD2365F548537D25ACBA60D234E851CB41
            Memory Dump Source
            • Source File: 00000000.00000002.1248735444.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_78f0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 73c948665d25ae3999dcb716811e3c8da4cc058d3ffcafa6c2282e5a477bcce5
            • Instruction ID: 8f2add1fcb9a4ebcd84ddebc918378665342014fd89ba604d80e934622ad099e
            • Opcode Fuzzy Hash: 73c948665d25ae3999dcb716811e3c8da4cc058d3ffcafa6c2282e5a477bcce5
            • Instruction Fuzzy Hash: DB41F371B10709CFC710CB7AC889A5ABBF6EF85354F44C82AE25ACB664D234E951CF41
            Memory Dump Source
            • Source File: 00000000.00000002.1248735444.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_78f0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 14a2e4b57358377b8ca22d1f38b1d7bd93fafe83a605fe447492f74c4ff5a433
            • Instruction ID: d8bb8d5e40fde6c126b83c6ec20fed9728c33fdee8f3acdecc82b29009557738
            • Opcode Fuzzy Hash: 14a2e4b57358377b8ca22d1f38b1d7bd93fafe83a605fe447492f74c4ff5a433
            • Instruction Fuzzy Hash: E841D3B1B2060ACFC710CB7AC889A5ABBF6FF85350F44C82AD15ACB664D234E955CF41
            Memory Dump Source
            • Source File: 00000000.00000002.1243938732.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2cf0000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8a44516210117c7fb4ddd01716e81d879e01395d8908aeeea3f8fb7642fe0499
            • Instruction ID: cb9d0258abe8b5a54bacbea5765a0e2215c909b7a642f029b80eedaca5347f46
            • Opcode Fuzzy Hash: 8a44516210117c7fb4ddd01716e81d879e01395d8908aeeea3f8fb7642fe0499
            • Instruction Fuzzy Hash: 2FC04C2A95D8C4F686C01D96B4050F8F73CA28F122F107191D71FA3141462252E58554

            Execution Graph

            Execution Coverage: 2.7%
            Dynamic/Decrypted Code Coverage: 0%
            Signature Coverage: 13.1%
            Total number of Nodes: 822
            Total number of Limit Nodes: 27
48098->48099 48100 448cee 48098->48100 48111 434fcb 48099->48111 48104 4484ca 48100->48104 48103 4432bf 48103->48080 48103->48081 48105 4484fa 48104->48105 48108 4484f6 48104->48108 48105->48099 48106 44851a 48106->48105 48109 448526 GetProcAddress 48106->48109 48108->48105 48108->48106 48118 448566 48108->48118 48110 448536 __crt_fast_encode_pointer 48109->48110 48110->48105 48112 434fd6 IsProcessorFeaturePresent 48111->48112 48113 434fd4 48111->48113 48115 435018 48112->48115 48113->48103 48125 434fdc SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 48115->48125 48117 4350fb 48117->48103 48119 448587 LoadLibraryExW 48118->48119 48120 44857c 48118->48120 48121 4485a4 GetLastError 48119->48121 48122 4485bc 48119->48122 48120->48108 48121->48122 48123 4485af LoadLibraryExW 48121->48123 48122->48120 48124 4485d3 FreeLibrary 48122->48124 48123->48122 48124->48120 48125->48117 48126 404e26 WaitForSingleObject 48127 404e40 SetEvent FindCloseChangeNotification 48126->48127 48128 404e57 closesocket 48126->48128 48129 404ed8 48127->48129 48130 404e64 48128->48130 48131 404e7a 48130->48131 48139 4050e4 83 API calls 48130->48139 48133 404e8c WaitForSingleObject 48131->48133 48134 404ece SetEvent CloseHandle 48131->48134 48140 41e711 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 48133->48140 48134->48129 48136 404e9b SetEvent WaitForSingleObject 48141 41e711 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 48136->48141 48138 404eb3 SetEvent CloseHandle CloseHandle 48138->48134 48139->48131 48140->48136 48141->48138 48142 446782 48143 44678d RtlFreeHeap 48142->48143 48147 4467b6 _free 48142->48147 48144 4467a2 48143->48144 48143->48147 48148 4405dd 20 API calls __dosmaperr 48144->48148 48146 4467a8 GetLastError 48146->48147 48148->48146 48149 40165e 48150 401666 48149->48150 48151 401669 48149->48151 48152 4016a8 48151->48152 48155 401696 48151->48155 48153 4344ea new 22 API calls 48152->48153 48154 40169c 
48153->48154 48156 4344ea new 22 API calls 48155->48156 48156->48154

            Control-flow Graph

            APIs
            • LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
            • GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
            • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
            • GetProcAddress.KERNEL32(00000000), ref: 0041CB88
            • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
            • GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
            • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
            • GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
            • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
            • GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
            • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
            • GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
            • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
            • GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
            • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
            • GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
            • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
            • GetProcAddress.KERNEL32(00000000), ref: 0041CC11
            • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
            • GetProcAddress.KERNEL32(00000000), ref: 0041CC25
            • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
            • GetProcAddress.KERNEL32(00000000), ref: 0041CC39
            • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
            • GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
            • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
            • GetProcAddress.KERNEL32(00000000), ref: 0041CC61
            • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
            • GetProcAddress.KERNEL32(00000000), ref: 0041CC75
            • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
            • GetProcAddress.KERNEL32(00000000), ref: 0041CC86
            • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040E9E1), ref: 0041CC97
            • GetProcAddress.KERNEL32(00000000), ref: 0041CC9A
            • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040E9E1), ref: 0041CCA7
            • GetProcAddress.KERNEL32(00000000), ref: 0041CCAA
            • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040E9E1), ref: 0041CCB7
            • GetProcAddress.KERNEL32(00000000), ref: 0041CCBA
            • LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040E9E1), ref: 0041CCCC
            • GetProcAddress.KERNEL32(00000000), ref: 0041CCCF
            • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040E9E1), ref: 0041CCDC
            • GetProcAddress.KERNEL32(00000000), ref: 0041CCDF
            • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040E9E1), ref: 0041CCF0
            • GetProcAddress.KERNEL32(00000000), ref: 0041CCF3
            • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040E9E1), ref: 0041CD04
            • GetProcAddress.KERNEL32(00000000), ref: 0041CD07
            • LoadLibraryA.KERNELBASE(Rstrtmgr,RmStartSession,?,?,?,?,0040E9E1), ref: 0041CD19
            • GetProcAddress.KERNEL32(00000000), ref: 0041CD1C
            • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040E9E1), ref: 0041CD29
            • GetProcAddress.KERNEL32(00000000), ref: 0041CD2C
            • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040E9E1), ref: 0041CD39
            • GetProcAddress.KERNEL32(00000000), ref: 0041CD3C
            • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040E9E1), ref: 0041CD49
            • GetProcAddress.KERNEL32(00000000), ref: 0041CD4C
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: AddressProc$LibraryLoad$HandleModule
            • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
            • API String ID: 4236061018-3687161714
            • Opcode ID: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
            • Instruction ID: 43d5c3d51f8f0173c8b3474e0c84bdc355f07b7b5b23ff39ae26555794408ecb
            • Opcode Fuzzy Hash: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
            • Instruction Fuzzy Hash: 31419EA0EC035879DA107BB66DCDE3B3E5CD9857953214837B15CA7150EBBCD8408EAE

            Control-flow Graph

            APIs
            • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418136
            • GetProcAddress.KERNEL32(00000000), ref: 00418139
            • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 0041814A
            • GetProcAddress.KERNEL32(00000000), ref: 0041814D
            • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041815E
            • GetProcAddress.KERNEL32(00000000), ref: 00418161
            • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00418172
            • GetProcAddress.KERNEL32(00000000), ref: 00418175
            • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217
            • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 0041822F
            • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 00418245
            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,?), ref: 0041826B
            • NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 00418293
            • NtUnmapViewOfSection.NTDLL(?,?), ref: 004182BB
            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 004182DB
            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004182ED
            • NtClose.NTDLL(?), ref: 004182F7
            • TerminateProcess.KERNEL32(?,00000000), ref: 00418301
            • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418341
            • NtMapViewOfSection.NTDLL(?,00000000), ref: 0041834C
            • WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0041840B
            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00418428
            • ResumeThread.KERNELBASE(?), ref: 00418435
            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041844C
            • GetCurrentProcess.KERNEL32(?), ref: 00418457
            • NtUnmapViewOfSection.NTDLL(00000000), ref: 0041845E
            • NtClose.NTDLL(?), ref: 00418468
            • TerminateProcess.KERNEL32(?,00000000), ref: 00418472
            • GetLastError.KERNEL32 ref: 0041847A
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: Process$Section$AddressHandleModuleProcView$ThreadVirtual$CloseContextCreateCurrentFreeMemoryTerminateUnmapWow64$AllocErrorLastReadResumeWrite
            • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
            • API String ID: 3150337530-3035715614
            • Opcode ID: b936ea2c1396c7360966393650c98f262233681cd2418a1eb1ae5de04f4b839e
            • Instruction ID: 216cb1b436b1bb1c0a39989cd20dfb1fea14fcd849b5832ba41dfff5d3f22c39
            • Opcode Fuzzy Hash: b936ea2c1396c7360966393650c98f262233681cd2418a1eb1ae5de04f4b839e
            • Instruction Fuzzy Hash: EDA16E70604305AFDB208F64CC85BAB7BE8FF48705F04482EF595D6291EB78D844CB1A

            Control-flow Graph

            APIs
            • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F48E
            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4B9
            • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F4D5
            • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F554
            • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F563
              • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
              • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
            • CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F66E
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
            • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
            • API String ID: 3756808967-1743721670
            • Opcode ID: 2b1159e4bf76d907ff299e2ebae75353fef0fa170d651369a5b1a7f908ba5249
            • Instruction ID: b3f00c97eb68dcc530bbf6735eb7028ff3362e05d7342ed3a56d945b0ce45bff
            • Opcode Fuzzy Hash: 2b1159e4bf76d907ff299e2ebae75353fef0fa170d651369a5b1a7f908ba5249
            • Instruction Fuzzy Hash: F6715E705083419BC724FB21D8959AEB7A5AF90348F50083FF586631E3EF78994ECB5A

            Control-flow Graph

            APIs
            • GetCurrentProcess.KERNEL32(00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002,00000000,PkGNG,00446136,00000003), ref: 004432D6
            • TerminateProcess.KERNEL32(00000000), ref: 004432DD
            • ExitProcess.KERNEL32 ref: 004432EF
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: Process$CurrentExitTerminate
            • String ID: PkGNG
            • API String ID: 1703294689-263838557
            • Opcode ID: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
            • Instruction ID: 3be6e6b92543006147ef5d7b2afd166c5ab2c5ffe072a920593a5ac20c7500e8
            • Opcode Fuzzy Hash: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
            • Instruction Fuzzy Hash: D6E0BF31400244FBDF126F55DD0AA993B69FB40757F044469F90946232CB7ADE42CA98

            Control-flow Graph

            APIs
              • Part of subcall function 0041CB50: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
              • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB88
              • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
              • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
              • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
              • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
              • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
              • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
              • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC11
              • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC25
              • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC39
              • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
              • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC61
              • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC75
              • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
            • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\BANK LETTER INDICATION.exe,00000104), ref: 0040E9EE
              • Part of subcall function 00410F37: __EH_prolog.LIBCMT ref: 00410F3C
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
            • String ID: SG$ SG$8SG$8SG$Access Level: $Administrator$C:\Users\user\Desktop\BANK LETTER INDICATION.exe$Exe$Inj$PSG$Remcos Agent initialized$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
            • API String ID: 2830904901-4148781280
            • Opcode ID: 6a4b4de7fd42a8c10dc4126d0235b60c25fc058cc793c05499efd096ea40fb39
            • Instruction ID: d4e128c763ae9979da4f7e35a5cae12564b96cb69b39ecb6445d524eb2b23fe8
            • Opcode Fuzzy Hash: 6a4b4de7fd42a8c10dc4126d0235b60c25fc058cc793c05499efd096ea40fb39
            • Instruction Fuzzy Hash: 6332D860B043412BDA24B7729C67B6E26994F81748F50483FB9467B2E3EFBC4D45839E

            Control-flow Graph

            APIs
            • lstrlenW.KERNEL32(?), ref: 0041C036
            • _memcmp.LIBVCRUNTIME ref: 0041C04E
            • lstrlenW.KERNEL32(?), ref: 0041C067
            • FindFirstVolumeW.KERNELBASE(?,00000104,?), ref: 0041C0A2
            • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C0B5
            • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C0F9
            • lstrcmpW.KERNELBASE(?,?), ref: 0041C114
            • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C12C
            • _wcslen.LIBCMT ref: 0041C13B
            • FindVolumeClose.KERNEL32(?), ref: 0041C15B
            • GetLastError.KERNEL32 ref: 0041C173
            • GetVolumePathNamesForVolumeNameW.KERNELBASE(?,?,?,?), ref: 0041C1A0
            • lstrcatW.KERNEL32(?,?), ref: 0041C1B9
            • lstrcpyW.KERNEL32(?,?), ref: 0041C1C8
            • GetLastError.KERNEL32 ref: 0041C1D0
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
            • String ID: ?
            • API String ID: 3941738427-1684325040
            • Opcode ID: abe7e308a1a6702f98718e9be80ca678ae2d2d31c1c14d85f2c6eaae61ca29ed
            • Instruction ID: a349862c8cee18361e8dc915c9858c0b302c9409c899df8dda18ff866c7f94c5
            • Opcode Fuzzy Hash: abe7e308a1a6702f98718e9be80ca678ae2d2d31c1c14d85f2c6eaae61ca29ed
            • Instruction Fuzzy Hash: 8B416171584316EBD720DFA0DC889EB77ECAB49755F00092BF545C2261EB78C988CBDA
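The control_flow_graph line at the top of this entry is the flattened form of the rendered graph: a block id, its address range, the API names and "call" targets inside that block, and id->id edge tokens. As an added example that is not part of the report, the Python below parses such a line back into a block graph and lists which API calls sit inside a loop; for this function that separates the per-volume body (QueryDosDeviceW, lstrcmpW, FindNextVolumeW) from the FindFirstVolumeW and FindVolumeClose calls that run once. The token grammar is inferred from the report's own lines and is an assumption; the two sample lines are copied verbatim from this report's entries.

```python
# Rebuilds the basic-block graph from the one-line "control_flow_graph" export
# that the IDA plugin embeds in this report, then reports which API calls run
# inside a loop.  Added example, not part of the report; the token grammar is
# inferred from the report's own lines and is an assumption.
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")

@dataclass
class Block:
    start: int                                        # first address in the block
    end: int                                          # last address (== start for one-liners)
    labels: List[str] = field(default_factory=list)   # API names and "call XXXX" targets

@dataclass
class CFG:
    blocks: Dict[int, Block] = field(default_factory=dict)
    edges: List[Tuple[int, int]] = field(default_factory=list)

def parse_cfg(line: str) -> CFG:
    """Grammar: ID ADDR[-ADDR] (APINAME | call ADDR)* ... plus ID->ID edge tokens."""
    toks = line.split()
    if toks and toks[0] == "control_flow_graph":
        toks = toks[1:]
    cfg, cur, i = CFG(), None, 0
    while i < len(toks):
        t = toks[i]
        m = EDGE_RE.match(t)
        if m:
            cfg.edges.append((int(m[1]), int(m[2])))
        elif t.isdigit():
            # A block id is always followed by its address (range); consuming it
            # here keeps an all-digit address such as 413607 from being read as an id.
            lo, _, hi = toks[i + 1].partition("-")
            cur = int(t)
            cfg.blocks[cur] = Block(int(lo, 16), int(hi or lo, 16))
            i += 1
        elif t == "call":
            cfg.blocks[cur].labels.append(f"call {toks[i + 1]}")
            i += 1
        else:
            cfg.blocks[cur].labels.append(t)
        i += 1
    return cfg

def loop_blocks(cfg: CFG) -> Set[int]:
    """Blocks that can reach themselves again, i.e. blocks lying on a cycle."""
    succ = defaultdict(set)
    for a, b in cfg.edges:
        succ[a].add(b)

    def reachable(start: int) -> Set[int]:
        seen, stack = set(), [start]
        while stack:
            for s in succ[stack.pop()]:
                if s not in seen:
                    seen.add(s)
                    stack.append(s)
        return seen

    return {b for b in cfg.blocks if b in reachable(b)}

def loop_apis(cfg: CFG) -> Set[str]:
    """Calls made from inside a loop: the per-item body of an enumeration."""
    return {lab for b in loop_blocks(cfg) for lab in cfg.blocks[b].labels}

# Both samples are copied verbatim from control_flow_graph lines in this report.
VOLUME_ENUM = """control_flow_graph 494 41c01b-41c03e lstrlenW 495 41c040-41c042 494->495
496 41c079-41c0af call 436910 FindFirstVolumeW 494->496 498 41c046-41c058 call 436fea
495->498 502 41c0b5-41c0bd GetLastError 496->502 503 41c136-41c14c call 43bad6 496->503
504 41c060-41c06f lstrlenW 498->504 505 41c05a-41c05e 498->505 507 41c168-41c172 502->507
511 41c0c2-41c0c7 503->511 512 41c152 503->512 504->496 510 41c071-41c075 504->510
505->504 508 41c077 505->508 508->496 510->498 511->512 514 41c0cd-41c0d3 511->514
513 41c157-41c165 FindVolumeClose 512->513 513->507 514->512 515 41c0d5-41c0da 514->515
515->512 516 41c0dc-41c0e1 515->516 516->512 517 41c0e3-41c105 QueryDosDeviceW 516->517
518 41c1d0-41c1d8 GetLastError 517->518 519 41c10b-41c11c lstrcmpW 517->519 518->513
520 41c182-41c1a8 GetVolumePathNamesForVolumeNameW 519->520 521 41c11e-41c134 FindNextVolumeW
519->521 520->518 523 41c1aa-41c1ce lstrcatW lstrcpyW 520->523 521->503
522 41c173-41c17e GetLastError 521->522 522->513 524 41c180 522->524 523->513 524->512"""
REG_QUERY = """control_flow_graph 786 4135a6-4135d2 RegOpenKeyExA 787 4135d4-4135fc RegQueryValueExA RegCloseKey
786->787 788 413607 786->788 789 413609 787->789 790 4135fe-413605 787->790 788->789
791 41360e-41361a call 402093 789->791 790->791"""

if __name__ == "__main__":
    cfg = parse_cfg(VOLUME_ENUM)
    print(f"{len(cfg.blocks)} blocks, {len(cfg.edges)} edges")
    print("called inside a loop:", sorted(loop_apis(cfg)))
```

Run as a script it prints the block and edge counts and the in-loop calls for the volume-enumeration function. The second sample is there for the one-line block whose address is all decimal digits (413607): because the parser always consumes the token after a block id as its address, that token is not mistaken for a new block id.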

            Control-flow Graph

            APIs
            • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,?,?,?,00474EF8,?), ref: 00404E38
            • SetEvent.KERNEL32(?), ref: 00404E43
            • FindCloseChangeNotification.KERNELBASE(?), ref: 00404E4C
            • closesocket.WS2_32(?), ref: 00404E5A
            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404E91
            • SetEvent.KERNEL32(?), ref: 00404EA2
            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404EA9
            • SetEvent.KERNEL32(?), ref: 00404EBA
            • CloseHandle.KERNEL32(?), ref: 00404EBF
            • CloseHandle.KERNEL32(?), ref: 00404EC4
            • SetEvent.KERNEL32(?), ref: 00404ED1
            • CloseHandle.KERNEL32(?), ref: 00404ED6
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: CloseEvent$HandleObjectSingleWait$ChangeFindNotificationclosesocket
            • String ID: PkGNG
            • API String ID: 2403171778-263838557
            • Opcode ID: 87d744648c5afa45b50529b6b6d14d146fbf4d1d8295755f98280c9be6f36435
            • Instruction ID: 0c11cd9b042c69dc9d4dd2828563f6d61870a883144e53252efabab5b24bcc37
            • Opcode Fuzzy Hash: 87d744648c5afa45b50529b6b6d14d146fbf4d1d8295755f98280c9be6f36435
            • Instruction Fuzzy Hash: BF21E871104B04AFDB216B26DC49B27BBA1FF40326F104A2EE2E211AF1CB75B851DB58

            Control-flow Graph

            APIs
              • Part of subcall function 0041361B: RegOpenKeyExW.KERNELBASE(80000001,00000400,00000000,00020019,?,004750E4), ref: 0041363D
              • Part of subcall function 0041361B: RegQueryValueExW.KERNELBASE(?,0040F313,00000000,00000000,?,00000400), ref: 0041365C
              • Part of subcall function 0041361B: RegCloseKey.KERNELBASE(?), ref: 00413665
              • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
            • _wcslen.LIBCMT ref: 0041B763
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: CloseCurrentOpenProcessQueryValue_wcslen
            • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
            • API String ID: 37874593-122982132
            • Opcode ID: c4bf0a1bcabf991af54f6e4bc84134b94c60c4d07c01344186802c80d2ab03a9
            • Instruction ID: 0af867b59be632d30c611c6dccf556baefac66a2e67262e696d3f692bc65d575
            • Opcode Fuzzy Hash: c4bf0a1bcabf991af54f6e4bc84134b94c60c4d07c01344186802c80d2ab03a9
            • Instruction Fuzzy Hash: 6721A472A002086BDB14BAB58CD6AFE766D9B85328F14043FF405B72C2EE7C9D494269

            Control-flow Graph

            APIs
              • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
              • Part of subcall function 004135A6: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004135CA
              • Part of subcall function 004135A6: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004135E7
              • Part of subcall function 004135A6: RegCloseKey.KERNELBASE(?), ref: 004135F2
            • StrToIntA.SHLWAPI(00000000,0046C9F8,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0041B33C
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: CloseCurrentOpenProcessQueryValue
            • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
            • API String ID: 1866151309-2070987746
            • Opcode ID: b004e89fecfca72c60d0d2d1a8fce3e40073890883e7b2a8564e183fd8eeb87f
            • Instruction ID: 0537cd1ef0e49ffa1b211e53375311a7de90e31f2ded896f28e78de68f6ce99c
            • Opcode Fuzzy Hash: b004e89fecfca72c60d0d2d1a8fce3e40073890883e7b2a8564e183fd8eeb87f
            • Instruction Fuzzy Hash: 42112370A4010566C704B3668C87EFF77198B95314F94013BF856A21E2FB6C599683AE

            Control-flow Graph

            APIs
            • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
            • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
            • K32GetProcessImageFileNameW.KERNEL32(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041C228
            • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C233
            • FindCloseChangeNotification.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 0041C23B
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: Process$CloseOpen$ChangeFileFindHandleImageNameNotification
            • String ID:
            • API String ID: 1364656778-0
            • Opcode ID: f9441541d1e055ebec971b28555d0febc4d5c2f8e157a993c91f5ce795852cd2
            • Instruction ID: 502f13a9e38f74389cb09c542eced9ec4ef47df168bad581006c654e14f0d55b
            • Opcode Fuzzy Hash: f9441541d1e055ebec971b28555d0febc4d5c2f8e157a993c91f5ce795852cd2
            • Instruction Fuzzy Hash: 53012BB1680315ABD61057D49C89FB7B27CDB84796F0000A7FA04D21D2EF748C818679

            Control-flow Graph

            control_flow_graph 742 41376f-413786 RegCreateKeyA 743 413788-4137bd call 40247c call 401fab RegSetValueExA RegCloseKey 742->743 744 4137bf 742->744 745 4137c1-4137cf call 401fd8 743->745 744->745
            APIs
            • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046611C), ref: 0041377E
            • RegSetValueExA.KERNELBASE(0046611C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000), ref: 004137A6
            • RegCloseKey.ADVAPI32(0046611C,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000,?,0040875D,00000001), ref: 004137B1
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: CloseCreateValue
            • String ID: Control Panel\Desktop
            • API String ID: 1818849710-27424756
            • Opcode ID: 6030d9855dac89f4cd46f7f8c789974497344dcf9873e73d86c3d4cdefa30cde
            • Instruction ID: c04290829ccef693e4e8b5b7d06cdf9a2950efbbd707a4c1379ff92f90edcb59
            • Opcode Fuzzy Hash: 6030d9855dac89f4cd46f7f8c789974497344dcf9873e73d86c3d4cdefa30cde
            • Instruction Fuzzy Hash: B8F06272400118FBCB009FA1DD45DEA376CEF04B51F108566FD09A61A1D7359E14DB54

            Control-flow Graph

            control_flow_graph 760 448566-44857a 761 448587-4485a2 LoadLibraryExW 760->761 762 44857c-448585 760->762 764 4485a4-4485ad GetLastError 761->764 765 4485cb-4485d1 761->765 763 4485de-4485e0 762->763 766 4485bc 764->766 767 4485af-4485ba LoadLibraryExW 764->767 768 4485d3-4485d4 FreeLibrary 765->768 769 4485da 765->769 770 4485be-4485c0 766->770 767->770 768->769 771 4485dc-4485dd 769->771 770->765 772 4485c2-4485c9 770->772 771->763 772->771
            APIs
            • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,?,00000000,00000000,?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue), ref: 00448598
            • GetLastError.KERNEL32(?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7), ref: 004485A4
            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000), ref: 004485B2
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: LibraryLoad$ErrorLast
            • String ID:
            • API String ID: 3177248105-0
            • Opcode ID: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
            • Instruction ID: d5df962f837ff7629ef00c7a8b4dcab40ba3e58d8e4ddb8b40c265455ff02ab4
            • Opcode Fuzzy Hash: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
            • Instruction Fuzzy Hash: AA012832602322FBD7214B289C4495B7798AB50B61B20053AFD05D3241DF34CD01CAE8

            Control-flow Graph

            control_flow_graph 773 41c485-41c4a9 CreateFileW 774 41c4ab-41c4ad 773->774 775 41c4af-41c4e0 GetFileSize call 40244e call 401fab ReadFile 773->775 776 41c4ed-41c4f1 774->776 781 41c4e2 775->781 782 41c4e4-41c4eb FindCloseChangeNotification 775->782 781->782 782->776
            APIs
            • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
            • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C4B2
            • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C4D7
            • FindCloseChangeNotification.KERNELBASE(00000000,?,00000000,0040412F,00465E74), ref: 0041C4E5
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: File$ChangeCloseCreateFindNotificationReadSize
            • String ID:
            • API String ID: 2135649906-0
            • Opcode ID: c4d28c244904a0c4b31f6914b30dbe9704a3e03414ae878e480ac2c22075bc56
            • Instruction ID: d938e931a51b81dfe9e25773ede9364464a286a3a3b97e7b856b7b87d8bf29b3
            • Opcode Fuzzy Hash: c4d28c244904a0c4b31f6914b30dbe9704a3e03414ae878e480ac2c22075bc56
            • Instruction Fuzzy Hash: 0FF0C2B1245308BFE6101B25ACD4EBB375CEB867A9F00053EF902A22C1CA298C05913A

            Control-flow Graph

            control_flow_graph 783 40d069-40d095 call 401fab CreateMutexA GetLastError
            APIs
            • CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0040D078
            • GetLastError.KERNEL32 ref: 0040D083
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: CreateErrorLastMutex
            • String ID: SG
            • API String ID: 1925916568-3189917014
            • Opcode ID: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
            • Instruction ID: 95155ffd2f5cf2c34283977deb482d2843c3ccfb5002447f486bda260673b364
            • Opcode Fuzzy Hash: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
            • Instruction Fuzzy Hash: 18D012B0604701EBD7181770ED5975839959744702F40487AB50BD99F1CBAC88908519

            Control-flow Graph

            control_flow_graph 786 4135a6-4135d2 RegOpenKeyExA 787 4135d4-4135fc RegQueryValueExA RegCloseKey 786->787 788 413607 786->788 789 413609 787->789 790 4135fe-413605 787->790 788->789 791 41360e-41361a call 402093 789->791 790->791
            APIs
            • RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004135CA
            • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004135E7
            • RegCloseKey.KERNELBASE(?), ref: 004135F2
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: CloseOpenQueryValue
            • String ID:
            • API String ID: 3677997916-0
            • Opcode ID: 2c354c38eb467919e259a426341f00e1060616e4a77f0ac470f93c7e2a8fe8f5
            • Instruction ID: 357f89d7cd1c8cc036c5e31f86fe90e90b696c4569df010e686479b524d11f87
            • Opcode Fuzzy Hash: 2c354c38eb467919e259a426341f00e1060616e4a77f0ac470f93c7e2a8fe8f5
            • Instruction Fuzzy Hash: 5A01D676900228BBCF209B91DC09DEF7FBDDB84751F000066BB09E2240DA748E45DBA4
            APIs
            • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,00000000), ref: 00413569
            • RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 00413587
            • RegCloseKey.ADVAPI32(00000000), ref: 00413592
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: CloseOpenQueryValue
            • String ID:
            • API String ID: 3677997916-0
            • Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
            • Instruction ID: df0ca7b2621da3f23a966dc0a7f3323316399916f3769291e5945d4ebcba47cd
            • Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
            • Instruction Fuzzy Hash: E8F01776900218FFDF109FA0DC05FEEBBBCEB04B11F1040A6BA09E6191E2359F54AB94
            APIs
            • RegOpenKeyExW.KERNELBASE(80000001,00000400,00000000,00020019,?,004750E4), ref: 0041363D
            • RegQueryValueExW.KERNELBASE(?,0040F313,00000000,00000000,?,00000400), ref: 0041365C
            • RegCloseKey.KERNELBASE(?), ref: 00413665
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: CloseOpenQueryValue
            • String ID:
            • API String ID: 3677997916-0
            • Opcode ID: 1fc720c5af09767de5d5cc7bb63512f3198692daef6ba2e2d38df8188ddc2fef
            • Instruction ID: f34a781dc69553a1478c4d1e38e8143fd29b0d6f10a6f19acb5bd71dd86b2662
            • Opcode Fuzzy Hash: 1fc720c5af09767de5d5cc7bb63512f3198692daef6ba2e2d38df8188ddc2fef
            • Instruction Fuzzy Hash: 00F04F75600218FBDF209B90DC05FDD77BCEB04B11F1040A2BA45B5291DB749F849BA8
            APIs
            • RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
            • RegSetValueExA.KERNELBASE(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
            • RegCloseKey.KERNELBASE(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: CloseCreateValue
            • String ID:
            • API String ID: 1818849710-0
            • Opcode ID: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
            • Instruction ID: 04a42b38e2882b978ed87177a7d0f50f8458418d63be9de7f69fe35b215911ab
            • Opcode Fuzzy Hash: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
            • Instruction Fuzzy Hash: 16E06572500318FBEF115F90DC05FEA7B6CDF04B52F1045A5BF09A6191D3358E549798
            APIs
            • GetProcAddress.KERNEL32(00000000,?), ref: 0044852A
            • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00448537
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: AddressProc__crt_fast_encode_pointer
            • String ID:
            • API String ID: 2279764990-0
            • Opcode ID: 8089c10b092d0b8b49c4e4c687cc442f2ac99aa31dc0a9ae19eeba6ee39a8a7d
            • Instruction ID: 198cd69cd453a5762926ca534f03dc7b1e1ac857a4a5158ec5eb6717dc05f104
            • Opcode Fuzzy Hash: 8089c10b092d0b8b49c4e4c687cc442f2ac99aa31dc0a9ae19eeba6ee39a8a7d
            • Instruction Fuzzy Hash: C3113A37A00131AFEB21DE1CDC4195F7391EB80724716452AFC08AB354DF34EC4186D8
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 42a83028ea29ee4520479fdfd1ce509581fbe236408560bbb12e48215694f405
            • Instruction ID: 20740d68f627359004b4f50e822579efa7e6dd26000e0d34fcfb16e84f8f3500
            • Opcode Fuzzy Hash: 42a83028ea29ee4520479fdfd1ce509581fbe236408560bbb12e48215694f405
            • Instruction Fuzzy Hash: 6EF0E2706042015BDB1C8B34CD60B2A36955B84315F288F3FF01AD61E0C73EC8918A0D
            APIs
            • RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: AllocateHeap
            • String ID:
            • API String ID: 1279760036-0
            • Opcode ID: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
            • Instruction ID: 4903450aafda00484806ba385278610c2731405ed8485190d5fd86014b6ab98c
            • Opcode Fuzzy Hash: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
            • Instruction Fuzzy Hash: 92E0ED3120062577FB2226669D05B5B365D9F033A2F160127EC0AA2283DF7CCC0081EF
            APIs
            • std::_Deallocate.LIBCONCRT ref: 00402E2B
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: Deallocatestd::_
            • String ID:
            • API String ID: 1323251999-0
            • Opcode ID: 1728ba59e3f5797c2b26d6c1ec3f14ce13f4925b5309dcbb8e7c7e422a6d3f49
            • Instruction ID: a1ed0c2070530d0d1545540182683da5b3cb4a6c90a46b83737b9b29f97d9faa
            • Opcode Fuzzy Hash: 1728ba59e3f5797c2b26d6c1ec3f14ce13f4925b5309dcbb8e7c7e422a6d3f49
            • Instruction Fuzzy Hash: FFB092364442007ACA026640AC86F5EB762ABA4710F14C92ABA9A281E2D6B74268A647
            APIs
            • SetEvent.KERNEL32(?,?), ref: 00407CB9
            • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407D87
            • DeleteFileW.KERNEL32(00000000), ref: 00407DA9
              • Part of subcall function 0041C291: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C2EC
              • Part of subcall function 0041C291: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C31C
              • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C371
              • Part of subcall function 0041C291: FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D2
              • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D9
              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
              • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
              • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
              • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
            • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00408197
            • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00408278
            • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084C4
            • DeleteFileA.KERNEL32(?), ref: 00408652
              • Part of subcall function 0040880C: __EH_prolog.LIBCMT ref: 00408811
              • Part of subcall function 0040880C: FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
              • Part of subcall function 0040880C: __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
              • Part of subcall function 0040880C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
            • Sleep.KERNEL32(000007D0), ref: 004086F8
            • StrToIntA.SHLWAPI(00000000,00000000), ref: 0040873A
              • Part of subcall function 0041C9E2: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
            • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
            • API String ID: 1067849700-181434739
            • Opcode ID: ee20889b26462be3d37d60383eaca84b38c4e413c047457fbe9ae68671e6accb
            • Instruction ID: 75e26f7f6c3f3dbd7fc3c9379f58c72dc3a715cd35b24c1fb8b7d51949cc7e38
            • Opcode Fuzzy Hash: ee20889b26462be3d37d60383eaca84b38c4e413c047457fbe9ae68671e6accb
            • Instruction Fuzzy Hash: FE427F71A043016BC604FB76C95B9AE77A5AF91348F40093FF542671E2EE7C9A08879B
            APIs
            • __Init_thread_footer.LIBCMT ref: 004056E6
              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
            • __Init_thread_footer.LIBCMT ref: 00405723
            • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660BC,00000000), ref: 004057B6
            • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
            • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
            • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
            • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
            • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
              • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
            • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660C0,00000062,004660A4), ref: 004059E4
            • Sleep.KERNEL32(00000064,00000062,004660A4), ref: 004059FE
            • TerminateProcess.KERNEL32(00000000), ref: 00405A17
            • CloseHandle.KERNEL32 ref: 00405A23
            • CloseHandle.KERNEL32 ref: 00405A2B
            • CloseHandle.KERNEL32 ref: 00405A3D
            • CloseHandle.KERNEL32 ref: 00405A45
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
            • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
            • API String ID: 2994406822-18413064
            • Opcode ID: ff9017fe4a47b23c9c3faeacfcf4d74826474996782d69eafc0bdbb16b5f5ff1
            • Instruction ID: 70e6a120cd26ef4d63fea04585a98dfb86eec3f3f3d93349c630b188a9e88b71
            • Opcode Fuzzy Hash: ff9017fe4a47b23c9c3faeacfcf4d74826474996782d69eafc0bdbb16b5f5ff1
            • Instruction Fuzzy Hash: 8891E471604604AFD711FB36ED42A6F369AEB84308F01443FF989A62E2DB7D9C448B5D
            APIs
            • GetCurrentProcessId.KERNEL32 ref: 00412106
              • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
              • Part of subcall function 00413877: RegSetValueExA.KERNELBASE(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
              • Part of subcall function 00413877: RegCloseKey.KERNELBASE(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
            • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412146
            • CloseHandle.KERNEL32(00000000), ref: 00412155
            • CreateThread.KERNEL32(00000000,00000000,004127EE,00000000,00000000,00000000), ref: 004121AB
            • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041241A
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
            • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
            • API String ID: 3018269243-13974260
            • Opcode ID: 59c89dd61e45a3077bd52359665c40678f4cb35258650c9785bce6b29461495c
            • Instruction ID: 8205490d34a3093c97c97cf0412c87f535f0d81ed9353c04b1464aab831027f3
            • Opcode Fuzzy Hash: 59c89dd61e45a3077bd52359665c40678f4cb35258650c9785bce6b29461495c
            • Instruction Fuzzy Hash: 2671813160430167C614FB72CD579AE73A4AF90308F50057FB546A61E2FFBC9949C69E
            APIs
            • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBAF
            • FindClose.KERNEL32(00000000), ref: 0040BBC9
            • FindNextFileA.KERNEL32(00000000,?), ref: 0040BCEC
            • FindClose.KERNEL32(00000000), ref: 0040BD12
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: Find$CloseFile$FirstNext
            • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
            • API String ID: 1164774033-3681987949
            • Opcode ID: cc2b906fffab3f5d65509244bf78c58c3969fa81e43ac990ef7529a7089f2592
            • Instruction ID: 0369a90be492857ee26322cec2c2e6bc6ddf3692cf68474a737f8ca2a3b0d98c
            • Opcode Fuzzy Hash: cc2b906fffab3f5d65509244bf78c58c3969fa81e43ac990ef7529a7089f2592
            • Instruction Fuzzy Hash: 13516E3190421A9ADB14F7B2DC56DEEB739AF11304F10057FF406721E2EF785A89CA89
            APIs
            • OpenClipboard.USER32 ref: 004168C2
            • EmptyClipboard.USER32 ref: 004168D0
            • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004168F0
            • GlobalLock.KERNEL32(00000000), ref: 004168F9
            • GlobalUnlock.KERNEL32(00000000), ref: 0041692F
            • SetClipboardData.USER32(0000000D,00000000), ref: 00416938
            • CloseClipboard.USER32 ref: 00416955
            • OpenClipboard.USER32 ref: 0041695C
            • GetClipboardData.USER32(0000000D), ref: 0041696C
            • GlobalLock.KERNEL32(00000000), ref: 00416975
            • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
            • CloseClipboard.USER32 ref: 00416984
              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
            • String ID: !D@
            • API String ID: 3520204547-604454484
            • Opcode ID: 3da19db2da9e38382dfa1a35b9112d29995025b8f82a0e1631b12ced5ccb0bf8
            • Instruction ID: 9e7c9e91df33a813dd3aefbd505e3631e00017b2d00f6ad0929271c723fa7fba
            • Opcode Fuzzy Hash: 3da19db2da9e38382dfa1a35b9112d29995025b8f82a0e1631b12ced5ccb0bf8
            • Instruction Fuzzy Hash: 9F212171604301DBD714BB71DC5DABE36A9AF88746F40043EF946921E2EF3C8D45C66A
            APIs
            • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDAF
            • FindClose.KERNEL32(00000000), ref: 0040BDC9
            • FindNextFileA.KERNEL32(00000000,?), ref: 0040BE89
            • FindClose.KERNEL32(00000000), ref: 0040BEAF
            • FindClose.KERNEL32(00000000), ref: 0040BED0
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: Find$Close$File$FirstNext
            • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
            • API String ID: 3527384056-432212279
            • Opcode ID: 10bf6c217e0b25296ff8c4f6571a9877a80f89d81c2766d0b614c08461d6f91f
            • Instruction ID: daa8673b40617291cefb90f55d029d970aaced9502edc59260dc825ad40fac9f
            • Opcode Fuzzy Hash: 10bf6c217e0b25296ff8c4f6571a9877a80f89d81c2766d0b614c08461d6f91f
            • Instruction Fuzzy Hash: 38417D3190021AAADB04F7A6DC5A9EEB769DF11704F50017FF506B20D2EF385A46CA9E
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: 0$1$2$3$4$5$6$7$VG
            • API String ID: 0-1861860590
            • Opcode ID: b5a7de883cd012ce8913fa8e37131401e824a11eb2676ecb59610ee39723a0e8
            • Instruction ID: 08acf1e0be570df0aadc768861284cd9b307e7e5fc43d41925289fb9f64992c1
            • Opcode Fuzzy Hash: b5a7de883cd012ce8913fa8e37131401e824a11eb2676ecb59610ee39723a0e8
            • Instruction Fuzzy Hash: A771B2709183019FD304EF21D862BAB7B94DF95310F10492FF5A26B2D1DF78AA49CB96
            APIs
            • _wcslen.LIBCMT ref: 00407521
            • CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: Object_wcslen
            • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
            • API String ID: 240030777-3166923314
            • Opcode ID: a3f0521951bb9342bb967e70cc438d07290dcccf7f3efa3b8b817ec6fb2293fa
            • Instruction ID: 36c1a35fc662e139fbe0c3856e6c09b73c1590006896ac343f6f9e6a2f87480d
            • Opcode Fuzzy Hash: a3f0521951bb9342bb967e70cc438d07290dcccf7f3efa3b8b817ec6fb2293fa
            • Instruction Fuzzy Hash: 1D115172D04218BAD710E6959C45ADEB7A89B08714F15007BF904B2282E77CAA4486BA
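The entry above is the UAC bypass the overview flags: CoGetObject is handed the moniker `Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}`, which asks COM to start the auto-elevated CMSTPLUA object (ICMLuaUtil) without a consent prompt, and the `ucmAllocateElevatedObject` string strongly suggests the routine was lifted from UACMe. A practical hunting check is to scan memory dumps for that moniker in both encodings: the report lists it narrow, but CoGetObject takes a wide string (hence the `_wcslen` call), so the live copy is UTF-16LE. The following scanner is an added example written for this page, not code from the report or from Remcos; the sample dump it scans is constructed inline and the all-zero CLSID in it is a placeholder to exercise the "unknown CLSID" path.

```python
import re

# The only elevation CLSID this report shows. CMSTPLUA exposes ICMLuaUtil, an
# auto-elevated COM object; CoGetObject on this moniker is the CMSTP UAC bypass.
KNOWN_ELEVATED_CLSIDS = {
    "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}": "CMSTPLUA (ICMLuaUtil)",
}

_PREFIX = b"Elevation:Administrator!new:"
_CLSID = rb"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"

# Narrow form, as the report's string listing shows it.
ASCII_RE = re.compile(re.escape(_PREFIX) + b"(" + _CLSID + b")")
# Wide form: the prefix byte-by-byte with NUL padding, then 38 wide characters
# for the braced CLSID (validated properly after decoding).
WIDE_RE = re.compile(
    b"".join(re.escape(bytes([c])) + b"\x00" for c in _PREFIX)
    + b"((?:[0-9A-Fa-f{}\\-]\x00){38})"
)
_CLSID_CHECK = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$")


def find_elevation_monikers(buf: bytes):
    """Return sorted (offset, encoding, CLSID, label) tuples for every
    elevation moniker found in buf, in either ASCII or UTF-16LE."""
    hits = []
    for m in ASCII_RE.finditer(buf):
        clsid = m.group(1).decode("ascii").upper()
        hits.append((m.start(), "ascii", clsid,
                     KNOWN_ELEVATED_CLSIDS.get(clsid, "unknown CLSID")))
    for m in WIDE_RE.finditer(buf):
        clsid = m.group(1).decode("utf-16-le").upper()
        if not _CLSID_CHECK.match(clsid):   # wide class was permissive; validate here
            continue
        hits.append((m.start(), "utf-16le", clsid,
                     KNOWN_ELEVATED_CLSIDS.get(clsid, "unknown CLSID")))
    return sorted(hits)


def build_sample_dump() -> bytes:
    """Constructed stand-in for a process memory dump (not data from the report)."""
    known = "Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"
    # All-zero CLSID: a placeholder to exercise the "unknown" path, not a real target.
    other = "Elevation:Administrator!new:{00000000-0000-0000-0000-000000000000}"
    return (b"\x90" * 16 + b"[+] CoGetObject\x00" + known.encode("ascii") + b"\x00"
            + b"\xcc" * 32 + known.encode("utf-16-le") + b"\x00\x00"
            + b"\xcc" * 8 + other.encode("utf-16-le") + b"\x00\x00")


if __name__ == "__main__":
    for off, enc, clsid, label in find_elevation_monikers(build_sample_dump()):
        print(f"0x{off:08x} {enc:8} {clsid} -> {label}")
```

Run it against a real dump by replacing `build_sample_dump()` with the file contents; any hit, known CLSID or not, is worth a look, since legitimate software has no reason to carry an `Elevation:Administrator!new:` moniker in its image.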
            APIs
            • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A75E
            • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A7AD
            • GetLastError.KERNEL32 ref: 0041A7BB
            • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A7F3
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: EnumServicesStatus$ErrorLastManagerOpen
            • String ID:
            • API String ID: 3587775597-0
            • Opcode ID: 23e486b81d5319d6976a5705641320cfcad202a7a3e49a3714ee4dfbb4f6799a
            • Instruction ID: 0905bbee584710e72bd43cf86ffd47af08151029a50ddcda7611e9b1cb6672f7
            • Opcode Fuzzy Hash: 23e486b81d5319d6976a5705641320cfcad202a7a3e49a3714ee4dfbb4f6799a
            • Instruction Fuzzy Hash: A1815F71104305ABC304EB61D885DAFB7A8FF94749F50092FF585521A2EF78EE48CB9A
            APIs
              • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
              • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
              • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
              • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
            • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045271C
            • IsValidCodePage.KERNEL32(00000000), ref: 00452777
            • IsValidLocale.KERNEL32(?,00000001), ref: 00452786
            • GetLocaleInfoW.KERNEL32(?,00001001,lJD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 004527CE
            • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 004527ED
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
            • String ID: lJD$lJD$lJD
            • API String ID: 745075371-479184356
            • Opcode ID: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
            • Instruction ID: 5597d49bf91f8be5c1e88387600e3254545b136a20640e737b6730ed74bf2304
            • Opcode Fuzzy Hash: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
            • Instruction Fuzzy Hash: 87518371900205ABDF10DFA5CD41ABF77B8AF19702F14047BFD04E7292E7B899488B69
            APIs
            • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C39B
            • FindNextFileW.KERNEL32(00000000,?), ref: 0040C46E
            • FindClose.KERNEL32(00000000), ref: 0040C47D
            • FindClose.KERNEL32(00000000), ref: 0040C4A8
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: Find$CloseFile$FirstNext
            • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
            • API String ID: 1164774033-405221262
            • Opcode ID: 08abbb823d5645fbb38466ebfa51880db55170c7ba6cb46b2d507d1ef508ad21
            • Instruction ID: 975c513e22faa42ee1994afe11ceef4a5d9ff9fa3a88a4f7cb3cdca8b35e8719
            • Opcode Fuzzy Hash: 08abbb823d5645fbb38466ebfa51880db55170c7ba6cb46b2d507d1ef508ad21
            • Instruction Fuzzy Hash: 4131513150021AA6CB14E7A1DC9ADFE7778AF10718F10017FB105B20D2EF789A49CA4D
            APIs
            • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C2EC
            • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C31C
            • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00474EE0,?), ref: 0041C38E
            • DeleteFileW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C39B
              • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C371
            • GetLastError.KERNEL32(?,?,?,?,?,00474EE0,?), ref: 0041C3BC
            • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D2
            • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D9
            • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3E2
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
            • String ID:
            • API String ID: 2341273852-0
            • Opcode ID: 5daa9100e03deb39a4691b7b17906df9641a5acb862147602035c05749f1dd0e
            • Instruction ID: c19bc5cae20e4253aafd1d57f534f4f4794eeb6ee7264df4fdb3445c687e6cd6
            • Opcode Fuzzy Hash: 5daa9100e03deb39a4691b7b17906df9641a5acb862147602035c05749f1dd0e
            • Instruction Fuzzy Hash: 1331827294031CAADB24E7A1DC88EDB736CAF04305F4405FBF955D2152EB39DAC88B68
            APIs
            • FindFirstFileW.KERNEL32(00000000,?), ref: 00419D4B
            • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419E17
              • Part of subcall function 0041C485: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: File$Find$CreateFirstNext
            • String ID: 8SG$PXG$PXG$NG$PG
            • API String ID: 341183262-3812160132
            • Opcode ID: 82314eeff241e38e25ba769843facc622900e81eecec2918aec2115619fdd9a6
            • Instruction ID: 96038134cf9b6260143958ba34f432c8b7c7433700823f8ab46a3e18139dd1a2
            • Opcode Fuzzy Hash: 82314eeff241e38e25ba769843facc622900e81eecec2918aec2115619fdd9a6
            • Instruction Fuzzy Hash: D48152315083415AC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
            APIs
            • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A2D3
            • SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
            • GetLastError.KERNEL32 ref: 0040A2ED
              • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A33B
            • TranslateMessage.USER32(?), ref: 0040A34A
            • DispatchMessageA.USER32(?), ref: 0040A355
            Strings
            • Keylogger initialization failure: error , xrefs: 0040A301
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
            • String ID: Keylogger initialization failure: error
            • API String ID: 3219506041-952744263
            • Opcode ID: 4f13040d40fce51975cfbbc3673976c4dad95410904dfe41d9466c849e225161
            • Instruction ID: 26c2bdf112627336efb266b6f5317542b4ef4d62b82d8858756ad59ca9dca42a
            • Opcode Fuzzy Hash: 4f13040d40fce51975cfbbc3673976c4dad95410904dfe41d9466c849e225161
            • Instruction Fuzzy Hash: FA11BF32604301ABCB107F76DC0A86B77ECEA95716B10457EFC85E21D1EA38C910CBAA
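The keylogger entry above shows the canonical low-level keyboard hook: `SetWindowsHookExA` with idHook 0x0D (WH_KEYBOARD_LL), followed by a `GetMessageA`/`TranslateMessage`/`DispatchMessageA` pump, which a low-level hook needs because its callback is delivered only while the installing thread services messages. The watchdog entry earlier on this page shows the other pattern worth a rule, `OpenProcess` with dwDesiredAccess 0x1FFFFF (PROCESS_ALL_ACCESS). The following parser turns the report's `• Api.MODULE(args), ref: ADDR` lines into records and evaluates both rules; it is an added example written for this page, not tooling from Joe Sandbox, and the two embedded traces are copied verbatim from the entries mentioned.

```python
import re
from dataclasses import dataclass

# One "• Api.MODULE(args), ref: ADDR" line of the report, with the optional
# "Part of subcall function XXXXXXXX:" prefix and the no-argument variant.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+([0-9A-Fa-f]{8}):\s*)?"
    r"([A-Za-z_@0-9]+)\.([A-Za-z0-9_]+)"
    r"(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-Fa-f]{8})"
)

WH_KEYBOARD_LL = 0x0D          # SetWindowsHookEx idHook for a low-level keyboard hook
PROCESS_ALL_ACCESS = 0x1FFFFF  # OpenProcess dwDesiredAccess on Vista and later


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int
    subcall: bool


def parse_trace(text: str) -> list:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sub, api, mod, args, ref = m.groups()
        arglist = [a.strip() for a in args.split(",")] if args else []
        calls.append(ApiCall(api, mod, arglist, int(ref, 16), sub is not None))
    return calls


def _hex(arg):
    try:
        return int(arg, 16)
    except ValueError:        # "?" (unresolved) or a string literal
        return None


def assess(calls):
    """Rules: WH_KEYBOARD_LL hook plus a message pump (keylogger), and
    OpenProcess(PROCESS_ALL_ACCESS). Only the function's own calls count;
    'Part of subcall' lines belong to callees and are excluded."""
    own = [c for c in calls if not c.subcall]
    hooks = [c for c in own if c.api.startswith("SetWindowsHookEx")
             and c.args and _hex(c.args[0]) == WH_KEYBOARD_LL]
    pump = any(c.api.startswith("GetMessage") for c in own)
    opens = [c for c in own if c.api == "OpenProcess"
             and c.args and _hex(c.args[0]) == PROCESS_ALL_ACCESS]
    return {
        "ll_keyboard_hook": [f"{c.ref:08X}" for c in hooks],
        "keylogger": bool(hooks) and pump,
        "open_process_all_access": [f"{c.ref:08X}" for c in opens],
    }


# Lines copied from the report's keylogger-setup and watchdog entries.
KEYLOGGER_TRACE = """
• GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A2D3
• SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
• GetLastError.KERNEL32 ref: 0040A2ED
  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A33B
• TranslateMessage.USER32(?), ref: 0040A34A
• DispatchMessageA.USER32(?), ref: 0040A355
"""
WATCHDOG_TRACE = """
• CloseHandle.KERNEL32(00000000), ref: 00412155
• CreateThread.KERNEL32(00000000,00000000,004127EE,00000000,00000000,00000000), ref: 004121AB
• OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041241A
"""

if __name__ == "__main__":
    for name, trace in (("keylogger", KEYLOGGER_TRACE), ("watchdog", WATCHDOG_TRACE)):
        print(name, assess(parse_trace(trace)))
```

The same parser can be pointed at the whole function listing of a report to pull out every entry that matches a rule, which is a quick way to turn a sandbox run into candidate behaviours for a Sigma or YARA rule.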
            APIs
            • GetForegroundWindow.USER32 ref: 0040A416
            • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
            • GetKeyboardLayout.USER32(00000000), ref: 0040A429
            • GetKeyState.USER32(00000010), ref: 0040A433
            • GetKeyboardState.USER32(?), ref: 0040A43E
            • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A461
            • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
            • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A4FA
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
            • String ID:
            • API String ID: 1888522110-0
            • Opcode ID: 4ba0a60493bf1cb7a04a280161e9af6e0206db9f66fbe83c406a8642f04fa518
            • Instruction ID: 5ff565fa5b8df07833abad56ec5ecbabe923af01fc99f1944a330f9e709d98a3
            • Opcode Fuzzy Hash: 4ba0a60493bf1cb7a04a280161e9af6e0206db9f66fbe83c406a8642f04fa518
            • Instruction Fuzzy Hash: AE316D72504308FFD710DF94DC45F9BB7ECAB88705F01083AB645D61A0E7B5E9488BA6
            APIs
            • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0041409D
            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140A9
              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
            • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 0041426A
            • GetProcAddress.KERNEL32(00000000), ref: 00414271
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: AddressCloseCreateLibraryLoadProcsend
            • String ID: SHDeleteKeyW$Shlwapi.dll
            • API String ID: 2127411465-314212984
            • Opcode ID: 503daa7f3cf37e559493f2b38fbdbd662be014167a3854e37f89a3b2555f4814
            • Instruction ID: ad322413622673165c78a8c4b5f48079e939d646f467ca97d3bec1feacf55119
            • Opcode Fuzzy Hash: 503daa7f3cf37e559493f2b38fbdbd662be014167a3854e37f89a3b2555f4814
            • Instruction Fuzzy Hash: F9B1F971A0430066CA14FB76DC5B9AF36A86FD1748F40053FF942771E2EE7C9A4886DA
            APIs
            • _free.LIBCMT ref: 00449212
            • _free.LIBCMT ref: 00449236
            • _free.LIBCMT ref: 004493BD
            • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
            • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
            • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
            • _free.LIBCMT ref: 00449589
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: _free$ByteCharMultiWide$InformationTimeZone
            • String ID:
            • API String ID: 314583886-0
            • Opcode ID: e51e2b160430e069a94018d2a40d83d225257a5f61c10d126208887eb2308fed
            • Instruction ID: 779aab753f07af14b01adf3fce5c8211df4e7f9331a35af1166ddbde82723190
            • Opcode Fuzzy Hash: e51e2b160430e069a94018d2a40d83d225257a5f61c10d126208887eb2308fed
            • Instruction Fuzzy Hash: CAC15771900205ABFB24DF69CC41AAFBBA8EF46314F1405AFE89497381E7788E42D758
            APIs
              • Part of subcall function 00417952: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
              • Part of subcall function 00417952: OpenProcessToken.ADVAPI32(00000000), ref: 00417966
              • Part of subcall function 00417952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
              • Part of subcall function 00417952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
              • Part of subcall function 00417952: GetLastError.KERNEL32 ref: 0041799D
            • ExitWindowsEx.USER32(00000000,00000001), ref: 00416856
            • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 0041686B
            • GetProcAddress.KERNEL32(00000000), ref: 00416872
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
            • String ID: !D@$PowrProf.dll$SetSuspendState
            • API String ID: 1589313981-2876530381
            • Opcode ID: 518a98aa8e33dee1c4de961979bab0d7f2b6bdf321556802f5344010ded5f568
            • Instruction ID: 15d3ae9bc4d358b9de40311b9e813ebd0b85961e95f80c383f5c7d57e5fc9640
            • Opcode Fuzzy Hash: 518a98aa8e33dee1c4de961979bab0d7f2b6bdf321556802f5344010ded5f568
            • Instruction Fuzzy Hash: 6E21617060430256CB14FBB68856AAE63599F41788F41487FB442A72D3EF3CD845CBAE
            APIs
            • GetLocaleInfoW.KERNEL32(00000000,2000000B,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524D5
            • GetLocaleInfoW.KERNEL32(00000000,20001004,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524FE
            • GetACP.KERNEL32(?,?,0045275B,?,00000000), ref: 00452513
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: InfoLocale
            • String ID: ACP$OCP$['E
            • API String ID: 2299586839-2532616801
            • Opcode ID: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
            • Instruction ID: 65f7b5195a5790e2d5819d7d4b0c6b76a8aa59636dcad79128a037cfc813d78c
            • Opcode Fuzzy Hash: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
            • Instruction Fuzzy Hash: FD21F432600104A7DB348F54CF00AA773A6EB47B1AB168567EC09D7302F7BADD48C398
            APIs
            • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B3A7
            • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B3BD
            • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B3D6
            • InternetCloseHandle.WININET(00000000), ref: 0041B41C
            • InternetCloseHandle.WININET(00000000), ref: 0041B41F
            Strings
            • http://geoplugin.net/json.gp, xrefs: 0041B3B7
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: Internet$CloseHandleOpen$FileRead
            • String ID: http://geoplugin.net/json.gp
            • API String ID: 3121278467-91888290
            • Opcode ID: 93fb62275c9c30ece467367bc9d260af9d028c0859994e7c2f4e10a89ee4ed45
            • Instruction ID: bc766ab0241d3587a1949f89688fbc1c60562a782fd7f61c1deed4db1e92f461
            • Opcode Fuzzy Hash: 93fb62275c9c30ece467367bc9d260af9d028c0859994e7c2f4e10a89ee4ed45
            • Instruction Fuzzy Hash: E711EB311053126BD224AB269C49EBF7F9CEF86755F00043EF905A2292DB68DC45C6FA
            APIs
            • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA4E
            • GetLastError.KERNEL32 ref: 0040BA58
            Strings
            • UserProfile, xrefs: 0040BA1E
            • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA19
            • [Chrome StoredLogins not found], xrefs: 0040BA72
            • [Chrome StoredLogins found, cleared!], xrefs: 0040BA7E
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: DeleteErrorFileLast
            • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
            • API String ID: 2018770650-1062637481
            • Opcode ID: 0e718a6ebf02f44b4289ad564225df6632aa7359f7d3b59aeb067c3ad082f2b5
            • Instruction ID: af402a2c9819bc64f7c9913ab42ffc044d60d1b3c88a69bbc3d4df1d4d30a246
            • Opcode Fuzzy Hash: 0e718a6ebf02f44b4289ad564225df6632aa7359f7d3b59aeb067c3ad082f2b5
            • Instruction Fuzzy Hash: 2D01A7B17801056AC70477B6CD5B9BE77249911704F50057FF802725E2FE7D59098ADE
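Two of the entries above give host-level telemetry that is easy to correlate: the WININET entry fetches `http://geoplugin.net/json.gp` to geolocate the victim, and the browser entries delete `Login Data` (Chrome), `logins.json`/`key3.db` and `cookies.sqlite` (Firefox) and log "StoredLogins found, cleared!". Either signal alone is noisy (browsers rewrite their own stores; a web page can legitimately resolve geoplugin.net), but one process doing both is a strong Remcos indicator. The following correlation over Sysmon events (EventID 22 DnsQuery, 23/26 FileDelete) is an added example written for this page, not a Joe Sandbox or Sysmon artifact; the events are constructed inline with made-up paths and ProcessGuids.

```python
import re
from collections import defaultdict

# Geolocation service the sample contacts (see the WININET entry above).
GEO_DOMAINS = ("geoplugin.net",)

# Credential and cookie stores the report shows being deleted.
BROWSER_STORE_RE = re.compile(
    r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$"
    r"|\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(?:logins\.json|key3\.db|cookies\.sqlite)$",
    re.IGNORECASE,
)


def _is_geo_lookup(qname: str) -> bool:
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in GEO_DOMAINS)


def correlate(events):
    """events: Sysmon records as dicts (EventID 22 DnsQuery, 23/26 FileDelete).
    Alert on a process that both resolved the geolocation service and deleted
    a browser credential/cookie store."""
    per_proc = defaultdict(lambda: {"image": None, "geo": [], "deleted": []})
    for ev in events:
        p = per_proc[ev["ProcessGuid"]]
        p["image"] = ev.get("Image", p["image"])
        if ev["EventID"] == 22 and _is_geo_lookup(ev.get("QueryName", "")):
            p["geo"].append(ev["QueryName"])
        elif ev["EventID"] in (23, 26) and BROWSER_STORE_RE.search(ev.get("TargetFilename", "")):
            p["deleted"].append(ev["TargetFilename"])
    return [{"ProcessGuid": g, **p} for g, p in per_proc.items() if p["geo"] and p["deleted"]]


# Constructed events; field names mirror Sysmon's, values are made up.
_MAL = r"C:\Users\alice\AppData\Local\Temp\BANK LETTER INDICATION.exe"
SAMPLE_EVENTS = [
    {"EventID": 22, "ProcessGuid": "{A1}", "Image": _MAL, "QueryName": "geoplugin.net"},
    {"EventID": 23, "ProcessGuid": "{A1}", "Image": _MAL,
     "TargetFilename": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"EventID": 23, "ProcessGuid": "{A1}", "Image": _MAL,
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default\logins.json"},
    # Chrome rewriting its own store: deletion without the geo lookup, no alert.
    {"EventID": 26, "ProcessGuid": "{B2}",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    # A browser resolving the geo service for a web page: lookup without deletion, no alert.
    {"EventID": 22, "ProcessGuid": "{C3}",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "QueryName": "www.geoplugin.net"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["ProcessGuid"], alert["image"], alert["geo"], alert["deleted"])
```

Sysmon only records FileDelete events for the paths its configuration covers, so the `TargetFilename` patterns above must also appear in the Sysmon config's EventID 23/26 include rules for this correlation to fire in production.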
            APIs
            • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
            • OpenProcessToken.ADVAPI32(00000000), ref: 00417966
            • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
            • GetLastError.KERNEL32 ref: 0041799D
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
            • String ID: SeShutdownPrivilege
            • API String ID: 3534403312-3733053543
            • Opcode ID: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
            • Instruction ID: b599e5caaba2c857c5a7044ea86e3d1b9a306509f9612008a7a3a71442eb1233
            • Opcode Fuzzy Hash: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
            • Instruction Fuzzy Hash: 1EF03AB1801229FBDB109BA0EC4DEEF7FBCEF05612F100461B809A1092D7388E04CAB5
            APIs
            • __EH_prolog.LIBCMT ref: 00409258
              • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
            • __CxxThrowException@8.LIBVCRUNTIME ref: 004092F4
            • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00409352
            • FindNextFileW.KERNEL32(00000000,?), ref: 004093AA
            • FindClose.KERNEL32(00000000), ref: 004093C1
              • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,?,?,?,00474EF8,?), ref: 00404E38
              • Part of subcall function 00404E26: SetEvent.KERNEL32(?), ref: 00404E43
              • Part of subcall function 00404E26: FindCloseChangeNotification.KERNELBASE(?), ref: 00404E4C
            • FindClose.KERNEL32(00000000), ref: 004095B9
              • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
              • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: Find$Close$EventFileObjectSingleWait$ChangeException@8FirstH_prologNextNotificationThrowconnectsend
            • String ID:
            • API String ID: 2435342581-0
            • Opcode ID: 27b22fca0a27779137ade02a72c9abe49e1240f26c7200fc68e50cf31d4d9716
            • Instruction ID: 125c9cc0036adb3739497efb01147483584b5989e706bb19fe9a4109aadf0594
            • Opcode Fuzzy Hash: 27b22fca0a27779137ade02a72c9abe49e1240f26c7200fc68e50cf31d4d9716
            • Instruction Fuzzy Hash: DCB18D32900109AACB14EBA1DD96AED7779AF04318F10417FF506B60E2EF785E49CB98
            APIs
            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A6A0,00000000), ref: 0041AA53
            • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A6A0,00000000), ref: 0041AA68
            • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA75
            • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A6A0,00000000), ref: 0041AA80
            • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA92
            • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA95
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: Service$CloseHandle$Open$ManagerStart
            • String ID:
            • API String ID: 276877138-0
            • Opcode ID: 9428b136f56b7ac5d2013585799c428180de648bb4d6702bc273cde58ba3a705
            • Instruction ID: 9fefcdd13c5f6832e1e8d6374d810b05479d45f16fba084c356bea358aebaaee
            • Opcode Fuzzy Hash: 9428b136f56b7ac5d2013585799c428180de648bb4d6702bc273cde58ba3a705
            • Instruction Fuzzy Hash: FCF08971101325AFD2119B619C88DFF2B6CDF85BA6B00082AF945921919B68CD49E9B9
            APIs
              • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
              • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
              • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
            • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444A73,?,?,?,?,004444CA,?,00000004), ref: 00451DBA
            • _wcschr.LIBVCRUNTIME ref: 00451E4A
            • _wcschr.LIBVCRUNTIME ref: 00451E58
            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,sJD,00000000,?), ref: 00451EFB
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
            • String ID: sJD
            • API String ID: 4212172061-3536923933
            • Opcode ID: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
            • Instruction ID: 601d6103ecad0283333aca7e4f79148897faf6e4cefa34abd84194fcdbd45a0d
            • Opcode Fuzzy Hash: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
            • Instruction Fuzzy Hash: ED61FA35500606AAE724AB75CC86BBB73A8EF04316F14046FFD05D7292EB78ED48C769
            APIs
              • Part of subcall function 00413549: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,00000000), ref: 00413569
              • Part of subcall function 00413549: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 00413587
              • Part of subcall function 00413549: RegCloseKey.ADVAPI32(00000000), ref: 00413592
            • Sleep.KERNEL32(00000BB8), ref: 0040F85B
            • ExitProcess.KERNEL32 ref: 0040F8CA
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: CloseExitOpenProcessQuerySleepValue
            • String ID: 5.1.0 Pro$override$pth_unenc
            • API String ID: 2281282204-182549033
            • Opcode ID: 4e903ea124b299fad782a08e8768850b9c3ef0dc11401a80aa78cd5f22d12669
            • Instruction ID: 07d0e0dc4205ecb16ec703249a4fc897915f305b32a2beb09604d1d6565ffe0f
            • Opcode Fuzzy Hash: 4e903ea124b299fad782a08e8768850b9c3ef0dc11401a80aa78cd5f22d12669
            • Instruction Fuzzy Hash: F821F371B0420167C604767A485B6AE35A95B80718F90403FF505676D7FF7C8E0583EF
            APIs
            • GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
            • wsprintfW.USER32 ref: 0040B1F3
              • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: EventLocalTimewsprintf
            • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
            • API String ID: 1497725170-248792730
            • Opcode ID: 48ae87abe5a633f6dbf757c3d9d37f4c5ebff31f90a39cbd1b197af817f8fe73
            • Instruction ID: 81b60f5d3581edaaac31e3e44e1e4f5c322996b2d8bf5e7d6f89c643b346fb92
            • Opcode Fuzzy Hash: 48ae87abe5a633f6dbf757c3d9d37f4c5ebff31f90a39cbd1b197af817f8fe73
            • Instruction Fuzzy Hash: 82117F72504118AACB18AB96EC558FE77BCEE48315B00012FF506A60E1FF7C9E46C6AC
            APIs
            • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B4B9
            • LoadResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4CD
            • LockResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4D4
            • SizeofResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4E3
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: Resource$FindLoadLockSizeof
            • String ID: SETTINGS
            • API String ID: 3473537107-594951305
            • Opcode ID: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
            • Instruction ID: 65170a014006dd87783428e4339c5f85687a52ee3761dac8d56b05c0676c202a
            • Opcode Fuzzy Hash: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
            • Instruction Fuzzy Hash: 8AE01A36200B22EBEB311BA5AC4CD473E29F7C97637100075F90596232CB798840DAA8
            APIs
            • __EH_prolog.LIBCMT ref: 0040966A
            • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004096E2
            • FindNextFileW.KERNEL32(00000000,?), ref: 0040970B
            • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00409722
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: Find$File$CloseFirstH_prologNext
            • String ID:
            • API String ID: 1157919129-0
            • Opcode ID: f1abb1e18261a1922addd69d7cffa3ae5e96847022b02d1b31507e848c25f0fe
            • Instruction ID: bc6583c976318a9931a9d4e75bf6093b5b8d8c817350453c5398c0af4fd679c1
            • Opcode Fuzzy Hash: f1abb1e18261a1922addd69d7cffa3ae5e96847022b02d1b31507e848c25f0fe
            • Instruction Fuzzy Hash: 59812B329001199BCB15EBA1DC969EDB378AF14318F10417FE506B71E2EF78AE49CB58
            APIs
            • __EH_prolog.LIBCMT ref: 00408811
            • FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
            • __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
            • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
            • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A15
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: Find$File$CloseException@8FirstH_prologNextThrow
            • String ID:
            • API String ID: 1771804793-0
            • Opcode ID: 343675e76b0a0f9536e7689d5bfc322d86527155193a82fc771824cafc66db2c
            • Instruction ID: 1e810be39857a3d86828f92fa26e793a4655b35e172fafea17edde612d57cc14
            • Opcode Fuzzy Hash: 343675e76b0a0f9536e7689d5bfc322d86527155193a82fc771824cafc66db2c
            • Instruction Fuzzy Hash: 16515F72900209AACF04FB61DD569ED7778AF11308F50417FB946B61E2EF389B48CB99
            APIs
            • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FBC
            • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070A0
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: DownloadExecuteFileShell
            • String ID: C:\Users\user\Desktop\BANK LETTER INDICATION.exe$open
            • API String ID: 2825088817-3585539766
            • Opcode ID: 8341db3bc302fba65028eb5830d70bd40add62ae0f2dccab7f4c30313c030271
            • Instruction ID: 27a8b34c094a82f854f2ee3e6b31e6014a71d41456184bc7540e3ceb6c1d0c01
            • Opcode Fuzzy Hash: 8341db3bc302fba65028eb5830d70bd40add62ae0f2dccab7f4c30313c030271
            • Instruction Fuzzy Hash: 6561A171B0830166CA24FB76C8569BE37A59F81748F50093FB942772D2EE3C9905C69B
            APIs
            • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407857
            • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040791F
              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: FileFind$FirstNextsend
            • String ID: XPG$XPG
            • API String ID: 4113138495-1962359302
            • Opcode ID: da2a088c2c47bfc86c5ef0d10107ac4426fe09f0bf14043eaa07d8cc52736815
            • Instruction ID: 6b6d716c6ecdfe6ec78918620e47e684a121d368db73a1555a51ac38f2ecb6eb
            • Opcode Fuzzy Hash: da2a088c2c47bfc86c5ef0d10107ac4426fe09f0bf14043eaa07d8cc52736815
            • Instruction Fuzzy Hash: 212195325083419BC314FB61D855DEFB3ACAF90358F40493EF696621E1EF78AA09C65B
            APIs
            • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
              • Part of subcall function 0041376F: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046611C), ref: 0041377E
              • Part of subcall function 0041376F: RegSetValueExA.KERNELBASE(0046611C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000), ref: 004137A6
              • Part of subcall function 0041376F: RegCloseKey.ADVAPI32(0046611C,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000,?,0040875D,00000001), ref: 004137B1
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: CloseCreateInfoParametersSystemValue
            • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
            • API String ID: 4127273184-3576401099
            • Opcode ID: c1cf17afc107d38403827313c77b8842138f590ddb262c3ed212fcd5b1f29f29
            • Instruction ID: 1197cbbb31bb874c57b9e92d70abebba424d259215afdbf251ae70ffa4d9d73d
            • Opcode Fuzzy Hash: c1cf17afc107d38403827313c77b8842138f590ddb262c3ed212fcd5b1f29f29
            • Instruction Fuzzy Hash: 7B1184B2BC021473D419313E5DABBBE28029743B51F94416BF6123A6C6E8DF0A8102CF
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: PkGNG
            • API String ID: 0-263838557
            • Opcode ID: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
            • Instruction ID: a89a86a7c059f2ce1b75669fee0c4fca3fa64158462c9470c468cddaecc71d09
            • Opcode Fuzzy Hash: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
            • Instruction Fuzzy Hash: FB025D71E002199BEF14CFA9D8806AEBBF1FF49324F26416AD819E7344D734AE41CB85
            APIs
              • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
              • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
              • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
              • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452117
            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452168
            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452228
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: ErrorInfoLastLocale$_free$_abort
            • String ID:
            • API String ID: 2829624132-0
            • Opcode ID: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
            • Instruction ID: 4b80d7ab7a7ff47978e382ad652e238d088576b56b9f239e8998609391b98480
            • Opcode Fuzzy Hash: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
            • Instruction Fuzzy Hash: B961C1315006079BDB289F25CE82BBB77A8FF05306F1041ABED15C6642F7B89D89DB58
            APIs
            • IsDebuggerPresent.KERNEL32 ref: 0043BC1A
            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC24
            • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC31
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: ExceptionFilterUnhandled$DebuggerPresent
            • String ID:
            • API String ID: 3906539128-0
            • Opcode ID: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
            • Instruction ID: cbfc558a7ca4bb69983b526de44ffd1abc81b2e56a4044740c9350c1ecaeaada
            • Opcode Fuzzy Hash: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
            • Instruction Fuzzy Hash: E131C27590121DABCB21DF65DD89BCDBBB8AF08311F5051EAE80CA6251EB349F858F48
            APIs
            • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,?,004334BF,00000034,?,?,00000000), ref: 00433849
            • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,PkGNG,00433552,?,?,?), ref: 0043385F
            • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,PkGNG,00433552,?,?,?,0041E251), ref: 00433871
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: Crypt$Context$AcquireRandomRelease
            • String ID:
            • API String ID: 1815803762-0
            • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
            • Instruction ID: 864202151b2ab8ebdb17250bb7e2999cce5b6c404a207f59f2405eb254ca80c1
            • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
            • Instruction Fuzzy Hash: 83E09231308310FAFB341F25AC08F573AA5EB89B67F20093AF211E40E4D2568C018A5C
            APIs
            • OpenClipboard.USER32(00000000), ref: 0040B711
            • GetClipboardData.USER32(0000000D), ref: 0040B71D
            • CloseClipboard.USER32 ref: 0040B725
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: Clipboard$CloseDataOpen
            • String ID:
            • API String ID: 2058664381-0
            • Opcode ID: c799312c980d18205df260c4494eeab96c1e87453cdfeac26beaa605c81e592b
            • Instruction ID: a9752f6e69e3a39ef1c6dae57fb9473311d117e3f10fa11c4aa70225693e5904
            • Opcode Fuzzy Hash: c799312c980d18205df260c4494eeab96c1e87453cdfeac26beaa605c81e592b
            • Instruction Fuzzy Hash: 4FE0EC31645320EFC2209B609C49B9A6754DF95F52F41843AB905AB2D5DB78CC40C6AD
            APIs
            • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434C6B
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: FeaturePresentProcessor
            • String ID:
            • API String ID: 2325560087-3916222277
            • Opcode ID: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
            • Instruction ID: b6e659610939bc40af268f25ffb2b9965a4fe426cdd66f7fc4435c5297b2c53a
            • Opcode Fuzzy Hash: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
            • Instruction Fuzzy Hash: EE515471D002089BEB24CF69D9856DEBBF4FB48354F24956BD819EB350D378AA80CF94
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: .
            • API String ID: 0-248832578
            • Opcode ID: 6d782d14881953f3dc1aa7198760a6549ba6db1eba9a251ec7cea06479966fa1
            • Instruction ID: 28de479bcd0ee174bbf7ea2f8c467f6584cf945aa63ddb2e5cfeaaf716254919
            • Opcode Fuzzy Hash: 6d782d14881953f3dc1aa7198760a6549ba6db1eba9a251ec7cea06479966fa1
            • Instruction Fuzzy Hash: 233106B2900149AFEB249E7ACC85EEB7BBDEF45304F1001AEE819D7291E6349D458B54
            APIs
              • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
              • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
              • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
            • EnumSystemLocalesW.KERNEL32(004520C3,00000001,00000000,?,lJD,?,004526F0,00000000,?,?,?), ref: 0045200D
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: ErrorLast$EnumLocalesSystem_abort_free
            • String ID: lJD
            • API String ID: 1084509184-3316369744
            • Opcode ID: 8fcc83528109b8aaf498f975bbbcb34ae0404b7acadb8afce226787919ce0173
            • Instruction ID: 7d3ee128790e63e9d167a680a676634a6e0759605f9449bc3b94779c572ada63
            • Opcode Fuzzy Hash: 8fcc83528109b8aaf498f975bbbcb34ae0404b7acadb8afce226787919ce0173
            • Instruction Fuzzy Hash: E51125372007019FDB189F39C8916BABB91FF8075AB14482EEE4687B41D7B9A946CB44
            APIs
              • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
              • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
              • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
            • EnumSystemLocalesW.KERNEL32(00452313,00000001,?,?,lJD,?,004526B4,lJD,?,?,?,?,?,00444A6C,?,?), ref: 00452082
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: ErrorLast$EnumLocalesSystem_abort_free
            • String ID: lJD
            • API String ID: 1084509184-3316369744
            • Opcode ID: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
            • Instruction ID: 5d4b7cb44ca553c54ae5d492338df10e7871f8ce083c0ea6e3a4370b1d871309
            • Opcode Fuzzy Hash: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
            • Instruction Fuzzy Hash: 44F0FF322003055FDB245F798881A7A7B95FB82769B14446EFE428B681D7F9AC02C604
            APIs
            • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004444CA,?,00000004), ref: 00448940
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: InfoLocale
            • String ID: GetLocaleInfoEx
            • API String ID: 2299586839-2904428671
            • Opcode ID: 2ed918041740e922be2658b84ad46ef82702f2d46b5b06d040e10602c5128833
            • Instruction ID: 280d24bb3358c3803ceca68c405fa8cd3b52f77a8ef21af096b961815111c089
            • Opcode Fuzzy Hash: 2ed918041740e922be2658b84ad46ef82702f2d46b5b06d040e10602c5128833
            • Instruction Fuzzy Hash: D1F02B31A40308F7DB119F61DC02F7E7B15DF08751F10056EFC0926261CE399D159A9E
            APIs
            • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37), ref: 004120E7
            • HeapFree.KERNEL32(00000000), ref: 004120EE
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: Heap$FreeProcess
            • String ID:
            • API String ID: 3859560861-0
            • Opcode ID: bbc8ffc4057debe9872561f5e92b4f6919ce40f9ddced797a216f9a420f6d04b
            • Instruction ID: eee285bae3a3c664d400e4c5f5e220380537cd22e0998a3ce94cd1697e41dfe3
            • Opcode Fuzzy Hash: bbc8ffc4057debe9872561f5e92b4f6919ce40f9ddced797a216f9a420f6d04b
            • Instruction Fuzzy Hash: 16112A32000B11EFC7305F64DE85957BBE9FF08715314892EE29696921CB76FCA0CB58
            APIs
              • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
              • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
              • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
              • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452367
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: ErrorLast$_free$InfoLocale_abort
            • String ID:
            • API String ID: 1663032902-0
            • Opcode ID: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
            • Instruction ID: a0857f467e030380fa261c038abb83aeded24e37e53cd803257bf99bba5c3bcd
            • Opcode Fuzzy Hash: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
            • Instruction Fuzzy Hash: 0121B632550206ABDB249E35DD41BBA73A8EF05316F1001BFFD01D6242EBBC9D59CB58
            APIs
              • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
              • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
              • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
            • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004522E1,00000000,00000000,?), ref: 0045256F
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: ErrorLast$InfoLocale_abort_free
            • String ID:
            • API String ID: 2692324296-0
            • Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
            • Instruction ID: deb82abe2421a0f23b1c286da40711a82d27d1439ce4f734d0a93897c1f260ce
            • Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
            • Instruction Fuzzy Hash: 3EF0993290011ABBDB245A20C916BBB3768EB01316F04046BEC05A3241FBB8FD05C698
            APIs
            • GetUserNameW.ADVAPI32(?,0040F223), ref: 0041B642
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: NameUser
            • String ID:
            • API String ID: 2645101109-0
            • Opcode ID: 3d7d98170efc6b6b629f93dc404fb63378f1138ab074e43b779f7395dc78dc1a
            • Instruction ID: 2f1a7eaa0fafc1393a04fa3680ad11d69711b7caddb5f837a5711c727b94ccef
            • Opcode Fuzzy Hash: 3d7d98170efc6b6b629f93dc404fb63378f1138ab074e43b779f7395dc78dc1a
            • Instruction Fuzzy Hash: 3B014F7190011CABCB01EBD5DC45EEDB7BCAF44309F10016AB505B61A1EFB46E88CBA8
            APIs
              • Part of subcall function 00445888: EnterCriticalSection.KERNEL32(?,?,00442FDB,00000000,0046E928,0000000C,00442F96,?,?,?,00445B26,?,?,004482CA,00000001,00000364), ref: 00445897
            • EnumSystemLocalesW.KERNEL32(004483BE,00000001,0046EAD0,0000000C), ref: 0044843C
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: CriticalEnterEnumLocalesSectionSystem
            • String ID:
            • API String ID: 1272433827-0
            • Opcode ID: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
            • Instruction ID: 9543b0ab25bad403ee5e8d2735ec903229a0e0f586434e65d0c90a277242bfd4
            • Opcode Fuzzy Hash: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
            • Instruction Fuzzy Hash: 6FF0AF72A50204EFE700EF69D946B8D37E0FB04725F10856AF414DB2A2CBB889808F09
            APIs
              • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
              • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
              • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
            • EnumSystemLocalesW.KERNEL32(00451EA7,00000001,?,?,?,00452712,lJD,?,?,?,?,?,00444A6C,?,?,?), ref: 00451F87
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: ErrorLast$EnumLocalesSystem_abort_free
            • String ID:
            • API String ID: 1084509184-0
            • Opcode ID: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
            • Instruction ID: 7090a925995da140c065d9916092b781359a33e81ca1c933e4536b6f4f09cf03
            • Opcode Fuzzy Hash: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
            • Instruction Fuzzy Hash: A7F0203674020597CB04AF75C809B6A7F90EBC272AB06009AEE058B662C7799842C754
            APIs
            • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004154FC,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.1.0 Pro), ref: 0040F8E5
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: InfoLocale
            • String ID:
            • API String ID: 2299586839-0
            • Opcode ID: 60ac6b383c0d02c34bbf412ad9b051435ec7f82dc161eda072fb95a07eb92a85
            • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
            • Opcode Fuzzy Hash: 60ac6b383c0d02c34bbf412ad9b051435ec7f82dc161eda072fb95a07eb92a85
            • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1
            APIs
            • SetUnhandledExceptionFilter.KERNEL32(Function_00034B53,0043487A), ref: 00434B4C
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: ExceptionFilterUnhandled
            • String ID:
            • API String ID: 3192549508-0
            • Opcode ID: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
            • Instruction ID: b2b6851a15331e9206a2225a79f218ff0d060d1473a4ca8ef9e7ab7021fb00da
            • Opcode Fuzzy Hash: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
            • Instruction Fuzzy Hash:
            APIs
            • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418E90
            • CreateCompatibleDC.GDI32(00000000), ref: 00418E9D
              • Part of subcall function 00419325: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419355
            • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F13
            • DeleteDC.GDI32(00000000), ref: 00418F2A
            • DeleteDC.GDI32(00000000), ref: 00418F2D
            • DeleteObject.GDI32(00000000), ref: 00418F30
            • SelectObject.GDI32(00000000,00000000), ref: 00418F51
            • DeleteDC.GDI32(00000000), ref: 00418F62
            • DeleteDC.GDI32(00000000), ref: 00418F65
            • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418F89
            • GetIconInfo.USER32(?,?), ref: 00418FBD
            • DeleteObject.GDI32(?), ref: 00418FEC
            • DeleteObject.GDI32(?), ref: 00418FF9
            • DrawIcon.USER32(00000000,?,?,?), ref: 00419006
            • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0041903C
            • GetObjectA.GDI32(00000000,00000018,?), ref: 00419068
            • LocalAlloc.KERNEL32(00000040,00000001), ref: 004190D5
            • GlobalAlloc.KERNEL32(00000000,?), ref: 00419144
            • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00419168
            • DeleteDC.GDI32(?), ref: 0041917C
            • DeleteDC.GDI32(00000000), ref: 0041917F
            • DeleteObject.GDI32(00000000), ref: 00419182
            • GlobalFree.KERNEL32(?), ref: 0041918D
            • DeleteObject.GDI32(00000000), ref: 00419241
            • GlobalFree.KERNEL32(?), ref: 00419248
            • DeleteDC.GDI32(?), ref: 00419258
            • DeleteDC.GDI32(00000000), ref: 00419263
            Strings
            Similarity
            • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
            • String ID: DISPLAY
            • API String ID: 479521175-865373369
            APIs
              • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
              • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
            • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D51D
            • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D530
            • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D549
            • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D579
              • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,00000000,?,0040D442,?,00000000), ref: 0040B8BB
              • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
              • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,0040D442,?,00000000), ref: 0040B8D5
              • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430
            • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D7C4
            • ExitProcess.KERNEL32 ref: 0040D7D0
            Strings
            Similarity
            • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
            • String ID: """, 0$")$0qF$0qF$8SG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
            • API String ID: 1861856835-332907002
            APIs
              • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
              • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
            • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1A5
            • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1B8
            • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E8
            • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1F7
              • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,00000000,?,0040D442,?,00000000), ref: 0040B8BB
              • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
              • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,0040D442,?,00000000), ref: 0040B8D5
              • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
            • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D412
            • ExitProcess.KERNEL32 ref: 0040D419
            Strings
            Similarity
            • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
            • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hpF$open$pth_unenc$wend$while fso.FileExists("
            • API String ID: 3797177996-2557013105
            APIs
            • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 00412494
            • ExitProcess.KERNEL32(00000000), ref: 004124A0
            • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041251A
            • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412529
            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00412534
            • CloseHandle.KERNEL32(00000000), ref: 0041253B
            • GetCurrentProcessId.KERNEL32 ref: 00412541
            • PathFileExistsW.SHLWAPI(?), ref: 00412572
            • GetTempPathW.KERNEL32(00000104,?), ref: 004125D5
            • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 004125EF
            • lstrcatW.KERNEL32(?,.exe), ref: 00412601
              • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430
            • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00412641
            • Sleep.KERNEL32(000001F4), ref: 00412682
            • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412697
            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126A2
            • CloseHandle.KERNEL32(00000000), ref: 004126A9
            • GetCurrentProcessId.KERNEL32 ref: 004126AF
            Strings
            Similarity
            • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
            • String ID: .exe$8SG$WDH$exepath$open$temp_
            • API String ID: 2649220323-436679193
            APIs
            • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B13C
            • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B150
            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660A4), ref: 0041B178
            • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B18E
            • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B1CF
            • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B1E7
            • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B1FC
            • SetEvent.KERNEL32 ref: 0041B219
            • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B22A
            • CloseHandle.KERNEL32 ref: 0041B23A
            • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B25C
            • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B266
            Strings
            Similarity
            • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
            • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
            • API String ID: 738084811-2094122233
            APIs
            • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
            • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
            • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
            • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
            • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
            • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
            • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
            • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
            • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
            • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
            • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
            • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
            • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
            • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
            Strings
            Similarity
            • API ID: File$Write$Create
            • String ID: RIFF$WAVE$data$fmt
            • API String ID: 1602526932-4212202414
            APIs
            • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\BANK LETTER INDICATION.exe,00000001,0040764D,C:\Users\user\Desktop\BANK LETTER INDICATION.exe,00000003,00407675,004752D8,004076CE), ref: 00407284
            • GetProcAddress.KERNEL32(00000000), ref: 0040728D
            • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072A2
            • GetProcAddress.KERNEL32(00000000), ref: 004072A5
            • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072B6
            • GetProcAddress.KERNEL32(00000000), ref: 004072B9
            • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 004072CA
            • GetProcAddress.KERNEL32(00000000), ref: 004072CD
            • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 004072DE
            • GetProcAddress.KERNEL32(00000000), ref: 004072E1
            • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 004072F2
            • GetProcAddress.KERNEL32(00000000), ref: 004072F5
            Strings
            Similarity
            • API ID: AddressHandleModuleProc
            • String ID: C:\Users\user\Desktop\BANK LETTER INDICATION.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
            • API String ID: 1646373207-635719194
            APIs
            • _wcslen.LIBCMT ref: 0040CE07
            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE20
            • CopyFileW.KERNEL32(C:\Users\user\Desktop\BANK LETTER INDICATION.exe,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CED0
            • _wcslen.LIBCMT ref: 0040CEE6
            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CF6E
            • CopyFileW.KERNEL32(C:\Users\user\Desktop\BANK LETTER INDICATION.exe,00000000,00000000), ref: 0040CF84
            • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFC3
            • _wcslen.LIBCMT ref: 0040CFC6
            • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFDD
            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D02D
            • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000001), ref: 0040D04B
            • ExitProcess.KERNEL32 ref: 0040D062
            Strings
            Similarity
            • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
            • String ID: 6$C:\Users\user\Desktop\BANK LETTER INDICATION.exe$del$open
            • API String ID: 1579085052-819901360
            APIs
            • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
            • LoadLibraryA.KERNEL32(?), ref: 00414E17
            • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
            • FreeLibrary.KERNEL32(00000000), ref: 00414E3E
            • LoadLibraryA.KERNEL32(?), ref: 00414E76
            • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
            • FreeLibrary.KERNEL32(00000000), ref: 00414E8F
            • GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
            • FreeLibrary.KERNEL32(00000000), ref: 00414EB5
            Strings
            Similarity
            • API ID: Library$AddressFreeProc$Load$DirectorySystem
            • String ID: IA$\ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
            • API String ID: 2490988753-1941338355
            APIs
            Similarity
            • API ID: _free$EnvironmentVariable$_wcschr
            • String ID:
            • API String ID: 3899193279-0
            APIs
            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412ACD
              • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
              • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
              • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
            • Sleep.KERNEL32(0000000A,00465E74), ref: 00412C1F
            • Sleep.KERNEL32(0000000A,00465E74,00465E74), ref: 00412CC1
            • Sleep.KERNEL32(0000000A,00465E74,00465E74,00465E74), ref: 00412D63
            • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DC5
            • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DFC
            • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412E38
            • Sleep.KERNEL32(000001F4,00465E74,00465E74,00465E74), ref: 00412E52
            • Sleep.KERNEL32(00000064), ref: 00412E94
              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
            Strings
            Similarity
            • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
            • String ID: /stext "$0TG$0TG$NG$NG
            • API String ID: 1223786279-2576077980
            APIs
            • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C6B1
            • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041C6F5
            • RegCloseKey.ADVAPI32(?), ref: 0041C9BF
            Strings
            Similarity
            • API ID: CloseEnumOpen
            • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
            • API String ID: 1332880857-3714951968
            APIs
            • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D5DA
            • GetCursorPos.USER32(?), ref: 0041D5E9
            • SetForegroundWindow.USER32(?), ref: 0041D5F2
            • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D60C
            • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D65D
            • ExitProcess.KERNEL32 ref: 0041D665
            • CreatePopupMenu.USER32 ref: 0041D66B
            • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D680
            Strings
            Similarity
            • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
            • String ID: Close
            • API String ID: 1657328048-3535843008
            APIs
            Similarity
            • API ID: _free$Info
            • String ID:
            • API String ID: 2509303402-0
            APIs
            • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408CE3
            • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D1B
            • __aulldiv.LIBCMT ref: 00408D4D
              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
              • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
            • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408E70
            • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408E8B
            • CloseHandle.KERNEL32(00000000), ref: 00408F64
            • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FAE
            • CloseHandle.KERNEL32(00000000), ref: 00408FFC
            Strings
            Similarity
            • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
            • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
            • API String ID: 3086580692-2582957567
            APIs
            • Sleep.KERNEL32(00001388), ref: 0040A740
              • Part of subcall function 0040A675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
              • Part of subcall function 0040A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
              • Part of subcall function 0040A675: Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
              • Part of subcall function 0040A675: CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
            • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A77C
            • GetFileAttributesW.KERNEL32(00000000), ref: 0040A78D
            • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7A4
            • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A81E
              • Part of subcall function 0041C485: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
            • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466468,00000000,00000000,00000000), ref: 0040A927
            Strings
            Similarity
            • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
            • String ID: 8SG$8SG$pQG$pQG$PG$PG
            • API String ID: 3795512280-1152054767
            APIs
            • connect.WS2_32(?,?,?), ref: 004048E0
            • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
            • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
            • WSAGetLastError.WS2_32 ref: 00404A21
              • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
            Strings
            Similarity
            • API ID: CreateEvent$ErrorLastLocalTimeconnect
            • String ID: Connection Failed: $Connection Refused$PkGNG$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
            • API String ID: 994465650-3229884001
            APIs
            • ___free_lconv_mon.LIBCMT ref: 0045130A
              • Part of subcall function 00450502: _free.LIBCMT ref: 0045051F
              • Part of subcall function 00450502: _free.LIBCMT ref: 00450531
              • Part of subcall function 00450502: _free.LIBCMT ref: 00450543
              • Part of subcall function 00450502: _free.LIBCMT ref: 00450555
              • Part of subcall function 00450502: _free.LIBCMT ref: 00450567
              • Part of subcall function 00450502: _free.LIBCMT ref: 00450579
              • Part of subcall function 00450502: _free.LIBCMT ref: 0045058B
              • Part of subcall function 00450502: _free.LIBCMT ref: 0045059D
              • Part of subcall function 00450502: _free.LIBCMT ref: 004505AF
              • Part of subcall function 00450502: _free.LIBCMT ref: 004505C1
              • Part of subcall function 00450502: _free.LIBCMT ref: 004505D3
              • Part of subcall function 00450502: _free.LIBCMT ref: 004505E5
              • Part of subcall function 00450502: _free.LIBCMT ref: 004505F7
            • _free.LIBCMT ref: 004512FF
              • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
              • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
            • _free.LIBCMT ref: 00451321
            • _free.LIBCMT ref: 00451336
            • _free.LIBCMT ref: 00451341
            • _free.LIBCMT ref: 00451363
            • _free.LIBCMT ref: 00451376
            • _free.LIBCMT ref: 00451384
            • _free.LIBCMT ref: 0045138F
            • _free.LIBCMT ref: 004513C7
            • _free.LIBCMT ref: 004513CE
            • _free.LIBCMT ref: 004513EB
            • _free.LIBCMT ref: 00451403
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
            • String ID:
            • API String ID: 161543041-0
            • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
            • Instruction ID: 673b37a441ff9bbb7eb6cd98574e5fa8379d72fae64c09c4febd1ea684bb8cd8
            • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
            • Instruction Fuzzy Hash: 0E319E315007009FFB20AA7AD845B5B73E8EF0131AF50851FEC68D7662DF78AD448B59
            APIs
            • __EH_prolog.LIBCMT ref: 00419FB9
            • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 00419FEB
            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A077
            • Sleep.KERNEL32(000003E8), ref: 0041A0FD
            • GetLocalTime.KERNEL32(?), ref: 0041A105
            • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A1F4
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
            • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
            • API String ID: 489098229-1431523004
            • Opcode ID: 794bb2b208bad590467bd00f6a6004f6f957c756b4e279e9b706f936551238fb
            • Instruction ID: 65e100c03f0dda0ba9a952c873ad8774fe275ee1deca45487f64c7c8a8292b0e
            • Opcode Fuzzy Hash: 794bb2b208bad590467bd00f6a6004f6f957c756b4e279e9b706f936551238fb
            • Instruction Fuzzy Hash: E7515D70A00215AACB14BBB5C8529ED7BA9AB44308F40403FF509AB1E2EF7C9D85C799
            APIs
              • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
              • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
              • Part of subcall function 004136F8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00413714
              • Part of subcall function 004136F8: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 0041372D
              • Part of subcall function 004136F8: RegCloseKey.ADVAPI32(?), ref: 00413738
            • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D859
            • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D9B8
            • ExitProcess.KERNEL32 ref: 0040D9C4
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
            • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
            • API String ID: 1913171305-3159800282
            • Opcode ID: 8540ee6109fc5d5e06acd7d4b9875de3834636e3193428be82b889be829a6c91
            • Instruction ID: 6fc8d312854778a25908ca85050b1cee1951ef16e4956e50e312a563d71e527c
            • Opcode Fuzzy Hash: 8540ee6109fc5d5e06acd7d4b9875de3834636e3193428be82b889be829a6c91
            • Instruction Fuzzy Hash: 0C413A719001195ACB15FA62DC56DEEB778AF50309F10007FB10AB61E2EF785E4ACA98
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: _free
            • String ID:
            • API String ID: 269201875-0
            • Opcode ID: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
            • Instruction ID: d910990a8472ee08c0279d8077499983e41ff25138a9859a729e4309013b5263
            • Opcode Fuzzy Hash: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
            • Instruction Fuzzy Hash: E2C17476D40204AFEB20DBA9CC83FDE77B8AB19705F14015AFE05EB283D6B49D458798
            APIs
              • Part of subcall function 004558A9: CreateFileW.KERNEL32(00000000,00000000,?,00455C84,?,?,00000000,?,00455C84,00000000,0000000C), ref: 004558C6
            • GetLastError.KERNEL32 ref: 00455CEF
            • __dosmaperr.LIBCMT ref: 00455CF6
            • GetFileType.KERNEL32(00000000), ref: 00455D02
            • GetLastError.KERNEL32 ref: 00455D0C
            • __dosmaperr.LIBCMT ref: 00455D15
            • CloseHandle.KERNEL32(00000000), ref: 00455D35
            • CloseHandle.KERNEL32(?), ref: 00455E7F
            • GetLastError.KERNEL32 ref: 00455EB1
            • __dosmaperr.LIBCMT ref: 00455EB8
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
            • String ID: H
            • API String ID: 4237864984-2852464175
            • Opcode ID: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
            • Instruction ID: f4290dc4267d91ba683862cdaabef3013db21248f4240db41616def06e578eae
            • Opcode Fuzzy Hash: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
            • Instruction Fuzzy Hash: D5A155329106049FDF19AF68DC617BE3BA0EB06325F14415EEC11EB392CB398D5ACB59
            APIs
            • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453E2F
            • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453EB2
            • __alloca_probe_16.LIBCMT ref: 00453EEA
            • MultiByteToWideChar.KERNEL32(00000001,00000001,?,00000001,00000000,\@E,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F45
            • __alloca_probe_16.LIBCMT ref: 00453F94
            • MultiByteToWideChar.KERNEL32(00000001,00000009,00000001,00000000,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F5C
              • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
            • MultiByteToWideChar.KERNEL32(00000001,00000001,00000001,00000000,00000000,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FD8
            • __freea.LIBCMT ref: 00454003
            • __freea.LIBCMT ref: 0045400F
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
            • String ID: \@E
            • API String ID: 201697637-1814623452
            • Opcode ID: 347d6d77569ccb8731e03be0652f4f39992ef0e8e93efb01081f6886d5a4a2b8
            • Instruction ID: bd5a1837779a5f2dcb5c2ea5aeb828518df7829aba760434011a70bbc407b236
            • Opcode Fuzzy Hash: 347d6d77569ccb8731e03be0652f4f39992ef0e8e93efb01081f6886d5a4a2b8
            • Instruction Fuzzy Hash: E391F472E002069ADB209E65CC42AEFBBF59F09756F14052BFC01E7282D739DD89C768
            APIs
            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,$C,0043EA24,?,?,PkGNG,0044AE9A,00000001,00000001,73E85006), ref: 0044ACA3
            • __alloca_probe_16.LIBCMT ref: 0044ACDB
            • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,PkGNG,0044AE9A,00000001,00000001,73E85006,?,?,?), ref: 0044AD29
            • __alloca_probe_16.LIBCMT ref: 0044ADC0
            • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,73E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AE23
            • __freea.LIBCMT ref: 0044AE30
              • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
            • __freea.LIBCMT ref: 0044AE39
            • __freea.LIBCMT ref: 0044AE5E
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
            • String ID: $C$PkGNG
            • API String ID: 3864826663-3740547665
            • Opcode ID: 362257cb831b64f560ca9c305cbafbf1ddd2a76c4c9bcde51592d12c0f33465e
            • Instruction ID: b5b01290aead076256688b5938d42e4b2a7c64905c3dece0b68445a47d4ef5f6
            • Opcode Fuzzy Hash: 362257cb831b64f560ca9c305cbafbf1ddd2a76c4c9bcde51592d12c0f33465e
            • Instruction Fuzzy Hash: 1F513A72680206AFFB258F64CC41EBF77AAEB44714F24462EFC14D6240EB38DC60875A
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: _free
            • String ID: \&G$\&G$`&G
            • API String ID: 269201875-253610517
            • Opcode ID: bf6a2d62285109b65615641ef8a9ee438ca725d72dbf644c1fcc8e573ee560d0
            • Instruction ID: 0b3297c67b001fbc5a9f4fbe1fd197d652097ca420ae28a40b4f72db8b3ed5d1
            • Opcode Fuzzy Hash: bf6a2d62285109b65615641ef8a9ee438ca725d72dbf644c1fcc8e573ee560d0
            • Instruction Fuzzy Hash: 77610475900204AFDB20CFA9C882B9ABBF4EF05315F14416BED58EB342D774AD458B98
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: 65535$udp
            • API String ID: 0-1267037602
            • Opcode ID: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
            • Instruction ID: ff24d6befd6f0703c902a6165bd45161ed4db0fb5f75d2635e7e580b9b2721aa
            • Opcode Fuzzy Hash: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
            • Instruction Fuzzy Hash: EF51E7756093019FDB209B58E9057BB37A4AFC4755F08082FF881973A1E76DCCC1865E
            APIs
            • __Init_thread_footer.LIBCMT ref: 0040AD38
            • Sleep.KERNEL32(000001F4), ref: 0040AD43
            • GetForegroundWindow.USER32 ref: 0040AD49
            • GetWindowTextLengthW.USER32(00000000), ref: 0040AD52
            • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040AD86
            • Sleep.KERNEL32(000003E8), ref: 0040AE54
              • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
            • String ID: [${ User has been idle for $ minutes }$]
            • API String ID: 911427763-3954389425
            • Opcode ID: feb8edceca8c1d3b0438b79f4b5d8782787a457fd28da8b62aac7c6790c891ec
            • Instruction ID: 3d5ee5432c15115af2c0f1375ae13a0ba8112eb59c463c5c733e63bb31497985
            • Opcode Fuzzy Hash: feb8edceca8c1d3b0438b79f4b5d8782787a457fd28da8b62aac7c6790c891ec
            • Instruction Fuzzy Hash: 6D51B1316043419BD314FB21D846AAE7796AB84308F50093FF586A22E2EF7C9D45C69F
            APIs
            • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040DB9A
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: LongNamePath
            • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
            • API String ID: 82841172-425784914
            • Opcode ID: 05c2ad93f6cc2ee26ed5624d475cb04337695bae26b39c69aed6eb4faf56ef7b
            • Instruction ID: 0cc8b9c4d8a16f3fd89327f32322cd7e2fd47b59120d3573c9b2d8a81569e3eb
            • Opcode Fuzzy Hash: 05c2ad93f6cc2ee26ed5624d475cb04337695bae26b39c69aed6eb4faf56ef7b
            • Instruction Fuzzy Hash: FB414F715082019AC215FB61DC52DAEB3F8AE90718F10053FB546A60E2FFB8AE49C65F
            APIs
            • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A892
            • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A89F
            • __dosmaperr.LIBCMT ref: 0043A8A6
            • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8D2
            • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8DC
            • __dosmaperr.LIBCMT ref: 0043A8E3
            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A926
            • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A930
            • __dosmaperr.LIBCMT ref: 0043A937
            • _free.LIBCMT ref: 0043A943
            • _free.LIBCMT ref: 0043A94A
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
            • String ID:
            • API String ID: 2441525078-0
            • Opcode ID: 333218d4c374834d2f5605b8d1434d3a456e4a6d1d3d381f1630f1823c8abcb3
            • Instruction ID: 785efe6d9c8e3fffb8b85045f967b8474775cb8629fdf0d32462ae01257f7f2e
            • Opcode Fuzzy Hash: 333218d4c374834d2f5605b8d1434d3a456e4a6d1d3d381f1630f1823c8abcb3
            • Instruction Fuzzy Hash: FF31F57140420AFFDF01AFA5CC45DAF3B68EF09325F10021AF950662A1DB38CD21DB6A
            APIs
            • SetEvent.KERNEL32(?,?), ref: 004054BF
            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
            • TranslateMessage.USER32(?), ref: 0040557E
            • DispatchMessageA.USER32(?), ref: 00405589
            • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
            • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
            • String ID: CloseChat$DisplayMessage$GetMessage
            • API String ID: 2956720200-749203953
            • Opcode ID: fef61f91b449ae31e274f9846cb3759d0d19ea8c240772b62dae1734d23b140a
            • Instruction ID: c1940132788662b917c5ec79ff16bb55de46c7435784779dc5fc992d72e4b12f
            • Opcode Fuzzy Hash: fef61f91b449ae31e274f9846cb3759d0d19ea8c240772b62dae1734d23b140a
            • Instruction Fuzzy Hash: CE41A171604701ABCB14FB75DC5A86F37A9AB85704F40093EF916A36E1EF3C8905CB9A
            APIs
              • Part of subcall function 00417F2C: __EH_prolog.LIBCMT ref: 00417F31
            • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660A4), ref: 00417DDC
            • CloseHandle.KERNEL32(00000000), ref: 00417DE5
            • DeleteFileA.KERNEL32(00000000), ref: 00417DF4
            • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DA8
              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
            • String ID: 0VG$0VG$<$@$Temp
            • API String ID: 1704390241-2575729100
            • Opcode ID: 1c1b3640276c9f2484efac8a9a88c7dcef26998f5c3edd0453bd207f6b4608f6
            • Instruction ID: cfce1e327495ca125f9f778a73892d1ad62a3a088d665d9de3c725e9e650d499
            • Opcode Fuzzy Hash: 1c1b3640276c9f2484efac8a9a88c7dcef26998f5c3edd0453bd207f6b4608f6
            • Instruction Fuzzy Hash: 0E415F319002099BCB14FB62DC56AEE7775AF40318F50417EF506764E1EF7C1A8ACB99
            APIs
            • OpenClipboard.USER32 ref: 00416941
            • EmptyClipboard.USER32 ref: 0041694F
            • CloseClipboard.USER32 ref: 00416955
            • OpenClipboard.USER32 ref: 0041695C
            • GetClipboardData.USER32(0000000D), ref: 0041696C
            • GlobalLock.KERNEL32(00000000), ref: 00416975
            • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
            • CloseClipboard.USER32 ref: 00416984
              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
            • String ID: !D@
            • API String ID: 2172192267-604454484
            • Opcode ID: 014ab2952fb1720400378532343d04f3ca6c69c69b6d94fb269798378f0b3219
            • Instruction ID: 305b70c8a6b081cbeb1fc088e42579eafb4add048c4ccd3ac1cf7446a02d8759
            • Opcode Fuzzy Hash: 014ab2952fb1720400378532343d04f3ca6c69c69b6d94fb269798378f0b3219
            • Instruction Fuzzy Hash: CC015E31214301DFC714BB72DC09AAE77A5AF88742F40047EF906821E2DF38CC44CA69
            APIs
            • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413417
            • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413425
            • GetFileSize.KERNEL32(?,00000000), ref: 00413432
            • UnmapViewOfFile.KERNEL32(00000000), ref: 00413452
            • CloseHandle.KERNEL32(00000000), ref: 0041345F
            • CloseHandle.KERNEL32(?), ref: 00413465
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: File$CloseHandleView$CreateMappingSizeUnmap
            • String ID:
            • API String ID: 297527592-0
            • Opcode ID: 1b52e587fb9d9e89c8408f811d16bdaf082f1bab315b69f0c216b55e30adf48b
            • Instruction ID: 9e0538afe5582c7c3c7070a3da709670e2bb39b60280b40541f30be5467d1837
            • Opcode Fuzzy Hash: 1b52e587fb9d9e89c8408f811d16bdaf082f1bab315b69f0c216b55e30adf48b
            • Instruction Fuzzy Hash: ED41E631108305BBD7109F25DC4AF6B3BACEF89726F10092AFA14D51A2DF38DA40C66E
            APIs
            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB1C
            • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB33
            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB40
            • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB4F
            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB60
            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB63
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: Service$CloseHandle$Open$ControlManager
            • String ID:
            • API String ID: 221034970-0
            • Opcode ID: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
            • Instruction ID: 6fbe0b082825830d9e24babaefac53afed48758aa8e56b4d18e4903ff4329a9c
            • Opcode Fuzzy Hash: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
            • Instruction Fuzzy Hash: 41114C71901218AFD711AF64DCC4DFF3B7CDB42B62B000036FA05D2192DB289C46AAFA
            APIs
            • _free.LIBCMT ref: 00448135
              • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
              • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
            • _free.LIBCMT ref: 00448141
            • _free.LIBCMT ref: 0044814C
            • _free.LIBCMT ref: 00448157
            • _free.LIBCMT ref: 00448162
            • _free.LIBCMT ref: 0044816D
            • _free.LIBCMT ref: 00448178
            • _free.LIBCMT ref: 00448183
            • _free.LIBCMT ref: 0044818E
            • _free.LIBCMT ref: 0044819C
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: _free$ErrorFreeHeapLast
            • String ID:
            • API String ID: 776569668-0
            • Opcode ID: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
            • Instruction ID: 63500befab30bf138fa449b3e81d3956d19e40097f86fc95f12732a98ce5ff4f
            • Opcode Fuzzy Hash: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
            • Instruction Fuzzy Hash: C211B67A500508BFEB01EF96C842CDD3BA5FF05359B0240AAFA588F222DA35DF509BC5
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: Eventinet_ntoa
            • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
            • API String ID: 3578746661-3604713145
            • Opcode ID: a7bd2cf574d9c29f0f452118638ed50856907e78b238ba203f6b8faaf9cf41f8
            • Instruction ID: 71dfdc03858149a45142756d2b421c0b7bbb6d70992310a40494c7f1f0681c69
            • Opcode Fuzzy Hash: a7bd2cf574d9c29f0f452118638ed50856907e78b238ba203f6b8faaf9cf41f8
            • Instruction Fuzzy Hash: 0051C131A042015BC614FB36C91AAAE37A5AB85344F40453FF906A76F1EF7C8985C7DE
            APIs
            • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00456FFF), ref: 00455F27
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: DecodePointer
            • String ID: acos$asin$exp$log$log10$pow$sqrt
            • API String ID: 3527080286-3064271455
            • Opcode ID: 629998c7ca290600fade91f32205cb7004f8bc569fe6c3e827db03ba52e3cc78
            • Instruction ID: ff4fc8d1aadbe784407353d8516796ad37925c88dabf63da6293f70e8270e0de
            • Opcode Fuzzy Hash: 629998c7ca290600fade91f32205cb7004f8bc569fe6c3e827db03ba52e3cc78
            • Instruction Fuzzy Hash: 16519F71900909CBCF10CF58E9485BEBBB0FF49306FA14197D841A73A6DB399D298B1E
            APIs
            • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,PkGNG,0044BB31,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B3FE
            • __fassign.LIBCMT ref: 0044B479
            • __fassign.LIBCMT ref: 0044B494
            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B4BA
            • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BB31,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BB31,?), ref: 0044B4D9
            • WriteFile.KERNEL32(?,?,00000001,0044BB31,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BB31,?), ref: 0044B512
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
            • String ID: PkGNG
            • API String ID: 1324828854-263838557
            • Opcode ID: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
            • Instruction ID: 24f44d390d373c30b0d8a34eda065edd0bccebe0da4884afe324d1cece3cc5ea
            • Opcode Fuzzy Hash: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
            • Instruction Fuzzy Hash: 0751D270900208AFDB10CFA8D885AEEFBF4EF09305F14856BE955E7292D734D941CBA9
            APIs
            • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004174F5
              • Part of subcall function 0041C485: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
            • Sleep.KERNEL32(00000064), ref: 00417521
            • DeleteFileW.KERNEL32(00000000), ref: 00417555
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: File$CreateDeleteExecuteShellSleep
            • String ID: /t $\sysinfo.txt$dxdiag$open$temp
            • API String ID: 1462127192-2001430897
            • Opcode ID: 1f6a825730162cc8d70e4a327bcc3a42f02bec4a5cc2bca23683888e0af1c848
            • Instruction ID: 51d64fe7c8a5c54eac4555a52c350958ac4104e8f54c8767ba2a87230734c78e
            • Opcode Fuzzy Hash: 1f6a825730162cc8d70e4a327bcc3a42f02bec4a5cc2bca23683888e0af1c848
            • Instruction Fuzzy Hash: 1431307194011A9ADB04FB62DC96DED7779AF50309F40017EF606730E2EF785A8ACA9C
            APIs
            • GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 004073DD
            • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407656,C:\Users\user\Desktop\BANK LETTER INDICATION.exe), ref: 0040749E
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: CurrentProcess
            • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
            • API String ID: 2050909247-4242073005
            APIs
            • _strftime.LIBCMT ref: 00401D50
              • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
            • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
            • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
            • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
            • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
            • API String ID: 3809562944-243156785
            APIs
            • std::_Lockit::_Lockit.LIBCPMT ref: 00410E6E
            • int.LIBCPMT ref: 00410E81
              • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
              • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
            • std::_Facet_Register.LIBCPMT ref: 00410EC1
            • std::_Lockit::~_Lockit.LIBCPMT ref: 00410ECA
            • __CxxThrowException@8.LIBVCRUNTIME ref: 00410EE8
            • __Init_thread_footer.LIBCMT ref: 00410F29
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
            • String ID: ,kG$0kG
            • API String ID: 3815856325-2015055088
            APIs
            • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
            • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
            • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
            • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
            • waveInStart.WINMM ref: 00401CFE
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
            • String ID: dMG$|MG$PG
            • API String ID: 1356121797-532278878
            APIs
            • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D476
              • Part of subcall function 0041D50F: RegisterClassExA.USER32(00000030), ref: 0041D55B
              • Part of subcall function 0041D50F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
              • Part of subcall function 0041D50F: GetLastError.KERNEL32 ref: 0041D580
            • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D4AD
            • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D4C7
            • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D4DD
            • TranslateMessage.USER32(?), ref: 0041D4E9
            • DispatchMessageA.USER32(?), ref: 0041D4F3
            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D500
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
            • String ID: Remcos
            • API String ID: 1970332568-165870891
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            APIs
              • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
              • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
              • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
            • _memcmp.LIBVCRUNTIME ref: 00445423
            • _free.LIBCMT ref: 00445494
            • _free.LIBCMT ref: 004454AD
            • _free.LIBCMT ref: 004454DF
            • _free.LIBCMT ref: 004454E8
            • _free.LIBCMT ref: 004454F4
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: _free$ErrorLast$_abort_memcmp
            • String ID: C
            • API String ID: 1679612858-1037565863
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: tcp$udp
            • API String ID: 0-3725065008
            APIs
              • Part of subcall function 0041179C: SetLastError.KERNEL32(0000000D,00411D1C,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 004117A2
            • SetLastError.KERNEL32(000000C1,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411D37
            • GetNativeSystemInfo.KERNEL32(?,?,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411DA5
            • SetLastError.KERNEL32(0000000E), ref: 00411DC9
              • Part of subcall function 00411CA3: VirtualAlloc.KERNEL32(00000000,00000000,00000000,00000000,00411DE7,?,00000000,00003000,00000040,00000000), ref: 00411CB3
            • GetProcessHeap.KERNEL32(00000008,00000040), ref: 00411E10
            • HeapAlloc.KERNEL32(00000000), ref: 00411E17
            • SetLastError.KERNEL32(0000045A), ref: 00411F2A
              • Part of subcall function 00412077: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37), ref: 004120E7
              • Part of subcall function 00412077: HeapFree.KERNEL32(00000000), ref: 004120EE
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
            • String ID: t^F
            • API String ID: 3950776272-389975521
            APIs
            • __Init_thread_footer.LIBCMT ref: 004018BE
            • ExitThread.KERNEL32 ref: 004018F6
            • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
              • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
            • String ID: PkG$XMG$NG$NG
            • API String ID: 1649129571-3151166067
            APIs
            • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FA4,?,00000000,00407FFC,00000000), ref: 004079C5
            • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A0D
              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
            • CloseHandle.KERNEL32(00000000,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A4D
            • MoveFileW.KERNEL32(00000000,00000000), ref: 00407A6A
            • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407A95
            • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AA5
              • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(?,000000FF,?,00474EF8,00404C49,00000000,?,?,?,00474EF8,?), ref: 00404BA5
              • Part of subcall function 00404B96: SetEvent.KERNEL32(?), ref: 00404BC3
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
            • String ID: .part
            • API String ID: 1303771098-3499674018
            APIs
            • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 004199CC
            • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004199ED
            • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A0D
            • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A21
            • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A37
            • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A54
            • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A6F
            • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00419A8B
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: InputSend
            • String ID:
            • API String ID: 3431551938-0
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: __freea$__alloca_probe_16_free
            • String ID: a/p$am/pm$zD
            • API String ID: 2936374016-2723203690
            APIs
            • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
            • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
            • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413B8B
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: Enum$InfoQueryValue
            • String ID: [regsplt]$xUG$TG
            • API String ID: 3554306468-1165877943
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: _free
            • String ID: D[E$D[E
            • API String ID: 269201875-3695742444
            APIs
            • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D46
              • Part of subcall function 00413A55: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
              • Part of subcall function 00413A55: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
            • RegCloseKey.ADVAPI32(00000000,004660A4,004660A4,00466468,00466468,00000071), ref: 00413EB4
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: CloseEnumInfoOpenQuerysend
            • String ID: xUG$NG$NG$TG
            • API String ID: 3114080316-2811732169
            APIs
            • MultiByteToWideChar.KERNEL32(?,00000000,000000FF,?,00000000,00000000,0043F8C8,?,00000000,?,00000001,?,000000FF,00000001,0043F8C8,?), ref: 00451179
            • __alloca_probe_16.LIBCMT ref: 004511B1
            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00451202
            • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00451214
            • __freea.LIBCMT ref: 0045121D
              • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
            • String ID: PkGNG
            • API String ID: 313313983-263838557
            APIs
              • Part of subcall function 004135A6: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004135CA
              • Part of subcall function 004135A6: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004135E7
              • Part of subcall function 004135A6: RegCloseKey.KERNELBASE(?), ref: 004135F2
            • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BF6B
            • PathFileExistsA.SHLWAPI(?), ref: 0040BF78
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
            • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
            • API String ID: 1133728706-4073444585
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            APIs
              • Part of subcall function 00450C41: _free.LIBCMT ref: 00450C6A
            • _free.LIBCMT ref: 00450F48
              • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
              • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
            • _free.LIBCMT ref: 00450F53
            • _free.LIBCMT ref: 00450F5E
            • _free.LIBCMT ref: 00450FB2
            • _free.LIBCMT ref: 00450FBD
            • _free.LIBCMT ref: 00450FC8
            • _free.LIBCMT ref: 00450FD3
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: _free$ErrorFreeHeapLast
            • String ID:
            • API String ID: 776569668-0
            APIs
            • std::_Lockit::_Lockit.LIBCPMT ref: 00411170
            • int.LIBCPMT ref: 00411183
              • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
              • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
            • std::_Facet_Register.LIBCPMT ref: 004111C3
            • std::_Lockit::~_Lockit.LIBCPMT ref: 004111CC
            • __CxxThrowException@8.LIBVCRUNTIME ref: 004111EA
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
            • String ID: (mG
            • API String ID: 2536120697-4059303827
            APIs
            • GetLastError.KERNEL32(?,?,0043A351,004392BE), ref: 0043A368
            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A376
            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A38F
            • SetLastError.KERNEL32(00000000,?,0043A351,004392BE), ref: 0043A3E1
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: ErrorLastValue___vcrt_
            • String ID:
            • API String ID: 3852720340-0
            APIs
            • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\BANK LETTER INDICATION.exe), ref: 004075D0
              • Part of subcall function 004074FD: _wcslen.LIBCMT ref: 00407521
              • Part of subcall function 004074FD: CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
            • CoUninitialize.OLE32 ref: 00407629
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: InitializeObjectUninitialize_wcslen
            • String ID: C:\Users\user\Desktop\BANK LETTER INDICATION.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
            • API String ID: 3851391207-1530787175
            APIs
            • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BADD
            • GetLastError.KERNEL32 ref: 0040BAE7
            Strings
            • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAA8
            • UserProfile, xrefs: 0040BAAD
            • [Chrome Cookies not found], xrefs: 0040BB01
            • [Chrome Cookies found, cleared!], xrefs: 0040BB0D
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: DeleteErrorFileLast
            • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
            • API String ID: 2018770650-304995407
            APIs
            • AllocConsole.KERNEL32(00475338), ref: 0041CDA4
            • ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
            • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID: Console$AllocOutputShowWindow
            • String ID: Remcos v$5.1.0 Pro$CONOUT$
            • API String ID: 2425139147-1043272453
            • Opcode ID: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
            • Instruction ID: 3d4e39fb732e2b6cb40f789e287104da8d9afdf675614735db993d10cd8ea689
            • Opcode Fuzzy Hash: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
            • Instruction Fuzzy Hash: CD0188719803087AD610F7F1DC8BF9D776C5B14705F6004277604A70D3E7BD9954466E
            APIs
            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,PkGNG,004432EB,00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002), ref: 0044335A
            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044336D
            • FreeLibrary.KERNEL32(00000000,?,?,PkGNG,004432EB,00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002,00000000,PkGNG), ref: 00443390
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID: AddressFreeHandleLibraryModuleProc
            • String ID: CorExitProcess$PkGNG$mscoree.dll
            • API String ID: 4061214504-213444651
            • Opcode ID: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
            • Instruction ID: b4f1316bd170a33105784e50650a9bde6d9e9410588fddf83d5a1a7bf10dc45d
            • Opcode Fuzzy Hash: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
            • Instruction Fuzzy Hash: 6AF0A430A00208FBDB149F55DC09B9EBFB4EF04713F0041A9FC05A2261CB349E40CA98
            APIs
            • __allrem.LIBCMT ref: 0043AC69
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AC85
            • __allrem.LIBCMT ref: 0043AC9C
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACBA
            • __allrem.LIBCMT ref: 0043ACD1
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACEF
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
            • String ID:
            • API String ID: 1992179935-0
            • Opcode ID: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
            • Instruction ID: 0cac597ccac2158415e78c81c2c349525783c2449c9f0a8280db41f57d0428da
            • Opcode Fuzzy Hash: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
            • Instruction Fuzzy Hash: CC812B72640706ABE7209F29CC41B5BB3A9EF48324F24552FF590D7781EB7CE9108B5A
            APIs
            • Sleep.KERNEL32(00000000,?), ref: 004044C4
              • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID: H_prologSleep
            • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
            • API String ID: 3469354165-3054508432
            • Opcode ID: 08fcd3a8c76131e8007374677ce5b6c0692de0a008e8c0ef5a68710063425739
            • Instruction ID: 62663cdee79800d8a54f028f5a980ee1c6790ad11611a7059aef087dab150aaf
            • Opcode Fuzzy Hash: 08fcd3a8c76131e8007374677ce5b6c0692de0a008e8c0ef5a68710063425739
            • Instruction Fuzzy Hash: 5C51E1B1A042116BCA14FB369D0A66E3755ABC5748F00053FFA06677E2EF7C8A45839E
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID: __cftoe
            • String ID:
            • API String ID: 4189289331-0
            • Opcode ID: 73f4726c011166e6bdcb5754414c0ade346116ed487fada7dd59cfb8b2f8224a
            • Instruction ID: 6c78d09a6f5169ef6f707262af513c71f712f2c279f5202ad8aecd4a6012115a
            • Opcode Fuzzy Hash: 73f4726c011166e6bdcb5754414c0ade346116ed487fada7dd59cfb8b2f8224a
            • Instruction Fuzzy Hash: D951EA72900A05ABFF209B59CC81FAF77A9EF49334F14421FF515A6293DB39D900866C
            APIs
            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041AC88
            • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A38E,00000000), ref: 0041AC9C
            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACA9
            • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041ACDE
            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF0
            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF3
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID: Service$CloseHandle$Open$ChangeConfigManager
            • String ID:
            • API String ID: 493672254-0
            • Opcode ID: f3d4b447748c037b2dac55463b57a149c398f0d820f611c96b244fdc7ed94624
            • Instruction ID: ed0bae8235b77a8e2b5b4951a925fd67a34dfbd091713fce30693036f81a5133
            • Opcode Fuzzy Hash: f3d4b447748c037b2dac55463b57a149c398f0d820f611c96b244fdc7ed94624
            • Instruction Fuzzy Hash: 84014E311452147BD6110B385C4DEFB3B5CDB42771F100317F925922D1EA68CD45B5EE
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID: __alldvrm$_strrchr
            • String ID: PkGNG
            • API String ID: 1036877536-263838557
            • Opcode ID: 6e4ce0a9cd107544135c8758f381171db584a835852a0c7515be2cd765a07ccf
            • Instruction ID: 0200e234d7a66e392568480c50467de0d06b46efb2a76a7ba0b74d69ca9a70f2
            • Opcode Fuzzy Hash: 6e4ce0a9cd107544135c8758f381171db584a835852a0c7515be2cd765a07ccf
            • Instruction Fuzzy Hash: 57A166319843869FFB21CF58C8817AEBBA1FF25304F1441AFE9859B382C27D8951C75A
            APIs
            • GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
            • _free.LIBCMT ref: 0044824C
            • _free.LIBCMT ref: 00448274
            • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
            • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
            • _abort.LIBCMT ref: 00448293
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID: ErrorLast$_free$_abort
            • String ID:
            • API String ID: 3160817290-0
            • Opcode ID: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
            • Instruction ID: 1e51d54565af68f960eede883612623578b8b4ccb82fc25c91f14e3db4823c68
            • Opcode Fuzzy Hash: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
            • Instruction Fuzzy Hash: 15F0F935104F006AF611332A6C05B5F2515ABC276AF25066FF92892292DFACCC4581AD
            APIs
            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAB5
            • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAC9
            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAD6
            • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAE5
            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAF7
            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAFA
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID: Service$CloseHandle$Open$ControlManager
            • String ID:
            • API String ID: 221034970-0
            • Opcode ID: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
            • Instruction ID: 651adf303b3d55a6ad93a9774d9c6d096703db2647e4265c62a250da7e042a32
            • Opcode Fuzzy Hash: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
            • Instruction Fuzzy Hash: 68F0C231541218ABD711AF25AC49EFF3B6CDF45BA2F000026FE0992192DB68CD4695E9
            APIs
            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABB9
            • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABCD
            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABDA
            • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABE9
            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFB
            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFE
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID: Service$CloseHandle$Open$ControlManager
            • String ID:
            • API String ID: 221034970-0
            • Opcode ID: 94d93926ec858c5890fc603d54741d931e0eaafa3f6b468ff921a10e10d86c77
            • Instruction ID: cdcae22f94af1ce7d279f83afe572816001e75aa845eac4345c2c81124f82824
            • Opcode Fuzzy Hash: 94d93926ec858c5890fc603d54741d931e0eaafa3f6b468ff921a10e10d86c77
            • Instruction Fuzzy Hash: 84F0C231501218ABD6116F259C49DFF3B6CDB45B62F40002AFE0996192EB38DD4595F9
            APIs
            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC20
            • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC34
            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC41
            • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC50
            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC62
            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC65
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID: Service$CloseHandle$Open$ControlManager
            • String ID:
            • API String ID: 221034970-0
            • Opcode ID: 4f42f77feb4e09d2984437374767d6fba58dab4553ac710dbf5187c031f369c2
            • Instruction ID: 1af6be829003de2eeb85b71d4b0cbdb2c911632148e7083bdbbda8586ff13133
            • Opcode Fuzzy Hash: 4f42f77feb4e09d2984437374767d6fba58dab4553ac710dbf5187c031f369c2
            • Instruction Fuzzy Hash: 2FF0F631501228BBD711AF25EC49DFF3B6CDB45B62F00002AFE0992192EB38CD4595F9
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID: PkGNG
            • API String ID: 0-263838557
            • Opcode ID: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
            • Instruction ID: 497cf8d2f4a88fd96e7f98feeb1d24cd381d204b534fd1f3fd6e485e43360072
            • Opcode Fuzzy Hash: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
            • Instruction Fuzzy Hash: EA413871A00704BFF324AF79CD41B5EBBA9EB88710F10862FF105DB681E7B999418788
            APIs
            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
            • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404DD2
            • CloseHandle.KERNEL32(?), ref: 00404DDB
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID: Create$CloseEventHandleObjectSingleThreadWait
            • String ID: PkGNG
            • API String ID: 3360349984-263838557
            • Opcode ID: 49fe4c89c4b53e0bfaa247814761066ed204ae0ee87e3a5f8c156f36cd8984b3
            • Instruction ID: 465453d6db43d9529954589ba2efa69a6de0eb64d520c2048147815e962fb190
            • Opcode Fuzzy Hash: 49fe4c89c4b53e0bfaa247814761066ed204ae0ee87e3a5f8c156f36cd8984b3
            • Instruction Fuzzy Hash: 3E4192B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
            APIs
            • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
            • Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
            • CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID: File$CloseCreateHandleSizeSleep
            • String ID: XQG
            • API String ID: 1958988193-3606453820
            • Opcode ID: 38e21002b9c7a7665831af374e9118a36682828a780468fd2ba8ddd7b6ab83cd
            • Instruction ID: 2d5b847f40b6dc6d65e682cb961bc0859910b41d7418e35cc132b68a4a9af338
            • Opcode Fuzzy Hash: 38e21002b9c7a7665831af374e9118a36682828a780468fd2ba8ddd7b6ab83cd
            • Instruction Fuzzy Hash: AD112B30600740EEE631A7249895A5F3B6AEB41356F48083AF2C26B6D2C6799CA0C35E
            APIs
            • RegisterClassExA.USER32(00000030), ref: 0041D55B
            • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
            • GetLastError.KERNEL32 ref: 0041D580
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID: ClassCreateErrorLastRegisterWindow
            • String ID: 0$MsgWindowClass
            • API String ID: 2877667751-2410386613
            • Opcode ID: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
            • Instruction ID: 921741f364e14ac5d494c0d6481b3569f22aad0bbfd2e997b493b5423d792a6e
            • Opcode Fuzzy Hash: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
            • Instruction Fuzzy Hash: 910129B1D00219BBDB00DFD5ECC49EFBBBDEA04355F40053AF900A6240E77859058AA4
            APIs
            • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040779B
            • CloseHandle.KERNEL32(?), ref: 004077AA
            • CloseHandle.KERNEL32(?), ref: 004077AF
            Strings
            • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 00407791
            • C:\Windows\System32\cmd.exe, xrefs: 00407796
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID: CloseHandle$CreateProcess
            • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
            • API String ID: 2922976086-4183131282
            • Opcode ID: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
            • Instruction ID: bcd6b2dc2297655d1c2a6c7a9d844aadd79638dc8707381bf3a952a3ff6736b4
            • Opcode Fuzzy Hash: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
            • Instruction Fuzzy Hash: BCF03676D4029D76CB20ABD6DC0EEDF7F7DEBC5B11F00056AF904A6141E6746404C6B9
            Strings
            • SG, xrefs: 004076DA
            • C:\Users\user\Desktop\BANK LETTER INDICATION.exe, xrefs: 004076C4
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID: SG$C:\Users\user\Desktop\BANK LETTER INDICATION.exe
            • API String ID: 0-3325919784
            • Opcode ID: aeb7ec08203138e6f15c389ffc7d883b5859742f8fda7ba0964a05b6f7ae7d1f
            • Instruction ID: 1b954d03a55cc3c1a25a26db856d3c6076ddce7f3b9fad0ad77fefb3a3407f05
            • Opcode Fuzzy Hash: aeb7ec08203138e6f15c389ffc7d883b5859742f8fda7ba0964a05b6f7ae7d1f
            • Instruction Fuzzy Hash: 2CF046B0F14A00EBCB0467655D186693A05A740356F404C77F907EA2F2EBBD5C41C61E
            APIs
            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EF8), ref: 00405120
            • SetEvent.KERNEL32(?), ref: 0040512C
            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00405137
            • CloseHandle.KERNEL32(?), ref: 00405140
              • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
            • String ID: KeepAlive | Disabled
            • API String ID: 2993684571-305739064
            • Opcode ID: 09248d073b904291628f2a82f92fe6a987867c86155402bef043dd91105bf09b
            • Instruction ID: c1447ea2195e795a2fa4d382ed9a15925dec3dc8ccf256ab7d783030aa8980db
            • Opcode Fuzzy Hash: 09248d073b904291628f2a82f92fe6a987867c86155402bef043dd91105bf09b
            • Instruction Fuzzy Hash: 4CF06271904711BBDB103B758D0A66B7A54AB02311F0009BEF982916E2D6798840CF9A
            APIs
              • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
            • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041ADF2
            • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE00
            • Sleep.KERNEL32(00002710), ref: 0041AE07
            • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AE10
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID: PlaySound$HandleLocalModuleSleepTime
            • String ID: Alarm triggered
            • API String ID: 614609389-2816303416
            • Opcode ID: b7b395eb2d8a8c6ac5b29d0703eec326aa80e776d4c85912c0c2915f52647228
            • Instruction ID: 9c0713ce1321a11b0f254193fe9a85ef30a97b7eb59a64372af151f10574a600
            • Opcode Fuzzy Hash: b7b395eb2d8a8c6ac5b29d0703eec326aa80e776d4c85912c0c2915f52647228
            • Instruction Fuzzy Hash: 36E01226B44260779620377B6D4FD6F3D28DAC2B5170100BEFA0666192D9580C4586FB
            APIs
            • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CDED), ref: 0041CD62
            • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD6F
            • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CDED), ref: 0041CD7C
            • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD8F
            Strings
            • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CD82
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID: Console$AttributeText$BufferHandleInfoScreen
            • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
            • API String ID: 3024135584-2418719853
            • Opcode ID: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
            • Instruction ID: 0b88db63cd78dea0703aeaf814a7171c31f7e2e6e0b1944ffb711cb25cf7542c
            • Opcode Fuzzy Hash: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
            • Instruction Fuzzy Hash: B4E04872904315E7E31027B5EC4DDAB7B7CE745713B100266FA12915D39A749C40C6B5
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 333ae2597f59f70c30e2a138da7d2dacca2148bf7cc6369c5742e0f4ac8aaabd
            • Instruction ID: 3288ceb70b28299b768e57bc56a65f905b411dc47ae91625c595fe6b39b3afde
            • Opcode Fuzzy Hash: 333ae2597f59f70c30e2a138da7d2dacca2148bf7cc6369c5742e0f4ac8aaabd
            • Instruction Fuzzy Hash: 4D71C431900256ABEF21CF55C884AFFBBB5EF95350F14012BE812A72A1D7748CC1CBA9
            APIs
              • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
            • _free.LIBCMT ref: 00444E06
            • _free.LIBCMT ref: 00444E1D
            • _free.LIBCMT ref: 00444E3C
            • _free.LIBCMT ref: 00444E57
            • _free.LIBCMT ref: 00444E6E
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID: _free$AllocateHeap
            • String ID:
            • API String ID: 3033488037-0
            • Opcode ID: bf8b46b868af2ecf30d3444370171b65bdd51122b8350dbbe1b9982e260663b5
            • Instruction ID: 75a60bec03265776b93b53542ea819fdab521e44af267d44e1f719a945e8e2e2
            • Opcode Fuzzy Hash: bf8b46b868af2ecf30d3444370171b65bdd51122b8350dbbe1b9982e260663b5
            • Instruction Fuzzy Hash: 5451D371A00704AFEB20DF6AC841B6673F4FF85729B14456EE819D7250E739EE01CB88
            APIs
            • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
            • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
            • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
            • _free.LIBCMT ref: 004493BD
              • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
              • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
            • _free.LIBCMT ref: 00449589
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
            • String ID:
            • API String ID: 1286116820-0
            • Opcode ID: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
            • Instruction ID: c95a83c4fc9d8f5f381c6ef12c4bd90d50aad01b0883e3b7d6e96279f2ead045
            • Opcode Fuzzy Hash: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
            • Instruction Fuzzy Hash: 71511A71904205EBEB14EFA9DD819AFB7BCEF44324F10066FE51493291EB788E42DB58
            APIs
              • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F91B
            • Process32FirstW.KERNEL32(00000000,?), ref: 0040F93F
            • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F94E
            • CloseHandle.KERNEL32(00000000), ref: 0040FB05
              • Part of subcall function 0041BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F5F9,00000000,?,?,00475338), ref: 0041BFFA
              • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
              • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
            • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FAF6
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
            • String ID:
            • API String ID: 4269425633-0
            • Opcode ID: 6df9d4b359217581b0df4c9dc59be5fef51975c997283d95430d11e6ab601d8c
            • Instruction ID: d179df5438ecf7187d550cf9263b6860c2801d48d571b2859f9d543a591e132f
            • Opcode Fuzzy Hash: 6df9d4b359217581b0df4c9dc59be5fef51975c997283d95430d11e6ab601d8c
            • Instruction Fuzzy Hash: 784116311083419BC325F722DC55AEFB3A5AF94345F50493EF48A921E2EF385A49C75A
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Similarity
            • API ID: _free
            • String ID:
            • API String ID: 269201875-0
            • Opcode ID: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
            • Instruction ID: 5dce3a056f7b38871bf3701478ebec2c01ef4ac0d1e4adeac0a27022f106ca0c
            • Opcode Fuzzy Hash: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
            • Instruction Fuzzy Hash: 0741F536A012009FEB20DF78C881A5EB3F1EF89B14F2545AEE515EB341DB35AE01CB84
            APIs
            • GetEnvironmentStringsW.KERNEL32 ref: 0044F363
            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F386
              • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F3AC
            • _free.LIBCMT ref: 0044F3BF
            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F3CE
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
            • String ID:
            • API String ID: 336800556-0
            • Opcode ID: 02a97bdb6e6c5d26fe886d3a9ae646317caea956d8251916105bf2d3fe3a3540
            • Instruction ID: 8337c1946637dec1c7c9c61cb05458c13fbc509b7d73539ecc926bc10a2836fd
            • Opcode Fuzzy Hash: 02a97bdb6e6c5d26fe886d3a9ae646317caea956d8251916105bf2d3fe3a3540
            • Instruction Fuzzy Hash: 2301B173601755BB37211ABA5C8CC7F6A6CDAC6FA5315013FFD14C2202EA68CD0581B9
            APIs
            • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430
            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C44D
            • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C459
            • WriteFile.KERNEL32(00000000,00000000,00000000,00406F85,00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C46A
            • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C477
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: File$CloseHandle$CreatePointerWrite
            • String ID:
            • API String ID: 1852769593-0
            • Opcode ID: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
            • Instruction ID: 5cb8be75c3dc4c1e2f747800af3fbfd5a98fa41e64789a84fd548ad7506a8702
            • Opcode Fuzzy Hash: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
            • Instruction Fuzzy Hash: B0110471288220FFEA104B24ACD9EFB739CEB46375F10462AF592C22C1C7259C81863A
            APIs
            • GetLastError.KERNEL32(?,00000000,?,0043BC87,00000000,?,?,0043BD0B,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0044829E
            • _free.LIBCMT ref: 004482D3
            • _free.LIBCMT ref: 004482FA
            • SetLastError.KERNEL32(00000000), ref: 00448307
            • SetLastError.KERNEL32(00000000), ref: 00448310
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: ErrorLast$_free
            • String ID:
            • API String ID: 3170660625-0
            • Opcode ID: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
            • Instruction ID: 817e1e76de570c2b023109a843fda652767a1b5a915d0172e9d2adf04509528a
            • Opcode Fuzzy Hash: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
            • Instruction Fuzzy Hash: 5601F936500B0067F3112A2A5C8596F2559EBC2B7A735452FFD19A22D2EFADCC01816D
            APIs
            • _free.LIBCMT ref: 004509D4
              • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
              • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
            • _free.LIBCMT ref: 004509E6
            • _free.LIBCMT ref: 004509F8
            • _free.LIBCMT ref: 00450A0A
            • _free.LIBCMT ref: 00450A1C
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: _free$ErrorFreeHeapLast
            • String ID:
            • API String ID: 776569668-0
            • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
            • Instruction ID: 8e1836d4b3683ea2f551dac33bf8b94159c93f8dbbc189607f67f5fa0db289e6
            • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
            • Instruction Fuzzy Hash: F3F04F76504600B79620EB5DE8C2C1B73D9EA0571A795891BF66CDB612CB38FCC0869C
            APIs
            • _free.LIBCMT ref: 00444066
              • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
              • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
            • _free.LIBCMT ref: 00444078
            • _free.LIBCMT ref: 0044408B
            • _free.LIBCMT ref: 0044409C
            • _free.LIBCMT ref: 004440AD
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: _free$ErrorFreeHeapLast
            • String ID:
            • API String ID: 776569668-0
            • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
            • Instruction ID: c4ed0220327abb1134bcf7d54e43c2409a3611c90002b0fe773cef56a7474a4d
            • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
            • Instruction Fuzzy Hash: 11F03AB18009208FA631AF2DBD414053B61E705769346822BF62C62A70C7B94ED2CFCF
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: PkGNG
            • API String ID: 0-263838557
            • Opcode ID: 6a83c2428ddcf6ea71a3f14a315267ad78d224b448d93c685a7e270e7132f7c7
            • Instruction ID: 56b21f6c39f874414c878b072b89285690216c2d241c0ad811085e1835033e53
            • Opcode Fuzzy Hash: 6a83c2428ddcf6ea71a3f14a315267ad78d224b448d93c685a7e270e7132f7c7
            • Instruction Fuzzy Hash: 1B51B271D00249AAEF14DFA9C885FAFBBB8EF45314F14015FE400A7291DB78D901CBA9
            APIs
            • _strpbrk.LIBCMT ref: 0044E738
            • _free.LIBCMT ref: 0044E855
              • Part of subcall function 0043BD19: IsProcessorFeaturePresent.KERNEL32(00000017,0043BCEB,?,?,?,?,?,00000000,?,?,0043BD0B,00000000,00000000,00000000,00000000,00000000), ref: 0043BD1B
              • Part of subcall function 0043BD19: GetCurrentProcess.KERNEL32(C0000417), ref: 0043BD3D
              • Part of subcall function 0043BD19: TerminateProcess.KERNEL32(00000000), ref: 0043BD44
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
            • String ID: *?$.
            • API String ID: 2812119850-3972193922
            • Opcode ID: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
            • Instruction ID: 94a4b4bbf586d133b1ca6d09685756ea089c4dad0dcc4a5060c65dcbb11523ea
            • Opcode Fuzzy Hash: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
            • Instruction Fuzzy Hash: B951C375E00109EFEF14DFAAC881AAEBBB5FF58314F25816EE454E7301E6399E018B54
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: CountEventTick
            • String ID: !D@$NG
            • API String ID: 180926312-2721294649
            • Opcode ID: c3905e8113842b235930180e7962ad7fd0473fd9621d9de76edd9e6bfbddcfc2
            • Instruction ID: 1740d3d485f2be3f914829e5aa2a54ae858af1ae40273f66f7ff2800e9d96298
            • Opcode Fuzzy Hash: c3905e8113842b235930180e7962ad7fd0473fd9621d9de76edd9e6bfbddcfc2
            • Instruction Fuzzy Hash: 7E51A1316083019AC724FB32D852AEF73A5AF94314F50493FF54A671E2EF3C5949C68A
            APIs
            • GetKeyboardLayoutNameA.USER32(?), ref: 00409ED3
              • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
              • Part of subcall function 0041C515: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F5B,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C52A
              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: CreateFileKeyboardLayoutNameconnectsend
            • String ID: XQG$NG$PG
            • API String ID: 1634807452-3565412412
            • Opcode ID: 54480eb0bc649cc79f0ae2d6016b7d596c1c2f6fed1d275c9adea3c12e8bc9d3
            • Instruction ID: e0ccbd324811511655e6ba18c086c0ffec884fa52ef92f7e14ea490dcf81b303
            • Opcode Fuzzy Hash: 54480eb0bc649cc79f0ae2d6016b7d596c1c2f6fed1d275c9adea3c12e8bc9d3
            • Instruction Fuzzy Hash: BA5133315082415AC324F732D852AEFB3E5AFD4348F50493FF44A671E6EF78594AC649
            APIs
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424DE
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424F3
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
            • String ID: `#D$`#D
            • API String ID: 885266447-2450397995
            • Opcode ID: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
            • Instruction ID: d0478598ef992627c852fcfbe86add3ca1c9fa58067414995f231753f3186543
            • Opcode Fuzzy Hash: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
            • Instruction Fuzzy Hash: 78519071A00208AFDF18DF59C980AAEBBB2FB94314F59C19AF81897361D7B9DD41CB44
            APIs
            • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\BANK LETTER INDICATION.exe,00000104), ref: 00443475
            • _free.LIBCMT ref: 00443540
            • _free.LIBCMT ref: 0044354A
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: _free$FileModuleName
            • String ID: C:\Users\user\Desktop\BANK LETTER INDICATION.exe
            • API String ID: 2506810119-3156011153
            • Opcode ID: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
            • Instruction ID: 78b8e4ab202bb8962dfea6a4c95dea7b8c186c0554b41bb8e719afd17783d6d0
            • Opcode Fuzzy Hash: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
            • Instruction Fuzzy Hash: 2E31C471A00258BFEB21DF999C8199EBBBCEF85B15F10406BF50497311D6B89F81CB98
            APIs
            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,FF8BC35D,00000000,?,PkGNG,0044BB7E,?,00000000,FF8BC35D), ref: 0044B8D2
            • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0044B900
            • GetLastError.KERNEL32 ref: 0044B931
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: ByteCharErrorFileLastMultiWideWrite
            • String ID: PkGNG
            • API String ID: 2456169464-263838557
            • Opcode ID: f29f19b57bd44476b84c2158df793cbd226619e25f42890a5cb9caccfef44ccc
            • Instruction ID: a4f89274a665815b2d7bd0a52cbb4c71b9b2878c435ac706d73e761117ab6cd9
            • Opcode Fuzzy Hash: f29f19b57bd44476b84c2158df793cbd226619e25f42890a5cb9caccfef44ccc
            • Instruction Fuzzy Hash: 18317271A002199FDB14DF59DC809EAB7B8EB48305F0444BEE90AD7260DB34ED80CBA4
            APIs
            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
              • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
              • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
              • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
              • Part of subcall function 0041C485: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
            • Sleep.KERNEL32(000000FA,00465E74), ref: 00404138
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
            • String ID: /sort "Visit Time" /stext "$0NG
            • API String ID: 368326130-3219657780
            • Opcode ID: 074ad0252c5f85a0395eaa63b88ebd601cb6552471d06d252c91316da9998368
            • Instruction ID: 62b88373b0174ac8ae4090b78ebfd0a8fca35ca34796720d8357018cc2c92f87
            • Opcode Fuzzy Hash: 074ad0252c5f85a0395eaa63b88ebd601cb6552471d06d252c91316da9998368
            • Instruction Fuzzy Hash: E9316271A0011956CB15FBA6D8969EE7375AB90308F40007FF206B71E2EF385D89CA99
            APIs
            • _wcslen.LIBCMT ref: 004162F5
              • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
              • Part of subcall function 00413877: RegSetValueExA.KERNELBASE(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
              • Part of subcall function 00413877: RegCloseKey.KERNELBASE(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
              • Part of subcall function 00409DE4: _wcslen.LIBCMT ref: 00409DFD
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: _wcslen$CloseCreateValue
            • String ID: !D@$okmode$PG
            • API String ID: 3411444782-3370592832
            • Opcode ID: 0d86145169e4d150a9fd01215b84d4eacf6d48f0dcad2611d30a2f9705b6543e
            • Instruction ID: dff749dc984b923ba5de2327a6f3f9cc2e67bcaf748228c26ce3aec7d70e92d7
            • Opcode Fuzzy Hash: 0d86145169e4d150a9fd01215b84d4eacf6d48f0dcad2611d30a2f9705b6543e
            • Instruction Fuzzy Hash: 10119371B442011ADB187B72D832ABD22969F94358F80443FF54AAF2E2DEBD4C51525D
            APIs
              • Part of subcall function 0040C4C3: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
            • PathFileExistsW.SHLWAPI(00000000), ref: 0040C61D
            • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C688
            Strings
            • User Data\Default\Network\Cookies, xrefs: 0040C603
            • User Data\Profile ?\Network\Cookies, xrefs: 0040C635
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: ExistsFilePath
            • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
            • API String ID: 1174141254-1980882731
            • Opcode ID: ec0199523fc237e56364718817167f2e0688e89b82cc13cff5a9b1f21d5ed8d2
            • Instruction ID: e6b9b9a8142aca5ff9e4641a3ff80a721fb4b0471daa7637ae592fad8ebd6223
            • Opcode Fuzzy Hash: ec0199523fc237e56364718817167f2e0688e89b82cc13cff5a9b1f21d5ed8d2
            • Instruction Fuzzy Hash: B421037190011996CB14F7A2DC96CEEB738EE50319F40053FB502B31D2EF789A46C698
            APIs
              • Part of subcall function 0040C526: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
            • PathFileExistsW.SHLWAPI(00000000), ref: 0040C6EC
            • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C757
            Strings
            • User Data\Default\Network\Cookies, xrefs: 0040C6D2
            • User Data\Profile ?\Network\Cookies, xrefs: 0040C704
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: ExistsFilePath
            • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
            • API String ID: 1174141254-1980882731
            • Opcode ID: 830e565da1f4430f56a3fad2b3585c60fae3d202001501423d8e3de01861922a
            • Instruction ID: 83f6a23093d6b0727a30a1d550f3d6f5bdb2bb72864fa742cd8a9fd6423befd9
            • Opcode Fuzzy Hash: 830e565da1f4430f56a3fad2b3585c60fae3d202001501423d8e3de01861922a
            • Instruction Fuzzy Hash: AE21D37190011AD6CB05F7A2DC96CEEB778EE50719B50013FF502B31D2EF789A46C698
            APIs
            • CreateThread.KERNEL32(00000000,00000000,0040A27D,004750F0,00000000,00000000), ref: 0040A1FE
            • CreateThread.KERNEL32(00000000,00000000,0040A267,004750F0,00000000,00000000), ref: 0040A20E
            • CreateThread.KERNEL32(00000000,00000000,0040A289,004750F0,00000000,00000000), ref: 0040A21A
              • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
              • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: CreateThread$LocalTimewsprintf
            • String ID: Offline Keylogger Started
            • API String ID: 465354869-4114347211
            • Opcode ID: 739852a997fc0ae6182b294a28b4bb93c4a2cbea1e12e060c92b97aef043fd25
            • Instruction ID: bcf1cfbdc14a627f6781ea3a40f7cea6448602225ce5b2be95dc640702f6c2bd
            • Opcode Fuzzy Hash: 739852a997fc0ae6182b294a28b4bb93c4a2cbea1e12e060c92b97aef043fd25
            • Instruction Fuzzy Hash: DE1194B12003187AD220B7369C86CBB765DDA8139CB00057FF946222D2EA795D54CAFB
            APIs
              • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
              • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
              • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
            • CreateThread.KERNEL32(00000000,00000000,0040A267,?,00000000,00000000), ref: 0040AF6E
            • CreateThread.KERNEL32(00000000,00000000,0040A289,?,00000000,00000000), ref: 0040AF7A
            • CreateThread.KERNEL32(00000000,00000000,0040A295,?,00000000,00000000), ref: 0040AF86
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: CreateThread$LocalTime$wsprintf
            • String ID: Online Keylogger Started
            • API String ID: 112202259-1258561607
            • Opcode ID: be6d66d5fa79c5f31e74c778d4d5e15bc8bc5d5b3a82591b70bbeab99a5f0c5b
            • Instruction ID: a86b307176fed80e65d2d8085b20e14cf0e56bf63d45b36b749a5edd9f3e52e0
            • Opcode Fuzzy Hash: be6d66d5fa79c5f31e74c778d4d5e15bc8bc5d5b3a82591b70bbeab99a5f0c5b
            • Instruction Fuzzy Hash: 1401C8A070031939E62076365C87D7F7A5DCA81398F40057FF645362C6D97D1C5586FB
            APIs
            • GetLocalTime.KERNEL32(00000000), ref: 0041B509
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: LocalTime
            • String ID: | $%02i:%02i:%02i:%03i $PkGNG
            • API String ID: 481472006-3277280411
            • Opcode ID: cd8841d7ce7b31923eb0730a989a812e14017909399abac035ca2ef2887a575a
            • Instruction ID: b0c371a91d376d28eb23a1cf2c2b6b2589463c7c7bf84255da33bc44f247512a
            • Opcode Fuzzy Hash: cd8841d7ce7b31923eb0730a989a812e14017909399abac035ca2ef2887a575a
            • Instruction Fuzzy Hash: 361181714082055AC304EB62D8419BFB3E9AB44348F50093FF895A21E1EF3CDA49C65A
            APIs
            • GetLocalTime.KERNEL32(?), ref: 00404F81
            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FCD
            • CreateThread.KERNEL32(00000000,00000000,00405150,?,00000000,00000000), ref: 00404FE0
            Strings
            • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: Create$EventLocalThreadTime
            • String ID: KeepAlive | Enabled | Timeout:
            • API String ID: 2532271599-1507639952
            • Opcode ID: 7c8a9ce4b383af45d5410d66a549d3ab3812e2de270479e75a3fa2d1d41e82a0
            • Instruction ID: 982fc92e7e47f2769c776e0d9ab1702947c5453eb715a4cfed9cf45540ca89dc
            • Opcode Fuzzy Hash: 7c8a9ce4b383af45d5410d66a549d3ab3812e2de270479e75a3fa2d1d41e82a0
            • Instruction Fuzzy Hash: A8110671904385AAC720A7778C0DEAB7FA8DBD2710F04046FF54163291DAB89445CBBA
            APIs
            • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406A82
            • GetProcAddress.KERNEL32(00000000), ref: 00406A89
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: CryptUnprotectData$crypt32
            • API String ID: 2574300362-2380590389
            • Opcode ID: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
            • Instruction ID: d796ed41fc96dc9ef8d801536240fab0e9422483ab40f89d2a564a4d0f07de08
            • Opcode Fuzzy Hash: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
            • Instruction Fuzzy Hash: 6201B535B00216ABCB18DFAD9D449ABBBB8EB49300F14817EE95AE3341D674D9008BA4
            APIs
            • SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,10558B1C,10558B1C,PkGNG,0044C302,FF8BC369,00000000,00000002,00000000,PkGNG), ref: 0044C28C
            • GetLastError.KERNEL32 ref: 0044C296
            • __dosmaperr.LIBCMT ref: 0044C29D
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: ErrorFileLastPointer__dosmaperr
            • String ID: PkGNG
            • API String ID: 2336955059-263838557
            • Opcode ID: 60eaf30ffa5a6b77e16cdf42a69bcf8f7fa5cf007f91ab5b57ca5c6e56bd7837
            • Instruction ID: 03228b3a5a263cac3d3762c0c6cb9bea0ee6cefe7ee70a3785aa569069518732
            • Opcode Fuzzy Hash: 60eaf30ffa5a6b77e16cdf42a69bcf8f7fa5cf007f91ab5b57ca5c6e56bd7837
            • Instruction Fuzzy Hash: 9E016D32A11104BBDF008FE9CC4089E3719FB86320B28039AF810A7290EAB5DC118B64
            APIs
            • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
            • CloseHandle.KERNEL32(?), ref: 004051CA
            • SetEvent.KERNEL32(?), ref: 004051D9
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: CloseEventHandleObjectSingleWait
            • String ID: Connection Timeout
            • API String ID: 2055531096-499159329
            • Opcode ID: 16c0c5432ea764d1c3b3677813c316a5f50629e206d56325c82df1a06a1f960a
            • Instruction ID: e4880b57ed2806ada623013920947221b56867654f576af2420d72dde76e11cf
            • Opcode Fuzzy Hash: 16c0c5432ea764d1c3b3677813c316a5f50629e206d56325c82df1a06a1f960a
            • Instruction Fuzzy Hash: 1201D831A40F40AFE7257B368D9552BBBE0FF01302704097FE68396AE2D6789800CF59
            APIs
            • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E833
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: Exception@8Throw
            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
            • API String ID: 2005118841-1866435925
            • Opcode ID: 8dcc56bc0b3abd67e197b42ddab56c72444c781ea05e0f6efff8352e2a22a648
            • Instruction ID: aca7d9cae529c24a85643cb8f0975e7fdd15ab88b82278639a3f13e82648cb6f
            • Opcode Fuzzy Hash: 8dcc56bc0b3abd67e197b42ddab56c72444c781ea05e0f6efff8352e2a22a648
            • Instruction Fuzzy Hash: 2C01B1315443086AE618F693C843FAA73585B10708F108C2FAA15761C2F67D6961C66B
            APIs
            • FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,00474EF8,00474EF8,PkGNG,00404A40), ref: 0041CB09
            • LocalFree.KERNEL32(?,?), ref: 0041CB2F
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: FormatFreeLocalMessage
            • String ID: @J@$PkGNG
            • API String ID: 1427518018-1416487119
            • Opcode ID: 582a0a935ffae84e33b405a2c8e80a835bcb557197e1ba62297b84e69e8a9d31
            • Instruction ID: 02a9d8e2c753fe243ccbc909122ce1ddd8f8b45a09ed5088e6b723b988b0f700
            • Opcode Fuzzy Hash: 582a0a935ffae84e33b405a2c8e80a835bcb557197e1ba62297b84e69e8a9d31
            • Instruction Fuzzy Hash: 5EF0A434B0021AAADF08A7A6DD4ADFF7769DB84305B10007FB606B21D1EEB86D05D659
            APIs
            • RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041381F
            • RegSetValueExW.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,004752D8,771B37E0,?), ref: 0041384D
            • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,004752D8,771B37E0,?,?,?,?,?,0040CFAA,?,00000000), ref: 00413858
            Strings
            • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0041381D
            Memory Dump Source
            • Source File: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_BANK LETTER INDICATION.jbxd
            Yara matches
            Similarity
            • API ID: CloseCreateValue
            • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
            APIs
            • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFB1
            • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040DFF0
              • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 0043565F
              • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 00435683
            • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E016
            Similarity
            • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
            • String ID: bad locale name
            APIs
            • CreateThread.KERNEL32(00000000,00000000,Function_0001D45D,00000000,00000000,00000000), ref: 00416C47
            • ShowWindow.USER32(00000009), ref: 00416C61
            • SetForegroundWindow.USER32 ref: 00416C6D
              • Part of subcall function 0041CD9B: AllocConsole.KERNEL32(00475338), ref: 0041CDA4
              • Part of subcall function 0041CD9B: ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
              • Part of subcall function 0041CD9B: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
            Similarity
            • API ID: Window$ConsoleShow$AllocCreateForegroundOutputThread
            • String ID: !D@
            APIs
            • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00416130
            Similarity
            • API ID: ExecuteShell
            • String ID: /C $cmd.exe$open
            APIs
            • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
            • GetProcAddress.KERNEL32(00000000), ref: 0040141B
            Similarity
            • API ID: AddressHandleModuleProc
            • String ID: GetCursorInfo$User32.dll
            APIs
            • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014B9
            • GetProcAddress.KERNEL32(00000000), ref: 004014C0
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: GetLastInputInfo$User32.dll
            Strings
            • Cleared browsers logins and cookies., xrefs: 0040C0F5
            • [Cleared browsers logins and cookies.], xrefs: 0040C0E4
            Similarity
            • API ID: Sleep
            • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
            APIs
              • Part of subcall function 0041C551: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C561
              • Part of subcall function 0041C551: GetWindowTextLengthW.USER32(00000000), ref: 0041C56A
              • Part of subcall function 0041C551: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C594
            • Sleep.KERNEL32(000001F4), ref: 0040A573
            • Sleep.KERNEL32(00000064), ref: 0040A5FD
            Similarity
            • API ID: Window$SleepText$ForegroundLength
            • String ID: [ $ ]
            APIs
            • ___BuildCatchObject.LIBVCRUNTIME ref: 0043987A
              • Part of subcall function 00439EB2: ___AdjustPointer.LIBCMT ref: 00439EFC
            • _UnwindNestedFrames.LIBCMT ref: 00439891
            • ___FrameUnwindToState.LIBVCRUNTIME ref: 004398A3
            • CallCatchBlock.LIBVCRUNTIME ref: 004398C7
            Similarity
            • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
            APIs
            • GetSystemMetrics.USER32(0000004C), ref: 004193F0
            • GetSystemMetrics.USER32(0000004D), ref: 004193F6
            • GetSystemMetrics.USER32(0000004E), ref: 004193FC
            • GetSystemMetrics.USER32(0000004F), ref: 00419402
            Similarity
            • API ID: MetricsSystem
            APIs
            • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438F31
            • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438F36
            • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438F3B
              • Part of subcall function 0043A43A: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A44B
            • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438F50
            Similarity
            • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
            APIs
            • __startOneArgErrorHandling.LIBCMT ref: 00442CED
            Similarity
            • API ID: ErrorHandling__start
            • String ID: pow
            APIs
            • WideCharToMultiByte.KERNEL32(000000FF,00000000,00000006,00000001,?,?,00000000,?,00000000,?,?,00000000,00000006,?,?,?), ref: 00449F0F
            • GetLastError.KERNEL32 ref: 00449F2B
            Similarity
            • API ID: ByteCharErrorLastMultiWide
            • String ID: PkGNG
            APIs
              • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
            • __Init_thread_footer.LIBCMT ref: 0040B797
            Similarity
            • API ID: Init_thread_footer__onexit
            • String ID: [End of clipboard]$[Text copied to clipboard]
            APIs
            • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451D92,?,00000050,?,?,?,?,?), ref: 00451C12
            Similarity
            • String ID: ACP$OCP
            APIs
            • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BB6E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B7DB
            • GetLastError.KERNEL32 ref: 0044B804
            Similarity
            • API ID: ErrorFileLastWrite
            • String ID: PkGNG
            APIs
            • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BB8E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B6ED
            • GetLastError.KERNEL32 ref: 0044B716
            Similarity
            • API ID: ErrorFileLastWrite
            • String ID: PkGNG
            APIs
            • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405030
              • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
            • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405087
            Strings
            • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
            Similarity
            • API ID: LocalTime
            • String ID: KeepAlive | Enabled | Timeout:
            APIs
            • Sleep.KERNEL32 ref: 00416640
            • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166A2
            Similarity
            • API ID: DownloadFileSleep
            • String ID: !D@
            APIs
            • PathFileExistsW.SHLWAPI(00000000), ref: 0041AD3C
            Similarity
            • API ID: ExistsFilePath
            • String ID: alarm.wav$hYG
            APIs
              • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
              • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
              • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
            • CloseHandle.KERNEL32(?), ref: 0040B0B4
            • UnhookWindowsHookEx.USER32 ref: 0040B0C7
            Similarity
            • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
            • String ID: Online Keylogger Stopped
            APIs
            • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,73E85006,00000001,?,0043CE55), ref: 00448C24
            Similarity
            • API ID: String
            • String ID: LCMapStringEx$PkGNG
            APIs
            • waveInPrepareHeader.WINMM(?,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
            • waveInAddBuffer.WINMM(?,00000020,?,00000000,00401A15), ref: 0040185F
            Similarity
            • API ID: wave$BufferHeaderPrepare
            • String ID: XMG
            APIs
            • IsValidLocale.KERNEL32(00000000,JD,00000000,00000001,?,?,00444AEA,?,?,004444CA,?,00000004), ref: 00448B32
            Similarity
            • API ID: LocaleValid
            • String ID: IsValidLocaleName$JD
            APIs
            • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
            Similarity
            • API ID: ExistsFilePath
            • String ID: UserProfile$\AppData\Local\Google\Chrome\
            APIs
            • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
            Similarity
            • API ID: ExistsFilePath
            • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
            APIs
            • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5BC
            Similarity
            • API ID: ExistsFilePath
            • String ID: AppData$\Opera Software\Opera Stable\
            APIs
            • GetKeyState.USER32(00000011), ref: 0040B64B
              • Part of subcall function 0040A3E0: GetForegroundWindow.USER32 ref: 0040A416
              • Part of subcall function 0040A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
              • Part of subcall function 0040A3E0: GetKeyboardLayout.USER32(00000000), ref: 0040A429
              • Part of subcall function 0040A3E0: GetKeyState.USER32(00000010), ref: 0040A433
              • Part of subcall function 0040A3E0: GetKeyboardState.USER32(?), ref: 0040A43E
              • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A461
              • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
              • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662
            Similarity
            • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
            • String ID: [AltL]$[AltR]
            • API String ID: 2738857842-2658077756
            APIs
            • GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
            • GetACP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED2E
            Similarity
            • API ID:
            • String ID: uD
            • API String ID: 0-2547262877
            APIs
            • GetSystemTimeAsFileTime.KERNEL32(00000000,0043AAB7), ref: 00448996
            Similarity
            • API ID: Time$FileSystem
            • String ID: GetSystemTimePreciseAsFileTime$PkGNG
            • API String ID: 2086374402-949981407
            APIs
            • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161A8
            Similarity
            • API ID: ExecuteShell
            • String ID: !D@$open
            • API String ID: 587946157-1586967515
            APIs
            • ___initconout.LIBCMT ref: 0045555B
              • Part of subcall function 00456B1D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00455560,00000000,PkGNG,0044B59D,?,FF8BC35D,00000000,?,00000000), ref: 00456B30
            • WriteConsoleW.KERNEL32(FFFFFFFE,FF8BC369,00000001,00000000,00000000,00000000,PkGNG,0044B59D,?,FF8BC35D,00000000,?,00000000,PkGNG,0044BB19,?), ref: 0045557E
            Similarity
            • API ID: ConsoleCreateFileWrite___initconout
            • String ID: PkGNG
            • API String ID: 3087715906-263838557
            APIs
            • GetKeyState.USER32(00000012), ref: 0040B6A5
            Similarity
            • API ID: State
            • String ID: [CtrlL]$[CtrlR]
            • API String ID: 1649606143-2446555240
            APIs
              • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
            • __Init_thread_footer.LIBCMT ref: 00410F29
            Similarity
            • API ID: Init_thread_footer__onexit
            • String ID: ,kG$0kG
            • API String ID: 1881088180-2015055088
            APIs
            • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D4CE,00000000,?,00000000), ref: 00413A31
            • RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 00413A45
            Strings
            • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A2F
            Similarity
            • API ID: DeleteOpenValue
            • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
            • API String ID: 2654517830-1051519024
            APIs
            • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D27
            • GetLastError.KERNEL32 ref: 00440D35
            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440D90
            Similarity
            • API ID: ByteCharMultiWide$ErrorLast
            • String ID:
            • API String ID: 1717984340-0
            APIs
            • IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00411EF0), ref: 00411B8C
            • IsBadReadPtr.KERNEL32(?,00000014,00411EF0), ref: 00411C58
            • SetLastError.KERNEL32(0000007F), ref: 00411C7A
            • SetLastError.KERNEL32(0000007E,00411EF0), ref: 00411C91
            Similarity
            • API ID: ErrorLastRead
            • String ID:
            • API String ID: 4100373531-0