Windows Analysis Report
BDQfYL99b2.exe

Overview

General Information

Sample name: BDQfYL99b2.exe (renamed because the original name is a hash value)
Original sample name: a2dcc2e9dd81e3a5f6440ed7027a86da.exe
Analysis ID: 1467126
MD5: a2dcc2e9dd81e3a5f6440ed7027a86da
SHA1: 3518e330ef6c682445bed81d6ae4e167b003ae4b
SHA256: 3521381fadca86cfc577e8aa81ecff5f3453102559bb7e86d903d9b87db1456c
Tags: 64exe

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Injects a PE file into a foreign processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • BDQfYL99b2.exe (PID: 1596 cmdline: "C:\Users\user\Desktop\BDQfYL99b2.exe" MD5: A2DCC2E9DD81E3A5F6440ED7027A86DA)
    • conhost.exe (PID: 3704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • aspnet_wp.exe (PID: 4616 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe" MD5: EF2DCDFF05E9679F8D0E2895D9A2E3BB)
    • WerFault.exe (PID: 3896 cmdline: C:\Windows\system32\WerFault.exe -u -p 1596 -s 1064 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Malware configuration (Remcos):
{
  "Host:Port:Password": "bossnacarpet.com:2556:1vegetachcnc.com:2556:1",
  "Assigned name": "2556",
  "Connect interval": "1",
  "Install flag": "Disable",
  "Setup HKCU\\Run": "Enable",
  "Setup HKLM\\Run": "Enable",
  "Install path": "Application path",
  "Copy file": "remcos.exe",
  "Startup value": "Disable",
  "Hide file": "Disable",
  "Mutex": "chrome-6W1HCC",
  "Keylog flag": "0",
  "Keylog path": "Application path",
  "Keylog file": "logs.dat",
  "Keylog crypt": "Disable",
  "Hide keylog file": "Disable",
  "Screenshot flag": "Disable",
  "Screenshot time": "10",
  "Take Screenshot option": "Disable",
  "Take screenshot title": "",
  "Take screenshot time": "5",
  "Screenshot path": "AppData",
  "Screenshot file": "Screenshots",
  "Screenshot crypt": "Disable",
  "Mouse option": "Disable",
  "Delete file": "Disable",
  "Audio record time": "5"
}
Source | Rule | Description | Author | Strings
Source: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
    Source: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
      Source: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
      • 0x6c4a8:$a1: Remcos restarted by watchdog!
      • 0x6ca20:$a3: %02i:%02i:%02i:%03i
      Source: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown
      • 0x664fc:$str_a1: C:\Windows\System32\cmd.exe
      • 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
      • 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
      • 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
      • 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
      • 0x6656c:$str_b2: Executing file:
      • 0x675ec:$str_b3: GetDirectListeningPort
      • 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
      • 0x67118:$str_b7: \update.vbs
      • 0x66594:$str_b9: Downloaded file:
      • 0x66580:$str_b10: Downloading file:
      • 0x66624:$str_b12: Failed to upload file:
      • 0x675b4:$str_b13: StartForward
      • 0x675d4:$str_b14: StopForward
      • 0x67070:$str_b15: fso.DeleteFile "
      • 0x67004:$str_b16: On Error Resume Next
      • 0x670a0:$str_b17: fso.DeleteFolder "
      • 0x66614:$str_b18: Uploaded file:
      • 0x665d4:$str_b19: Unable to delete:
      • 0x67038:$str_b20: while fso.FileExists("
      • 0x66ab1:$str_c0: [Firefox StoredLogins not found]
      Source: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
      • 0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
      • 0x6637c:$s1: CoGetObject
      • 0x66390:$s1: CoGetObject
      • 0x663ac:$s1: CoGetObject
      • 0x70338:$s1: CoGetObject
      • 0x6633c:$s2: Elevation:Administrator!new:
      Source | Rule | Description | Author | Strings
      Source: 3.2.aspnet_wp.exe.400000.0.unpack | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
        Source: 3.2.aspnet_wp.exe.400000.0.unpack | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
          Source: 3.2.aspnet_wp.exe.400000.0.unpack | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
          • 0x6aaa8:$a1: Remcos restarted by watchdog!
          • 0x6b020:$a3: %02i:%02i:%02i:%03i
          Source: 3.2.aspnet_wp.exe.400000.0.unpack | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown
          • 0x64afc:$str_a1: C:\Windows\System32\cmd.exe
          • 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
          • 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
          • 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
          • 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
          • 0x64b6c:$str_b2: Executing file:
          • 0x65bec:$str_b3: GetDirectListeningPort
          • 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
          • 0x65718:$str_b7: \update.vbs
          • 0x64b94:$str_b9: Downloaded file:
          • 0x64b80:$str_b10: Downloading file:
          • 0x64c24:$str_b12: Failed to upload file:
          • 0x65bb4:$str_b13: StartForward
          • 0x65bd4:$str_b14: StopForward
          • 0x65670:$str_b15: fso.DeleteFile "
          • 0x65604:$str_b16: On Error Resume Next
          • 0x656a0:$str_b17: fso.DeleteFolder "
          • 0x64c14:$str_b18: Uploaded file:
          • 0x64bd4:$str_b19: Unable to delete:
          • 0x65638:$str_b20: while fso.FileExists("
          • 0x650b1:$str_c0: [Firefox StoredLogins not found]
          Source: 3.2.aspnet_wp.exe.400000.0.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
          • 0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
          • 0x6497c:$s1: CoGetObject
          • 0x64990:$s1: CoGetObject
          • 0x649ac:$s1: CoGetObject
          • 0x6e938:$s1: CoGetObject
          • 0x6493c:$s2: Elevation:Administrator!new:
          No Sigma rule has matched
          No Snort rule has matched

          AV Detection

          Source: bossnacarpet.com | Avira URL Cloud: Label: malware
          Source: 00000003.00000002.4567891787.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "bossnacarpet.com:2556:1vegetachcnc.com:2556:1", "Assigned name": "2556", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "chrome-6W1HCC", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
          Source: BDQfYL99b2.exe | ReversingLabs: Detection: 34%
          Source: Yara match | File source: 3.2.aspnet_wp.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.aspnet_wp.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.BDQfYL99b2.exe.205cd2b8770.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.4567891787.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.2167087771.00000205CD11F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: BDQfYL99b2.exe PID: 1596, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: aspnet_wp.exe PID: 4616, type: MEMORYSTR
          Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,3_2_00433837
          Source: BDQfYL99b2.exe, 00000000.00000002.2167087771.00000205CD11F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_b3498c3a-c

          Exploits

          Source: Yara match | File source: 3.2.aspnet_wp.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.aspnet_wp.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.BDQfYL99b2.exe.205cd2b8770.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.2165993017.00000205BCE10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.2167087771.00000205CD11F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: BDQfYL99b2.exe PID: 1596, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: aspnet_wp.exe PID: 4616, type: MEMORYSTR

          Privilege Escalation

          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_004074FD _wcslen,CoGetObject,3_2_004074FD
          Source: unknown | HTTPS traffic detected: 52.168.117.173:443 -> 192.168.2.6:54066 version: TLS 1.2
          Source: BDQfYL99b2.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER4E1.tmp.dmp.6.dr
          Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: BDQfYL99b2.exe, 00000000.00000002.2169832312.00000205D56B2000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.ni.pdbRSDS source: WER4E1.tmp.dmp.6.dr
          Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbean) source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb*F source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Windows.Forms.ni.pdb source: WER4E1.tmp.dmp.6.dr
          Source: Binary string: System.Drawing.ni.pdb source: WER4E1.tmp.dmp.6.dr
          Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb\b) source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER4E1.tmp.dmp.6.dr
          Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER4E1.tmp.dmp.6.dr
          Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbu source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Drawing.ni.pdbRSDS source: WER4E1.tmp.dmp.6.dr
          Source: Binary string: System.pdb source: WER4E1.tmp.dmp.6.dr
          Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB41F000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB42C000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Core.ni.pdb source: WER4E1.tmp.dmp.6.dr
          Source: Binary string: Microsoft.VisualBasic.pdb source: WER4E1.tmp.dmp.6.dr
          Source: Binary string: \??\C:\Users\user\Desktop\.pdb source: BDQfYL99b2.exe, 00000000.00000002.2169832312.00000205D5670000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: C:\Users\user\Desktop\BDQfYL99b2.PDB@ source: BDQfYL99b2.exe, 00000000.00000002.2164969522.0000007A698F2000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.Windows.Forms.pdb source: WER4E1.tmp.dmp.6.dr
          Source: Binary string: Microsoft.VisualBasic.pdbW source: WER4E1.tmp.dmp.6.dr
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Drawing.pdbp source: WER4E1.tmp.dmp.6.dr
          Source: Binary string: mscorlib.pdb source: WER4E1.tmp.dmp.6.dr
          Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB42C000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbes source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB42C000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb0. source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER4E1.tmp.dmp.6.dr
          Source: Binary string: System.Drawing.pdb source: WER4E1.tmp.dmp.6.dr
          Source: Binary string: mscorlib.ni.pdb source: WER4E1.tmp.dmp.6.dr
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: BDQfYL99b2.exe, 00000000.00000002.2169832312.00000205D5670000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\mscorlib.pdbn source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbes source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\mscorlib.pdb source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Core.pdb source: WER4E1.tmp.dmp.6.dr
          Source: Binary string: BDQfYL99b2.PDB source: BDQfYL99b2.exe, 00000000.00000002.2164969522.0000007A698F2000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.ni.pdb source: WER4E1.tmp.dmp.6.dr
          Source: Binary string: System.Core.ni.pdbRSDS source: WER4E1.tmp.dmp.6.dr
          Source: Binary string: izpC:\Users\user\Desktop\BDQfYL99b2.PDB source: BDQfYL99b2.exe, 00000000.00000002.2164969522.0000007A698F2000.00000004.00000010.00020000.00000000.sdmp
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,3_2_00409253
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,3_2_0041C291
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,3_2_0040C34D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,3_2_00409665
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_0044E879 FindFirstFileExA,3_2_0044E879
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,3_2_0040880C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_0040783C FindFirstFileW,FindNextFileW,3_2_0040783C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,3_2_00419AF5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,3_2_0040BB30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,3_2_0040BD37
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,3_2_00407C97

          Networking

          Source: Malware configuration extractor | URLs: bossnacarpet.com
          Source: global traffic | TCP traffic: 192.168.2.6:49710 -> 173.255.204.62:2556
          Source: global traffic | TCP traffic: 192.168.2.6:49713 -> 107.173.4.18:2556
          Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
          Source: Joe Sandbox View | IP Address: 52.168.117.173
          Source: Joe Sandbox View | IP Address: 173.255.204.62
          Source: Joe Sandbox View | IP Address: 107.173.4.18
          Source: Joe Sandbox View | ASN Name: LINODE-APLinodeLLCUS
          Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS
          Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
          Source: unknown | TCP traffic detected without corresponding DNS query: 52.168.117.173 (8 occurrences)
          Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (3 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,3_2_0041B380
          Source: global traffic | DNS traffic detected: DNS query: bossnacarpet.com
          Source: global traffic | DNS traffic detected: DNS query: vegetachcnc.com
          Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
          Source: unknown | HTTP traffic detected: POST /Telemetry.Request HTTP/1.1 Connection: Keep-Alive User-Agent: MSDW MSA_DeviceTicket: t=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&p= Content-Length: 4828 Host: umwatson.events.data.microsoft.com
          Source: aspnet_wp.exe, 00000003.00000002.4567891787.0000000004EE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
          Source: aspnet_wp.exe, 00000003.00000003.2173592542.0000000004EE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp.
          Source: aspnet_wp.exe, 00000003.00000002.4567891787.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/
          Source: BDQfYL99b2.exe, 00000000.00000002.2167087771.00000205CD11F000.00000004.00000800.00020000.00000000.sdmp, aspnet_wp.exe, 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
          Source: aspnet_wp.exe, 00000003.00000003.2173592542.0000000004EE6000.00000004.00000020.00020000.00000000.sdmp, aspnet_wp.exe, 00000003.00000002.4567891787.0000000004EE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpG
          Source: aspnet_wp.exe, 00000003.00000003.2173592542.0000000004EE6000.00000004.00000020.00020000.00000000.sdmp, aspnet_wp.exe, 00000003.00000002.4567891787.0000000004EE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpal
          Source: aspnet_wp.exe, 00000003.00000003.2173592542.0000000004EE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpc
          Source: aspnet_wp.exe, 00000003.00000003.2173592542.0000000004EE6000.00000004.00000020.00020000.00000000.sdmp, aspnet_wp.exe, 00000003.00000002.4567891787.0000000004EE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpl
          Source: aspnet_wp.exe, 00000003.00000003.2173592542.0000000004EE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpr&
          Source: aspnet_wp.exe, 00000003.00000003.2173592542.0000000004EE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpr2
          Source: Amcache.hve.6.dr | String found in binary or memory: http://upx.sf.net
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 54066
          Source: unknown | Network traffic detected: HTTP traffic on port 54066 -> 443
          Source: unknown | HTTPS traffic detected: 52.168.117.173:443 -> 192.168.2.6:54066 version: TLS 1.2

          Key, Mouse, Clipboard, Microphone and Screen Capturing

          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000 3_2_0040A2B8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,3_2_0040B70E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,3_2_004168C1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,3_2_0040A3E0

          E-Banking Fraud

          Source: Yara match | File source: 3.2.aspnet_wp.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.aspnet_wp.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.BDQfYL99b2.exe.205cd2b8770.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.4567891787.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.2167087771.00000205CD11F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: BDQfYL99b2.exe PID: 1596, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: aspnet_wp.exe PID: 4616, type: MEMORYSTR

          Spam, unwanted Advertisements and Ransom Demands

          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 3_2_0041C9E2 SystemParametersInfoW,3_2_0041C9E2

          System Summary

          Source: 3.2.aspnet_wp.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
          Source: 3.2.aspnet_wp.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Author: unknown
          Source: 3.2.aspnet_wp.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
          Source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
          Source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Author: unknown
          Source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.unpack, type: UNPACKEDPE; Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
          Source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
          Source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Author: unknown
          Source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.unpack, type: UNPACKEDPE; Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
          Source: 3.2.aspnet_wp.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
          Source: 3.2.aspnet_wp.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Author: unknown
          Source: 3.2.aspnet_wp.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
          Source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
          Source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Author: unknown
          Source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
          Source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
          Source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
          Source: 0.2.BDQfYL99b2.exe.205cd2b8770.2.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
          Source: 0.2.BDQfYL99b2.exe.205cd2b8770.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
          Source: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
          Source: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants, Author: unknown
          Source: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
          Source: 00000000.00000002.2167087771.00000205CD11F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
          Source: Process Memory Space: BDQfYL99b2.exe PID: 1596, type: MEMORYSTR; Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
          Source: Process Memory Space: aspnet_wp.exe PID: 4616, type: MEMORYSTR; Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe; Process Stats: CPU usage > 49%
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe; Code function: 3_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe; Code function: String function: 00434E10 appears 54 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe; Code function: String function: 00402093 appears 50 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe; Code function: String function: 00434770 appears 41 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe; Code function: String function: 00401E65 appears 34 times
          Source: C:\Users\user\Desktop\BDQfYL99b2.exe; Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1596 -s 1064
          Source: BDQfYL99b2.exe; Static PE information: No import functions for PE file found
          Source: BDQfYL99b2.exe, 00000000.00000000.2104241148.00000205BB1EC000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenameAtakacipaxelubigetoD vs BDQfYL99b2.exe
          Source: BDQfYL99b2.exe, 00000000.00000002.2167087771.00000205CD11F000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameOtodinedexop: vs BDQfYL99b2.exe
          Source: BDQfYL99b2.exe; Binary or memory string: OriginalFilenameAtakacipaxelubigetoD vs BDQfYL99b2.exe
          Source: 3.2.aspnet_wp.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965, reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 3.2.aspnet_wp.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 3.2.aspnet_wp.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
          Source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965, reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
          Source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965, reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
          Source: 3.2.aspnet_wp.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965, reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 3.2.aspnet_wp.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 3.2.aspnet_wp.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
          Source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965, reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
          Source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965, reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
          Source: 0.2.BDQfYL99b2.exe.205cd2b8770.2.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965, reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 0.2.BDQfYL99b2.exe.205cd2b8770.2.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
          Source: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Remcos_b296e965, reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
          Source: 00000000.00000002.2167087771.00000205CD11F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Remcos_b296e965, reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: Process Memory Space: BDQfYL99b2.exe PID: 1596, type: MEMORYSTR; Matched rule: Windows_Trojan_Remcos_b296e965, reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: Process Memory Space: aspnet_wp.exe PID: 4616, type: MEMORYSTR; Matched rule: Windows_Trojan_Remcos_b296e965, reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: BDQfYL99b2.exe, ----------.cs; Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbu
          Source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB41F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
          Source: classification engine; Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@5/6@3/4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe; Code function: 3_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe; Code function: 3_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe; Code function: 3_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe; Code function: 3_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe; File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\json[1].json
          Source: C:\Users\user\Desktop\BDQfYL99b2.exe; Mutant created: NULL
          Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3704:120:WilError_03
          Source: C:\Windows\System32\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1596
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe; Mutant created: \Sessions\1\BaseNamedObjects\chrome-6W1HCC
          Source: C:\Windows\System32\WerFault.exe; File created: C:\ProgramData\Microsoft\Windows\WER\Temp\aef5ed17-6ce2-43e8-95e4-1841ea2751b4
          Source: BDQfYL99b2.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: BDQfYL99b2.exe; Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%
          Source: C:\Users\user\Desktop\BDQfYL99b2.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: BDQfYL99b2.exe; ReversingLabs: Detection: 34%
          Source: C:\Users\user\Desktop\BDQfYL99b2.exe; File read: C:\Users\user\Desktop\BDQfYL99b2.exe
          Source: unknown; Process created: C:\Users\user\Desktop\BDQfYL99b2.exe "C:\Users\user\Desktop\BDQfYL99b2.exe"
          Source: C:\Users\user\Desktop\BDQfYL99b2.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\BDQfYL99b2.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
          Source: C:\Users\user\Desktop\BDQfYL99b2.exe; Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1596 -s 1064
          Source: C:\Users\user\Desktop\BDQfYL99b2.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
          Source: C:\Users\user\Desktop\BDQfYL99b2.exe; Section loaded: mscoree.dll
          Source: C:\Users\user\Desktop\BDQfYL99b2.exe; Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\BDQfYL99b2.exe; Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\BDQfYL99b2.exe; Section loaded: version.dll
          Source: C:\Users\user\Desktop\BDQfYL99b2.exe; Section loaded: vcruntime140_clr0400.dll
          Source: C:\Users\user\Desktop\BDQfYL99b2.exe; Section loaded: ucrtbase_clr0400.dll
          Source: C:\Users\user\Desktop\BDQfYL99b2.exe; Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\BDQfYL99b2.exe; Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\BDQfYL99b2.exe; Section loaded: profapi.dll
          Source: C:\Users\user\Desktop\BDQfYL99b2.exe; Section loaded: cryptsp.dll
          Source: C:\Users\user\Desktop\BDQfYL99b2.exe; Section loaded: rsaenh.dll
          Source: C:\Users\user\Desktop\BDQfYL99b2.exe; Section loaded: cryptbase.dll
          Source: C:\Users\user\Desktop\BDQfYL99b2.exe; Section loaded: amsi.dll
          Source: C:\Users\user\Desktop\BDQfYL99b2.exe; Section loaded: userenv.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe; Section loaded: winmm.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe; Section loaded: urlmon.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe; Section loaded: wininet.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe; Section loaded: iertutil.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe; Section loaded: srvcli.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe; Section loaded: netutils.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe; Section loaded: iphlpapi.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe; Section loaded: rstrtmgr.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe; Section loaded: ncrypt.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe; Section loaded: ntasn1.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe; Section loaded: sspicli.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe; Section loaded: mswsock.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe; Section loaded: dnsapi.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe; Section loaded: rasadhlp.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe; Section loaded: fwpuclnt.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe; Section loaded: cryptsp.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe; Section loaded: rsaenh.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe; Section loaded: cryptbase.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe; Section loaded: windows.storage.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe; Section loaded: wldp.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe; Section loaded: profapi.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe; Section loaded: kernel.appcore.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe; Section loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe; Section loaded: winhttp.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe; Section loaded: winnsi.dll
          Source: C:\Users\user\Desktop\BDQfYL99b2.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
          Source: C:\Users\user\Desktop\BDQfYL99b2.exe; File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
          Source: BDQfYL99b2.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: BDQfYL99b2.exe; Static file information: File size 3397673 > 1048576
          Source: BDQfYL99b2.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: BDQfYL99b2.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER4E1.tmp.dmp.6.dr
          Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: BDQfYL99b2.exe, 00000000.00000002.2169832312.00000205D56B2000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.ni.pdbRSDS source: WER4E1.tmp.dmp.6.dr
          Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbean) source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb*F source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Windows.Forms.ni.pdb source: WER4E1.tmp.dmp.6.dr
          Source: Binary string: System.Drawing.ni.pdb source: WER4E1.tmp.dmp.6.dr
          Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb\b) source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER4E1.tmp.dmp.6.dr
          Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER4E1.tmp.dmp.6.dr
          Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbu source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Drawing.ni.pdbRSDS source: WER4E1.tmp.dmp.6.dr
          Source: Binary string: System.pdb source: WER4E1.tmp.dmp.6.dr
          Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB41F000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB42C000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Core.ni.pdb source: WER4E1.tmp.dmp.6.dr
          Source: Binary string: Microsoft.VisualBasic.pdb source: WER4E1.tmp.dmp.6.dr
          Source: Binary string: \??\C:\Users\user\Desktop\.pdb source: BDQfYL99b2.exe, 00000000.00000002.2169832312.00000205D5670000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: C:\Users\user\Desktop\BDQfYL99b2.PDB@ source: BDQfYL99b2.exe, 00000000.00000002.2164969522.0000007A698F2000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.Windows.Forms.pdb source: WER4E1.tmp.dmp.6.dr
          Source: Binary string: Microsoft.VisualBasic.pdbW source: WER4E1.tmp.dmp.6.dr
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Drawing.pdbp source: WER4E1.tmp.dmp.6.dr
          Source: Binary string: mscorlib.pdb source: WER4E1.tmp.dmp.6.dr
          Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB42C000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbes source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB42C000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb0. source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER4E1.tmp.dmp.6.dr
          Source: Binary string: System.Drawing.pdb source: WER4E1.tmp.dmp.6.dr
          Source: Binary string: mscorlib.ni.pdb source: WER4E1.tmp.dmp.6.dr
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: BDQfYL99b2.exe, 00000000.00000002.2169832312.00000205D5670000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\mscorlib.pdbn source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbes source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\mscorlib.pdb source: BDQfYL99b2.exe, 00000000.00000002.2165556949.00000205BB39D000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Core.pdb source: WER4E1.tmp.dmp.6.dr
          Source: Binary string: BDQfYL99b2.PDB source: BDQfYL99b2.exe, 00000000.00000002.2164969522.0000007A698F2000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.ni.pdb source: WER4E1.tmp.dmp.6.dr
          Source: Binary string: System.Core.ni.pdbRSDS source: WER4E1.tmp.dmp.6.dr
          Source: Binary string: izpC:\Users\user\Desktop\BDQfYL99b2.PDB source: BDQfYL99b2.exe, 00000000.00000002.2164969522.0000007A698F2000.00000004.00000010.00020000.00000000.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe -- Code function: 3_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\BDQfYL99b2.exe -- Code function: 0_2_00007FFD347059D5 push ds; retn 0008h (at 0_2_00007FFD347059D6)
Source: C:\Users\user\Desktop\BDQfYL99b2.exe -- Code function: 0_2_00007FFD347E00FB push esp; retf 4810h (at 0_2_00007FFD347E0312)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe -- Code function: 3_2_00457106 push ecx; ret (at 3_2_00457119)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe -- Code function: 3_2_0045B11A push esp; ret (at 3_2_0045B141)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe -- Code function: 3_2_0045E54D push esi; ret (at 3_2_0045E556)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe -- Code function: 3_2_00457A28 push eax; ret (at 3_2_00457A46)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe -- Code function: 3_2_00434E56 push ecx; ret (at 3_2_00434E69)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe -- Code function: 3_2_00406EB0 ShellExecuteW,URLDownloadToFileW
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe -- Code function: 3_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe -- Code function: 3_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\BDQfYL99b2.exe -- Process information set: NOOPENFILEERRORBOX (identical row repeated 36 times in the report)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe -- Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe -- Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (identical row repeated 5 times in the report)
Source: C:\Windows\System32\WerFault.exe -- Process information set: NOOPENFILEERRORBOX (identical row repeated 51 times in the report)

          Malware Analysis System Evasion

Source: Yara match -- File source: Process Memory Space: BDQfYL99b2.exe PID: 1596, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe -- Code function: 3_2_0040F7A7 Sleep,ExitProcess
Source: BDQfYL99b2.exe, 00000000.00000002.2165993017.00000205BCE10000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: BDQfYL99b2.exe, 00000000.00000002.2165993017.00000205BCE10000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\BDQfYL99b2.exe -- Memory allocated: 205BB530000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\BDQfYL99b2.exe -- Memory allocated: 205D4DD0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe -- Code function: 3_2_0041A748 OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe -- Window / User API: threadDelayed 9677
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe TID: 4208 -- Thread sleep count: 315 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe TID: 4208 -- Thread sleep time: -945000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe TID: 4208 -- Thread sleep count: 9677 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe TID: 4208 -- Thread sleep time: -29031000s >= -30000s
Source: C:\Windows\System32\conhost.exe -- Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe -- Code function: 3_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe -- Code function: 3_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe -- Code function: 3_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe -- Code function: 3_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe -- Code function: 3_2_0044E879 FindFirstFileExA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe -- Code function: 3_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe -- Code function: 3_2_0040783C FindFirstFileW,FindNextFileW
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe -- Code function: 3_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe -- Code function: 3_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe -- Code function: 3_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe -- Code function: 3_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW
Source: Amcache.hve.6.dr -- Binary or memory string: VMware
Source: Amcache.hve.6.dr -- Binary or memory string: VMware Virtual USB Mouse
Source: aspnet_wp.exe, 00000003.00000003.2173688836.0000000004F1E000.00000004.00000020.00020000.00000000.sdmp, aspnet_wp.exe, 00000003.00000002.4567891787.0000000004F1E000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW{
Source: Amcache.hve.6.dr -- Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr -- Binary or memory string: VMware, Inc.
Source: BDQfYL99b2.exe, 00000000.00000002.2165993017.00000205BCE10000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Amcache.hve.6.dr -- Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr -- Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr -- Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr -- Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr -- Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: aspnet_wp.exe, 00000003.00000003.2173688836.0000000004F1E000.00000004.00000020.00020000.00000000.sdmp, aspnet_wp.exe, 00000003.00000002.4567891787.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, aspnet_wp.exe, 00000003.00000002.4567891787.0000000004F1E000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr -- Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: BDQfYL99b2.exe, 00000000.00000002.2165993017.00000205BCE10000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: VMWARE
Source: BDQfYL99b2.exe, 00000000.00000002.2165993017.00000205BCE10000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Amcache.hve.6.dr -- Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: BDQfYL99b2.exe, 00000000.00000002.2165993017.00000205BCE10000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: BDQfYL99b2.exe, 00000000.00000002.2165993017.00000205BCE10000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: VMware SVGA II
Source: Amcache.hve.6.dr -- Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr -- Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr -- Binary or memory string: vmci.sys
Source: BDQfYL99b2.exe, 00000000.00000002.2165993017.00000205BCE10000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: Amcache.hve.6.dr -- Binary or memory string: vmci.syshbin`
Source: BDQfYL99b2.exe, 00000000.00000002.2165993017.00000205BCE10000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: vmware
Source: Amcache.hve.6.dr -- Binary or memory string: \driver\vmci,\driver\pci
Source: BDQfYL99b2.exe, 00000000.00000002.2165993017.00000205BCE10000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: BDQfYL99b2.exe, 00000000.00000002.2165993017.00000205BCE10000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Amcache.hve.6.dr -- Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr -- Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr -- Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr -- Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr -- Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr -- Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr -- Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr -- Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr -- Binary or memory string: VMware PCI VMCI Bus Device
Source: BDQfYL99b2.exe, 00000000.00000002.2165993017.00000205BCE10000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: BDQfYL99b2.exe, 00000000.00000002.2165993017.00000205BCE10000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.6.dr -- Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr -- Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr -- Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr -- Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe -- API call chain: ExitProcess graph end node (graph_3-48649)
Source: C:\Users\user\Desktop\BDQfYL99b2.exe -- Process queried: DebugPort
Source: C:\Users\user\Desktop\BDQfYL99b2.exe -- Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe -- Code function: 3_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe -- Code function: 3_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe -- Code function: 3_2_004432B5 mov eax, dword ptr fs:[00000030h] (on 32-bit Windows fs:[30h] is the TEB's pointer to the PEB; reading the PEB directly is how BeingDebugged and similar flags are checked without calling IsDebuggerPresent)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe -- Code function: 3_2_00412077 GetProcessHeap,HeapFree
Source: C:\Users\user\Desktop\BDQfYL99b2.exe -- Process token adjusted: Debug (SeDebugPrivilege)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe -- Code function: 3_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe -- Code function: 3_2_00434B47 SetUnhandledExceptionFilter
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe -- Code function: 3_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe -- Code function: 3_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\BDQfYL99b2.exe -- Memory allocated: page read and write | page guard
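What the evasion rows above add up to, as an added example (our own Python, not part of the Joe Sandbox report and not code from the sample): the script pairs each "Thread sleep count" row with the "Thread sleep time" row that follows it to get the per-call delay, and sorts the VM/sandbox strings by where they were found. Two assumptions are ours: the sleep magnitude is read as milliseconds (the only unit under which both loops come out to a round 3000 ms per call, i.e. Sleep(3000) in a loop), and the provenance rule that anything from Amcache.hve.6.dr (a Windows application-inventory hive dropped by WerFault) describes the analysis host rather than the malware. The input rows are copied from the report into a constructed list.

```python
import re

# Constructed input: rows copied from the evasion section of the report,
# reduced to "source -- label: value" form.
ROWS = [
    "aspnet_wp.exe TID: 4208 -- Thread sleep count: 315 > 30",
    "aspnet_wp.exe TID: 4208 -- Thread sleep time: -945000s >= -30000s",
    "aspnet_wp.exe TID: 4208 -- Thread sleep count: 9677 > 30",
    "aspnet_wp.exe TID: 4208 -- Thread sleep time: -29031000s >= -30000s",
    "BDQfYL99b2.exe (memory) -- Binary or memory string: SBIEDLL.DLL",
    "BDQfYL99b2.exe (memory) -- Binary or memory string: WINE_GET_UNIX_FILE_NAME",
    "BDQfYL99b2.exe (memory) -- Binary or memory string: SOFTWARE\\VMware, Inc.\\VMware Tools",
    "BDQfYL99b2.exe (memory) -- Binary or memory string: C:\\WINDOWS\\system32\\drivers\\vmmouse.sys",
    "BDQfYL99b2.exe (memory) -- Binary or memory string: C:\\WINDOWS\\system32\\drivers\\VBoxMouse.sys",
    "Amcache.hve.6.dr -- Binary or memory string: VMware Virtual USB Mouse",
    "Amcache.hve.6.dr -- Binary or memory string: vmci.sys",
]

SLEEP_COUNT = re.compile(r"^(?P<src>.*?) -- Thread sleep count: (?P<n>\d+) > \d+$")
SLEEP_TIME = re.compile(r"^(?P<src>.*?) -- Thread sleep time: -(?P<ms>\d+)s >= -\d+s$")
MEM_STRING = re.compile(r"^(?P<src>.*?) -- Binary or memory string: (?P<s>.+)$")

# Indicator -> the environment the check is looking for. Order matters:
# VirtualBox is tested before the broad VMware pattern.
TARGETS = [
    (re.compile(r"sbiedll\.dll", re.I), "Sandboxie"),
    (re.compile(r"wine_get_unix_file_name", re.I), "Wine"),
    (re.compile(r"vbox", re.I), "VirtualBox"),
    (re.compile(r"vmware|vmmouse|vmhgfs|vmci", re.I), "VMware"),
]


def sleep_loops(rows):
    """Pair each 'sleep count' row with the next 'sleep time' row for the same
    thread and derive the per-call delay. Assumption (ours): the reported
    magnitude is in milliseconds; that is the reading under which both loops
    give a round 3000 ms per call, i.e. Sleep(3000) called in a loop."""
    pending = {}
    loops = []
    for row in rows:
        m = SLEEP_COUNT.match(row)
        if m:
            pending[m["src"]] = int(m["n"])
            continue
        m = SLEEP_TIME.match(row)
        if m and m["src"] in pending:
            calls = pending.pop(m["src"])
            total_ms = int(m["ms"])
            loops.append({
                "thread": m["src"],
                "calls": calls,
                "total_ms": total_ms,
                "per_call_ms": total_ms // calls,
            })
    return loops


def classify_strings(rows):
    """Split VM/sandbox strings by provenance. Strings in the sample's own
    memory are the check list it carries; strings from a dropped file such as
    Amcache.hve.6.dr describe the analysis host, not the malware, and must not
    be counted as evidence that the sample checks for a VM."""
    out = {"sample": [], "host_artifact": []}
    for row in rows:
        m = MEM_STRING.match(row)
        if not m:
            continue
        target = next((name for rx, name in TARGETS if rx.search(m["s"])), "unknown")
        bucket = "host_artifact" if m["src"].endswith(".dr") else "sample"
        out[bucket].append((m["s"], target))
    return out


if __name__ == "__main__":
    for loop in sleep_loops(ROWS):
        print(f"{loop['thread']}: {loop['calls']} calls x {loop['per_call_ms']} ms")
    for bucket, items in classify_strings(ROWS).items():
        print(bucket, items)
```

Read this way, the 9677-call loop is not a one-off stall before execution but a ~3 s polling loop that ran for the whole analysis, and the indicators that count as evidence of VM/sandbox checks are the ones found in BDQfYL99b2.exe's own memory (the VMware Tools registry key and install path, vmmouse.sys, vmhgfs.sys, VBoxMouse.sys, SbieDll.dll, WINE_GET_UNIX_FILE_NAME); the Amcache strings only say that the sandbox itself runs on VMware.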

          HIPS / PFW / Operating System Protection Evasion

Source: BDQfYL99b2.exe, ----------.cs -- Reference to suspicious API methods: GetProcAddress(_EC76_EE96_EC7C_EEF9_EE2B_EC8E_EE75_08F2_06FE_ECA8, _065F_EE5D_ECA9_08E6_08FF_EE72)
Source: BDQfYL99b2.exe, ----------.cs -- Reference to suspicious API methods: VirtualProtect(procAddress, (uint)_08EA_ECA7_EEB7_08D8_0610_EE34.Length, 64u, out var _EE22_EE28_ECBC_EE75_EE52_060F_EE7E_0654_EEC0_08DB_0618_08DE_ECBF) (64u is PAGE_EXECUTE_READWRITE: the export just resolved with GetProcAddress is made writable for the length of a byte buffer, the usual prelude to overwriting a function's first bytes in memory)
Source: BDQfYL99b2.exe, ----------.cs -- Reference to suspicious API methods: LoadLibrary(_EE16_EE09_EE00_EE19_0E7C_EE4F_EE1C_060B_EEC8_EE24_EC73_EE87_EC73_EE3F_0E6B(_EC8E_EE42_ECBE_EECA_EECE_EE15_EE77_EE88_06DC_0EBB_ECA9_EE7E_EE24_EE50._EE53_EE0A))
Source: C:\Users\user\Desktop\BDQfYL99b2.exe -- Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\BDQfYL99b2.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\BDQfYL99b2.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 400000
Source: C:\Users\user\Desktop\BDQfYL99b2.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 401000
Source: C:\Users\user\Desktop\BDQfYL99b2.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 459000
Source: C:\Users\user\Desktop\BDQfYL99b2.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 471000
Source: C:\Users\user\Desktop\BDQfYL99b2.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 477000
Source: C:\Users\user\Desktop\BDQfYL99b2.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 478000
Source: C:\Users\user\Desktop\BDQfYL99b2.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 479000
Source: C:\Users\user\Desktop\BDQfYL99b2.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 47E000
Source: C:\Users\user\Desktop\BDQfYL99b2.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 4BF4008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe -- Code function: 3_2_004120F7 GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess (string reference: svchost.exe)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe -- Code function: 3_2_00419627 mouse_event
Source: C:\Users\user\Desktop\BDQfYL99b2.exe -- Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
Source: aspnet_wp.exe, 00000003.00000002.4567891787.0000000004EF0000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Program Manager&
Source: aspnet_wp.exe, 00000003.00000002.4567891787.0000000004EF0000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Program Managero
Source: aspnet_wp.exe, 00000003.00000002.4567891787.0000000004EF0000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Program Managerj
Source: aspnet_wp.exe, 00000003.00000002.4567891787.0000000004EF0000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Program Manager2
Source: aspnet_wp.exe, 00000003.00000002.4567891787.0000000004EF0000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Program Manager`
Source: aspnet_wp.exe, 00000003.00000002.4567891787.0000000004F07000.00000004.00000020.00020000.00000000.sdmp, aspnet_wp.exe, 00000003.00000002.4567891787.0000000004EF0000.00000004.00000020.00020000.00000000.sdmp, aspnet_wp.exe, 00000003.00000002.4567891787.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: |Program Manager|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe -- Code function: 3_2_00434C52 cpuid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe -- Code function: 3_2_0040F8D1 GetLocaleInfoA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe -- Code function: 3_2_00452036 EnumSystemLocalesW
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe -- Code function: 3_2_004520C3 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exeCode function: GetLocaleInfoW,3_2_00452313
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exeCode function: EnumSystemLocalesW,3_2_00448404
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,3_2_0045243C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exeCode function: GetLocaleInfoW,3_2_00452543
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,3_2_00452610
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exeCode function: GetLocaleInfoW,3_2_004488ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,3_2_00451CD8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exeCode function: EnumSystemLocalesW,3_2_00451F50
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exeCode function: EnumSystemLocalesW,3_2_00451F9B
          Source: C:\Users\user\Desktop\BDQfYL99b2.exeQueries volume information: C:\Users\user\Desktop\BDQfYL99b2.exe VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exeCode function: 3_2_00404F51 GetLocalTime,CreateEventA,CreateThread,3_2_00404F51
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exeCode function: 3_2_0041B60D GetComputerNameExW,GetUserNameW,3_2_0041B60D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exeCode function: 3_2_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,3_2_00449190
          Source: C:\Users\user\Desktop\BDQfYL99b2.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
          Source: Amcache.hve.6.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
          Source: Amcache.hve.6.drBinary or memory string: msmpeng.exe
          Source: Amcache.hve.6.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
          Source: Amcache.hve.6.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
          Source: Amcache.hve.6.drBinary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match; file source: 3.2.aspnet_wp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.unpack, type: UNPACKEDPE
Source: Yara match; file source: 3.2.aspnet_wp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.BDQfYL99b2.exe.205cd2b8770.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000003.00000002.4567891787.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000002.2167087771.00000205CD11F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: Process Memory Space: BDQfYL99b2.exe PID: 1596, type: MEMORYSTR
Source: Yara match; file source: Process Memory Space: aspnet_wp.exe PID: 4616, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe; Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data (3_2_0040BA12)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe; Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ (3_2_0040BB30)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe; Code function: \key3.db (3_2_0040BB30)

Remote Access Functionality

Source: Yara match; file source: 3.2.aspnet_wp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.unpack, type: UNPACKEDPE
Source: Yara match; file source: 3.2.aspnet_wp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.BDQfYL99b2.exe.205cd3fddf0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.BDQfYL99b2.exe.205cd3851a8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.BDQfYL99b2.exe.205cd2b8770.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000003.00000002.4567891787.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000002.2167087771.00000205CD11F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: Process Memory Space: BDQfYL99b2.exe PID: 1596, type: MEMORYSTR
Source: Yara match; file source: Process Memory Space: aspnet_wp.exe PID: 4616, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe; Code function: cmd.exe (3_2_0040569A)
MITRE ATT&CK matrix (tactics: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact). Techniques are listed per tactic in the order of the report's rows; a number preceding a technique is the report's count badge, kept as extracted.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: 11 Native API; 1 Command and Scripting Interpreter; 2 Service Execution; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: 1 DLL Side-Loading; 1 Windows Service; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Access Token Manipulation; 1 Windows Service; 322 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: 1 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Masquerading; 3 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 322 Process Injection; Dynamic API Resolution
Credential Access: 1 OS Credential Dumping; 111 Input Capture; 2 Credentials In Files; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: 2 System Time Discovery; 1 Account Discovery; 1 System Service Discovery; 2 File and Directory Discovery; 33 System Information Discovery; 141 Security Software Discovery; 3 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: 12 Archive Collected Data; 111 Input Capture; 3 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: 12 Ingress Tool Transfer; 21 Encrypted Channel; 1 Non-Standard Port; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; 1 Defacement; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph ID: 1467126; Sample: BDQfYL99b2.exe; Start date: 03/07/2024; Architecture: WINDOWS; Score: 100

Sample-level nodes: domains vegetachcnc.com, bossnacarpet.com, geoplugin.net; signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 7 other signatures

Process tree:
BDQfYL99b2.exe (started); signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  -> aspnet_wp.exe (started); network: bossnacarpet.com 173.255.204.62 (remote port 2556, local port 49710) LINODE-APLinodeLLCUS United States; vegetachcnc.com 107.173.4.18 (remote port 2556, local port 49713) AS-COLOCROSSINGUS United States; geoplugin.net 178.237.33.50 (remote port 80, local port 54068) ATOM86-ASATOM86NL Netherlands; signatures: Contains functionality to bypass UAC (CMSTPLUA); Contains functionalty to change the wallpaper; Contains functionality to steal Chrome passwords or cookies; 3 other signatures
  -> WerFault.exe (started); network: 52.168.117.173 (remote port 443, local port 54066) MICROSOFT-CORP-MSN-AS-BLOCKUS United States; dropped file: C:\ProgramData\Microsoft\...\Report.wer, Unicode
  -> conhost.exe (started)

Antivirus detection (Source; Detection; Scanner; Label):
BDQfYL99b2.exe; 34%; ReversingLabs; ByteCode-MSIL.Trojan.Zilla
No Antivirus matches
No Antivirus matches
No Antivirus matches

URL detection (Source; Detection; Scanner; Label):
http://geoplugin.net/json.gp; 0%; URL Reputation; safe
http://upx.sf.net; 0%; URL Reputation; safe
http://geoplugin.net/json.gp/C; 0%; URL Reputation; safe
bossnacarpet.com; 100%; Avira URL Cloud; malware
http://geoplugin.net/json.gpal; 0%; Avira URL Cloud; safe
http://geoplugin.net/json.gpr2; 0%; Avira URL Cloud; safe
http://geoplugin.net/json.gpG; 0%; Avira URL Cloud; safe
http://geoplugin.net/json.gpc; 0%; Avira URL Cloud; safe
http://geoplugin.net/json.gpl; 0%; Avira URL Cloud; safe
http://geoplugin.net/json.gpr&; 0%; Avira URL Cloud; safe
http://geoplugin.net/json.gp.; 0%; Avira URL Cloud; safe
http://geoplugin.net/json.gp/; 0%; Avira URL Cloud; safe

Contacted domains (Name; IP; Active; Malicious; Antivirus Detection; Reputation):
vegetachcnc.com; 107.173.4.18; true; true; (none listed); unknown
bossnacarpet.com; 173.255.204.62; true; true; (none listed); unknown
geoplugin.net; 178.237.33.50; true; false; (none listed); unknown

Contacted URLs (Name; Malicious; Antivirus Detection; Reputation):
http://geoplugin.net/json.gp; false; URL Reputation: safe; unknown
bossnacarpet.com; true; Avira URL Cloud: malware; unknown

URLs found in memory and binaries (Name; Source; Malicious; Antivirus Detection; Reputation):
http://geoplugin.net/json.gpal; aspnet_wp.exe, 00000003.00000003.2173592542.0000000004EE6000.00000004.00000020.00020000.00000000.sdmp, aspnet_wp.exe, 00000003.00000002.4567891787.0000000004EE6000.00000004.00000020.00020000.00000000.sdmp; false; Avira URL Cloud: safe; unknown
http://geoplugin.net/json.gpc; aspnet_wp.exe, 00000003.00000003.2173592542.0000000004EE6000.00000004.00000020.00020000.00000000.sdmp; false; Avira URL Cloud: safe; unknown
http://upx.sf.net; Amcache.hve.6.dr; false; URL Reputation: safe; unknown
http://geoplugin.net/json.gpG; aspnet_wp.exe, 00000003.00000003.2173592542.0000000004EE6000.00000004.00000020.00020000.00000000.sdmp, aspnet_wp.exe, 00000003.00000002.4567891787.0000000004EE6000.00000004.00000020.00020000.00000000.sdmp; false; Avira URL Cloud: safe; unknown
http://geoplugin.net/json.gp/C; BDQfYL99b2.exe, 00000000.00000002.2167087771.00000205CD11F000.00000004.00000800.00020000.00000000.sdmp, aspnet_wp.exe, 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp; false; URL Reputation: safe; unknown
http://geoplugin.net/json.gpl; aspnet_wp.exe, 00000003.00000003.2173592542.0000000004EE6000.00000004.00000020.00020000.00000000.sdmp, aspnet_wp.exe, 00000003.00000002.4567891787.0000000004EE6000.00000004.00000020.00020000.00000000.sdmp; false; Avira URL Cloud: safe; unknown
http://geoplugin.net/json.gpr&; aspnet_wp.exe, 00000003.00000003.2173592542.0000000004EE6000.00000004.00000020.00020000.00000000.sdmp; false; Avira URL Cloud: safe; unknown
http://geoplugin.net/json.gpr2; aspnet_wp.exe, 00000003.00000003.2173592542.0000000004EE6000.00000004.00000020.00020000.00000000.sdmp; false; Avira URL Cloud: safe; unknown
http://geoplugin.net/json.gp/; aspnet_wp.exe, 00000003.00000002.4567891787.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp; false; Avira URL Cloud: safe; unknown
http://geoplugin.net/json.gp.; aspnet_wp.exe, 00000003.00000003.2173592542.0000000004EE6000.00000004.00000020.00020000.00000000.sdmp; false; Avira URL Cloud: safe; unknown
Contacted IPs (IP; Domain; Country; ASN; ASN Name; Malicious):
52.168.117.173; unknown; United States; 8075; MICROSOFT-CORP-MSN-AS-BLOCKUS; false
173.255.204.62; bossnacarpet.com; United States; 63949; LINODE-APLinodeLLCUS; true
107.173.4.18; vegetachcnc.com; United States; 36352; AS-COLOCROSSINGUS; true
178.237.33.50; geoplugin.net; Netherlands; 8455; ATOM86-ASATOM86NL; false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1467126
Start date and time: 2024-07-03 18:22:57 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 43s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: BDQfYL99b2.exe (renamed because the original name is a hash value)
Original Sample Name: a2dcc2e9dd81e3a5f6440ed7027a86da.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winEXE@5/6@3/4
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 82%
• Number of executed functions: 53
• Number of non-executed functions: 191
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• VT rate limit hit for: BDQfYL99b2.exe
Time; Type; Description
12:23:52; API Interceptor; 1x Sleep call for process: WerFault.exe modified
12:24:25; API Interceptor; 4909453x Sleep call for process: aspnet_wp.exe modified
Joe Sandbox context by IP (Match; Associated Sample Name / URL; Detection; Threat Name; Context):
52.168.117.173:
  SecuriteInfo.com.Trojan.InstallCore.4086.24549.19610.exe; malicious; PrivateLoader, PureLog Stealer
  E5440A24.exe; malicious; Unknown
  SecuriteInfo.com.BackDoor.SpyBotNET.62.21177.12908.exe; malicious; EICAR, PureLog Stealer, zgRAT
  payment.pdf.exe; malicious; Apollo Agent
  DHL- CBJ520818836689.exe; malicious; Unknown
  XmlPad-Installer_273425.exe; malicious; Unknown
  Shift - Recipes_spn7g.exe; malicious; Unknown
  https://eu-central.storage.cloudconvert.com/tasks/004d6e18-5b09-432f-ae9a-7d0bef441692/%40%21Pa%20sc0d%C3%A9__-NewFiLes.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=cloudconvert-production%2F20240531%2Ffra%2Fs3%2Faws4_request&X-Amz-Date=20240531T054225Z&X-Amz-Expires=86400&X-Amz-Signature=e44f950daf1a1a2004947d6b8b5f8aa77838142684691288964d6f5027abcb41&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3D%22%40%21Pa%20sc0d%C3%A9__-NewFiLes.zip%22&response-content-type=application%2Fzip&x-id=GetObject; malicious; Vidar
  SecuriteInfo.com.Win32.Evo-gen.26431.15713.exe; malicious; LummaC, Amadey, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc
  1cEhV3HjIY.exe; malicious; Unknown
173.255.204.62:
  Quotation.xls; malicious; Remcos
  cKiTq7RRCn.exe; malicious; Remcos
  Quotation.xls; malicious; Remcos
  alr9GXGR1j.dll; malicious; Unknown
  Opdopbsaed.dll.dll; malicious; Unknown
  Inquiry[2023.10.11_08-07].vbs; malicious; IcedID
  DOCUMENT[2023.10.11_08-07]_2.vbs; malicious; IcedID
  Document[2023.10.11_08-07]_1.vbs; malicious; IcedID
  information[2023.10.11_08-07]_2.vbs; malicious; IcedID
  Document[2023.10.11_08-07].vbs; malicious; IcedID
107.173.4.18:
  PO_CEE-2340975.xls; malicious; Unknown; context: 107.173.4.18/800/audiodgse.exe
  Purchase_Order_9000011644.xls; malicious; AgentTesla; context: 107.173.4.18/220/audiodgse.exe
  order_sheet.xls; malicious; AgentTesla; context: 107.173.4.18/230/audiodgse.exe
  PO-210.xls; malicious; Unknown; context: 107.173.4.18/210/sihost.exe
  SOA.xls; malicious; AgentTesla; context: 107.173.4.18/200/sihost.exe
  PO#SWASA2200157.xls; malicious; AgentTesla; context: 107.173.4.18/170/sihost.exe
  SISF23208BP_1.xls; malicious; Unknown; context: 107.173.4.18/180/sihost.exe
  Shipping_bill_documents.xls; malicious; AgentTesla; context: 107.173.4.18/154/ishost.exe
  PO-58101.xls; malicious; AgentTesla; context: 107.173.4.18/160/ishost.exe

Joe Sandbox context by domain (Match; Associated Sample Name / URL; Detection; Threat Name; Context):
vegetachcnc.com:
  Quotation.xls; malicious; Remcos; context: 107.173.4.18
  cKiTq7RRCn.exe; malicious; Remcos; context: 107.173.4.18
  Quotation.xls; malicious; Remcos; context: 107.173.4.18
bossnacarpet.com:
  Quotation.xls; malicious; Remcos; context: 173.255.204.62
  cKiTq7RRCn.exe; malicious; Remcos; context: 173.255.204.62
  Quotation.xls; malicious; Remcos; context: 173.255.204.62
  3tBnHytMM4.exe; malicious; Remcos; context: 107.173.4.18
  Quotation.xls; malicious; Remcos; context: 107.173.4.18
  mkHTu6LjYc.exe; malicious; Remcos; context: 107.173.4.18
  Quotation.xls; malicious; Remcos; context: 107.173.4.18
  qkAfLpWvQu.exe; malicious; Remcos; context: 107.173.4.18
  Quotation.exe; malicious; Remcos; context: 107.173.4.18
  Shipping Document.P.df.exe; malicious; PrivateLoader, Remcos; context: 107.173.4.18
geoplugin.net:
  Quotation.xls; malicious; Remcos; context: 178.237.33.50
  Payment Advice__Swift-MT103.pdf.bat.exe; malicious; Remcos; context: 178.237.33.50
  UniCredit__Avviso di Pagamento.pdf.bat.exe; malicious; Remcos; context: 178.237.33.50
  file.exe; malicious; GuLoader, Remcos; context: 178.237.33.50
  172001946670b1e83321a2b0b2afa526495dda6118492d61c1dbccf1f24b87b00c0e2fc524979.dat-decoded.exe; malicious; Remcos; context: 178.237.33.50
  wcNDx6MT9O.exe; malicious; Remcos; context: 178.237.33.50
  cnaniAxghZ.exe; malicious; Remcos; context: 178.237.33.50
  xBkOubR0eL.exe; malicious; Remcos; context: 178.237.33.50
  PO#2195112.vbs; malicious; Remcos; context: 178.237.33.50
  TT_Payment_Slip.bat.exe; malicious; Remcos; context: 178.237.33.50
Associated Sample Name / URL | Detection | Threat Name | Context (IP)

Match: LINODE-APLinodeLLCUS
Quotation.xls | malicious | Remcos | 173.255.204.62
https://iwahadxi.hosted.phplist.com/lists/lt.php/?tid=eU1SAFEEUlZTABhUAVAGGAZWVFsfXVQLWkkDBQIAUAwCAgcAAldPWwdaBlNRVAgYVwEEXh9QClxcSQcAUlcbWgQGAAJVVwRXBAoBSQcBAVALVA8LHwIEXVtJUg8GVxsAVVMHGA5SB1EBC1YDAQQBDA | malicious | Unknown | 45.33.29.14
https://lnkd.in/e4hHCn_z | malicious | HTMLPhisher | 173.255.231.96
http://url2530.tvsmotor.com/ls/click?upn=u001.smInq0-2BkNc5oRshkzMLE7U6zcio2-2F9zwu1ZIXUanV0NJI-2BOrcqj0f4SCu-2B-2BWZYRJ5WulbQ5i5mBsK1zXEak-2FiMRG64aR-2FUGiDgoHteplEfqii9y-2FZm8OviJTU1sjmz7jpaYlxIO-2FZqsCEMZLobIAuBKqKOl6jqYqSAHVwBkUZuGRzhvuesvLIb-2BOJaFEug0CxFHH8i5A3U7lzl-2BTzhlR6ei7mav1762I-2BKvT-2Fk6a5kLUgUMy5HF64b8WrTGY5vFuTce1vV41Ab4MyQrOplI7tU5VMylICgXEGMOcA3lDJVs2-2BVa-2BmXMPQdZkUiKRaSMtyb23BSU13fAy94eMgbbpWGHvMycQlWPfPxKMDzYSeE5kVyJwAD8pphYTNvERMYMmCwKiJ4MAAmjiqW4JLB-2FG-2FQ-3D-3D7yf0_p4A4YQt8epDIK9HlKea9sV-2FOtqGPyWoKM4LjM22Z6dbxuq3iGRjCzJ5YebtyuIEIvPEZ2Hi95MwGR7xtnodhDM8Iaj1NIu5u9A6c7A4CmoLtPLA1AYBR71m8begekekKFtQMeZCPuBYlMudBl33wvV-2Fu39N8kuAyCAOxmPkHrWSpXaxCDYANLX8xWXDor5baRk0uk-2FQ6kftnlL1vkLQkwQ-3D-3D | malicious | Unknown | 50.116.55.211
https://lnkd.in/e7UhDEpW | malicious | HTMLPhisher | 96.126.106.143
https://scanner.topsec.com/?d=3744&r=auto&u=https%3A%2F%2Fmaknastudio.com%2Fpkyos&t=a4fe2e96fe6815a71cc8a7f1ae1196e6fbcf1f08 | malicious | HTMLPhisher | 178.79.169.182 (listed 3 times)
94.156.79.133-mips-2024-07-01T19_26_38.elf | malicious | Mirai, Gafgyt | 139.162.103.222
List of Required items and services.zip | malicious | GuLoader, RHADAMANTHYS | 139.162.152.24

Match: MICROSOFT-CORP-MSN-AS-BLOCKUS
https://eplogisticademexico-my.sharepoint.com/personal/natalyar_eplogistics_com1/_layouts/15/guestaccess.aspx?e=5%3aIF7Pg7&at=9&share=ElyrWNLgmPNHoLatr5CK5xABy6AUzd-VUKQ5lFH-DHWgkA | malicious | HTMLPhisher | 13.107.136.10 (listed 2 times)
https://m.exactag.com/ai.aspx?tc=d9550673bc40b07205bbd26a23a8d2e6b6b4f9&url=%68%74%74%70%25%33%41tuskerdigital.com%2Fwinner%2F24968%2F%2FdHJ1bXBzdWNrc2RpY2tAbWFpbC5ydQ== | malicious | HTMLPhisher | 40.126.32.136
https://url.us.m.mimecastprotect.com/s/GSubCpYn1pC4mvoJtD-hLP?domain=brileyfinancial-my.sharepoint.com | malicious | HTMLPhisher | 52.104.113.41
https://isothermcx-my.sharepoint.com/:o:/p/m_chiasson/EldSmlva1OBFixvWpubo0mgB0DZQ4Do42riWb9YO1XmP-g?e=5%3av4rvfI&at=9 | malicious | HTMLPhisher | 13.107.136.10
https://www.filemail.com/t/RuKZYfeB | malicious | HTMLPhisher | 20.82.124.160
https://m.exactag.com/ai.aspx?tc=d9177038bc40b07205bbd26a23a8d2e6b6b4f9&url=http%253Atheannapolis250.org%2Fwinner%2F14136%2F%2FYnJhbndlbGwubW9mZmF0QGtwcy5jb20= | malicious | HTMLPhisher | 52.98.243.18
Quarantined Messages (1).zip | malicious | HTMLPhisher | 52.109.28.46
https://kdftoiturescom.sharepoint.com/:f:/s/Public/EiJsAXrCZntIvTidUnkdk68B9BO58WCESI-JRSxpXut8mQ?e=5%3aDy13C9&at=9&xsdata=MDV8MDJ8bW5hZGVhdTJAc3FpLmdvdXYucWMuY2F8MTFlZGY3MWU5M2M0NDBjZTRmYzEwOGRjOWFjYmM5MjZ8YzRjZWI1N2Y3ZGY3NDFkMThiOTdhODUwNDhiOGU5NWV8MHwwfDYzODU1NTQ0NzI1ODU2Nzg2NnxVbmtub3dufFRXRnBiR1pzYjNkOGV5SldJam9pTUM0d0xqQXdNREFpTENKUUlqb2lWMmx1TXpJaUxDSkJUaUk2SWsxaGFXd2lMQ0pYVkNJNk1uMD18MHx8fA%3d%3d&sdata=ZnAvNUFualYyN0tLODVxUFB1eTNHc3hVNWNPU05tK1g1VzQxZ2xJMlhnOD0%3d&clickparams=eyAiWC1BcHBOYW1lIiA6ICJNaWNyb3NvZnQgT3V0bG9vayIsICJYLUFwcFZlcnNpb24iIDogIjE2LjAuMTc1MzEuMjAxOTAiLCAiT1MiIDogIldpbmRvd3MiIH0%3D | malicious | HTMLPhisher | 104.47.75.156
https://lnkd.in/exwPeXjc | malicious | HTMLPhisher | 13.107.42.14

Match: AS-COLOCROSSINGUS
Your file name without extension goes here.exe | malicious | FormBook | 107.174.145.78
Quotation.xls | malicious | Remcos | 107.173.4.18
Cuentas bancarias y cdigo ##Swift incorrecto.xla.xlsx | malicious | AgentTesla | 198.46.178.144
Ship particulars.xls | malicious | Unknown | 198.46.178.139
wcNDx6MT9O.exe | malicious | Remcos | 107.173.4.16
cnaniAxghZ.exe | malicious | Remcos | 107.175.229.139
execute_and_cleanup.sh | malicious | Unknown | 108.174.58.28
4YlwTsmpuZ.rtf | malicious | Unknown | 23.95.235.16
Payment_Advice.xls | malicious | Unknown | 192.3.179.150
DHL_AWB 98776013276.xls | malicious | FormBook | 23.95.235.16

Match: ATOM86-ASATOM86NL
Quotation.xls | malicious | Remcos | 178.237.33.50
Payment Advice__Swift-MT103.pdf.bat.exe | malicious | Remcos | 178.237.33.50
UniCredit__Avviso di Pagamento.pdf.bat.exe | malicious | Remcos | 178.237.33.50
file.exe | malicious | GuLoader, Remcos | 178.237.33.50
172001946670b1e83321a2b0b2afa526495dda6118492d61c1dbccf1f24b87b00c0e2fc524979.dat-decoded.exe | malicious | Remcos | 178.237.33.50
wcNDx6MT9O.exe | malicious | Remcos | 178.237.33.50
cnaniAxghZ.exe | malicious | Remcos | 178.237.33.50
xBkOubR0eL.exe | malicious | Remcos | 178.237.33.50
PO#2195112.vbs | malicious | Remcos | 178.237.33.50
TT_Payment_Slip.bat.exe | malicious | Remcos | 178.237.33.50
Associated Sample Name / URL | Detection | Threat Name | Context (IP)

Match: a0e9f5d64349fb13191bc781f81f42e1
7EulSGn18e.exe | malicious | LummaC | 52.168.117.173
NSLC_Billing_Document_No_0240255100.html | malicious | CVE-2024-21412 | 52.168.117.173
d8gZVaN0ms.exe | malicious | LummaC, Amadey, LummaC Stealer, Mars Stealer, RedLine, Stealc, Vidar | 52.168.117.173
Adjunto confirmacion de pedido.exe | malicious | DBatLoader, FormBook | 52.168.117.173
ZAM#U00d3WIENIE Nr.240702117398203XLS.exe | malicious | DBatLoader, FormBook | 52.168.117.173
#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe | malicious | Remcos, DBatLoader | 52.168.117.173
pago pendientes.xls | malicious | Unknown | 52.168.117.173
fechas de pago.xls | malicious | Unknown | 52.168.117.173
457525.xls | malicious | Unknown | 52.168.117.173
0cjB1Kh8zU.msi | malicious | Unknown | 52.168.117.173
                                                        No context
                                                        Process:C:\Windows\System32\WerFault.exe
                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):1.0511747411361483
                                                        Encrypted:false
                                                        SSDEEP:192:RuygQ0Ack+i0VeWphaWxey+XfzuiFfZ24lO8K:yQ0AcpVBphaGkXfzuiFfY4lO8K
                                                        MD5:FD0C40B2B490389351EEFBE876BEE3D3
                                                        SHA1:645F9901924B50217ADFEF471134F51499EA10AC
                                                        SHA-256:FE7B5B8877B2009AD86C4BB21275A0C698386F6CF6B199DB3B04117EB2816ACD
                                                        SHA-512:E74F1A99DE1257FF1E766E2ADEA3B5C6CB4C812364C755AAE8DC9F1C2E21A306C40EE1CEF152978154FC23700B725331AE915F299F87E558F65728C2BBAC4B62
                                                        Malicious:true
                                                        Reputation:low
Preview (UTF-16LE text decoded; cut off where the report truncates it):
Version=1
EventType=CLR20r3
EventTime=133644974294026694
ReportType=2
Consent=1
UploadTime=133644974301370507
ReportStatus=524384
ReportIdentifier=a3bb7f14-0094-4484-b8c1-c1187a5af28d
IntegratorReportIdentifier=a07cb501-c1f3-429a-975c-85caee617c01
Wow64Host=34404
NsAppName=BDQfYL99b2.exe
OriginalFilename=Atakacipaxelubigeto
AppSessionGuid=0000063c-0001-0015-a0c2-266165cdda01
TargetAppId=W:000602a53c29037b751f48073b68faf85f9c00000000!00003518e330ef6c682445bed81d6ae4e167b003ae4b!BDQf
Note: CLR20r3 is the Windows Error Reporting event type for an unhandled .NET exception, so the submitted process itself crashed at some point; OriginalFilename (Atakacipaxelubigeto) is the name carried in the assembly's version resource and differs from the submitted file name, and the SHA1 of the sample appears inside TargetAppId.
                                                        Process:C:\Windows\System32\WerFault.exe
                                                        File Type:Mini DuMP crash report, 16 streams, Wed Jul 3 16:23:49 2024, 0x1205a4 type
                                                        Category:dropped
                                                        Size (bytes):418192
                                                        Entropy (8bit):3.330822188410937
                                                        Encrypted:false
                                                        SSDEEP:3072:JyG1+l8W0u82FLcm1CCq6Fv3+vn+D8m4lIVxzcSk:JyGcbq6Fv3Q+oad
                                                        MD5:B6211397D3D69378C173C9255029CC8C
                                                        SHA1:3966A41D0316B86CEA5C31FEE97C72DB1D19A5D1
                                                        SHA-256:18478EBA40FE051B5EFD2E4D85DE3E7A4A393EE85E129147B7E90079794CFB31
                                                        SHA-512:49C7D72F5E6B69B88F2157E0FE1575ED8A2A5CA2A330E9628388862B862BCA41928AA77CB9392CE62A422E0FB669B759CF51B12CB7D8FDFD5A887B9B737E7018
                                                        Malicious:false
                                                        Reputation:low
                                                        Preview:MDMP..a..... ........{.f........................D...........$...H...........l........H...w..........l.......8...........T............)...7...........9..........t;..............................................................................eJ.......<......Lw......................T.......<....{.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                        Process:C:\Windows\System32\WerFault.exe
                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):8818
                                                        Entropy (8bit):3.710969356968757
                                                        Encrypted:false
                                                        SSDEEP:192:R6l7wVeJWSb6Y2D3igmfZLH0oprH89bZB0f0snzm:R6lXJbb6Yqigmf1kZifk
                                                        MD5:6EDD64963A6E0D88198F598499E8630A
                                                        SHA1:B2C752385CB8E633B2F9408959029282FD43D915
                                                        SHA-256:7AB2E6971B84137BED1E6A13D4B59269176693617FC33E7B063F63217F2272C0
                                                        SHA-512:B5BCFB52C59262DFE9140113E25B91C181C6B92A5AFA99F5BD6DD1C2C15FC70EEDE078B3613EA371BB0ADD88FA9667D22FDEB0F3286BF4934EC8219EF7C33801
                                                        Malicious:false
                                                        Reputation:low
Preview (UTF-16LE text decoded; cut off where the report truncates it):
<?xml version="1.0" encoding="UTF-16"?>
<WERReportMetadata>
  <OSVersionInformation>
    <WindowsNTVersion>10.0</WindowsNTVersion>
    <Build>19045</Build>
    <Product>(0x30): Windows 10 Pro</Product>
    <Edition>Professional</Edition>
    <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>
    <Revision>2006</Revision>
    <Flavor>Multiprocessor Free</Flavor>
    <Architecture>X64</Architecture>
    <LCID>2057</LCID>
  </OSVersionInformation>
  <ProcessInformation>
    <Pid>1596</Pi
                                                        Process:C:\Windows\System32\WerFault.exe
                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):4824
                                                        Entropy (8bit):4.518270633933075
                                                        Encrypted:false
                                                        SSDEEP:48:cvIwWl8zsNXJg771I9FSWpW8VYZvYm8M4J382EE6Fwfjyq8vo2EEk1E8tNCd:uIjfzI7yz7VVJ/JPjW7JkyECd
                                                        MD5:53772D61CDC003CBABE25228734A1CEB
                                                        SHA1:CFF704D712FCBB3E2F6ED912A824CFBCF70DE220
                                                        SHA-256:9D993EA560E32F8F6525A2260693622C3895D4E9A27580C3327BA4D63E06D6C7
                                                        SHA-512:DE8993A7E5B8F23D87A4670D92BA38682517668F5F7246B4E7A4223A98A18D7EA45C0217BBFF33C86C56F1A7A8A5E7E0247AD60C8A273C12AB7160ECD41DDEDF
                                                        Malicious:false
                                                        Reputation:low
Preview (CRLF line breaks restored; cut off where the report truncates it):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<req ver="2">
  <tlm>
    <src>
      <desc>
        <mach>
          <os>
            <arg nm="vermaj" val="10" />
            <arg nm="vermin" val="0" />
            <arg nm="verbld" val="19045" />
            <arg nm="vercsdbld" val="2006" />
            <arg nm="verqfe" val="2006" />
            <arg nm="csdbld" val="2006" />
            <arg nm="versp" val="0" />
            <arg nm="arch" val="9" />
            <arg nm="lcid" val="2057" />
            <arg nm="geoid" val="223" />
            <arg nm="sku" val="48" />
            <arg nm="domain" val="0" />
            <arg nm="prodsuite" val="256" />
            <arg nm="ntprodtype" val="1" />
            <arg nm="platid" val="2" />
            <arg nm="tmsi" val="395006" />
            <arg nm="osinsty" val="1" />
            <arg nm="iever" val="11.789.19041.0-11.0.1000" />
            <arg nm="portos" val="0" />
            <arg nm="ram" val="409
                                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
                                                        File Type:JSON data
                                                        Category:dropped
                                                        Size (bytes):962
                                                        Entropy (8bit):5.013811273052389
                                                        Encrypted:false
                                                        SSDEEP:12:tklu+mnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlu+KdRNuKyGX85jvXhNlT3/7AcV9Wro
                                                        MD5:18BC6D34FABB00C1E30D98E8DAEC814A
                                                        SHA1:D21EF72B8421AA7D1F8E8B1DB1323AA93B884C54
                                                        SHA-256:862D5523F77D193121112B15A36F602C4439791D03E24D97EF25F3A6CBE37ED0
                                                        SHA-512:8DF14178B08AD2EDE670572394244B5224C8B070199A4BD851245B88D4EE3D7324FC7864D180DE85221ADFBBCAACB9EE9D2A77B5931D4E878E27334BF8589D71
                                                        Malicious:false
                                                        Reputation:moderate, very likely benign file
Preview (line breaks restored):
{
  "geoplugin_request":"8.46.123.33",
  "geoplugin_status":200,
  "geoplugin_delay":"1ms",
  "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",
  "geoplugin_city":"New York",
  "geoplugin_region":"New York",
  "geoplugin_regionCode":"NY",
  "geoplugin_regionName":"New York",
  "geoplugin_areaCode":"",
  "geoplugin_dmaCode":"501",
  "geoplugin_countryCode":"US",
  "geoplugin_countryName":"United States",
  "geoplugin_inEU":0,
  "geoplugin_euVATrate":false,
  "geoplugin_continentCode":"NA",
  "geoplugin_continentName":"North America",
  "geoplugin_latitude":"40.7123",
  "geoplugin_longitude":"-74.0068",
  "geoplugin_locationAccuracyRadius":"20",
  "geoplugin_timezone":"America\/New_York",
  "geoplugin_currencyCode":"USD",
  "geoplugin_currencySymbol":"$",
  "geoplugin_currencySymbol_UTF8":"$",
  "geoplugin_currencyConverter":0
}
Note: this is the body of a geoplugin geolocation lookup for the sandbox's egress address (geoplugin_request). The process that wrote it is aspnet_wp.exe, the ASP.NET worker process, which has no legitimate reason to geolocate itself; a lookup of this kind from that process points at code running inside it rather than at the binary's own behaviour.
                                                        Process:C:\Windows\System32\WerFault.exe
                                                        File Type:MS Windows registry file, NT/2000 or above
                                                        Category:dropped
                                                        Size (bytes):1835008
                                                        Entropy (8bit):4.469059449419846
                                                        Encrypted:false
                                                        SSDEEP:6144:EzZfpi6ceLPx9skLmb0fuZWSP3aJG8nAgeiJRMMhA2zX4WABluuNjjDH5S:qZHtuZWOKnMM6bFpBj4
                                                        MD5:CB113A058142B521BF1A606A4A46DBDD
                                                        SHA1:17F5E38DDBFB66CFFD616BA980385716EBDAD967
                                                        SHA-256:A61E186E7B893024388B9CFE8042CF6F40BA9F058BD183C08627E7ADBD12DA5B
                                                        SHA-512:78961EBFFA4839D8A090BDBD929FCFCCACBB2903F153D277913C67DDE51FBD8E5713BC479021F5F8CE58125CA348E2938740D005C991C34205FE02597949B925
                                                        Malicious:false
                                                        Reputation:low
                                                        Preview:regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.,.be.................................................................................................................................................................................................................................................................................................................................................V........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                        File type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                                                        Entropy (8bit):4.854329136763004
                                                        TrID:
                                                        • Win64 Executable Console Net Framework (206006/5) 48.58%
                                                        • Win64 Executable Console (202006/5) 47.64%
                                                        • Win64 Executable (generic) (12005/4) 2.83%
                                                        • Generic Win/DOS Executable (2004/3) 0.47%
                                                        • DOS Executable Generic (2002/1) 0.47%
                                                        File name:BDQfYL99b2.exe
                                                        File size:3'397'673 bytes
                                                        MD5:a2dcc2e9dd81e3a5f6440ed7027a86da
                                                        SHA1:3518e330ef6c682445bed81d6ae4e167b003ae4b
                                                        SHA256:3521381fadca86cfc577e8aa81ecff5f3453102559bb7e86d903d9b87db1456c
                                                        SHA512:974da06cf41da5d6e65bf834394ec0e478df55745c922cc7d5b3f8ec6501b1dff5a0b866b8c53c01519f53bee1bf7aeec54e1e6515b105d24f7f5c4a2ec97d9e
                                                        SSDEEP:24576:Q785OVnJmAZaTGTFh98WK3vFLkjKsxnerYU:958BI0FhiKj7nerYU
                                                        TLSH:BAF52209B7871E63FD584979D9D232F886FCEE63B0F6A68FEF815C62855A53C4210270
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....X.f.........."...0.................. ....@...... ....................................`................................
                                                        Icon Hash:00928e8e8686b000
                                                        Entrypoint:0x400000
                                                        Entrypoint Section:
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows cui
                                                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                        Time Stamp:0x66845801 [Tue Jul 2 19:41:53 2024 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:4
                                                        OS Version Minor:0
                                                        File Version Major:4
                                                        File Version Minor:0
                                                        Subsystem Version Major:4
                                                        Subsystem Version Minor:0
                                                        Import Hash:
Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
Note: AddressOfEntryPoint is 0 (Entrypoint equals Imagebase and Entrypoint Section is empty), so the bytes disassembled here are the first twelve bytes of the DOS header (4D 5A 90 00 03 00 00 00 04 00 00 00: "MZ" followed by e_cblp, e_cp, e_crlc and e_cparhdr) read as x86 code, and they carry no meaning. Execution of this assembly starts through the CLR header referenced by IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (0x2000), not through a native entry point, which is also why the import table, IAT and Import Hash are empty.
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x94c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xa180 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x821a | 0x8400 | d15bce266203201bcde836781e36d6bf | False | 0.6218039772727273 | data | 6.401224493840407 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xc000 | 0x94c | 0xa00 | d9e50c9bae0ee9db8a337b6b80e0e56e | False | 0.3015625 | data | 4.34200337006138 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Note: the two sections' raw sizes total 0x8e00 (36,352) bytes, while the file is 3'397'673 bytes. Roughly 3.3 MB therefore lies outside the section table as overlay, which the loader never maps; the whole-file entropy of 4.85 describes that overlay far more than the 36 KB of mapped sections (.text alone is at 6.40).
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xc0b8 | 0x354 | data | | | 0.49295774647887325
RT_VERSION | 0xc40c | 0x354 | data | English | United States | 0.49295774647887325
RT_MANIFEST | 0xc760 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
Language of compilation system | Country where language is spoken
English | United States
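The section table above gives each section's raw size, MD5 and entropy, and the gap between the sections' raw sizes and the file size is what exposes the overlay. The following is an added example of how to derive those same figures from a PE on disk; it is not Joe Sandbox code and it does not parse the real sample. The image it runs on is constructed inline and only mimics this report's layout (.text at RVA 0x2000 with 0x8400 raw bytes, .rsrc at RVA 0xc000 with 0xa00 raw bytes); the overlay it appends, the byte patterns in the sections and the 0x200 file alignment are assumptions made for the example.

```python
"""Static PE triage: section table, per-section entropy and overlay size.

Added example (not Joe Sandbox code, not the sample). Field offsets follow the PE/COFF
format; the image is constructed inline and only mimics the report's section layout.
"""
import hashlib
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Walk the COFF section table and describe each section from its raw file bytes."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40                  # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        characteristics = struct.unpack_from("<I", pe, off + 36)[0]
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "raw_size": raw_size, "raw_ptr": raw_ptr,
            "md5": hashlib.md5(raw).hexdigest(),
            "entropy": shannon_entropy(raw),
            "executable": bool(characteristics & IMAGE_SCN_MEM_EXECUTE),
        })
    return sections


def overlay_size(pe: bytes) -> int:
    """Bytes after the last section's raw data: the loader never maps them."""
    end = max((s["raw_ptr"] + s["raw_size"] for s in parse_sections(pe)), default=0)
    return max(0, len(pe) - end)


def build_sample_pe(text: bytes, rsrc: bytes, overlay: bytes) -> bytes:
    """Construct a minimal PE32+ image with .text and .rsrc plus an appended overlay.
    Test data only: header fields are zero except the ones the parser reads."""
    e_lfanew, opt_size = 0x80, 0xF0                        # 0xF0 = PE32+ optional header size
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    # COFF header: Machine=AMD64, 2 sections, no timestamp/symbols, SizeOfOptionalHeader, Characteristics
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B).ljust(opt_size, b"\0")  # Magic=PE32+, rest zeroed
    headers_len = e_lfanew + 4 + 20 + opt_size + 2 * 40
    text_ptr = (headers_len + 0x1FF) & ~0x1FF              # assumed 0x200 file alignment
    rsrc_ptr = text_ptr + len(text)

    def section(name, va, data, ptr, characteristics):
        return struct.pack("<8sIIIIIIHHI", name, len(data), va, len(data), ptr, 0, 0, 0, 0, characteristics)

    table = (section(b".text", 0x2000, text, text_ptr, 0x60000020)     # CODE|EXECUTE|READ
             + section(b".rsrc", 0xC000, rsrc, rsrc_ptr, 0x40000040))  # INITIALIZED_DATA|READ
    image = (dos + coff + opt + table).ljust(text_ptr, b"\0") + text + rsrc
    return image + overlay


def triage_constructed_sample() -> dict:
    """Run the parser over a constructed image that mirrors the report's section sizes."""
    text = bytes(range(256)) * (0x8400 // 256)   # every byte value equally often: entropy 8.0
    rsrc = b"\0" * 0xA00                          # constant bytes: entropy 0.0
    overlay = b"\xAB" * 4096                      # constructed overlay; its size is arbitrary
    pe = build_sample_pe(text, rsrc, overlay)
    return {"sections": parse_sections(pe), "overlay": overlay_size(pe), "file_size": len(pe)}


if __name__ == "__main__":
    result = triage_constructed_sample()
    for s in result["sections"]:
        print(f'{s["name"]:<6} va=0x{s["va"]:x} raw=0x{s["raw_size"]:x} '
              f'entropy={s["entropy"]:.2f} exec={s["executable"]} md5={s["md5"]}')
    print(f'overlay: {result["overlay"]} of {result["file_size"]} bytes')
```

Pointing `parse_sections` and `overlay_size` at the bytes of a real file reproduces the report's per-section MD5 and entropy columns and gives the overlay size the report leaves implicit; an overlay that dwarfs the mapped sections, as it does here, is the first thing to carve out and inspect on its own.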
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 3, 2024 18:23:49.840590000 CEST | 49710 | 2556 | 192.168.2.6 | 173.255.204.62
Jul 3, 2024 18:23:49.854367018 CEST | 2556 | 49710 | 173.255.204.62 | 192.168.2.6
Jul 3, 2024 18:23:49.854459047 CEST | 49710 | 2556 | 192.168.2.6 | 173.255.204.62
Jul 3, 2024 18:23:49.860152960 CEST | 49710 | 2556 | 192.168.2.6 | 173.255.204.62
Jul 3, 2024 18:23:49.888123989 CEST | 2556 | 49710 | 173.255.204.62 | 192.168.2.6
Jul 3, 2024 18:23:51.273969889 CEST | 2556 | 49710 | 173.255.204.62 | 192.168.2.6
Jul 3, 2024 18:23:51.274060965 CEST | 49710 | 2556 | 192.168.2.6 | 173.255.204.62
Jul 3, 2024 18:23:51.274408102 CEST | 49710 | 2556 | 192.168.2.6 | 173.255.204.62
Jul 3, 2024 18:23:51.279272079 CEST | 2556 | 49710 | 173.255.204.62 | 192.168.2.6
Jul 3, 2024 18:23:51.669696093 CEST | 49713 | 2556 | 192.168.2.6 | 107.173.4.18
Jul 3, 2024 18:23:51.674642086 CEST | 2556 | 49713 | 107.173.4.18 | 192.168.2.6
Jul 3, 2024 18:23:51.674725056 CEST | 49713 | 2556 | 192.168.2.6 | 107.173.4.18
Jul 3, 2024 18:23:51.679076910 CEST | 49713 | 2556 | 192.168.2.6 | 107.173.4.18
Jul 3, 2024 18:23:51.684470892 CEST | 2556 | 49713 | 107.173.4.18 | 192.168.2.6
Jul 3, 2024 18:23:52.162998915 CEST | 2556 | 49713 | 107.173.4.18 | 192.168.2.6
Jul 3, 2024 18:23:52.207493067 CEST | 49713 | 2556 | 192.168.2.6 | 107.173.4.18
Jul 3, 2024 18:23:52.296348095 CEST | 2556 | 49713 | 107.173.4.18 | 192.168.2.6
Jul 3, 2024 18:23:52.300503016 CEST | 49713 | 2556 | 192.168.2.6 | 107.173.4.18
Jul 3, 2024 18:23:52.305525064 CEST | 2556 | 49713 | 107.173.4.18 | 192.168.2.6
Jul 3, 2024 18:23:52.305586100 CEST | 49713 | 2556 | 192.168.2.6 | 107.173.4.18
Jul 3, 2024 18:23:52.310734034 CEST | 2556 | 49713 | 107.173.4.18 | 192.168.2.6
Jul 3, 2024 18:23:52.310791016 CEST | 49713 | 2556 | 192.168.2.6 | 107.173.4.18
Jul 3, 2024 18:23:52.315608978 CEST | 2556 | 49713 | 107.173.4.18 | 192.168.2.6
Jul 3, 2024 18:23:52.470298052 CEST | 54066 | 443 | 192.168.2.6 | 52.168.117.173
Jul 3, 2024 18:23:52.470334053 CEST | 443 | 54066 | 52.168.117.173 | 192.168.2.6
Jul 3, 2024 18:23:52.470411062 CEST | 54066 | 443 | 192.168.2.6 | 52.168.117.173
Jul 3, 2024 18:23:52.472063065 CEST | 54066 | 443 | 192.168.2.6 | 52.168.117.173
Jul 3, 2024 18:23:52.472079992 CEST | 443 | 54066 | 52.168.117.173 | 192.168.2.6
Jul 3, 2024 18:23:52.751934052 CEST | 2556 | 49713 | 107.173.4.18 | 192.168.2.6
Jul 3, 2024 18:23:52.753418922 CEST | 49713 | 2556 | 192.168.2.6 | 107.173.4.18
Jul 3, 2024 18:23:52.758658886 CEST | 2556 | 49713 | 107.173.4.18 | 192.168.2.6
Jul 3, 2024 18:23:52.848371029 CEST | 2556 | 49713 | 107.173.4.18 | 192.168.2.6
Jul 3, 2024 18:23:52.894923925 CEST | 49713 | 2556 | 192.168.2.6 | 107.173.4.18
Jul 3, 2024 18:23:53.056610107 CEST | 443 | 54066 | 52.168.117.173 | 192.168.2.6
Jul 3, 2024 18:23:53.056679964 CEST | 54066 | 443 | 192.168.2.6 | 52.168.117.173
Jul 3, 2024 18:23:53.061501980 CEST | 54066 | 443 | 192.168.2.6 | 52.168.117.173
Jul 3, 2024 18:23:53.061516047 CEST | 443 | 54066 | 52.168.117.173 | 192.168.2.6
Jul 3, 2024 18:23:53.061996937 CEST | 443 | 54066 | 52.168.117.173 | 192.168.2.6
Jul 3, 2024 18:23:53.113693953 CEST | 54066 | 443 | 192.168.2.6 | 52.168.117.173
Jul 3, 2024 18:23:53.118166924 CEST | 54066 | 443 | 192.168.2.6 | 52.168.117.173
Jul 3, 2024 18:23:53.119170904 CEST | 54066 | 443 | 192.168.2.6 | 52.168.117.173
Jul 3, 2024 18:23:53.472390890 CEST | 54068 | 80 | 192.168.2.6 | 178.237.33.50
Jul 3, 2024 18:23:53.479872942 CEST | 80 | 54068 | 178.237.33.50 | 192.168.2.6
Jul 3, 2024 18:23:53.482372999 CEST | 54068 | 80 | 192.168.2.6 | 178.237.33.50
Jul 3, 2024 18:23:53.482587099 CEST | 54068 | 80 | 192.168.2.6 | 178.237.33.50
Jul 3, 2024 18:23:53.487611055 CEST | 80 | 54068 | 178.237.33.50 | 192.168.2.6
Jul 3, 2024 18:23:54.099636078 CEST | 80 | 54068 | 178.237.33.50 | 192.168.2.6
Jul 3, 2024 18:23:54.099714994 CEST | 54068 | 80 | 192.168.2.6 | 178.237.33.50
Jul 3, 2024 18:23:54.125747919 CEST | 49713 | 2556 | 192.168.2.6 | 107.173.4.18
Jul 3, 2024 18:23:54.130959034 CEST | 2556 | 49713 | 107.173.4.18 | 192.168.2.6
Jul 3, 2024 18:23:55.099380016 CEST | 80 | 54068 | 178.237.33.50 | 192.168.2.6
Jul 3, 2024 18:23:55.099503040 CEST | 54068 | 80 | 192.168.2.6 | 178.237.33.50
Jul 3, 2024 18:24:17.058356047 CEST | 2556 | 49713 | 107.173.4.18 | 192.168.2.6
Jul 3, 2024 18:24:17.060362101 CEST | 49713 | 2556 | 192.168.2.6 | 107.173.4.18
Jul 3, 2024 18:24:17.065490961 CEST | 2556 | 49713 | 107.173.4.18 | 192.168.2.6
Jul 3, 2024 18:24:47.103502035 CEST | 2556 | 49713 | 107.173.4.18 | 192.168.2.6
Jul 3, 2024 18:24:47.105113983 CEST | 49713 | 2556 | 192.168.2.6 | 107.173.4.18
Jul 3, 2024 18:24:47.111633062 CEST | 2556 | 49713 | 107.173.4.18 | 192.168.2.6
Jul 3, 2024 18:25:17.168597937 CEST | 2556 | 49713 | 107.173.4.18 | 192.168.2.6
Jul 3, 2024 18:25:17.170353889 CEST | 49713 | 2556 | 192.168.2.6 | 107.173.4.18
Jul 3, 2024 18:25:17.185528040 CEST | 2556 | 49713 | 107.173.4.18 | 192.168.2.6
Jul 3, 2024 18:25:43.410823107 CEST | 54068 | 80 | 192.168.2.6 | 178.237.33.50
Jul 3, 2024 18:25:43.723113060 CEST | 54068 | 80 | 192.168.2.6 | 178.237.33.50
Jul 3, 2024 18:25:44.332531929 CEST | 54068 | 80 | 192.168.2.6 | 178.237.33.50
Jul 3, 2024 18:25:45.535626888 CEST | 54068 | 80 | 192.168.2.6 | 178.237.33.50
Jul 3, 2024 18:25:47.213154078 CEST | 2556 | 49713 | 107.173.4.18 | 192.168.2.6
Jul 3, 2024 18:25:47.214498043 CEST | 49713 | 2556 | 192.168.2.6 | 107.173.4.18
Jul 3, 2024 18:25:47.219316959 CEST | 2556 | 49713 | 107.173.4.18 | 192.168.2.6
Jul 3, 2024 18:25:47.941899061 CEST | 54068 | 80 | 192.168.2.6 | 178.237.33.50
Jul 3, 2024 18:25:52.754394054 CEST | 54068 | 80 | 192.168.2.6 | 178.237.33.50
Jul 3, 2024 18:26:02.363795996 CEST | 54068 | 80 | 192.168.2.6 | 178.237.33.50
Jul 3, 2024 18:26:17.200203896 CEST | 2556 | 49713 | 107.173.4.18 | 192.168.2.6
Jul 3, 2024 18:26:17.201591015 CEST | 49713 | 2556 | 192.168.2.6 | 107.173.4.18
Jul 3, 2024 18:26:17.208736897 CEST | 2556 | 49713 | 107.173.4.18 | 192.168.2.6
Jul 3, 2024 18:26:47.242168903 CEST | 2556 | 49713 | 107.173.4.18 | 192.168.2.6
Jul 3, 2024 18:26:47.243578911 CEST | 49713 | 2556 | 192.168.2.6 | 107.173.4.18
Jul 3, 2024 18:26:47.248769999 CEST | 2556 | 49713 | 107.173.4.18 | 192.168.2.6
Jul 3, 2024 18:27:17.271544933 CEST | 2556 | 49713 | 107.173.4.18 | 192.168.2.6
Jul 3, 2024 18:27:17.272944927 CEST | 49713 | 2556 | 192.168.2.6 | 107.173.4.18
Jul 3, 2024 18:27:17.295492887 CEST | 2556 | 49713 | 107.173.4.18 | 192.168.2.6
Jul 3, 2024 18:27:47.321290016 CEST | 2556 | 49713 | 107.173.4.18 | 192.168.2.6
Jul 3, 2024 18:27:47.322837114 CEST | 49713 | 2556 | 192.168.2.6 | 107.173.4.18
Jul 3, 2024 18:27:47.328975916 CEST | 2556 | 49713 | 107.173.4.18 | 192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 3, 2024 18:23:49.541173935 CEST | 50565 | 53 | 192.168.2.6 | 1.1.1.1
Jul 3, 2024 18:23:49.805603027 CEST | 53 | 50565 | 1.1.1.1 | 192.168.2.6
Jul 3, 2024 18:23:51.293663979 CEST | 65110 | 53 | 192.168.2.6 | 1.1.1.1
Jul 3, 2024 18:23:51.668421984 CEST | 53 | 65110 | 1.1.1.1 | 192.168.2.6
Jul 3, 2024 18:23:51.982155085 CEST | 53 | 58087 | 1.1.1.1 | 192.168.2.6
Jul 3, 2024 18:23:53.457401037 CEST | 52501 | 53 | 192.168.2.6 | 1.1.1.1
Jul 3, 2024 18:23:53.468405962 CEST | 53 | 52501 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 3, 2024 18:23:49.541173935 CEST | 192.168.2.6 | 1.1.1.1 | 0x35f1 | Standard query (0) | bossnacarpet.com | A (IP address) | IN (0x0001) | false
Jul 3, 2024 18:23:51.293663979 CEST | 192.168.2.6 | 1.1.1.1 | 0x69d1 | Standard query (0) | vegetachcnc.com | A (IP address) | IN (0x0001) | false
Jul 3, 2024 18:23:53.457401037 CEST | 192.168.2.6 | 1.1.1.1 | 0x9e9f | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 3, 2024 18:23:49.805603027 CEST | 1.1.1.1 | 192.168.2.6 | 0x35f1 | No error (0) | bossnacarpet.com | | 173.255.204.62 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 18:23:51.668421984 CEST | 1.1.1.1 | 192.168.2.6 | 0x69d1 | No error (0) | vegetachcnc.com | | 107.173.4.18 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 18:23:53.468405962 CEST | 1.1.1.1 | 192.168.2.6 | 0x9e9f | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                                        • umwatson.events.data.microsoft.com
                                                        • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 54068 | 178.237.33.50 | 80 | 4616 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
Timestamp | Bytes transferred | Direction | Data
Jul 3, 2024 18:23:53.482587099 CEST | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Jul 3, 2024 18:23:54.099636078 CEST | 1170 | IN | HTTP/1.1 200 OK
                                                        date: Wed, 03 Jul 2024 16:23:54 GMT
                                                        server: Apache
                                                        content-length: 962
                                                        content-type: application/json; charset=utf-8
                                                        cache-control: public, max-age=300
                                                        access-control-allow-origin: *
                                                        Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED]
                                                        Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 54066 | 52.168.117.173 | 443 | 3896 | C:\Windows\System32\WerFault.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-03 16:23:53 UTC | 1087 | OUT | POST /Telemetry.Request HTTP/1.1
                                                        Connection: Keep-Alive
                                                        User-Agent: MSDW
                                                        MSA_DeviceTicket: t=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&p=
                                                        Content-Length: 4828
                                                        Host: umwatson.events.data.microsoft.com



Target ID: 0
Start time: 12:23:46
Start date: 03/07/2024
Path: C:\Users\user\Desktop\BDQfYL99b2.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\BDQfYL99b2.exe"
Imagebase: 0x205bb1e0000
File size: 3'397'673 bytes
MD5 hash: A2DCC2E9DD81E3A5F6440ED7027A86DA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2165993017.00000205BCE10000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2167087771.00000205CD11F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2167087771.00000205CD11F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2167087771.00000205CD11F000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation: low
Has exited: true

Target ID: 1
Start time: 12:23:46
Start date: 03/07/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 12:23:48
Start date: 03/07/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
Imagebase: 0x1e0000
File size: 40'880 bytes
MD5 hash: EF2DCDFF05E9679F8D0E2895D9A2E3BB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                        • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.4567891787.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: moderate
Has exited: false

Target ID: 6
Start time: 12:23:49
Start date: 03/07/2024
Path: C:\Windows\System32\WerFault.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\WerFault.exe -u -p 1596 -s 1064
Imagebase: 0x7ff79aad0000
File size: 570'736 bytes
MD5 hash: FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true


Execution Graph

Execution Coverage: 11.9%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 6
Total number of Limit Nodes: 0
Execution graph paths (node addresses, with the API resolved at a node in parentheses):
7ffd347033ea -> 7ffd347033f9 (VirtualProtect) -> 7ffd347034d1
7ffd34700921 -> 7ffd3470094f (FreeConsole) -> 7ffd347009ce

Control-flow Graph

[Control-flow graph of the function at 7ffd3470bde9 (basic blocks from 7ffd3470bde9 to 7ffd3470c26b, nodes marked Executed / Not Executed in the original rendering); call targets within the graph: 7ffd34707250, 7ffd347079b0, 7ffd3470b350, 7ffd347075f0, 7ffd34703d88]
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2170729165.00007FFD34700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34700000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffd34700000_BDQfYL99b2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: >{4$ >{4$ >{4$ >{4
                                                          • API String ID: 0-4010237645
                                                          • Opcode ID: 06b5a52a0c742800b0668f58aa35b6a4a193d5125fe0912ce316595eda4c8e21
                                                          • Instruction ID: c3e736ad35d8c788970edf5d666505b9e4c9b9ea01d5a87d6abf35aaed210bd2
                                                          • Opcode Fuzzy Hash: 06b5a52a0c742800b0668f58aa35b6a4a193d5125fe0912ce316595eda4c8e21
                                                          • Instruction Fuzzy Hash: 72F167B160DB868FE31DCB2888E51B577D2FF92301B14467ED5CAC72A1DA28B846C7C1

Control-flow Graph

[Control-flow graph of the function at 7ffd347043ec (basic blocks from 7ffd347043ec to 7ffd347047bc, nodes marked Executed / Not Executed in the original rendering); call targets within the graph: 7ffd34703a40, 7ffd34703b10, 7ffd34703d70, 7ffd34703d78, 7ffd347001d8, 7ffd34701ee0, 7ffd34703b18]
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2170729165.00007FFD34700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34700000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffd34700000_BDQfYL99b2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: fish$h$y4$xzy4$yy4
                                                          • API String ID: 0-2016400660
                                                          • Opcode ID: 72d57c41d1f343638d9bd4677c247b4f8ae2b09f76af380ee2abb7b276e8ce8c
                                                          • Instruction ID: 4b2cd3ab8de4c00f745925a060271fed24a864471c39f1d98e38a853133ec132
                                                          • Opcode Fuzzy Hash: 72d57c41d1f343638d9bd4677c247b4f8ae2b09f76af380ee2abb7b276e8ce8c
                                                          • Instruction Fuzzy Hash: 41D12771B1DA4A4FE75CAB2898A55B577E1FF97310B04417EE58BC3293ED28B80287C1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2171074902.00007FFD347E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffd347e0000_BDQfYL99b2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: B{4
                                                          • API String ID: 0-521633028
                                                          • Opcode ID: 68f459ae2526b165a4752fbe072289136241c1c10fda4d51cd68702706cd0fab
                                                          • Instruction ID: c9ea16be3dc3d630de0d77a240fa49862181e5fbe5424e4c4894afc602e1ae95
                                                          • Opcode Fuzzy Hash: 68f459ae2526b165a4752fbe072289136241c1c10fda4d51cd68702706cd0fab
                                                          • Instruction Fuzzy Hash: EEE219B2A0DBD58FE756DB2888A55A57BE0FF57300F0C06BAD189CB193D92C7846C781

                                                          Control-flow Graph (rendered graph flattened to a token stream; the node and edge list is omitted here): function 7ffd34701500-7ffd34702bd8, calling 7ffd347014f8 and 7ffd34701518 (from two sites).
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2170729165.00007FFD34700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34700000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffd34700000_BDQfYL99b2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: d$O_H
                                                          • API String ID: 0-2920189622
                                                          • Opcode ID: e554f1873ff744ef44af54e2beaed1bc8429afddc1d042bb8882f1dbf663a1b1
                                                          • Instruction ID: 8761d2d9f0db0c411bd9ee4818761c37b266601707d58b8e62ed0795de700f3b
                                                          • Opcode Fuzzy Hash: e554f1873ff744ef44af54e2beaed1bc8429afddc1d042bb8882f1dbf663a1b1
                                                          • Instruction Fuzzy Hash: E6325672B1DA458FE369DB2888A15B273E0FF52314B1442BED19AC3597DE29FC438780

                                                          Control-flow Graph (rendered graph flattened to a token stream; the node and edge list is omitted here): function 7ffd347014fd-7ffd34701b4b, calling 7ffd34701428, 7ffd34701500 (several sites), 7ffd34701800 and 7ffd347014f0 (several sites).
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2170729165.00007FFD34700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34700000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffd34700000_BDQfYL99b2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0O_I$1O_I
                                                          • API String ID: 0-4034699925
                                                          • Opcode ID: 958f3187a121257ac0af5c8322a4b7496b6a52e44217167a0ce981d45eb259d3
                                                          • Instruction ID: a8656cc480e0ba6210209bbc7a92792ce422030d05da5f2984da1bd0e8f75626
                                                          • Opcode Fuzzy Hash: 958f3187a121257ac0af5c8322a4b7496b6a52e44217167a0ce981d45eb259d3
                                                          • Instruction Fuzzy Hash: F7C11C97B0F9C18BE711676D6CA51E57B80EFC232971801BBD288DE187DC19BC4993D2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2170729165.00007FFD34700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34700000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffd34700000_BDQfYL99b2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: B{4
                                                          • API String ID: 0-521633028
                                                          • Opcode ID: b9b543e7fa51fafad672786cab83b4de45db372188dc40b5fe69529f1fae49e6
                                                          • Instruction ID: ad4818023701563d505c986cbd4398e4afb694d9f95afad7cec8d7e1dbdb98b0
                                                          • Opcode Fuzzy Hash: b9b543e7fa51fafad672786cab83b4de45db372188dc40b5fe69529f1fae49e6
                                                          • Instruction Fuzzy Hash: E572687160CB8A8FE359DB28C4A56B177E1FF96300B1445BED48AC7296DE28F846C7C1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2170729165.00007FFD34700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34700000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffd34700000_BDQfYL99b2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: d
                                                          • API String ID: 0-2564639436
                                                          • Opcode ID: 7583ae45ab11ac3769812bb90120f4f9d9774ff77f67a634ae243596dfb44ba8
                                                          • Instruction ID: d457e6828b5fc0b5601413a35bb8fa3c95f688a8bba14fd8d26f19c7865d23e9
                                                          • Opcode Fuzzy Hash: 7583ae45ab11ac3769812bb90120f4f9d9774ff77f67a634ae243596dfb44ba8
                                                          • Instruction Fuzzy Hash: 3E0253B1B1DA468FE358DF2898D25B173D0EF42314B1842B9D98EC7197EE28F84287C1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2170729165.00007FFD34700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34700000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffd34700000_BDQfYL99b2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4c8b828a72ce54e24c5fe700520a91abfb89ca5b9269ebd440440368ec720c42
                                                          • Instruction ID: 1dd2f83ba73fbfd65fe1487153b58ba66ebe8f5102d2fab2925f4781b6dd3a9e
                                                          • Opcode Fuzzy Hash: 4c8b828a72ce54e24c5fe700520a91abfb89ca5b9269ebd440440368ec720c42
                                                          • Instruction Fuzzy Hash: 8652A870B1DA098FDB68EB28D8A567977E1FF5A301B14017DE44EC7292DE28FC429781
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2170729165.00007FFD34700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34700000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffd34700000_BDQfYL99b2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c62ffea82be80005c164c20e4814cff00b15089dccbfe219c863fc31165bde14
                                                          • Instruction ID: 87c6c0438f78810cb3f674403c03556e8b0cc5bd7413ecdeafde89ed46f13833
                                                          • Opcode Fuzzy Hash: c62ffea82be80005c164c20e4814cff00b15089dccbfe219c863fc31165bde14
                                                          • Instruction Fuzzy Hash: 013218A2B0E6568BE765BB6C98F51F637D0EF52318B0800B6D2CDDB193DE1C78468781
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2170729165.00007FFD34700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34700000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffd34700000_BDQfYL99b2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 03ab75dba82193ae7f0fc2ab96968f3596e68473f2c2f07b69878e97ec27a0ae
                                                          • Instruction ID: edb9feaea3f5c879980cd93a8d22d3783cdae90be10e6d594b4a99f09397391f
                                                          • Opcode Fuzzy Hash: 03ab75dba82193ae7f0fc2ab96968f3596e68473f2c2f07b69878e97ec27a0ae
                                                          • Instruction Fuzzy Hash: EEB1E470B185498BE768EB6C84A57B973D2EF99344F14017EE10EC72D7DD2ABC429281
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2170729165.00007FFD34700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34700000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffd34700000_BDQfYL99b2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 26a9a5b1492a7352b2e0204e4f526b36c15457acb5fd1f20c58c89fa0d8bd8b0
                                                          • Instruction ID: 07e92c8329e66ee661bfd7becdb74d925a9b657a07df1dbd08410159fd34f72e
                                                          • Opcode Fuzzy Hash: 26a9a5b1492a7352b2e0204e4f526b36c15457acb5fd1f20c58c89fa0d8bd8b0
                                                          • Instruction Fuzzy Hash: F741797270D24A0FD71E9A7888661B53B95EB83220B1583BFD187CB5E7EC2C6847C2D1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2170729165.00007FFD34700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34700000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffd34700000_BDQfYL99b2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c3e22f7b30516c1e48f8e3793cd4b730707b497f31640d498a8863416af52296
                                                          • Instruction ID: 8ab8812296e429d4a66813415b04ad438b0af863b18960a631211d6ddba06f22
                                                          • Opcode Fuzzy Hash: c3e22f7b30516c1e48f8e3793cd4b730707b497f31640d498a8863416af52296
                                                          • Instruction Fuzzy Hash: 76418A71B0D64A0FD71E9A7488751B23B95EB83310B1582BED087CB1E7DC2C6846C3D1
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2170729165.00007FFD34700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34700000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffd34700000_BDQfYL99b2.jbxd
                                                          Similarity
                                                          • API ID: ProtectVirtual
                                                          • String ID:
                                                          • API String ID: 544645111-0
                                                          • Opcode ID: 8fe7bd1d861597122852e5a8c7b051e88c607b836e439e158e2750efe96b4ea7
                                                          • Instruction ID: f9c9c9c25f6cd2006194ebb7304e32a2ab01c79a76524a2e9b2cbbec09ff8879
                                                          • Opcode Fuzzy Hash: 8fe7bd1d861597122852e5a8c7b051e88c607b836e439e158e2750efe96b4ea7
                                                          • Instruction Fuzzy Hash: 5841283090DB888FD71A9BA898566F97FF0EF56321F0402AFD089C71D2CB686856C7D1
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2170729165.00007FFD34700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34700000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffd34700000_BDQfYL99b2.jbxd
                                                          Similarity
                                                          • API ID: ConsoleFree
                                                          • String ID:
                                                          • API String ID: 771614528-0
                                                          • Opcode ID: 0a00d9db974383a065374138873aad4d3816624713db48fcb91d11ac48a6aa85
                                                          • Instruction ID: 81475c1d9148295159b4787a7391675fe0fa0b56e9e689956084772f601c66a6
                                                          • Opcode Fuzzy Hash: 0a00d9db974383a065374138873aad4d3816624713db48fcb91d11ac48a6aa85
                                                          • Instruction Fuzzy Hash: 8631CF3150C7488FDB54DFA8D895AEABBF0EF56320F0442AFD089C3552C778A84ACB51
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2171074902.00007FFD347E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffd347e0000_BDQfYL99b2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d7b21885a0e5b44ce17e76325f0ea413e8c0a63539745da6155ef47f468cb752
                                                          • Instruction ID: 93c7b9ea55f13b215df7aed92e82efac93240928050266098dc1cea3d97ecffe
                                                          • Opcode Fuzzy Hash: d7b21885a0e5b44ce17e76325f0ea413e8c0a63539745da6155ef47f468cb752
                                                          • Instruction Fuzzy Hash: 63710B71B0DB898FEB56DB1888B65A57BE0FF56304B0901BAD08AC75D3DE2DB841C781
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2171074902.00007FFD347E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffd347e0000_BDQfYL99b2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 441ce328c652908b2e1043c2b311cf99655e10cec696e7a9c1183c1931e7ee95
                                                          • Instruction ID: b6a39fa7a369252833ce43c62bc22d8a3cd7e023241a42328a9e49406f3ee709
                                                          • Opcode Fuzzy Hash: 441ce328c652908b2e1043c2b311cf99655e10cec696e7a9c1183c1931e7ee95
                                                          • Instruction Fuzzy Hash: 45312771B0894D8FEF95DF18C8A65BAB7E1FF55300B18027AD14AD7582DE29B881C7C0

                                                          Execution Graph

                                                          Execution Coverage: 4.2%
                                                          Dynamic/Decrypted Code Coverage: 0%
                                                          Signature Coverage: 5.2%
                                                          Total number of Nodes: 1377
                                                          Total number of Limit Nodes: 72
                                                          execution_graph (rendered graph flattened to a token stream; node ids and edges are omitted here, the API labels are kept and listed by node address):
                                                          • 4349f9: IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter (___scrt_fastfail)
                                                          • 434c52: IsProcessorFeaturePresent
                                                          • 4432f6: GetModuleHandleW
                                                          • 41cb50: LoadLibraryA, GetProcAddress
                                                          • 40e9e1: GetModuleFileNameW
                                                          • 413549, 4136f8, 4134ff: RegOpenKeyExA
                                                          • 413a23: RegOpenKeyExW
                                                          • 41376f: RegCreateKeyA
                                                          • 407755: CreateProcessA, CloseHandle, CloseHandle (___scrt_fastfail)
                                                          • 40efc8, 40f0eb, 40f13f, 40f1bb, 40f243, 40f258, 40f26d: CreateThread
                                                          • 40f0a1: StrToIntA
                                                          • 41b60d: GetComputerNameExW, GetUserNameW
                                                          • 40f240: SetProcessDEPPolicy
                                                          • 40f346: DeleteFileW, and 40f334: Sleep; the edges between 40f31e, 40f346, 40f34d and 40f334 form a loop, i.e. the delete is retried after a Sleep
                                                          • 449c3a: GetStdHandle
                                                          The remaining nodes carry only aggregate labels (for example 40fbb3: 118 API calls; 4120f7: 138 API calls; 40f474: 104 API calls; 419fb4: 103 API calls, 2 library calls; 401e65: 22 API calls; 43baac: _strftime, 40 API calls; 4344ea: new, 22 API calls; 434fcb: CatchGuardHandler, 5 API calls) or CRT helper names (___scrt_is_nonwritable_in_current_image, ___scrt_release_startup_lock, _Atexit, __EH_prolog, _wcslen, ctype).
47444->47446 47447 449c4d GetFileType 47444->47447 47445->47444 47446->47440 47447->47444 47449 434fd6 IsProcessorFeaturePresent 47448->47449 47450 434fd4 47448->47450 47452 435018 47449->47452 47450->47439 47455 434fdc SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 47452->47455 47454 4350fb 47454->47439 47455->47454 47457 434b27 GetStartupInfoW 47456->47457 47457->47140 47459 44f06b 47458->47459 47460 44f062 47458->47460 47459->47144 47463 44ef58 49 API calls 5 library calls 47460->47463 47462->47144 47463->47459 47465 41cb8f LoadLibraryA GetProcAddress 47464->47465 47466 41cb7f GetModuleHandleA GetProcAddress 47464->47466 47467 41cbb8 44 API calls 47465->47467 47468 41cba8 LoadLibraryA GetProcAddress 47465->47468 47466->47465 47467->47148 47468->47467 47884 41b4a8 FindResourceA 47469->47884 47473 40f3ed ctype 47894 4020b7 47473->47894 47476 401fe2 28 API calls 47477 40f413 47476->47477 47478 401fd8 11 API calls 47477->47478 47479 40f41c 47478->47479 47480 43bd51 ___std_exception_copy 21 API calls 47479->47480 47481 40f42d ctype 47480->47481 47900 406dd8 47481->47900 47483 40f460 47483->47150 47485 40210c 47484->47485 47486 4023ce 11 API calls 47485->47486 47487 402126 47486->47487 47488 402569 28 API calls 47487->47488 47489 402134 47488->47489 47489->47153 47954 4020df 47490->47954 47492 41be9e 47493 401fd8 11 API calls 47492->47493 47494 41bed0 47493->47494 47496 401fd8 11 API calls 47494->47496 47495 41bea0 47497 4041a2 28 API calls 47495->47497 47499 41bed8 47496->47499 47500 41beac 47497->47500 47501 401fd8 11 API calls 47499->47501 47502 401fe2 28 API calls 47500->47502 47504 40ea24 47501->47504 47505 41beb5 47502->47505 47503 401fe2 28 API calls 47511 41be2e 47503->47511 47512 40fb17 47504->47512 47506 401fd8 11 API calls 47505->47506 47508 41bebd 47506->47508 47507 401fd8 11 API calls 47507->47511 47962 41ce34 28 API calls 47508->47962 47511->47492 47511->47495 47511->47503 47511->47507 47958 4041a2 47511->47958 
47961 41ce34 28 API calls 47511->47961 47513 40fb23 47512->47513 47515 40fb2a 47512->47515 47969 402163 11 API calls 47513->47969 47515->47158 47517 402163 47516->47517 47518 40219f 47517->47518 47970 402730 11 API calls 47517->47970 47518->47160 47520 402184 47971 402712 11 API calls std::_Deallocate 47520->47971 47523 401e6d 47522->47523 47524 401e75 47523->47524 47972 402158 22 API calls 47523->47972 47524->47165 47528 4020df 11 API calls 47527->47528 47529 40532a 47528->47529 47973 4032a0 47529->47973 47531 405346 47531->47173 47977 4051ef 47532->47977 47534 406391 47981 402055 47534->47981 47537 401fe2 47538 401ff1 47537->47538 47545 402039 47537->47545 47539 4023ce 11 API calls 47538->47539 47540 401ffa 47539->47540 47541 402015 47540->47541 47542 40203c 47540->47542 48013 403098 28 API calls 47541->48013 47543 40267a 11 API calls 47542->47543 47543->47545 47546 401fd8 47545->47546 47547 4023ce 11 API calls 47546->47547 47548 401fe1 47547->47548 47548->47185 47550 401fd2 47549->47550 47551 401fc9 47549->47551 47550->47191 48014 4025e0 28 API calls 47551->48014 48015 401fab 47553->48015 47555 40d073 CreateMutexA GetLastError 47555->47207 48016 41bfb7 47556->48016 47561 401fe2 28 API calls 47562 41b2ff 47561->47562 47563 401fd8 11 API calls 47562->47563 47564 41b307 47563->47564 47565 4135a6 31 API calls 47564->47565 47567 41b35d 47564->47567 47566 41b330 47565->47566 47568 41b33b StrToIntA 47566->47568 47567->47213 47569 41b349 47568->47569 47572 41b352 47568->47572 48024 41cf69 22 API calls 47569->48024 47571 401fd8 11 API calls 47571->47567 47572->47571 47574 40772a 47573->47574 47575 413549 3 API calls 47574->47575 47576 407731 47575->47576 47576->47225 47576->47226 47578 41bc72 47577->47578 48025 40b904 47578->48025 47580 41bc7a 47580->47241 47582 401f22 47581->47582 47589 401f6a 47581->47589 47583 402252 11 API calls 47582->47583 47584 401f2b 47583->47584 47585 401f6d 47584->47585 47586 401f46 47584->47586 48058 402336 47585->48058 48057 40305c 28 API 
calls 47586->48057 47590 401f09 47589->47590 47591 402252 11 API calls 47590->47591 47592 401f12 47591->47592 47592->47253 47594 413965 47593->47594 47595 406dd8 28 API calls 47594->47595 47596 41397a 47595->47596 47597 4020f6 28 API calls 47596->47597 47598 41398a 47597->47598 47599 41376f 14 API calls 47598->47599 47600 413994 47599->47600 47601 401fd8 11 API calls 47600->47601 47602 4139a1 47601->47602 47602->47301 47604 40209b 47603->47604 47605 4023ce 11 API calls 47604->47605 47606 4020a6 47605->47606 48062 4024ed 47606->48062 47610 413788 47609->47610 47611 4137bf 47609->47611 47614 41379a RegSetValueExA RegCloseKey 47610->47614 47612 401fd8 11 API calls 47611->47612 47613 40ef9e 47612->47613 47613->47304 47614->47611 47616 43bac5 _strftime 47615->47616 48066 43ae03 47616->48066 47618 40efb7 47618->47310 47618->47312 47620 41b5a0 47619->47620 47621 41b505 GetLocalTime 47619->47621 47622 401fd8 11 API calls 47620->47622 47623 40531e 28 API calls 47621->47623 47625 41b5a8 47622->47625 47624 41b547 47623->47624 47626 406383 28 API calls 47624->47626 47627 401fd8 11 API calls 47625->47627 47628 41b553 47626->47628 47629 40f00d 47627->47629 48094 402f10 47628->48094 47629->47328 47632 406383 28 API calls 47633 41b56b 47632->47633 48099 407200 77 API calls 47633->48099 47635 41b579 47636 401fd8 11 API calls 47635->47636 47637 41b585 47636->47637 47638 401fd8 11 API calls 47637->47638 47639 41b58e 47638->47639 47640 401fd8 11 API calls 47639->47640 47641 41b597 47640->47641 47642 401fd8 11 API calls 47641->47642 47642->47620 47644 409e02 _wcslen 47643->47644 47645 409e24 47644->47645 47646 409e0d 47644->47646 47648 40da34 31 API calls 47645->47648 47647 40da34 31 API calls 47646->47647 47649 409e15 47647->47649 47650 409e2c 47648->47650 47652 401f13 28 API calls 47649->47652 47651 401f13 28 API calls 47650->47651 47653 409e3a 47651->47653 47654 409e1f 47652->47654 47655 401f09 11 API calls 47653->47655 47657 401f09 11 API calls 47654->47657 47656 409e42 
47655->47656 48118 40915b 28 API calls 47656->48118 47659 409e79 47657->47659 48103 40a109 47659->48103 47660 409e54 48119 403014 47660->48119 47665 401f13 28 API calls 47666 409e69 47665->47666 47667 401f09 11 API calls 47666->47667 47667->47654 48171 40417e 47668->48171 47673 403014 28 API calls 47674 41b672 47673->47674 47675 401f09 11 API calls 47674->47675 47676 41b67b 47675->47676 47677 401f09 11 API calls 47676->47677 47678 40f223 47677->47678 47678->47381 47680 413520 RegQueryValueExA RegCloseKey 47679->47680 47681 40f2e4 47679->47681 47680->47681 47681->47254 47681->47410 47683 413a3f RegDeleteValueW 47682->47683 47684 40f392 47682->47684 47683->47684 47684->47248 47686 40dd5b 47685->47686 47687 4134ff 3 API calls 47686->47687 47689 40dd62 47687->47689 47688 40dd81 47693 414f2a 47688->47693 47689->47688 48265 401707 47689->48265 47691 40dd6f 48268 413877 RegCreateKeyA 47691->48268 47694 4020df 11 API calls 47693->47694 47695 414f3e 47694->47695 48282 41b8b3 47695->48282 47698 4020df 11 API calls 47699 414f54 47698->47699 47700 401e65 22 API calls 47699->47700 47701 414f62 47700->47701 47702 43baac _strftime 40 API calls 47701->47702 47703 414f6f 47702->47703 47704 414f81 47703->47704 47705 414f74 Sleep 47703->47705 47706 402093 28 API calls 47704->47706 47705->47704 47707 414f90 47706->47707 47708 401e65 22 API calls 47707->47708 47709 414f99 47708->47709 47710 4020f6 28 API calls 47709->47710 47711 414fa4 47710->47711 47712 41be1b 28 API calls 47711->47712 47713 414fac 47712->47713 48286 40489e WSAStartup 47713->48286 47715 414fb6 47716 401e65 22 API calls 47715->47716 47717 414fbf 47716->47717 47718 401e65 22 API calls 47717->47718 47766 41503e 47717->47766 47719 414fd8 47718->47719 47720 401e65 22 API calls 47719->47720 47722 414fe9 47720->47722 47721 4020f6 28 API calls 47721->47766 47724 401e65 22 API calls 47722->47724 47723 41be1b 28 API calls 47723->47766 47725 414ffa 47724->47725 47727 401e65 22 API calls 47725->47727 47726 406c1e 28 API calls 
47726->47766 47728 41500b 47727->47728 47730 401e65 22 API calls 47728->47730 47729 401fe2 28 API calls 47729->47766 47731 41501c 47730->47731 47732 401e65 22 API calls 47731->47732 47734 41502e 47732->47734 47733 401fd8 11 API calls 47733->47766 48446 40473d 89 API calls 47734->48446 47736 406383 28 API calls 47736->47766 47737 401e65 22 API calls 47737->47766 47739 41518c WSAGetLastError 48447 41cae1 30 API calls 47739->48447 47746 40531e 28 API calls 47746->47766 47747 401e65 22 API calls 47749 415a0f 47747->47749 47748 401e8d 11 API calls 47748->47766 47749->47747 47750 43baac _strftime 40 API calls 47749->47750 47749->47766 47785 402093 28 API calls 47749->47785 47786 41b4ef 80 API calls 47749->47786 47787 415a71 CreateThread 47749->47787 47788 401fd8 11 API calls 47749->47788 47789 401f09 11 API calls 47749->47789 48450 40b051 85 API calls 47749->48450 47751 415acf Sleep 47750->47751 47751->47766 47752 402f10 28 API calls 47752->47766 47753 402093 28 API calls 47753->47766 47754 41b4ef 80 API calls 47754->47766 47757 40905c 28 API calls 47757->47766 47759 4136f8 3 API calls 47759->47766 47760 4135a6 31 API calls 47760->47766 47761 40417e 28 API calls 47761->47766 47766->47721 47766->47723 47766->47726 47766->47729 47766->47733 47766->47736 47766->47737 47766->47739 47766->47746 47766->47748 47766->47749 47766->47752 47766->47753 47766->47754 47766->47757 47766->47759 47766->47760 47766->47761 47767 401e65 22 API calls 47766->47767 48287 414ee9 47766->48287 48292 40482d 47766->48292 48299 404f51 47766->48299 48314 4048c8 connect 47766->48314 48374 41b7e0 47766->48374 48377 4145bd 47766->48377 48380 441e81 47766->48380 48384 40dd89 47766->48384 48390 41bc42 47766->48390 48393 41bd1e 47766->48393 48397 41bb8e 47766->48397 48432 404e26 WaitForSingleObject 47766->48432 48448 4052fd 28 API calls 47766->48448 47768 415439 GetTickCount 47767->47768 47769 41bb8e 28 API calls 47768->47769 47780 415456 47769->47780 47771 41bb8e 28 API calls 47771->47780 47773 41bd1e 28 
API calls 47773->47780 47776 406383 28 API calls 47776->47780 47777 402f10 28 API calls 47777->47780 47778 402ea1 28 API calls 47778->47780 47780->47771 47780->47773 47780->47776 47780->47777 47780->47778 47781 401fd8 11 API calls 47780->47781 47782 401f09 11 API calls 47780->47782 48402 41bae6 47780->48402 48404 41ba96 47780->48404 48409 40f8d1 GetLocaleInfoA 47780->48409 48412 402f31 28 API calls 47780->48412 48413 404c10 47780->48413 48449 404aa1 61 API calls ctype 47780->48449 47781->47780 47782->47780 47785->47749 47786->47749 47787->47749 48609 41ad17 104 API calls 47787->48609 47788->47749 47789->47749 47790->47166 47791->47174 47792->47178 47795 4020df 11 API calls 47794->47795 47796 406c2a 47795->47796 47797 4032a0 28 API calls 47796->47797 47798 406c47 47797->47798 47798->47199 47800 40eba4 47799->47800 47801 413573 RegQueryValueExA RegCloseKey 47799->47801 47800->47196 47800->47214 47801->47800 47802->47202 47803->47233 47804->47226 47805->47216 47806->47231 48610 401f86 47807->48610 47810 40da70 48614 41b5b4 29 API calls 47810->48614 47811 40daa5 47813 41bfb7 GetCurrentProcess 47811->47813 47812 40da66 47815 40db99 GetLongPathNameW 47812->47815 47817 40daaa 47813->47817 47816 40417e 28 API calls 47815->47816 47819 40dbae 47816->47819 47820 40db00 47817->47820 47821 40daae 47817->47821 47818 40da79 47822 401f13 28 API calls 47818->47822 47823 40417e 28 API calls 47819->47823 47824 40417e 28 API calls 47820->47824 47825 40417e 28 API calls 47821->47825 47826 40da83 47822->47826 47827 40dbbd 47823->47827 47828 40db0e 47824->47828 47829 40dabc 47825->47829 47831 401f09 11 API calls 47826->47831 48617 40ddd1 28 API calls 47827->48617 47834 40417e 28 API calls 47828->47834 47835 40417e 28 API calls 47829->47835 47831->47812 47832 40dbd0 48618 402fa5 28 API calls 47832->48618 47837 40db24 47834->47837 47838 40dad2 47835->47838 47836 40dbdb 48619 402fa5 28 API calls 47836->48619 48616 402fa5 28 API calls 47837->48616 48615 402fa5 28 API calls 47838->48615 47842 
40dbe5 47845 401f09 11 API calls 47842->47845 47843 40db2f 47846 401f13 28 API calls 47843->47846 47844 40dadd 47847 401f13 28 API calls 47844->47847 47848 40dbef 47845->47848 47849 40db3a 47846->47849 47850 40dae8 47847->47850 47851 401f09 11 API calls 47848->47851 47852 401f09 11 API calls 47849->47852 47853 401f09 11 API calls 47850->47853 47855 40dbf8 47851->47855 47856 40db43 47852->47856 47854 40daf1 47853->47854 47858 401f09 11 API calls 47854->47858 47859 401f09 11 API calls 47855->47859 47857 401f09 11 API calls 47856->47857 47857->47826 47858->47826 47860 40dc01 47859->47860 47861 401f09 11 API calls 47860->47861 47862 40dc0a 47861->47862 47863 401f09 11 API calls 47862->47863 47864 40dc13 47863->47864 47864->47289 47865->47302 47866->47324 47868 41371e RegQueryValueExA RegCloseKey 47867->47868 47869 413742 47867->47869 47868->47869 47869->47282 47870->47316 47874 4344ef 47871->47874 47872 43bd51 ___std_exception_copy 21 API calls 47872->47874 47873 40f0d1 47873->47354 47874->47872 47874->47873 48620 442f80 7 API calls 2 library calls 47874->48620 48621 434c35 RaiseException Concurrency::cancel_current_task __CxxThrowException@8 47874->48621 48622 43526e RaiseException Concurrency::cancel_current_task __CxxThrowException@8 47874->48622 47878->47386 47879->47374 47881->47418 47882->47221 47885 41b4c5 LoadResource LockResource SizeofResource 47884->47885 47886 40f3de 47884->47886 47885->47886 47887 43bd51 47886->47887 47892 446137 ___crtLCMapStringA 47887->47892 47888 446175 47904 4405dd 20 API calls _Atexit 47888->47904 47889 446160 RtlAllocateHeap 47891 446173 47889->47891 47889->47892 47891->47473 47892->47888 47892->47889 47903 442f80 7 API calls 2 library calls 47892->47903 47895 4020bf 47894->47895 47905 4023ce 47895->47905 47897 4020ca 47909 40250a 47897->47909 47899 4020d9 47899->47476 47901 4020b7 28 API calls 47900->47901 47902 406dec 47901->47902 47902->47483 47903->47892 47904->47891 47906 402428 47905->47906 47907 4023d8 47905->47907 
47906->47897 47907->47906 47916 4027a7 11 API calls std::_Deallocate 47907->47916 47910 40251a 47909->47910 47911 402520 47910->47911 47912 402535 47910->47912 47917 402569 47911->47917 47927 4028e8 47912->47927 47915 402533 47915->47899 47916->47906 47938 402888 47917->47938 47919 40257d 47920 402592 47919->47920 47921 4025a7 47919->47921 47943 402a34 22 API calls 47920->47943 47923 4028e8 28 API calls 47921->47923 47926 4025a5 47923->47926 47924 40259b 47944 4029da 22 API calls 47924->47944 47926->47915 47928 4028f1 47927->47928 47929 402953 47928->47929 47930 4028fb 47928->47930 47952 4028a4 22 API calls 47929->47952 47933 402904 47930->47933 47934 402917 47930->47934 47946 402cae 47933->47946 47936 402915 47934->47936 47937 4023ce 11 API calls 47934->47937 47936->47915 47937->47936 47939 402890 47938->47939 47940 402898 47939->47940 47945 402ca3 22 API calls 47939->47945 47940->47919 47943->47924 47944->47926 47947 402cb8 __EH_prolog 47946->47947 47953 402e54 22 API calls 47947->47953 47949 402d24 47950 4023ce 11 API calls 47949->47950 47951 402d92 47950->47951 47951->47936 47953->47949 47955 4020e7 47954->47955 47956 4023ce 11 API calls 47955->47956 47957 4020f2 47956->47957 47957->47511 47963 40423a 47958->47963 47961->47511 47962->47492 47964 404243 47963->47964 47965 4023ce 11 API calls 47964->47965 47966 40424e 47965->47966 47967 402569 28 API calls 47966->47967 47968 4041b5 47967->47968 47968->47511 47969->47515 47970->47520 47971->47518 47975 4032aa 47973->47975 47974 4032c9 47974->47531 47975->47974 47976 4028e8 28 API calls 47975->47976 47976->47974 47978 4051fb 47977->47978 47987 405274 47978->47987 47980 405208 47980->47534 47982 402061 47981->47982 47983 4023ce 11 API calls 47982->47983 47984 40207b 47983->47984 48009 40267a 47984->48009 47988 405282 47987->47988 47989 405288 47988->47989 47990 40529e 47988->47990 47998 4025f0 47989->47998 47992 4052f5 47990->47992 47993 4052b6 47990->47993 48007 4028a4 22 API calls 47992->48007 47996 4028e8 28 API 
calls 47993->47996 47997 40529c 47993->47997 47996->47997 47997->47980 47999 402888 22 API calls 47998->47999 48000 402602 47999->48000 48001 402672 48000->48001 48002 402629 48000->48002 48008 4028a4 22 API calls 48001->48008 48005 4028e8 28 API calls 48002->48005 48006 40263b 48002->48006 48005->48006 48006->47997 48010 40268b 48009->48010 48011 4023ce 11 API calls 48010->48011 48012 40208d 48011->48012 48012->47537 48013->47545 48014->47550 48017 41bfc4 GetCurrentProcess 48016->48017 48018 41b2d1 48016->48018 48017->48018 48019 4135a6 RegOpenKeyExA 48018->48019 48020 4135d4 RegQueryValueExA RegCloseKey 48019->48020 48021 4135fe 48019->48021 48020->48021 48022 402093 28 API calls 48021->48022 48023 413613 48022->48023 48023->47561 48024->47572 48026 40b90c 48025->48026 48031 402252 48026->48031 48028 40b917 48035 40b92c 48028->48035 48030 40b926 48030->47580 48032 40225c 48031->48032 48033 4022ac 48031->48033 48032->48033 48042 402779 11 API calls std::_Deallocate 48032->48042 48033->48028 48036 40b966 48035->48036 48037 40b938 48035->48037 48054 4028a4 22 API calls 48036->48054 48043 4027e6 48037->48043 48041 40b942 48041->48030 48042->48033 48044 4027ef 48043->48044 48045 402851 48044->48045 48046 4027f9 48044->48046 48056 4028a4 22 API calls 48045->48056 48049 402802 48046->48049 48050 402815 48046->48050 48055 402aea 28 API calls __EH_prolog 48049->48055 48052 402813 48050->48052 48053 402252 11 API calls 48050->48053 48052->48041 48053->48052 48055->48052 48057->47589 48059 402347 48058->48059 48060 402252 11 API calls 48059->48060 48061 4023c7 48060->48061 48061->47589 48063 4024f9 48062->48063 48064 40250a 28 API calls 48063->48064 48065 4020b1 48064->48065 48065->47294 48082 43ba0a 48066->48082 48068 43ae50 48088 43a7b7 36 API calls 3 library calls 48068->48088 48070 43ae15 48070->48068 48071 43ae2a 48070->48071 48081 43ae2f pre_c_initialization 48070->48081 48087 4405dd 20 API calls _Atexit 48071->48087 48074 43ae5c 48075 43ae8b 48074->48075 48089 43ba4f 
40 API calls __Tolower 48074->48089 48078 43aef7 48075->48078 48090 43b9b6 20 API calls 2 library calls 48075->48090 48091 43b9b6 20 API calls 2 library calls 48078->48091 48079 43afbe _strftime 48079->48081 48092 4405dd 20 API calls _Atexit 48079->48092 48081->47618 48083 43ba22 48082->48083 48084 43ba0f 48082->48084 48083->48070 48093 4405dd 20 API calls _Atexit 48084->48093 48086 43ba14 pre_c_initialization 48086->48070 48087->48081 48088->48074 48089->48074 48090->48078 48091->48079 48092->48081 48093->48086 48100 401fb0 48094->48100 48096 402f1e 48097 402055 11 API calls 48096->48097 48098 402f2d 48097->48098 48098->47632 48099->47635 48101 4025f0 28 API calls 48100->48101 48102 401fbd 48101->48102 48102->48096 48104 40a127 48103->48104 48105 413549 3 API calls 48104->48105 48106 40a12e 48105->48106 48107 40a142 48106->48107 48108 40a15c 48106->48108 48109 409e9b 48107->48109 48110 40a147 48107->48110 48111 40905c 28 API calls 48108->48111 48109->47347 48124 40905c 48110->48124 48113 40a16a 48111->48113 48131 40a179 86 API calls 48113->48131 48117 40a15a 48117->48109 48118->47660 48148 403222 48119->48148 48121 403022 48152 403262 48121->48152 48125 409072 48124->48125 48126 402252 11 API calls 48125->48126 48127 40908c 48126->48127 48132 404267 48127->48132 48129 40909a 48130 40a22d 29 API calls 48129->48130 48130->48117 48144 40a273 162 API calls 48130->48144 48131->48109 48145 40a267 85 API calls 48131->48145 48146 40a289 48 API calls 48131->48146 48147 40a27d 127 API calls 48131->48147 48133 402888 22 API calls 48132->48133 48134 40427b 48133->48134 48135 404290 48134->48135 48136 4042a5 48134->48136 48142 4042df 22 API calls 48135->48142 48138 4027e6 28 API calls 48136->48138 48141 4042a3 48138->48141 48139 404299 48143 402c48 22 API calls 48139->48143 48141->48129 48142->48139 48143->48141 48149 40322e 48148->48149 48158 403618 48149->48158 48151 40323b 48151->48121 48153 40326e 48152->48153 48154 402252 11 API calls 48153->48154 48155 403288 
48154->48155 48156 402336 11 API calls 48155->48156 48157 403031 48156->48157 48157->47665 48159 403626 48158->48159 48160 403644 48159->48160 48161 40362c 48159->48161 48163 40369e 48160->48163 48165 40365c 48160->48165 48169 4036a6 28 API calls 48161->48169 48170 4028a4 22 API calls 48163->48170 48167 4027e6 28 API calls 48165->48167 48168 403642 48165->48168 48167->48168 48168->48151 48169->48168 48172 404186 48171->48172 48173 402252 11 API calls 48172->48173 48174 404191 48173->48174 48182 4041bc 48174->48182 48177 4042fc 48193 404353 48177->48193 48179 40430a 48180 403262 11 API calls 48179->48180 48181 404319 48180->48181 48181->47673 48183 4041c8 48182->48183 48186 4041d9 48183->48186 48185 40419c 48185->48177 48187 4041e9 48186->48187 48188 404206 48187->48188 48189 4041ef 48187->48189 48190 4027e6 28 API calls 48188->48190 48191 404267 28 API calls 48189->48191 48192 404204 48190->48192 48191->48192 48192->48185 48194 40435f 48193->48194 48197 404371 48194->48197 48196 40436d 48196->48179 48198 40437f 48197->48198 48199 404385 48198->48199 48200 40439e 48198->48200 48263 4034e6 28 API calls 48199->48263 48201 402888 22 API calls 48200->48201 48202 4043a6 48201->48202 48204 404419 48202->48204 48205 4043bf 48202->48205 48264 4028a4 22 API calls 48204->48264 48207 4027e6 28 API calls 48205->48207 48216 40439c 48205->48216 48207->48216 48216->48196 48263->48216 48271 43aa9a 48265->48271 48269 4138b9 48268->48269 48270 41388f RegSetValueExA RegCloseKey 48268->48270 48269->47688 48270->48269 48274 43aa1b 48271->48274 48273 40170d 48273->47691 48275 43aa2a 48274->48275 48276 43aa3e 48274->48276 48280 4405dd 20 API calls _Atexit 48275->48280 48279 43aa2f pre_c_initialization __alldvrm 48276->48279 48281 448957 11 API calls 2 library calls 48276->48281 48279->48273 48280->48279 48281->48279 48285 41b8f9 ctype ___scrt_fastfail 48282->48285 48283 402093 28 API calls 48284 414f49 48283->48284 48284->47698 48285->48283 48286->47715 48288 414f02 getaddrinfo 
WSASetLastError 48287->48288 48289 414ef8 48287->48289 48288->47766 48451 414d86 29 API calls ___std_exception_copy 48289->48451 48291 414efd 48291->48288 48293 404846 socket 48292->48293 48294 404839 48292->48294 48295 404860 CreateEventW 48293->48295 48296 404842 48293->48296 48452 40489e WSAStartup 48294->48452 48295->47766 48296->47766 48298 40483e 48298->48293 48298->48296 48300 404f65 48299->48300 48301 404fea 48299->48301 48302 404f6e 48300->48302 48303 404fc0 CreateEventA CreateThread 48300->48303 48304 404f7d GetLocalTime 48300->48304 48301->47766 48302->48303 48303->48301 48454 405150 48303->48454 48305 41bb8e 28 API calls 48304->48305 48306 404f91 48305->48306 48453 4052fd 28 API calls 48306->48453 48315 404a1b 48314->48315 48316 4048ee 48314->48316 48317 40497e 48315->48317 48318 404a21 WSAGetLastError 48315->48318 48316->48317 48319 404923 48316->48319 48322 40531e 28 API calls 48316->48322 48317->47766 48318->48317 48320 404a31 48318->48320 48458 420c60 27 API calls 48319->48458 48323 404932 48320->48323 48324 404a36 48320->48324 48326 40490f 48322->48326 48329 402093 28 API calls 48323->48329 48469 41cae1 30 API calls 48324->48469 48325 40492b 48325->48323 48328 404941 48325->48328 48330 402093 28 API calls 48326->48330 48339 404950 48328->48339 48340 404987 48328->48340 48332 404a80 48329->48332 48333 40491e 48330->48333 48331 404a40 48470 4052fd 28 API calls 48331->48470 48336 402093 28 API calls 48332->48336 48337 41b4ef 80 API calls 48333->48337 48341 404a8f 48336->48341 48337->48319 48344 402093 28 API calls 48339->48344 48466 421a40 54 API calls 48340->48466 48345 41b4ef 80 API calls 48341->48345 48348 40495f 48344->48348 48345->48317 48347 40498f 48350 4049c4 48347->48350 48351 404994 48347->48351 48352 402093 28 API calls 48348->48352 48468 420e06 28 API calls 48350->48468 48354 402093 28 API calls 48351->48354 48355 40496e 48352->48355 48357 4049a3 48354->48357 48358 41b4ef 80 API calls 48355->48358 48361 402093 28 API calls 48357->48361 
48362 404973 48358->48362 48359 4049cc 48360 4049f9 CreateEventW CreateEventW 48359->48360 48363 402093 28 API calls 48359->48363 48360->48317 48364 4049b2 48361->48364 48459 420ca0 48362->48459 48365 4049e2 48363->48365 48366 41b4ef 80 API calls 48364->48366 48368 402093 28 API calls 48365->48368 48369 4049b7 48366->48369 48370 4049f1 48368->48370 48467 4210b2 52 API calls 48369->48467 48372 41b4ef 80 API calls 48370->48372 48373 4049f6 48372->48373 48373->48360 48473 41b7b6 GlobalMemoryStatusEx 48374->48473 48376 41b7f5 48376->47766 48474 414580 48377->48474 48381 441e8d 48380->48381 48504 441c7d 48381->48504 48383 441eae 48383->47766 48385 40dda5 48384->48385 48386 4134ff 3 API calls 48385->48386 48388 40ddac 48386->48388 48387 40ddc4 48387->47766 48388->48387 48389 413549 3 API calls 48388->48389 48389->48387 48391 4020b7 28 API calls 48390->48391 48392 41bc57 48391->48392 48392->47766 48394 41bd2b 48393->48394 48395 4020b7 28 API calls 48394->48395 48396 41bd3d 48395->48396 48396->47766 48398 441e81 20 API calls 48397->48398 48399 41bbb2 48398->48399 48400 402093 28 API calls 48399->48400 48401 41bbc0 48400->48401 48401->47766 48403 41bafc GetTickCount 48402->48403 48403->47780 48405 436e90 ___scrt_fastfail 48404->48405 48406 41bab5 GetForegroundWindow GetWindowTextW 48405->48406 48407 40417e 28 API calls 48406->48407 48408 41badf 48407->48408 48408->47780 48410 402093 28 API calls 48409->48410 48411 40f8f6 48410->48411 48411->47780 48412->47780 48414 4020df 11 API calls 48413->48414 48415 404c27 48414->48415 48416 4020df 11 API calls 48415->48416 48428 404c30 48416->48428 48417 43bd51 ___std_exception_copy 21 API calls 48417->48428 48419 404c96 48421 404ca1 48419->48421 48419->48428 48420 4020b7 28 API calls 48420->48428 48423 404e26 99 API calls 48421->48423 48422 401fe2 28 API calls 48422->48428 48424 404ca8 48423->48424 48426 401fd8 11 API calls 48424->48426 48425 401fd8 11 API calls 48425->48428 48427 404cb1 48426->48427 48429 401fd8 11 API calls 
                                                          [Execution graph: node and edge listing of the sample's control flow, rendered as an interactive graph in the original report. The API-bearing nodes name SetEvent, CloseHandle, closesocket, WaitForSingleObject, FindCloseChangeNotification, CreateEventA, CreateThread, GetTickCount, Sleep, TerminateProcess, ExitProcess, InternetOpenW, InternetOpenUrlW, InternetReadFile, InternetCloseHandle, send, recv, GetEnvironmentStringsW, FreeEnvironmentStringsW, WideCharToMultiByte, RtlAllocateHeap, RtlReAllocateHeap, RtlFreeHeap, GetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, CryptAcquireContextA, CryptGenRandom and CryptReleaseContext; the remaining nodes are CRT helpers such as _Atexit, _free, _strftime, ___scrt_fastfail and ___std_exception_copy.]

                                                          Control-flow Graph

                                                          APIs
                                                          • LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
                                                          • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CB88
                                                          • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
                                                          • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
                                                          • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
                                                          • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
                                                          • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
                                                          • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
                                                          • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CC11
                                                          • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CC25
                                                          • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CC39
                                                          • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
                                                          • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CC61
                                                          • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CC75
                                                          • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CC86
                                                          • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040E9E1), ref: 0041CC97
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CC9A
                                                          • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040E9E1), ref: 0041CCA7
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CCAA
                                                          • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040E9E1), ref: 0041CCB7
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CCBA
                                                          • LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040E9E1), ref: 0041CCCC
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CCCF
                                                          • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040E9E1), ref: 0041CCDC
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CCDF
                                                          • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040E9E1), ref: 0041CCF0
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CCF3
                                                          • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040E9E1), ref: 0041CD04
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CD07
                                                          • LoadLibraryA.KERNELBASE(Rstrtmgr,RmStartSession,?,?,?,?,0040E9E1), ref: 0041CD19
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CD1C
                                                          • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040E9E1), ref: 0041CD29
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CD2C
                                                          • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040E9E1), ref: 0041CD39
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CD3C
                                                          • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040E9E1), ref: 0041CD49
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CD4C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressProc$LibraryLoad$HandleModule
                                                          • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                          • API String ID: 4236061018-3687161714
                                                          • Opcode ID: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                                                          • Instruction ID: 43d5c3d51f8f0173c8b3474e0c84bdc355f07b7b5b23ff39ae26555794408ecb
                                                          • Opcode Fuzzy Hash: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                                                          • Instruction Fuzzy Hash: 31419EA0EC035879DA107BB66DCDE3B3E5CD9857953214837B15CA7150EBBCD8408EAE

                                                          Control-flow Graph

                                                          Control-flow graph for the function at 41b380 (basic blocks with their calls and successors; the original report marks each block as executed or not executed):
                                                          • 1099 41b380-41b3c3: call 4020df, call 43bd51, InternetOpenW, InternetOpenUrlW -> 1104
                                                          • 1104 41b3c5-41b3e6: InternetReadFile -> 1105, 1106
                                                          • 1105 41b3e8-41b408: call 4020b7, call 403376, call 401fd8 -> 1106
                                                          • 1106 41b40c-41b40f -> 1108, 1109
                                                          • 1108 41b411-41b413 -> 1104 (read loop), 1109
                                                          • 1109 41b415-41b422: InternetCloseHandle * 2, call 43bd4c -> 1112
                                                          • 1112 41b427-41b431
                                                          APIs
                                                          • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B3A7
                                                          • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B3BD
                                                          • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B3D6
                                                          • InternetCloseHandle.WININET(00000000), ref: 0041B41C
                                                          • InternetCloseHandle.WININET(00000000), ref: 0041B41F
                                                          Strings
                                                          • http://geoplugin.net/json.gp, xrefs: 0041B3B7
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Internet$CloseHandleOpen$FileRead
                                                          • String ID: http://geoplugin.net/json.gp
                                                          • API String ID: 3121278467-91888290
                                                          • Opcode ID: 4404311406b4a12e258bc180555c1bc499fb9e537e63fa9c5eb012b199318316
                                                          • Instruction ID: bc766ab0241d3587a1949f89688fbc1c60562a782fd7f61c1deed4db1e92f461
                                                          • Opcode Fuzzy Hash: 4404311406b4a12e258bc180555c1bc499fb9e537e63fa9c5eb012b199318316
                                                          • Instruction Fuzzy Hash: E711EB311053126BD224AB269C49EBF7F9CEF86755F00043EF905A2292DB68DC45C6FA

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 00413549: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 00413569
                                                            • Part of subcall function 00413549: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,004752F0), ref: 00413587
                                                            • Part of subcall function 00413549: RegCloseKey.KERNELBASE(?), ref: 00413592
                                                          • Sleep.KERNELBASE(00000BB8), ref: 0040F85B
                                                          • ExitProcess.KERNEL32 ref: 0040F8CA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseExitOpenProcessQuerySleepValue
                                                          • String ID: 5.1.0 Pro$override$pth_unenc
                                                          • API String ID: 2281282204-182549033
                                                          • Opcode ID: 0c6c273467781de05ac3cf7c04fce85a932ac025a43e79accc6add002e08d8ca
                                                          • Instruction ID: 07d0e0dc4205ecb16ec703249a4fc897915f305b32a2beb09604d1d6565ffe0f
                                                          • Opcode Fuzzy Hash: 0c6c273467781de05ac3cf7c04fce85a932ac025a43e79accc6add002e08d8ca
                                                          • Instruction Fuzzy Hash: F821F371B0420167C604767A485B6AE35A95B80718F90403FF505676D7FF7C8E0583EF

                                                          Control-flow Graph

                                                          Control-flow graph for the function at 404f51 (basic blocks with their calls and successors; the original report marks each block as executed or not executed):
                                                          • 1299 404f51-404f5f -> 1300, 1301
                                                          • 1300 404f65-404f6c -> 1303, 1304
                                                          • 1301 404fea -> 1302
                                                          • 1302 404fec-404ff1
                                                          • 1303 404f74-404f7b -> 1305, 1306
                                                          • 1304 404f6e-404f72 -> 1305
                                                          • 1305 404fc0-404fe8: CreateEventA, CreateThread -> 1302
                                                          • 1306 404f7d-404fbb: GetLocalTime, call 41bb8e, call 4052fd, call 402093, call 41b4ef, call 401fd8 -> 1305
                                                          APIs
                                                          • GetLocalTime.KERNEL32(00000001,00474EE0,00475598,?,?,?,?,00415CD6,?,00000001), ref: 00404F81
                                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EE0,00475598,?,?,?,?,00415CD6,?,00000001), ref: 00404FCD
                                                          • CreateThread.KERNELBASE(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0
                                                          Strings
                                                          • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Create$EventLocalThreadTime
                                                          • String ID: KeepAlive | Enabled | Timeout:
                                                          • API String ID: 2532271599-1507639952
                                                          • Opcode ID: 27b858f6950e3623d995e23d6d4fe1d77f4f118926dc16c8cee4ff6bd928c013
                                                          • Instruction ID: 982fc92e7e47f2769c776e0d9ab1702947c5453eb715a4cfed9cf45540ca89dc
                                                          • Opcode Fuzzy Hash: 27b858f6950e3623d995e23d6d4fe1d77f4f118926dc16c8cee4ff6bd928c013
                                                          • Instruction Fuzzy Hash: A8110671904385AAC720A7778C0DEAB7FA8DBD2710F04046FF54163291DAB89445CBBA
                                                          APIs
                                                          • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,004334BF,00000034,?,?,04ECD6F8), ref: 00433849
                                                          • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00433552,00000000,?,00000000), ref: 0043385F
                                                          • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,00433552,00000000,?,00000000,0041E251), ref: 00433871
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Crypt$Context$AcquireRandomRelease
                                                          • String ID:
                                                          • API String ID: 1815803762-0
                                                          • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                                          • Instruction ID: 864202151b2ab8ebdb17250bb7e2999cce5b6c404a207f59f2405eb254ca80c1
                                                          • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                                          • Instruction Fuzzy Hash: 83E09231308310FAFB341F25AC08F573AA5EB89B67F20093AF211E40E4D2568C018A5C
                                                          APIs
                                                          • GetComputerNameExW.KERNELBASE(00000001,?,0000002B,004750E4), ref: 0041B62A
                                                          • GetUserNameW.ADVAPI32(?,0040F223), ref: 0041B642
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Name$ComputerUser
                                                          • String ID:
                                                          • API String ID: 4229901323-0
                                                          • Opcode ID: 9c10d94fd0e958066dbb06410c8ca978aa41ccff27f968e031cf55491574d835
                                                          • Instruction ID: 2f1a7eaa0fafc1393a04fa3680ad11d69711b7caddb5f837a5711c727b94ccef
                                                          • Opcode Fuzzy Hash: 9c10d94fd0e958066dbb06410c8ca978aa41ccff27f968e031cf55491574d835
                                                          • Instruction Fuzzy Hash: 3B014F7190011CABCB01EBD5DC45EEDB7BCAF44309F10016AB505B61A1EFB46E88CBA8
                                                          APIs
                                                          • GetLocaleInfoA.KERNELBASE(00000800,0000005A,00000000,00000003,?,?,?,004154FC,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.1.0 Pro), ref: 0040F8E5
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InfoLocale
                                                          • String ID:
                                                          • API String ID: 2299586839-0
                                                          • Opcode ID: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
                                                          • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                                                          • Opcode Fuzzy Hash: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
                                                          • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1

                                                          Control-flow Graph

                                                          control_flow_graph 5 40e9c5-40ea47 call 41cb50 GetModuleFileNameW call 40f3c3 call 4020f6 * 2 call 41be1b call 40fb17 call 401e8d call 43fd00 22 40ea93-40eb5b call 401e65 call 401fab call 401e65 call 40531e call 406383 call 401fe2 call 401fd8 * 2 call 401e65 call 401fc0 call 405aa6 call 401e65 call 4051e3 call 401e65 call 4051e3 5->22 23 40ea49-40ea8e call 40fbb3 call 401e65 call 401fab call 410f37 call 40fb64 call 40f3b0 5->23 69 40eb5d-40eba8 call 406c1e call 401fe2 call 401fd8 call 401fab call 413549 22->69 70 40ebae-40ebc9 call 401e65 call 40b9bd 22->70 48 40eef2-40ef03 call 401fd8 23->48 69->70 102 40f34f-40f36a call 401fab call 4139a9 call 412475 69->102 79 40ec03-40ec0a call 40d069 70->79 80 40ebcb-40ebea call 401fab call 413549 70->80 90 40ec13-40ec1a 79->90 91 40ec0c-40ec0e 79->91 80->79 98 40ebec-40ec02 call 401fab call 4139a9 80->98 92 40ec1c 90->92 93 40ec1e-40ec2a call 41b2c3 90->93 96 40eef1 91->96 92->93 103 40ec33-40ec37 93->103 104 40ec2c-40ec2e 93->104 96->48 98->79 124 40f36f-40f3a0 call 41bc5e call 401f04 call 413a23 call 401f09 * 2 102->124 107 40ec76-40ec89 call 401e65 call 401fab 103->107 108 40ec39 call 407716 103->108 104->103 129 40ec90-40ed18 call 401e65 call 41bc5e call 401f13 call 401f09 call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab 107->129 130 40ec8b call 407755 107->130 118 40ec3e-40ec40 108->118 121 40ec42-40ec47 call 407738 call 407260 118->121 122 40ec4c-40ec5f call 401e65 call 401fab 118->122 121->122 122->107 141 40ec61-40ec67 122->141 157 40f3a5-40f3af call 40dd42 call 414f2a 124->157 177 40ed80-40ed84 129->177 178 40ed1a-40ed33 call 401e65 call 401fab call 43bad6 129->178 130->129 141->107 144 40ec69-40ec6f 141->144 144->107 147 40ec71 call 407260 144->147 147->107 179 40ef06-40ef66 call 436e90 call 40247c call 401fab * 2 call 4136f8 call 409057 177->179 180 40ed8a-40ed91 177->180 178->177 202 40ed35-40ed7b call 401e65 call 401fab call 401e65 call 401fab call 40da34 call 401f13 call 401f09 178->202 233 40ef6b-40efbf call 401e65 call 401fab call 402093 call 401fab call 41376f call 401e65 call 401fab call 43baac 179->233 182 40ed93-40ee0d call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 40cdf9 180->182 183 40ee0f-40ee19 call 409057 180->183 192 40ee1e-40ee42 call 40247c call 434798 182->192 183->192 213 40ee51 192->213 214 40ee44-40ee4f call 436e90 192->214 202->177 217 40ee53-40ee9e call 401f04 call 43f809 call 40247c call 401fab call 40247c call 401fab call 413947 213->217 214->217 271 40eea3-40eec8 call 4347a1 call 401e65 call 40b9bd 217->271 286 40efc1 233->286 287 40efdc-40efde 233->287 271->233 288 40eece-40eeed call 401e65 call 41bc5e call 40f474 271->288 289 40efc3-40efda call 41cd9b CreateThread 286->289 290 40efe0-40efe2 287->290 291 40efe4 287->291 288->233 306 40eeef 288->306 294 40efea-40f0c6 call 402093 * 2 call 41b4ef call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 43baac call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab StrToIntA call 409de4 call 401e65 call 401fab 289->294 290->289 291->294 344 40f101 294->344 345 40f0c8-40f0ff call 4344ea call 401e65 call 401fab CreateThread 294->345 306->96 347 40f103-40f11b call 401e65 call 401fab 344->347 345->347 356 40f159-40f16c call 401e65 call 401fab 347->356 357 40f11d-40f154 call 4344ea call 401e65 call 401fab CreateThread 347->357 368 40f1cc-40f1df call 401e65 call 401fab 356->368 369 40f16e-40f1c7 call 401e65 call 401fab call 401e65 call 401fab call 40d9e8 call 401f13 call 401f09 CreateThread 356->369 357->356 379 40f1e1-40f215 call 401e65 call 401fab call 401e65 call 401fab call 43baac call 40c162 368->379 380 40f21a-40f23e call 41b60d call 401f13 call 401f09 368->380 369->368 379->380 400 40f240-40f241 SetProcessDEPPolicy 380->400 401 40f243-40f256 CreateThread 380->401 400->401 404 40f264-40f26b 401->404 405 40f258-40f262 CreateThread 401->405 408 40f279-40f280 404->408 409 40f26d-40f277 CreateThread 404->409 405->404 412 40f282-40f285 408->412 413 40f28e 408->413 409->408 415 40f287-40f28c 412->415 416 40f2cc-40f2df call 401fab call 4134ff 412->416 418 40f293-40f2c7 call 402093 call 4052fd call 402093 call 41b4ef call 401fd8 413->418 415->418 426 40f2e4-40f2e7 416->426 418->416 426->157 428 40f2ed-40f32d call 41bc5e call 401f04 call 41361b call 401f09 call 401f04 426->428 443 40f346-40f34b DeleteFileW 428->443 444 40f34d 443->444 445 40f32f-40f332 443->445 444->124 445->124 446 40f334-40f341 Sleep call 401f04 445->446 446->443
                                                          APIs
                                                            • Part of subcall function 0041CB50: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
                                                            • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
                                                            • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                                                            • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB88
                                                            • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
                                                            • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
                                                            • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
                                                            • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
                                                            • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
                                                            • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
                                                            • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
                                                            • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
                                                            • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                                                            • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
                                                            • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                                                            • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
                                                            • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
                                                            • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC11
                                                            • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                                                            • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC25
                                                            • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                                                            • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC39
                                                            • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                                                            • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
                                                            • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                                                            • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC61
                                                            • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                                                            • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC75
                                                            • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
                                                          • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe,00000104), ref: 0040E9EE
                                                            • Part of subcall function 00410F37: __EH_prolog.LIBCMT ref: 00410F3C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                          • String ID: SG$ SG$8SG$8SG$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe$Exe$Inj$PSG$Remcos Agent initialized$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                                                          • API String ID: 2830904901-1775603642
                                                          • Opcode ID: 747d405c528f15ab38f340b499f6c8eb85ced7579b397f1517eaf58dd5f7f014
                                                          • Instruction ID: d4e128c763ae9979da4f7e35a5cae12564b96cb69b39ecb6445d524eb2b23fe8
                                                          • Opcode Fuzzy Hash: 747d405c528f15ab38f340b499f6c8eb85ced7579b397f1517eaf58dd5f7f014
                                                          • Instruction Fuzzy Hash: 6332D860B043412BDA24B7729C67B6E26994F81748F50483FB9467B2E3EFBC4D45839E

                                                          Control-flow Graph

                                                          control_flow_graph 448 414f2a-414f72 call 4020df call 41b8b3 call 4020df call 401e65 call 401fab call 43baac 461 414f81-414fcd call 402093 call 401e65 call 4020f6 call 41be1b call 40489e call 401e65 call 40b9bd 448->461 462 414f74-414f7b Sleep 448->462 477 415041-4150dc call 402093 call 401e65 call 4020f6 call 41be1b call 401e65 * 2 call 406c1e call 402f10 call 401fe2 call 401fd8 * 2 call 401e65 call 405b05 461->477 478 414fcf-41503e call 401e65 call 40247c call 401e65 call 401fab call 401e65 call 40247c call 401e65 call 401fab call 401e65 call 40247c call 401e65 call 401fab call 40473d 461->478 462->461 531 4150ec-4150f3 477->531 532 4150de-4150ea 477->532 478->477 533 4150f8-41518a call 405aa6 call 40531e call 406383 call 402f10 call 402093 call 41b4ef call 401fd8 * 2 call 401e65 call 401fab call 401e65 call 401fab call 414ee9 531->533 532->533 560 4151d5-4151e3 call 40482d 533->560 561 41518c-4151d0 WSAGetLastError call 41cae1 call 4052fd call 402093 call 41b4ef call 401fd8 533->561 567 415210-415225 call 404f51 call 4048c8 560->567 568 4151e5-41520b call 402093 * 2 call 41b4ef 560->568 583 415aa3-415aa5 call 404e26 561->583 567->583 584 41522b-41537e call 401e65 * 2 call 40531e call 406383 call 402f10 call 406383 call 402f10 call 402093 call 41b4ef call 401fd8 * 4 call 41b7e0 call 4145bd call 40905c call 441e81 call 401e65 call 4020f6 call 40247c call 401fab * 2 call 4136f8 567->584 568->583 589 415aaa-415ab5 call 4021fa 583->589 648 415380-41538d call 405aa6 584->648 649 415392-4153b9 call 401fab call 4135a6 584->649 596 415ab7-415ad7 call 401e65 call 401fab call 43baac Sleep 589->596 597 415add-415ae5 call 401e8d 589->597 596->597 597->477 648->649 655 4153c0-41577f call 40417e call 40dd89 call 41bc42 call 41bd1e call 41bb8e call 401e65 GetTickCount call 41bb8e call 41bae6 call 41bb8e * 2 call 41ba96 call 41bd1e * 5 call 40f8d1 call 41bd1e call 402f31 call 402ea1 call 402f10 call 402ea1 call 402f10 * 3 call 402ea1 call 402f10 call 406383 call 402f10 call 406383 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 406383 call 402f10 * 5 call 402ea1 call 402f10 call 402ea1 call 402f10 * 7 call 402ea1 649->655 656 4153bb-4153bd 649->656 782 415781 call 404aa1 655->782 656->655 783 415786-415a0a call 401fd8 * 50 call 401f09 call 401fd8 * 6 call 401f09 call 404c10 782->783 901 415a0f-415a16 783->901 902 415a18-415a1f 901->902 903 415a2a-415a31 901->903 902->903 904 415a21-415a23 902->904 905 415a33-415a38 call 40b051 903->905 906 415a3d-415a6f call 405a6b call 402093 * 2 call 41b4ef 903->906 904->903 917 415a71-415a7d CreateThread 906->917 918 415a83-415a9e call 401fd8 * 2 call 401f09 906->918 917->918 918->583
                                                          APIs
                                                          • Sleep.KERNEL32(00000000,00000029,004752F0,004750E4,00000000), ref: 00414F7B
                                                          • WSAGetLastError.WS2_32(00000000,00000001), ref: 0041518C
                                                          • Sleep.KERNEL32(00000000,00000002), ref: 00415AD7
                                                            • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Sleep$ErrorLastLocalTime
                                                          • String ID: | $%I64u$5.1.0 Pro$8SG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$PSG$TLS Off$TLS On $dMG$hlight$name$NG$NG$PG$PG$PG
                                                          • API String ID: 524882891-1821206693
                                                          • Opcode ID: 19ef7ff21120ce4d864f1b3937725887b2176c6c21eb35dbedaed6ac899dd5b6
                                                          • Instruction ID: 324fc11d7bea0fba9c16e2c7d7b547a311b01f704130931fc4cc70caa797af2d
                                                          • Opcode Fuzzy Hash: 19ef7ff21120ce4d864f1b3937725887b2176c6c21eb35dbedaed6ac899dd5b6
                                                          • Instruction Fuzzy Hash: 22526B31A001155ACB18F732DD96AFE73769F90344F6041BFE40A761E2EF781E858A5D

                                                          Control-flow Graph

                                                          APIs
                                                          • connect.WS2_32(?,?,?), ref: 004048E0
                                                          • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                                          • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                                          • WSAGetLastError.WS2_32 ref: 00404A21
                                                            • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                          • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                          • API String ID: 994465650-2151626615
                                                          • Opcode ID: 99cb689bb5f18c3443efc10de2b69162055e835058a5c35f32943c28cb679500
                                                          • Instruction ID: c5d57dbf39bf42eeb7f1fe8451fa1a1ddda5cb55b73798f96fdafd5064c5310c
                                                          • Opcode Fuzzy Hash: 99cb689bb5f18c3443efc10de2b69162055e835058a5c35f32943c28cb679500
                                                          • Instruction Fuzzy Hash: 3E41E8B47406016BD61877BA8D1B53E7A15AB81304B50017FE60267AD3EB7D9C108BDF

                                                          Control-flow Graph

                                                          APIs
                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                                          • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                                          • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                                                          • closesocket.WS2_32(000000FF), ref: 00404E5A
                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
                                                          • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
                                                          • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
                                                          • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBF
                                                          • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EC4
                                                          • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
                                                          • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED6
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseEvent$ObjectSingleWait$ChangeFindHandleNotification$closesocket
                                                          • String ID:
                                                          • API String ID: 4074944092-0
                                                          • Opcode ID: 0463b1faaa3f7a02a97a49212c31dd980e99cbb732c39645afe60185321c9919
                                                          • Instruction ID: 0c11cd9b042c69dc9d4dd2828563f6d61870a883144e53252efabab5b24bcc37
                                                          • Opcode Fuzzy Hash: 0463b1faaa3f7a02a97a49212c31dd980e99cbb732c39645afe60185321c9919
                                                          • Instruction Fuzzy Hash: BF21E871104B04AFDB216B26DC49B27BBA1FF40326F104A2EE2E211AF1CB75B851DB58

                                                          Control-flow Graph

                                                          control_flow_graph 1017 40da34-40da59 call 401f86 1020 40db83-40dba9 call 401f04 GetLongPathNameW call 40417e 1017->1020 1021 40da5f 1017->1021 1042 40dbae-40dc1b call 40417e call 40ddd1 call 402fa5 * 2 call 401f09 * 5 1020->1042 1022 40da70-40da7e call 41b5b4 call 401f13 1021->1022 1023 40da91-40da96 1021->1023 1024 40db51-40db56 1021->1024 1025 40daa5-40daac call 41bfb7 1021->1025 1026 40da66-40da6b 1021->1026 1027 40db58-40db5d 1021->1027 1028 40da9b-40daa0 1021->1028 1029 40db6e 1021->1029 1030 40db5f-40db64 call 43c0cf 1021->1030 1051 40da83 1022->1051 1032 40db73-40db78 call 43c0cf 1023->1032 1024->1032 1043 40db00-40db4c call 40417e call 43c0cf call 40417e call 402fa5 call 401f13 call 401f09 * 2 1025->1043 1044 40daae-40dafe call 40417e call 43c0cf call 40417e call 402fa5 call 401f13 call 401f09 * 2 1025->1044 1026->1032 1027->1032 1028->1032 1029->1032 1039 40db69-40db6c 1030->1039 1045 40db79-40db7e call 409057 1032->1045 1039->1029 1039->1045 1043->1051 1056 40da87-40da8c call 401f09 1044->1056 1045->1020 1051->1056 1056->1020
                                                          APIs
                                                          • GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 0040DB9A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LongNamePath
                                                          • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                          • API String ID: 82841172-425784914
                                                          • Opcode ID: f699c62159184187b538f79cdc1dbfdb69b721564b31670cb9aa7a5423fa7b62
                                                          • Instruction ID: 0cc8b9c4d8a16f3fd89327f32322cd7e2fd47b59120d3573c9b2d8a81569e3eb
                                                          • Opcode Fuzzy Hash: f699c62159184187b538f79cdc1dbfdb69b721564b31670cb9aa7a5423fa7b62
                                                          • Instruction Fuzzy Hash: FB414F715082019AC215FB61DC52DAEB3F8AE90718F10053FB546A60E2FFB8AE49C65F

                                                          Control-flow Graph

                                                          control_flow_graph 1117 41b2c3-41b31a call 41bfb7 call 4135a6 call 401fe2 call 401fd8 call 406ae1 1128 41b35d-41b366 1117->1128 1129 41b31c-41b32b call 4135a6 1117->1129 1131 41b368-41b36d 1128->1131 1132 41b36f 1128->1132 1134 41b330-41b347 call 401fab StrToIntA 1129->1134 1133 41b374-41b37f call 40537d 1131->1133 1132->1133 1139 41b355-41b358 call 401fd8 1134->1139 1140 41b349-41b352 call 41cf69 1134->1140 1139->1128 1140->1139
                                                          APIs
                                                            • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                                            • Part of subcall function 004135A6: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                                            • Part of subcall function 004135A6: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                                            • Part of subcall function 004135A6: RegCloseKey.KERNELBASE(?), ref: 004135F2
                                                          • StrToIntA.SHLWAPI(00000000,0046C9F8,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0041B33C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseCurrentOpenProcessQueryValue
                                                          • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                          • API String ID: 1866151309-2070987746
                                                          • Opcode ID: 8f8f5d60ce35d1a1c8195802feeff86a127f68f3eb7fb2a0a498f7b0ec669ebf
                                                          • Instruction ID: 0537cd1ef0e49ffa1b211e53375311a7de90e31f2ded896f28e78de68f6ce99c
                                                          • Opcode Fuzzy Hash: 8f8f5d60ce35d1a1c8195802feeff86a127f68f3eb7fb2a0a498f7b0ec669ebf
                                                          • Instruction Fuzzy Hash: 42112370A4010566C704B3668C87EFF77198B95314F94013BF856A21E2FB6C599683AE

                                                          Control-flow Graph

                                                          control_flow_graph 1191 44f35a-44f36f GetEnvironmentStringsW 1192 44f3c7 1191->1192 1193 44f371-44f391 call 44f323 WideCharToMultiByte 1191->1193 1195 44f3c9-44f3cb 1192->1195 1193->1192 1199 44f393-44f394 call 446137 1193->1199 1197 44f3d4-44f3dc 1195->1197 1198 44f3cd-44f3ce FreeEnvironmentStringsW 1195->1198 1198->1197 1201 44f399-44f39e 1199->1201 1202 44f3a0-44f3b4 WideCharToMultiByte 1201->1202 1203 44f3bc 1201->1203 1202->1203 1204 44f3b6-44f3ba 1202->1204 1205 44f3be-44f3c5 call 446782 1203->1205 1204->1205 1205->1195
                                                          APIs
                                                          • GetEnvironmentStringsW.KERNEL32 ref: 0044F363
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F386
                                                            • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F3AC
                                                          • _free.LIBCMT ref: 0044F3BF
                                                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F3CE
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                          • String ID:

                                                          Similarity
                                                          • API ID: CountEventTick
                                                          • String ID: !D@$NG

                                                          APIs
                                                          • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041377E
                                                          • RegSetValueExA.KERNELBASE(?,004674B8,00000000,?,00000000,00000000,004752F0,?,?,0040F853,004674B8,5.1.0 Pro), ref: 004137A6
                                                          • RegCloseKey.KERNELBASE(?,?,?,0040F853,004674B8,5.1.0 Pro), ref: 004137B1
                                                          Similarity
                                                          • API ID: CloseCreateValue
                                                          • String ID: pth_unenc

                                                          APIs
                                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                                                          • CreateThread.KERNELBASE(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 00404DD2
                                                          • FindCloseChangeNotification.KERNELBASE(?,?,00000000), ref: 00404DDB
                                                          Similarity
                                                          • API ID: Create$ChangeCloseEventFindNotificationObjectSingleThreadWait
                                                          • String ID:

                                                          APIs
                                                          • CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0040D078
                                                          • GetLastError.KERNEL32 ref: 0040D083
                                                          Similarity
                                                          • API ID: CreateErrorLastMutex
                                                          • String ID: SG
                                                          APIs
                                                          • RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                                          • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                                          • RegCloseKey.KERNELBASE(?), ref: 004135F2
                                                          Similarity
                                                          • API ID: CloseOpenQueryValue
                                                          • String ID:
                                                          APIs
                                                          • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 00413714
                                                          • RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,00000000,00000208,?), ref: 0041372D
                                                          • RegCloseKey.KERNELBASE(00000000), ref: 00413738
                                                          Similarity
                                                          • API ID: CloseOpenQueryValue
                                                          • String ID:
                                                          APIs
                                                          • GetEnvironmentStringsW.KERNEL32 ref: 0044F3E1
                                                          • _free.LIBCMT ref: 0044F41A
                                                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F421
                                                          Similarity
                                                          • API ID: EnvironmentStrings$Free_free
                                                          • String ID:
                                                          APIs
                                                          • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 00413569
                                                          • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,004752F0), ref: 00413587
                                                          • RegCloseKey.KERNELBASE(?), ref: 00413592
                                                          Similarity
                                                          • API ID: CloseOpenQueryValue
                                                          • String ID:
                                                          APIs
                                                          • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?,00000000,?,?,0040C19C,00466C48), ref: 00413516
                                                          • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,00000000,?,?,0040C19C,00466C48), ref: 0041352A
                                                          • RegCloseKey.KERNELBASE(?,?,?,0040C19C,00466C48), ref: 00413535
                                                          Similarity
                                                          • API ID: CloseOpenQueryValue
                                                          • String ID:
                                                          APIs
                                                          • RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                                          • RegSetValueExA.KERNELBASE(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                                          • RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                                                          Similarity
                                                          • API ID: CloseCreateValue
                                                          • String ID:
                                                          Similarity
                                                          • API ID: _wcslen
                                                          • String ID: pQG
                                                          APIs
                                                          • GlobalMemoryStatusEx.KERNELBASE(?), ref: 0041B7CA
                                                          Similarity
                                                          • API ID: GlobalMemoryStatus
                                                          • String ID: @
                                                          APIs
                                                          • GetStdHandle.KERNEL32(000000F6), ref: 00449C3C
                                                          • GetFileType.KERNELBASE(00000000), ref: 00449C4E
                                                          Similarity
                                                          • API ID: FileHandleType
                                                          • String ID:
                                                          APIs
                                                          • _free.LIBCMT ref: 004461A6
                                                            • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                                          • RtlReAllocateHeap.NTDLL(00000000,00000000,?,?,0000000F,00000000,00432F02,00000000,0000000F,0042F90C,?,?,004319B3,?,?,00000000), ref: 004461E2
                                                          Similarity
                                                          • API ID: AllocateHeap$_free
                                                          • String ID:
                                                          APIs
                                                          • socket.WS2_32(?,00000001,00000006), ref: 00404852
                                                          • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E
                                                            • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                                          Similarity
                                                          • API ID: CreateEventStartupsocket
                                                          • String ID:
                                                          Similarity
                                                          • API ID: _free
                                                          • String ID:
                                                          APIs
                                                          • GetForegroundWindow.USER32 ref: 0041BAB8
                                                          • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041BACB
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Window$ForegroundText
                                                          • String ID:
                                                          • API String ID: 29597999-0
                                                          • Opcode ID: 3324f64634fda987d6d57ad9b9c1a74d02492aa66b07baf7772615d4eb65d97a
                                                          • Instruction ID: 4615795adb372a642f3ed3ff298372a60f443b3219566b47796808df054d69ed
                                                          • Opcode Fuzzy Hash: 3324f64634fda987d6d57ad9b9c1a74d02492aa66b07baf7772615d4eb65d97a
                                                          • Instruction Fuzzy Hash: CCE0D875A00328A7E720A7A49C4EFE5776CEB08701F0000EEBA18D71C2EAB4AD04C7E4
                                                          APIs
                                                          • getaddrinfo.WS2_32(00000000,00000000,00000000,00472ADC,004750E4,00000000,00415188,00000000,00000001), ref: 00414F0B
                                                          • WSASetLastError.WS2_32(00000000), ref: 00414F10
                                                            • Part of subcall function 00414D86: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
                                                            • Part of subcall function 00414D86: LoadLibraryA.KERNEL32(?), ref: 00414E17
                                                            • Part of subcall function 00414D86: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
                                                            • Part of subcall function 00414D86: FreeLibrary.KERNEL32(00000000), ref: 00414E3E
                                                            • Part of subcall function 00414D86: LoadLibraryA.KERNEL32(?), ref: 00414E76
                                                            • Part of subcall function 00414D86: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
                                                            • Part of subcall function 00414D86: FreeLibrary.KERNEL32(00000000), ref: 00414E8F
                                                            • Part of subcall function 00414D86: GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                                          • String ID:
                                                          • API String ID: 1170566393-0
                                                          • Opcode ID: 6695e73d4224f512b623112065335d5dbc2e445aee0e7ca71efd6bc9c5f08a3e
                                                          • Instruction ID: cadd3d9b0d0923a9352550a0b766658ea18523973fceddbfefdc7c35282954d4
                                                          • Opcode Fuzzy Hash: 6695e73d4224f512b623112065335d5dbc2e445aee0e7ca71efd6bc9c5f08a3e
                                                          • Instruction Fuzzy Hash: 9ED017322015316BD320A769AC01AFBAA9EDBD7771B16003BFA08D3210D6949C8282E8
                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateHeap
                                                          • String ID:
                                                          • API String ID: 1279760036-0
                                                          • Opcode ID: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
                                                          • Instruction ID: 4903450aafda00484806ba385278610c2731405ed8485190d5fd86014b6ab98c
                                                          • Opcode Fuzzy Hash: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
                                                          • Instruction Fuzzy Hash: 92E0ED3120062577FB2226669D05B5B365D9F033A2F160127EC0AA2283DF7CCC0081EF
                                                          APIs
                                                          • WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Startup
                                                          • String ID:
                                                          • API String ID: 724789610-0
                                                          • Opcode ID: d1a3cfe2fad2e3cb4d6962b6d8b640ceb39eb3bb27a9d976f59a5119cf7f3e63
                                                          • Instruction ID: a24ce82555f98f109a53945ea9c337c8597cdca763f75144b39f195b4e3f482d
                                                          • Opcode Fuzzy Hash: d1a3cfe2fad2e3cb4d6962b6d8b640ceb39eb3bb27a9d976f59a5119cf7f3e63
                                                          • Instruction Fuzzy Hash: 0DD0C9325586088AE620AAB4AD0B8A4775C8312615F0007AA6CA5835D2E6446A19C2AA
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: send
                                                          • String ID:
                                                          • API String ID: 2809346765-0
                                                          • Opcode ID: a64cf630b3b4fcbf92e6cf8d3c010959396a6b24f5439efeece66edae75e3506
                                                          • Instruction ID: 80dceff54fd7c7607e374e8a405dba3f032bb15cdc3f4a53630576a73fa931ff
                                                          • Opcode Fuzzy Hash: a64cf630b3b4fcbf92e6cf8d3c010959396a6b24f5439efeece66edae75e3506
                                                          • Instruction Fuzzy Hash: 79B09279108202FFCB150B60CD0887A7EAAABC8381F008A2CB187411B1C636C852AB26
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: recv
                                                          • String ID:
                                                          • API String ID: 1507349165-0
                                                          • Opcode ID: 12f17b9eb2b05ccee17ecde8d051cd75af37e2c2e0a2002d53484fbbe037e517
                                                          • Instruction ID: 54da5cb0358175ea3eef87e0ba5f02fe09cc36e19498aa822303b7a5c5cf0de8
                                                          • Opcode Fuzzy Hash: 12f17b9eb2b05ccee17ecde8d051cd75af37e2c2e0a2002d53484fbbe037e517
                                                          • Instruction Fuzzy Hash: 38B09B75108302FFC6150750CC0486A7D66DBC8351B00481C714641170C736C8519725
                                                          APIs
                                                          • SetEvent.KERNEL32(?,?), ref: 00407CB9
                                                          • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407D87
                                                          • DeleteFileW.KERNEL32(00000000), ref: 00407DA9
                                                            • Part of subcall function 0041C291: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C2EC
                                                            • Part of subcall function 0041C291: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C31C
                                                            • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C371
                                                            • Part of subcall function 0041C291: FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D2
                                                            • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D9
                                                            • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                            • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                            • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                                            • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00408197
                                                          • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00408278
                                                          • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084C4
                                                          • DeleteFileA.KERNEL32(?), ref: 00408652
                                                            • Part of subcall function 0040880C: __EH_prolog.LIBCMT ref: 00408811
                                                            • Part of subcall function 0040880C: FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                                                            • Part of subcall function 0040880C: __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                                                            • Part of subcall function 0040880C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                                                          • Sleep.KERNEL32(000007D0), ref: 004086F8
                                                          • StrToIntA.SHLWAPI(00000000,00000000), ref: 0040873A
                                                            • Part of subcall function 0041C9E2: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                                          • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                                                          • API String ID: 1067849700-181434739
                                                          • Opcode ID: 1ff92908fb735a07688bd7b3bf3bf23fdc0ca7871faa2f0198a6c16e2433a594
                                                          • Instruction ID: 75e26f7f6c3f3dbd7fc3c9379f58c72dc3a715cd35b24c1fb8b7d51949cc7e38
                                                          • Opcode Fuzzy Hash: 1ff92908fb735a07688bd7b3bf3bf23fdc0ca7871faa2f0198a6c16e2433a594
                                                          • Instruction Fuzzy Hash: FE427F71A043016BC604FB76C95B9AE77A5AF91348F40093FF542671E2EE7C9A08879B
                                                          APIs
                                                          • __Init_thread_footer.LIBCMT ref: 004056E6
                                                            • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                          • __Init_thread_footer.LIBCMT ref: 00405723
                                                          • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660BC,00000000), ref: 004057B6
                                                          • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                                                          • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                                                          • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                                          • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                                                          • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                                            • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                                          • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660C0,00000062,004660A4), ref: 004059E4
                                                          • Sleep.KERNEL32(00000064,00000062,004660A4), ref: 004059FE
                                                          • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                                          • CloseHandle.KERNEL32 ref: 00405A23
                                                          • CloseHandle.KERNEL32 ref: 00405A2B
                                                          • CloseHandle.KERNEL32 ref: 00405A3D
                                                          • CloseHandle.KERNEL32 ref: 00405A45
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                          • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                                                          • API String ID: 2994406822-18413064
                                                          • Opcode ID: c42f28ba644b97e37895e1f3ee2c7c884f8e483c3f5d678ab53032e062026d85
                                                          • Instruction ID: 70e6a120cd26ef4d63fea04585a98dfb86eec3f3f3d93349c630b188a9e88b71
                                                          • Opcode Fuzzy Hash: c42f28ba644b97e37895e1f3ee2c7c884f8e483c3f5d678ab53032e062026d85
                                                          • Instruction Fuzzy Hash: 8891E471604604AFD711FB36ED42A6F369AEB84308F01443FF989A62E2DB7D9C448B5D
                                                          APIs
                                                          • GetCurrentProcessId.KERNEL32 ref: 00412106
                                                            • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                                            • Part of subcall function 00413877: RegSetValueExA.KERNELBASE(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                                            • Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                                                          • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412146
                                                          • CloseHandle.KERNEL32(00000000), ref: 00412155
                                                          • CreateThread.KERNEL32(00000000,00000000,004127EE,00000000,00000000,00000000), ref: 004121AB
                                                          • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041241A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                                          • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                                          • API String ID: 3018269243-13974260
                                                          • Opcode ID: cf8836db070dde1e79f7b372f7e703d1748ead536f5279adb044898871b6b780
                                                          • Instruction ID: 8205490d34a3093c97c97cf0412c87f535f0d81ed9353c04b1464aab831027f3
                                                          • Opcode Fuzzy Hash: cf8836db070dde1e79f7b372f7e703d1748ead536f5279adb044898871b6b780
                                                          • Instruction Fuzzy Hash: 2671813160430167C614FB72CD579AE73A4AF90308F50057FB546A61E2FFBC9949C69E
                                                          APIs
                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBAF
                                                          • FindClose.KERNEL32(00000000), ref: 0040BBC9
                                                          • FindNextFileA.KERNEL32(00000000,?), ref: 0040BCEC
                                                          • FindClose.KERNEL32(00000000), ref: 0040BD12
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Find$CloseFile$FirstNext
                                                          • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                          • API String ID: 1164774033-3681987949
                                                          • Opcode ID: a7abc2cbee64d590697779d9a46801e96057498aa45ff5fe343c94ad28998e44
                                                          • Instruction ID: 0369a90be492857ee26322cec2c2e6bc6ddf3692cf68474a737f8ca2a3b0d98c
                                                          • Opcode Fuzzy Hash: a7abc2cbee64d590697779d9a46801e96057498aa45ff5fe343c94ad28998e44
                                                          • Instruction Fuzzy Hash: 13516E3190421A9ADB14F7B2DC56DEEB739AF11304F10057FF406721E2EF785A89CA89
                                                          APIs
                                                          • OpenClipboard.USER32 ref: 004168C2
                                                          • EmptyClipboard.USER32 ref: 004168D0
                                                          • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004168F0
                                                          • GlobalLock.KERNEL32(00000000), ref: 004168F9
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 0041692F
                                                          • SetClipboardData.USER32(0000000D,00000000), ref: 00416938
                                                          • CloseClipboard.USER32 ref: 00416955
                                                          • OpenClipboard.USER32 ref: 0041695C
                                                          • GetClipboardData.USER32(0000000D), ref: 0041696C
                                                          • GlobalLock.KERNEL32(00000000), ref: 00416975
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                                                          • CloseClipboard.USER32 ref: 00416984
                                                            • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                          • String ID: !D@
                                                          • API String ID: 3520204547-604454484
                                                          • Opcode ID: 6c018320e5b0d2cabe6153e6df3be29feb4b7020e0ff09a9ecc452abf36931f7
                                                          • Instruction ID: 9e7c9e91df33a813dd3aefbd505e3631e00017b2d00f6ad0929271c723fa7fba
                                                          • Opcode Fuzzy Hash: 6c018320e5b0d2cabe6153e6df3be29feb4b7020e0ff09a9ecc452abf36931f7
                                                          • Instruction Fuzzy Hash: 9F212171604301DBD714BB71DC5DABE36A9AF88746F40043EF946921E2EF3C8D45C66A
                                                          APIs
                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDAF
                                                          • FindClose.KERNEL32(00000000), ref: 0040BDC9
                                                          • FindNextFileA.KERNEL32(00000000,?), ref: 0040BE89
                                                          • FindClose.KERNEL32(00000000), ref: 0040BEAF
                                                          • FindClose.KERNEL32(00000000), ref: 0040BED0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Find$Close$File$FirstNext
                                                          • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                          • API String ID: 3527384056-432212279
                                                          • Opcode ID: 48f1059577fb6fb3e12f81dcccae54fa1aae2825fed048d23a83c2489a6cdfe4
                                                          • Instruction ID: daa8673b40617291cefb90f55d029d970aaced9502edc59260dc825ad40fac9f
                                                          • Opcode Fuzzy Hash: 48f1059577fb6fb3e12f81dcccae54fa1aae2825fed048d23a83c2489a6cdfe4
                                                          • Instruction Fuzzy Hash: 38417D3190021AAADB04F7A6DC5A9EEB769DF11704F50017FF506B20D2EF385A46CA9E
                                                          APIs
                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F48E
                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4B9
                                                          • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F4D5
                                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F554
                                                          • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F563
                                                            • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                                            • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                                          • CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F66E
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                                          • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0$1$2$3$4$5$6$7$VG
                                                          APIs
                                                          • _wcslen.LIBCMT ref: 00407521
                                                          • CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                                                          Similarity
                                                          • API ID: Object_wcslen
                                                          • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                          APIs
                                                          • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A75E
                                                          • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A7AD
                                                          • GetLastError.KERNEL32 ref: 0041A7BB
                                                          • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A7F3
                                                          Similarity
                                                          • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                          • String ID:
                                                          APIs
                                                            • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                                            • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                                            • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                                            • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                                            • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                                            • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                                                          • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045271C
                                                          • IsValidCodePage.KERNEL32(00000000), ref: 00452777
                                                          • IsValidLocale.KERNEL32(?,00000001), ref: 00452786
                                                          • GetLocaleInfoW.KERNEL32(?,00001001,lJD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 004527CE
                                                          • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 004527ED
                                                          Similarity
                                                          • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                          • String ID: lJD$lJD$lJD
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C39B
                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 0040C46E
                                                          • FindClose.KERNEL32(00000000), ref: 0040C47D
                                                          • FindClose.KERNEL32(00000000), ref: 0040C4A8
                                                          Similarity
                                                          • API ID: Find$CloseFile$FirstNext
                                                          • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A2D3
                                                          • SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
                                                          • GetLastError.KERNEL32 ref: 0040A2ED
                                                            • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                          • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A33B
                                                          • TranslateMessage.USER32(?), ref: 0040A34A
                                                          • DispatchMessageA.USER32(?), ref: 0040A355
                                                          Similarity
                                                          • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                          • String ID: Keylogger initialization failure: error $`#v
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C2EC
                                                          • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C31C
                                                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C38E
                                                          • DeleteFileW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C39B
                                                            • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C371
                                                          • GetLastError.KERNEL32(?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3BC
                                                          • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D2
                                                          • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D9
                                                          • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3E2
                                                          Similarity
                                                          • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                          • String ID:
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(00000000,?), ref: 00419D4B
                                                          • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419E17
                                                            • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                                                          Similarity
                                                          • API ID: File$Find$CreateFirstNext
                                                          • String ID: 8SG$PXG$PXG$NG$PG
                                                          APIs
                                                          • GetForegroundWindow.USER32(?,?,00000000), ref: 0040A416
                                                          • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                                                          • GetKeyboardLayout.USER32(00000000), ref: 0040A429
                                                          • GetKeyState.USER32(00000010), ref: 0040A433
                                                          • GetKeyboardState.USER32(?,?,00000000), ref: 0040A43E
                                                          • ToUnicodeEx.USER32(00000054,?,?,?,00000010,00000000,00000000), ref: 0040A461
                                                          • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
                                                          • ToUnicodeEx.USER32(00000054,?,?,?,00000010,00000000,00000000), ref: 0040A4FA
                                                          Similarity
                                                          • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                          • String ID:
                                                          APIs
                                                          • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0041409D
                                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140A9
                                                            • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                          • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 0041426A
                                                          • GetProcAddress.KERNEL32(00000000), ref: 00414271
                                                          Similarity
                                                          • API ID: AddressCloseCreateLibraryLoadProcsend
                                                          • String ID: SHDeleteKeyW$Shlwapi.dll
                                                          APIs
                                                          • _free.LIBCMT ref: 00449212
                                                          • _free.LIBCMT ref: 00449236
                                                          • _free.LIBCMT ref: 004493BD
                                                          • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
                                                          • _free.LIBCMT ref: 00449589
                                                          Similarity
                                                          • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                          • String ID:
                                                          APIs
                                                            • Part of subcall function 00417952: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                                                            • Part of subcall function 00417952: OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                                                            • Part of subcall function 00417952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                                                            • Part of subcall function 00417952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                                                            • Part of subcall function 00417952: GetLastError.KERNEL32 ref: 0041799D
                                                          • ExitWindowsEx.USER32(00000000,00000001), ref: 00416856
                                                          • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 0041686B
                                                          • GetProcAddress.KERNEL32(00000000), ref: 00416872
                                                          Similarity
                                                          • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                          • String ID: !D@$PowrProf.dll$SetSuspendState
                                                          APIs
                                                          • GetLocaleInfoW.KERNEL32(00000000,2000000B,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524D5
                                                          • GetLocaleInfoW.KERNEL32(00000000,20001004,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524FE
                                                          • GetACP.KERNEL32(?,?,0045275B,?,00000000), ref: 00452513
                                                          Similarity
                                                          • API ID: InfoLocale
                                                          • String ID: ACP$OCP$['E
                                                          APIs
                                                          • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA4E
                                                          • GetLastError.KERNEL32 ref: 0040BA58
                                                          Strings
                                                          • [Chrome StoredLogins not found], xrefs: 0040BA72
                                                          • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA19
                                                          • [Chrome StoredLogins found, cleared!], xrefs: 0040BA7E
                                                          • UserProfile, xrefs: 0040BA1E
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: DeleteErrorFileLast
                                                          • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                          • API String ID: 2018770650-1062637481
                                                          • Opcode ID: 0869f95c927aca72a4aa01e0263511fc677d69a40d3c9f55f6e6efd0e01f34cf
                                                          • Instruction ID: af402a2c9819bc64f7c9913ab42ffc044d60d1b3c88a69bbc3d4df1d4d30a246
                                                          • Opcode Fuzzy Hash: 0869f95c927aca72a4aa01e0263511fc677d69a40d3c9f55f6e6efd0e01f34cf
                                                          • Instruction Fuzzy Hash: 2D01A7B17801056AC70477B6CD5B9BE77249911704F50057FF802725E2FE7D59098ADE
                                                          APIs
                                                          • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                                                          • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                                                          • GetLastError.KERNEL32 ref: 0041799D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                          • String ID: SeShutdownPrivilege
                                                          • API String ID: 3534403312-3733053543
                                                          • Opcode ID: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
                                                          • Instruction ID: b599e5caaba2c857c5a7044ea86e3d1b9a306509f9612008a7a3a71442eb1233
                                                          • Opcode Fuzzy Hash: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
                                                          • Instruction Fuzzy Hash: 1EF03AB1801229FBDB109BA0EC4DEEF7FBCEF05612F100461B809A1092D7388E04CAB5
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 00409258
                                                            • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                                                            • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 004092F4
                                                          • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00409352
                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 004093AA
                                                          • FindClose.KERNEL32(00000000), ref: 004093C1
                                                            • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                                            • Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                                            • Part of subcall function 00404E26: CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                                                          • FindClose.KERNEL32(00000000), ref: 004095B9
                                                            • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                                            • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                                          • String ID:
                                                          • API String ID: 1824512719-0
                                                          • Opcode ID: 79a333ab798d4f3832fd98009e5fc83f15b4850663dec53ce8833ea938511d01
                                                          • Instruction ID: 125c9cc0036adb3739497efb01147483584b5989e706bb19fe9a4109aadf0594
                                                          • Opcode Fuzzy Hash: 79a333ab798d4f3832fd98009e5fc83f15b4850663dec53ce8833ea938511d01
                                                          • Instruction Fuzzy Hash: DCB18D32900109AACB14EBA1DD96AED7779AF04318F10417FF506B60E2EF785E49CB98
                                                          APIs
                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A6A0,00000000), ref: 0041AA53
                                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A6A0,00000000), ref: 0041AA68
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA75
                                                          • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A6A0,00000000), ref: 0041AA80
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA92
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA95
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Service$CloseHandle$Open$ManagerStart
                                                          • String ID:
                                                          • API String ID: 276877138-0
                                                          • Opcode ID: 55aea4e01c19578bfbdca94b163ddb40001bd342cd849d2c6829f49351802c7e
                                                          • Instruction ID: 9fefcdd13c5f6832e1e8d6374d810b05479d45f16fba084c356bea358aebaaee
                                                          • Opcode Fuzzy Hash: 55aea4e01c19578bfbdca94b163ddb40001bd342cd849d2c6829f49351802c7e
                                                          • Instruction Fuzzy Hash: FCF08971101325AFD2119B619C88DFF2B6CDF85BA6B00082AF945921919B68CD49E9B9
                                                          APIs
                                                            • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                                            • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                                            • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                                            • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                                          • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444A73,?,?,?,?,004444CA,?,00000004), ref: 00451DBA
                                                          • _wcschr.LIBVCRUNTIME ref: 00451E4A
                                                          • _wcschr.LIBVCRUNTIME ref: 00451E58
                                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,sJD,00000000,?), ref: 00451EFB
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                          • String ID: sJD
                                                          • API String ID: 4212172061-3536923933
                                                          • Opcode ID: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
                                                          • Instruction ID: 601d6103ecad0283333aca7e4f79148897faf6e4cefa34abd84194fcdbd45a0d
                                                          • Opcode Fuzzy Hash: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
                                                          • Instruction Fuzzy Hash: ED61FA35500606AAE724AB75CC86BBB73A8EF04316F14046FFD05D7292EB78ED48C769
                                                          APIs
                                                          • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B4B9
                                                          • LoadResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4CD
                                                          • LockResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4D4
                                                          • SizeofResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4E3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Resource$FindLoadLockSizeof
                                                          • String ID: SETTINGS
                                                          • API String ID: 3473537107-594951305
                                                          • Opcode ID: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                                                          • Instruction ID: 65170a014006dd87783428e4339c5f85687a52ee3761dac8d56b05c0676c202a
                                                          • Opcode Fuzzy Hash: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                                                          • Instruction Fuzzy Hash: 8AE01A36200B22EBEB311BA5AC4CD473E29F7C97637100075F90596232CB798840DAA8
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 0040966A
                                                          • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004096E2
                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 0040970B
                                                          • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00409722
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Find$File$CloseFirstH_prologNext
                                                          • String ID:
                                                          • API String ID: 1157919129-0
                                                          • Opcode ID: fb173912142d451d8169f8852f62cc003beda93b99b20e6bd32f4a4dc40a9ea1
                                                          • Instruction ID: bc6583c976318a9931a9d4e75bf6093b5b8d8c817350453c5398c0af4fd679c1
                                                          • Opcode Fuzzy Hash: fb173912142d451d8169f8852f62cc003beda93b99b20e6bd32f4a4dc40a9ea1
                                                          • Instruction Fuzzy Hash: 59812B329001199BCB15EBA1DC969EDB378AF14318F10417FE506B71E2EF78AE49CB58
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 00408811
                                                          • FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                                                          • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                                                          • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A15
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                                          • String ID:
                                                          • API String ID: 1771804793-0
                                                          • Opcode ID: 8f16439d90f6ec0f7283b04e08810252f4f5a069acaf261fa4213b3c41c94a9d
                                                          • Instruction ID: 1e810be39857a3d86828f92fa26e793a4655b35e172fafea17edde612d57cc14
                                                          • Opcode Fuzzy Hash: 8f16439d90f6ec0f7283b04e08810252f4f5a069acaf261fa4213b3c41c94a9d
                                                          • Instruction Fuzzy Hash: 16515F72900209AACF04FB61DD569ED7778AF11308F50417FB946B61E2EF389B48CB99
                                                          APIs
                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FBC
                                                          • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070A0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: DownloadExecuteFileShell
                                                          • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe$open
                                                          • API String ID: 2825088817-2220371382
                                                          • Opcode ID: bfa19ed26d2a849e876c6b977b2559079fafbd645fd55724d5dd89cb6e5b05b7
                                                          • Instruction ID: 27a8b34c094a82f854f2ee3e6b31e6014a71d41456184bc7540e3ceb6c1d0c01
                                                          • Opcode Fuzzy Hash: bfa19ed26d2a849e876c6b977b2559079fafbd645fd55724d5dd89cb6e5b05b7
                                                          • Instruction Fuzzy Hash: 6561A171B0830166CA24FB76C8569BE37A59F81748F50093FB942772D2EE3C9905C69B
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407857
                                                          • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040791F
                                                            • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileFind$FirstNextsend
                                                          • String ID: XPG$XPG
                                                          • API String ID: 4113138495-1962359302
                                                          • Opcode ID: ef4afc18dc9d34da461ea20a285219582541565e32a666253127ded6bb227160
                                                          • Instruction ID: 6b6d716c6ecdfe6ec78918620e47e684a121d368db73a1555a51ac38f2ecb6eb
                                                          • Opcode Fuzzy Hash: ef4afc18dc9d34da461ea20a285219582541565e32a666253127ded6bb227160
                                                          • Instruction Fuzzy Hash: 212195325083419BC314FB61D855DEFB3ACAF90358F40493EF696621E1EF78AA09C65B
                                                          APIs
                                                          • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
                                                            • Part of subcall function 0041376F: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041377E
                                                            • Part of subcall function 0041376F: RegSetValueExA.KERNELBASE(?,004674B8,00000000,?,00000000,00000000,004752F0,?,?,0040F853,004674B8,5.1.0 Pro), ref: 004137A6
                                                            • Part of subcall function 0041376F: RegCloseKey.KERNELBASE(?,?,?,0040F853,004674B8,5.1.0 Pro), ref: 004137B1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseCreateInfoParametersSystemValue
                                                          • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                          • API String ID: 4127273184-3576401099
                                                          • Opcode ID: a5c334ccb2f3e0acc440ce1cf8f28a98e6381df3e21f2f51dd4c73347d747d37
                                                          • Instruction ID: 1197cbbb31bb874c57b9e92d70abebba424d259215afdbf251ae70ffa4d9d73d
                                                          • Opcode Fuzzy Hash: a5c334ccb2f3e0acc440ce1cf8f28a98e6381df3e21f2f51dd4c73347d747d37
                                                          • Instruction Fuzzy Hash: 7B1184B2BC021473D419313E5DABBBE28029743B51F94416BF6123A6C6E8DF0A8102CF
                                                          APIs
                                                            • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                                            • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                                            • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                                            • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                                            • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                                            • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452117
                                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452168
                                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452228
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorInfoLastLocale$_free$_abort
                                                          • String ID:
                                                          • API String ID: 2829624132-0
                                                          • Opcode ID: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
                                                          • Instruction ID: 4b80d7ab7a7ff47978e382ad652e238d088576b56b9f239e8998609391b98480
                                                          • Opcode Fuzzy Hash: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
                                                          • Instruction Fuzzy Hash: B961C1315006079BDB289F25CE82BBB77A8FF05306F1041ABED15C6642F7B89D89DB58
                                                          APIs
                                                          • IsDebuggerPresent.KERNEL32 ref: 0043BC1A
                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC24
                                                          • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC31
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                          • String ID:
                                                          • API String ID: 3906539128-0
                                                          • Opcode ID: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
                                                          • Instruction ID: cbfc558a7ca4bb69983b526de44ffd1abc81b2e56a4044740c9350c1ecaeaada
                                                          • Opcode Fuzzy Hash: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
                                                          • Instruction Fuzzy Hash: E131C27590121DABCB21DF65DD89BCDBBB8AF08311F5051EAE80CA6251EB349F858F48
                                                          APIs
                                                          • GetCurrentProcess.KERNEL32(?,?,0044328B,?), ref: 004432D6
                                                          • TerminateProcess.KERNEL32(00000000,?,0044328B,?), ref: 004432DD
                                                          • ExitProcess.KERNEL32 ref: 004432EF
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Process$CurrentExitTerminate
                                                          • String ID:
                                                          • API String ID: 1703294689-0
                                                          APIs
                                                          • OpenClipboard.USER32(00000000), ref: 0040B711
                                                          • GetClipboardData.USER32(0000000D), ref: 0040B71D
                                                          • CloseClipboard.USER32 ref: 0040B725
                                                          Similarity
                                                          • API ID: Clipboard$CloseDataOpen
                                                          • String ID:
                                                          • API String ID: 2058664381-0
                                                          Similarity
                                                          • API ID:
                                                          • String ID: .
                                                          • API String ID: 0-248832578
                                                          APIs
                                                            • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                                            • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                                            • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                                            • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                                          • EnumSystemLocalesW.KERNEL32(004520C3,00000001,00000000,?,lJD,?,004526F0,00000000,?,?,?), ref: 0045200D
                                                          Similarity
                                                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                          • String ID: lJD
                                                          • API String ID: 1084509184-3316369744
                                                          APIs
                                                            • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                                            • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                                            • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                                            • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                                          • EnumSystemLocalesW.KERNEL32(00452313,00000001,?,?,lJD,?,004526B4,lJD,?,?,?,?,?,00444A6C,?,?), ref: 00452082
                                                          Similarity
                                                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                          • String ID: lJD
                                                          • API String ID: 1084509184-3316369744
                                                          APIs
                                                          • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004444CA,?,00000004), ref: 00448940
                                                          Similarity
                                                          • API ID: InfoLocale
                                                          • String ID: GetLocaleInfoEx
                                                          • API String ID: 2299586839-2904428671
                                                          APIs
                                                          • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37,?,?,?,?,?), ref: 004120E7
                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 004120EE
                                                          Similarity
                                                          • API ID: Heap$FreeProcess
                                                          • String ID:
                                                          • API String ID: 3859560861-0
                                                          APIs
                                                          • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434C6B
                                                          Similarity
                                                          • API ID: FeaturePresentProcessor
                                                          • String ID:
                                                          • API String ID: 2325560087-0
                                                          APIs
                                                            • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                                            • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                                            • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                                            • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                                            • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                                            • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452367
                                                          Similarity
                                                          • API ID: ErrorLast$_free$InfoLocale_abort
                                                          • String ID:
                                                          • API String ID: 1663032902-0
                                                          APIs
                                                            • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                                            • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                                            • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                                            • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                                          • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004522E1,00000000,00000000,?), ref: 0045256F
                                                          Similarity
                                                          • API ID: ErrorLast$InfoLocale_abort_free
                                                          • String ID:
                                                          • API String ID: 2692324296-0
                                                          APIs
                                                            • Part of subcall function 00445888: EnterCriticalSection.KERNEL32(-0006D41D,?,00442FDB,00000000,0046E928,0000000C,00442F96,?,?,?,00445B26,?,?,004482CA,00000001,00000364), ref: 00445897
                                                          • EnumSystemLocalesW.KERNEL32(004483BE,00000001,0046EAD0,0000000C), ref: 0044843C
                                                          Similarity
                                                          • API ID: CriticalEnterEnumLocalesSectionSystem
                                                          • String ID:
                                                          • API String ID: 1272433827-0
                                                          APIs
                                                            • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                                            • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                                            • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                                            • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                                          • EnumSystemLocalesW.KERNEL32(00451EA7,00000001,?,?,?,00452712,lJD,?,?,?,?,?,00444A6C,?,?,?), ref: 00451F87
                                                          Similarity
                                                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                          • String ID:
                                                          • API String ID: 1084509184-0
                                                          APIs
                                                          • SetUnhandledExceptionFilter.KERNEL32(Function_00034B53,0043487A), ref: 00434B4C
                                                          Similarity
                                                          • API ID: ExceptionFilterUnhandled
                                                          • String ID:
                                                          • API String ID: 3192549508-0
                                                          APIs
                                                          • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418E90
                                                          • CreateCompatibleDC.GDI32(00000000), ref: 00418E9D
                                                            • Part of subcall function 00419325: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419355
                                                          • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F13
                                                          • DeleteDC.GDI32(00000000), ref: 00418F2A
                                                          • DeleteDC.GDI32(00000000), ref: 00418F2D
                                                          • DeleteObject.GDI32(00000000), ref: 00418F30
                                                          • SelectObject.GDI32(00000000,00000000), ref: 00418F51
                                                          • DeleteDC.GDI32(00000000), ref: 00418F62
                                                          • DeleteDC.GDI32(00000000), ref: 00418F65
                                                          • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418F89
                                                          • GetIconInfo.USER32(?,?), ref: 00418FBD
                                                          • DeleteObject.GDI32(?), ref: 00418FEC
                                                          • DeleteObject.GDI32(?), ref: 00418FF9
                                                          • DrawIcon.USER32(00000000,?,?,?), ref: 00419006
                                                          • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0041903C
                                                          • GetObjectA.GDI32(00000000,00000018,?), ref: 00419068
                                                          • LocalAlloc.KERNEL32(00000040,00000001), ref: 004190D5
                                                          • GlobalAlloc.KERNEL32(00000000,?), ref: 00419144
                                                          • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00419168
                                                          • DeleteDC.GDI32(?), ref: 0041917C
                                                          • DeleteDC.GDI32(00000000), ref: 0041917F
                                                          • DeleteObject.GDI32(00000000), ref: 00419182
                                                          • GlobalFree.KERNEL32(?), ref: 0041918D
                                                          • DeleteObject.GDI32(00000000), ref: 00419241
                                                          • GlobalFree.KERNEL32(?), ref: 00419248
                                                          • DeleteDC.GDI32(?), ref: 00419258
                                                          • DeleteDC.GDI32(00000000), ref: 00419263
                                                          Similarity
                                                          • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                                                          • String ID: DISPLAY
                                                          • API String ID: 479521175-865373369
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418136
                                                          • GetProcAddress.KERNEL32(00000000), ref: 00418139
                                                          • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 0041814A
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041814D
                                                          • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041815E
                                                          • GetProcAddress.KERNEL32(00000000), ref: 00418161
                                                          • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00418172
                                                          • GetProcAddress.KERNEL32(00000000), ref: 00418175
                                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217
                                                          • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041822F
                                                          • GetThreadContext.KERNEL32(?,00000000), ref: 00418245
                                                          • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0041826B
                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004182ED
                                                          • TerminateProcess.KERNEL32(?,00000000), ref: 00418301
                                                          • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418341
                                                          • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041840B
                                                          • SetThreadContext.KERNEL32(?,00000000), ref: 00418428
                                                          • ResumeThread.KERNEL32(?), ref: 00418435
                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041844C
                                                          • GetCurrentProcess.KERNEL32(?), ref: 00418457
                                                          • TerminateProcess.KERNEL32(?,00000000), ref: 00418472
                                                          • GetLastError.KERNEL32 ref: 0041847A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Similarity
                                                          • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                          • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$`#v$ntdll
                                                          • API String ID: 4188446516-108836778
                                                          • Opcode ID: 89e9824b65005418a7066967bf7851544621f3057e11158cf19ce55185e759a5
                                                          • Instruction ID: 216cb1b436b1bb1c0a39989cd20dfb1fea14fcd849b5832ba41dfff5d3f22c39
                                                          • Opcode Fuzzy Hash: 89e9824b65005418a7066967bf7851544621f3057e11158cf19ce55185e759a5
                                                          • Instruction Fuzzy Hash: EDA16E70604305AFDB208F64CC85BAB7BE8FF48705F04482EF595D6291EB78D844CB1A
                                                          APIs
                                                            • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                                                            • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D51D
                                                          • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D530
                                                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D549
                                                          • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D579
                                                            • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
                                                            • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                                                            • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,pth_unenc), ref: 0040B8D5
                                                            • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466468,00000000,00000000,0040D3F9,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C430
                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D7C4
                                                          • ExitProcess.KERNEL32 ref: 0040D7D0
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Similarity
                                                          • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                          • String ID: """, 0$")$0qF$0qF$8SG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                                          • API String ID: 1861856835-332907002
                                                          • Opcode ID: e9f8996b9413f065d588b702d7c496c9e290e02a5e9f4f4bb55cf67c86df2bed
                                                          • Instruction ID: f0dedf37b1d13a6a68a2ae87fd6fc042f686ba0b246118386f774540a9e6bc24
                                                          • Opcode Fuzzy Hash: e9f8996b9413f065d588b702d7c496c9e290e02a5e9f4f4bb55cf67c86df2bed
                                                          • Instruction Fuzzy Hash: 2191A4716082005AC315FB62D8529AFB7A9AF91309F10443FB14AA71E3FF7C9D49C65E
                                                          APIs
                                                            • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                                                            • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1A5
                                                          • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1B8
                                                          • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E8
                                                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1F7
                                                            • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
                                                            • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                                                            • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,pth_unenc), ref: 0040B8D5
                                                            • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,76233530,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D412
                                                          • ExitProcess.KERNEL32 ref: 0040D419
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Similarity
                                                          • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                          • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hpF$open$pth_unenc$wend$while fso.FileExists("
                                                          • API String ID: 3797177996-2557013105
                                                          • Opcode ID: 622902c84db1d26943d281a003d45daafdd4eec93442fd148fd25107dc5c202e
                                                          • Instruction ID: d7bb7cf55c4450259501d0c3086a2d123ad94ece798773e978a9ab54bd012bbb
                                                          • Opcode Fuzzy Hash: 622902c84db1d26943d281a003d45daafdd4eec93442fd148fd25107dc5c202e
                                                          • Instruction Fuzzy Hash: 9081B0716082005BC715FB62D8529AF77A8AFD1308F10483FB586A71E2EF7C9E49C65E
                                                          APIs
                                                          • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 00412494
                                                          • ExitProcess.KERNEL32(00000000), ref: 004124A0
                                                          • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041251A
                                                          • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412529
                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00412534
                                                          • CloseHandle.KERNEL32(00000000), ref: 0041253B
                                                          • GetCurrentProcessId.KERNEL32 ref: 00412541
                                                          • PathFileExistsW.SHLWAPI(?), ref: 00412572
                                                          • GetTempPathW.KERNEL32(00000104,?), ref: 004125D5
                                                          • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 004125EF
                                                          • lstrcatW.KERNEL32(?,.exe), ref: 00412601
                                                            • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466468,00000000,00000000,0040D3F9,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C430
                                                          • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00412641
                                                          • Sleep.KERNEL32(000001F4), ref: 00412682
                                                          • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412697
                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126A2
                                                          • CloseHandle.KERNEL32(00000000), ref: 004126A9
                                                          • GetCurrentProcessId.KERNEL32 ref: 004126AF
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Similarity
                                                          • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                                          • String ID: .exe$8SG$WDH$exepath$open$temp_
                                                          • API String ID: 2649220323-436679193
                                                          • Opcode ID: 908bf4a0c636080116a95eb017d82998fcf2f5d0d03184f54df3d938f2d2222d
                                                          • Instruction ID: 17e21f0bcac096b9b94ced5306d028ab2385f4d1d2402c2ee3c492442eb82615
                                                          • Opcode Fuzzy Hash: 908bf4a0c636080116a95eb017d82998fcf2f5d0d03184f54df3d938f2d2222d
                                                          • Instruction Fuzzy Hash: 4651B371A00315BBDB10ABA09C9AEFE336D9B04715F10406BF502E71D2EFBC8E85865D
                                                          APIs
                                                          • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B13C
                                                          • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B150
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660A4), ref: 0041B178
                                                          • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B18E
                                                          • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B1CF
                                                          • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B1E7
                                                          • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B1FC
                                                          • SetEvent.KERNEL32 ref: 0041B219
                                                          • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B22A
                                                          • CloseHandle.KERNEL32 ref: 0041B23A
                                                          • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B25C
                                                          • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B266
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Similarity
                                                          • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                          • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                                                          • API String ID: 738084811-2094122233
                                                          • Opcode ID: 3185081fef31f50e7fd3d82a9eeabdb956d7aa56e174b345bc10df65dc5ab0bc
                                                          • Instruction ID: fe650b41180b39ed17604f18bcb9a712e211fca36760164052b554565c231c06
                                                          • Opcode Fuzzy Hash: 3185081fef31f50e7fd3d82a9eeabdb956d7aa56e174b345bc10df65dc5ab0bc
                                                          • Instruction Fuzzy Hash: 0351A3B12842056AD314B771DC96ABF379CDB84358F10043FB64A521E2EF788D48CA6E
                                                          APIs
                                                          • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                                          • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                                                          • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                                                          • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                                                          • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                                                          • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                                                          • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                                                          • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                                                          • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                                                          • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                                                          • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                                                          • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                                                          • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                                                          • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Similarity
                                                          • API ID: File$Write$Create
                                                          • String ID: RIFF$WAVE$data$fmt
                                                          • API String ID: 1602526932-4212202414
                                                          • Opcode ID: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
                                                          • Instruction ID: 2ec91bc18be8700290cedec85ec8f66933089e8d2246bcc6fed4c3761e19f715
                                                          • Opcode Fuzzy Hash: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
                                                          • Instruction Fuzzy Hash: EB414E72644308BAE210DA51DD86FBB7EECEB89B50F40441AF644D60C0D7A4E909DBB3
                                                          APIs
                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe,00000001,0040764D,C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe,00000003,00407675,004752D8,004076CE), ref: 00407284
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0040728D
                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072A2
                                                          • GetProcAddress.KERNEL32(00000000), ref: 004072A5
                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072B6
                                                          • GetProcAddress.KERNEL32(00000000), ref: 004072B9
                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 004072CA
                                                          • GetProcAddress.KERNEL32(00000000), ref: 004072CD
                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 004072DE
                                                          • GetProcAddress.KERNEL32(00000000), ref: 004072E1
                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 004072F2
                                                          • GetProcAddress.KERNEL32(00000000), ref: 004072F5
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Similarity
                                                          • API ID: AddressHandleModuleProc
                                                          • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                          • API String ID: 1646373207-3667453779
                                                          • Opcode ID: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
                                                          • Instruction ID: f839149ce94c73eee9bda0254407c114f4740b95dc73f4bc012c28e2a4ae17e7
                                                          • Opcode Fuzzy Hash: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
                                                          • Instruction Fuzzy Hash: 520171E0E4431676DB216F3A6C54D4B6F9C9E5125131A087BB409E2292FEBCE800CE6D
                                                          APIs
                                                          • _wcslen.LIBCMT ref: 0040CE07
                                                          • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE20
                                                          • CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CED0
                                                          • _wcslen.LIBCMT ref: 0040CEE6
                                                          • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CF6E
                                                          • CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe,00000000,00000000), ref: 0040CF84
                                                          • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFC3
                                                          • _wcslen.LIBCMT ref: 0040CFC6
                                                          • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFDD
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D02D
                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000001), ref: 0040D04B
                                                          • ExitProcess.KERNEL32 ref: 0040D062
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Similarity
                                                          • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                                          • String ID: 6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe$del$open
                                                          • API String ID: 1579085052-2091100752
                                                          • Opcode ID: 13f7aa7ccb2e11be31f7ad96e96a4d93445e7550d40e25192285b95e595fa052
                                                          • Instruction ID: 6918cae47ac4af68ec004dabb58255b0e3542cbe00f5913d2fcd66cab837b2ae
                                                          • Opcode Fuzzy Hash: 13f7aa7ccb2e11be31f7ad96e96a4d93445e7550d40e25192285b95e595fa052
                                                          • Instruction Fuzzy Hash: CA51A620208302ABD605B7659C92A6F679D9F84719F10443FF609A62E3EFBC9D05866E
                                                          APIs
                                                          • lstrlenW.KERNEL32(?), ref: 0041C036
                                                          • _memcmp.LIBVCRUNTIME ref: 0041C04E
                                                          • lstrlenW.KERNEL32(?), ref: 0041C067
                                                          • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C0A2
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C0B5
                                                          • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C0F9
                                                          • lstrcmpW.KERNEL32(?,?), ref: 0041C114
                                                          • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C12C
                                                          • _wcslen.LIBCMT ref: 0041C13B
                                                          • FindVolumeClose.KERNEL32(?), ref: 0041C15B
                                                          • GetLastError.KERNEL32 ref: 0041C173
                                                          • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C1A0
                                                          • lstrcatW.KERNEL32(?,?), ref: 0041C1B9
                                                          • lstrcpyW.KERNEL32(?,?), ref: 0041C1C8
                                                          • GetLastError.KERNEL32 ref: 0041C1D0
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Similarity
                                                          • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                          • String ID: ?
                                                          • API String ID: 3941738427-1684325040
                                                          • Opcode ID: 8bb61c95002590c369f4a1d7d05134d86b2ad7932cc4dc2ebb1cdf4d201e776a
                                                          • Instruction ID: a349862c8cee18361e8dc915c9858c0b302c9409c899df8dda18ff866c7f94c5
                                                          • Opcode Fuzzy Hash: 8bb61c95002590c369f4a1d7d05134d86b2ad7932cc4dc2ebb1cdf4d201e776a
                                                          • Instruction Fuzzy Hash: 8B416171584316EBD720DFA0DC889EB77ECAB49755F00092BF545C2261EB78C988CBDA
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Similarity
                                                          • API ID: _free$EnvironmentVariable$_wcschr
                                                          • String ID:
                                                          • API String ID: 3899193279-0
                                                          • Opcode ID: 12b2d8700cfafab1c51f31b0af1c60b5a90c67e430b3d12670f3d9796c815c4a
                                                          • Instruction ID: f75d98bba309171a1893162bbba9979c566f834f65d54a181aa040c21db392b6
                                                          • Opcode Fuzzy Hash: 12b2d8700cfafab1c51f31b0af1c60b5a90c67e430b3d12670f3d9796c815c4a
                                                          • Instruction Fuzzy Hash: C4D13672D007006BFB20AF799D81A6B77A4EF01318F05427FE919A7382EB3D99058799
                                                          APIs
                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412ACD
                                                            • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,76233530,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
                                                            • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                                                            • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                                                          • Sleep.KERNEL32(0000000A,00465E74), ref: 00412C1F
                                                          • Sleep.KERNEL32(0000000A,00465E74,00465E74), ref: 00412CC1
                                                          • Sleep.KERNEL32(0000000A,00465E74,00465E74,00465E74), ref: 00412D63
                                                          • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DC5
                                                          • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DFC
                                                          • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412E38
                                                          • Sleep.KERNEL32(000001F4,00465E74,00465E74,00465E74), ref: 00412E52
                                                          • Sleep.KERNEL32(00000064), ref: 00412E94
                                                            • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                          • String ID: /stext "$0TG$0TG$NG$NG
                                                          • API String ID: 1223786279-2576077980
                                                          • Opcode ID: bc7e362d57d7670180143ae5cce880ef26dc034d902ff58de5e25bf17600ed29
                                                          • Instruction ID: 3b0169c2c8bc9f0d695cedb60fdc7b81a1931596247e975dd6f1dc47d42db627
                                                          • Opcode Fuzzy Hash: bc7e362d57d7670180143ae5cce880ef26dc034d902ff58de5e25bf17600ed29
                                                          • Instruction Fuzzy Hash: 990255311083418AC325FB62D851AEFB3E5AFD4348F50483EF58A971E2EF785A49C65A
                                                          APIs
                                                          • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
                                                          • LoadLibraryA.KERNEL32(?), ref: 00414E17
                                                          • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
                                                          • FreeLibrary.KERNEL32(00000000), ref: 00414E3E
                                                          • LoadLibraryA.KERNEL32(?), ref: 00414E76
                                                          • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
                                                          • FreeLibrary.KERNEL32(00000000), ref: 00414E8F
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
                                                          • FreeLibrary.KERNEL32(00000000), ref: 00414EB5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                          • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                                          • API String ID: 2490988753-744132762
                                                          • Opcode ID: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
                                                          • Instruction ID: d7a8240acd80c680e6a706eb94e62412fcb65bdb905c2e3468e0ccb64a1f64dc
                                                          • Opcode Fuzzy Hash: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
                                                          • Instruction Fuzzy Hash: 8C31D5B1902315A7C320EF65DC84EDBB7D8AF84744F004A2AF94893250D778DD858BEE
                                                          APIs
                                                          • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C6B1
                                                          • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041C6F5
                                                          • RegCloseKey.ADVAPI32(?), ref: 0041C9BF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseEnumOpen
                                                          • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                                          • API String ID: 1332880857-3714951968
                                                          • Opcode ID: 01bc9fe353fd2bad3d2e5d6b02442aa3bdaad2c57b214901d2918a8b4713c134
                                                          • Instruction ID: af0903b0dab8fbea49832074ad132f154b97281cd99b968e1e8b6bf9777b958e
                                                          • Opcode Fuzzy Hash: 01bc9fe353fd2bad3d2e5d6b02442aa3bdaad2c57b214901d2918a8b4713c134
                                                          • Instruction Fuzzy Hash: 248144711083419BC325EF11D851EEFB7E8BF94309F10492FB589921A1FF78AE49CA5A
                                                          APIs
                                                          • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D5DA
                                                          • GetCursorPos.USER32(?), ref: 0041D5E9
                                                          • SetForegroundWindow.USER32(?), ref: 0041D5F2
                                                          • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D60C
                                                          • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D65D
                                                          • ExitProcess.KERNEL32 ref: 0041D665
                                                          • CreatePopupMenu.USER32 ref: 0041D66B
                                                          • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D680
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                          • String ID: Close
                                                          • API String ID: 1657328048-3535843008
                                                          • Opcode ID: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                                                          • Instruction ID: 483e3be36cf21f9f431d69439bfbb75804d706e25d1e382f075e68ac53faeb55
                                                          • Opcode Fuzzy Hash: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                                                          • Instruction Fuzzy Hash: 392127B1944208FFDB194FA4ED0EAAA3B65FB08342F000135FA0A950B1D775EDA1EB5D
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$Info
                                                          • String ID:
                                                          • API String ID: 2509303402-0
                                                          • Opcode ID: 9a1e8def710a50f9e802e5816f878b52a4fdf116ee4a506070fe770fe0ef34d2
                                                          • Instruction ID: 88ee944febda996c7adaaf7605242af7944d99fb061a5fd2e4f26fad8993db39
                                                          • Opcode Fuzzy Hash: 9a1e8def710a50f9e802e5816f878b52a4fdf116ee4a506070fe770fe0ef34d2
                                                          • Instruction Fuzzy Hash: 75B1CD719006059FEF20DF69C881BEEBBB4FF09304F14412EF5A8A7242D6799D45CB65
                                                          APIs
                                                          • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408CE3
                                                          • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D1B
                                                          • __aulldiv.LIBCMT ref: 00408D4D
                                                            • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                            • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                          • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408E70
                                                          • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408E8B
                                                          • CloseHandle.KERNEL32(00000000), ref: 00408F64
                                                          • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FAE
                                                          • CloseHandle.KERNEL32(00000000), ref: 00408FFC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                                          • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
                                                          • API String ID: 3086580692-2582957567
                                                          • Opcode ID: 72fad283c4fe1643dee5b4a459ce18e644925f4e3f1a855a4ff9453ab0215ac4
                                                          • Instruction ID: 4fd1ef8f0950b8c70c5ee12d710945c0a569e6ad21e20d2a74dcf75f3ec9a52d
                                                          • Opcode Fuzzy Hash: 72fad283c4fe1643dee5b4a459ce18e644925f4e3f1a855a4ff9453ab0215ac4
                                                          • Instruction Fuzzy Hash: 95B193716083409BC314FB25C982AAFB7E5AFC4354F50492FF589622D2EF789945CB8B
                                                          APIs
                                                          • Sleep.KERNEL32(00001388), ref: 0040A740
                                                            • Part of subcall function 0040A675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                                                            • Part of subcall function 0040A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                                                            • Part of subcall function 0040A675: Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                                                            • Part of subcall function 0040A675: CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
                                                          • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A77C
                                                          • GetFileAttributesW.KERNEL32(00000000), ref: 0040A78D
                                                          • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7A4
                                                          • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A81E
                                                            • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                                                          • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466468,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A927
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                          • String ID: 8SG$8SG$pQG$pQG$PG$PG
                                                          • API String ID: 3795512280-1152054767
                                                          • Opcode ID: 6f73b5aa983a983c729dc0a6f3b495559223a18d1a5043611dd20871b8f51584
                                                          • Instruction ID: 265ddfea45d140738b9a7e0f0353a6f5be26653907181caffe3561bb72ed66c0
                                                          • Opcode Fuzzy Hash: 6f73b5aa983a983c729dc0a6f3b495559223a18d1a5043611dd20871b8f51584
                                                          • Instruction Fuzzy Hash: A7517E716043055ACB09BB32C866ABE739A9F80349F00483FB642B71E2DF7C9D09865E
                                                          APIs
                                                          • ___free_lconv_mon.LIBCMT ref: 0045130A
                                                            • Part of subcall function 00450502: _free.LIBCMT ref: 0045051F
                                                            • Part of subcall function 00450502: _free.LIBCMT ref: 00450531
                                                            • Part of subcall function 00450502: _free.LIBCMT ref: 00450543
                                                            • Part of subcall function 00450502: _free.LIBCMT ref: 00450555
                                                            • Part of subcall function 00450502: _free.LIBCMT ref: 00450567
                                                            • Part of subcall function 00450502: _free.LIBCMT ref: 00450579
                                                            • Part of subcall function 00450502: _free.LIBCMT ref: 0045058B
                                                            • Part of subcall function 00450502: _free.LIBCMT ref: 0045059D
                                                            • Part of subcall function 00450502: _free.LIBCMT ref: 004505AF
                                                            • Part of subcall function 00450502: _free.LIBCMT ref: 004505C1
                                                            • Part of subcall function 00450502: _free.LIBCMT ref: 004505D3
                                                            • Part of subcall function 00450502: _free.LIBCMT ref: 004505E5
                                                            • Part of subcall function 00450502: _free.LIBCMT ref: 004505F7
                                                          • _free.LIBCMT ref: 004512FF
                                                            • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                                            • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                                          • _free.LIBCMT ref: 00451321
                                                          • _free.LIBCMT ref: 00451336
                                                          • _free.LIBCMT ref: 00451341
                                                          • _free.LIBCMT ref: 00451363
                                                          • _free.LIBCMT ref: 00451376
                                                          • _free.LIBCMT ref: 00451384
                                                          • _free.LIBCMT ref: 0045138F
                                                          • _free.LIBCMT ref: 004513C7
                                                          • _free.LIBCMT ref: 004513CE
                                                          • _free.LIBCMT ref: 004513EB
                                                          • _free.LIBCMT ref: 00451403
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                          • String ID:
                                                          • API String ID: 161543041-0
                                                          • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                                          • Instruction ID: 673b37a441ff9bbb7eb6cd98574e5fa8379d72fae64c09c4febd1ea684bb8cd8
                                                          • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                                          • Instruction Fuzzy Hash: 0E319E315007009FFB20AA7AD845B5B73E8EF0131AF50851FEC68D7662DF78AD448B59
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 00419FB9
                                                          • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 00419FEB
                                                          • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A077
                                                          • Sleep.KERNEL32(000003E8), ref: 0041A0FD
                                                          • GetLocalTime.KERNEL32(?), ref: 0041A105
                                                          • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A1F4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                          • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                                                          • API String ID: 489098229-1431523004
                                                          • Opcode ID: c46b288c88e8fad2cac684537be2f5c8f54ab494b41e10cc9a988c1d5ba90d08
                                                          • Instruction ID: 65e100c03f0dda0ba9a952c873ad8774fe275ee1deca45487f64c7c8a8292b0e
                                                          • Opcode Fuzzy Hash: c46b288c88e8fad2cac684537be2f5c8f54ab494b41e10cc9a988c1d5ba90d08
                                                          • Instruction Fuzzy Hash: E7515D70A00215AACB14BBB5C8529ED7BA9AB44308F40403FF509AB1E2EF7C9D85C799
                                                          APIs
                                                            • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                                                            • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                                                            • Part of subcall function 004136F8: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 00413714
                                                            • Part of subcall function 004136F8: RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,00000000,00000208,?), ref: 0041372D
                                                            • Part of subcall function 004136F8: RegCloseKey.KERNELBASE(00000000), ref: 00413738
                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D859
                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D9B8
                                                          • ExitProcess.KERNEL32 ref: 0040D9C4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                          • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                          • API String ID: 1913171305-3159800282
                                                          • Opcode ID: 636c7451f86ad7dcbf51a7e77965c9df5bd33ebd3fbbde82d92fca028294b8c2
                                                          • Instruction ID: 6fc8d312854778a25908ca85050b1cee1951ef16e4956e50e312a563d71e527c
                                                          • Opcode Fuzzy Hash: 636c7451f86ad7dcbf51a7e77965c9df5bd33ebd3fbbde82d92fca028294b8c2
                                                          • Instruction Fuzzy Hash: 0C413A719001195ACB15FA62DC56DEEB778AF50309F10007FB10AB61E2EF785E4ACA98
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free
                                                          • String ID:
                                                          • API String ID: 269201875-0
                                                          • Opcode ID: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
                                                          • Instruction ID: d910990a8472ee08c0279d8077499983e41ff25138a9859a729e4309013b5263
                                                          • Opcode Fuzzy Hash: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
                                                          • Instruction Fuzzy Hash: E2C17476D40204AFEB20DBA9CC83FDE77B8AB19705F14015AFE05EB283D6B49D458798
                                                          APIs
                                                            • Part of subcall function 004558A9: CreateFileW.KERNEL32(00000000,00000000,?,00455C84,?,?,00000000,?,00455C84,00000000,0000000C), ref: 004558C6
                                                          • GetLastError.KERNEL32 ref: 00455CEF
                                                          • __dosmaperr.LIBCMT ref: 00455CF6
                                                          • GetFileType.KERNEL32(00000000), ref: 00455D02
                                                          • GetLastError.KERNEL32 ref: 00455D0C
                                                          • __dosmaperr.LIBCMT ref: 00455D15
                                                          • CloseHandle.KERNEL32(00000000), ref: 00455D35
                                                          • CloseHandle.KERNEL32(?), ref: 00455E7F
                                                          • GetLastError.KERNEL32 ref: 00455EB1
                                                          • __dosmaperr.LIBCMT ref: 00455EB8
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                          • String ID: H
                                                          • API String ID: 4237864984-2852464175
                                                          • Opcode ID: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
                                                          • Instruction ID: f4290dc4267d91ba683862cdaabef3013db21248f4240db41616def06e578eae
                                                          • Opcode Fuzzy Hash: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
                                                          • Instruction Fuzzy Hash: D5A155329106049FDF19AF68DC617BE3BA0EB06325F14415EEC11EB392CB398D5ACB59
                                                          APIs
                                                          • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453E2F
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453EB2
                                                          • __alloca_probe_16.LIBCMT ref: 00453EEA
                                                          • MultiByteToWideChar.KERNEL32(00000001,00000001,?,00000001,00000000,\@E,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F45
                                                          • __alloca_probe_16.LIBCMT ref: 00453F94
                                                          • MultiByteToWideChar.KERNEL32(00000001,00000009,00000001,00000000,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F5C
                                                            • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                                          • MultiByteToWideChar.KERNEL32(00000001,00000001,00000001,00000000,00000000,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FD8
                                                          • __freea.LIBCMT ref: 00454003
                                                          • __freea.LIBCMT ref: 0045400F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                          • String ID: \@E
                                                          • API String ID: 201697637-1814623452
                                                          • Opcode ID: 8eef1abf2eabe479dcae4f9af76b753aa7ed0f98d759a8922b1bbfff7f4a22fd
                                                          • Instruction ID: bd5a1837779a5f2dcb5c2ea5aeb828518df7829aba760434011a70bbc407b236
                                                          • Opcode Fuzzy Hash: 8eef1abf2eabe479dcae4f9af76b753aa7ed0f98d759a8922b1bbfff7f4a22fd
                                                          • Instruction Fuzzy Hash: E391F472E002069ADB209E65CC42AEFBBF59F09756F14052BFC01E7282D739DD89C768
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free
                                                          • String ID: \&G$\&G$`&G
                                                          • API String ID: 269201875-253610517
                                                          • Opcode ID: 39b9b6c8608080d28b2e7f7cf5284200a3a4a806653a89cbfef4e0f35c26d023
                                                          • Instruction ID: 0b3297c67b001fbc5a9f4fbe1fd197d652097ca420ae28a40b4f72db8b3ed5d1
                                                          • Opcode Fuzzy Hash: 39b9b6c8608080d28b2e7f7cf5284200a3a4a806653a89cbfef4e0f35c26d023
                                                          • Instruction Fuzzy Hash: 77610475900204AFDB20CFA9C882B9ABBF4EF05315F14416BED58EB342D774AD458B98
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 65535$udp
                                                          • API String ID: 0-1267037602
                                                          • Opcode ID: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
                                                          • Instruction ID: ff24d6befd6f0703c902a6165bd45161ed4db0fb5f75d2635e7e580b9b2721aa
                                                          • Opcode Fuzzy Hash: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
                                                          • Instruction Fuzzy Hash: EF51E7756093019FDB209B58E9057BB37A4AFC4755F08082FF881973A1E76DCCC1865E
                                                          APIs
                                                          • __Init_thread_footer.LIBCMT ref: 0040AD38
                                                          • Sleep.KERNEL32(000001F4), ref: 0040AD43
                                                          • GetForegroundWindow.USER32 ref: 0040AD49
                                                          • GetWindowTextLengthW.USER32(00000000), ref: 0040AD52
                                                          • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040AD86
                                                          • Sleep.KERNEL32(000003E8), ref: 0040AE54
                                                            • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                          • String ID: [${ User has been idle for $ minutes }$]
                                                          • API String ID: 911427763-3954389425
                                                          • Opcode ID: 1fd890e2d21f894b0b3b077f7e4e96656cdfff5721ec9a02ea1a5f8763c76f61
                                                          • Instruction ID: 3d5ee5432c15115af2c0f1375ae13a0ba8112eb59c463c5c733e63bb31497985
                                                          • Opcode Fuzzy Hash: 1fd890e2d21f894b0b3b077f7e4e96656cdfff5721ec9a02ea1a5f8763c76f61
                                                          • Instruction Fuzzy Hash: 6D51B1316043419BD314FB21D846AAE7796AB84308F50093FF586A22E2EF7C9D45C69F
                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A892
                                                          • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A89F
                                                          • __dosmaperr.LIBCMT ref: 0043A8A6
                                                          • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8D2
                                                          • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8DC
                                                          • __dosmaperr.LIBCMT ref: 0043A8E3
                                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A926
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A930
                                                          • __dosmaperr.LIBCMT ref: 0043A937
                                                          • _free.LIBCMT ref: 0043A943
                                                          • _free.LIBCMT ref: 0043A94A
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                          • String ID:
                                                          • API String ID: 2441525078-0
                                                          • Opcode ID: fa4da05dd8a67754de1a03f94d01cde04b55035fab5c02a195002bcca7332aec
                                                          • Instruction ID: 785efe6d9c8e3fffb8b85045f967b8474775cb8629fdf0d32462ae01257f7f2e
                                                          • Opcode Fuzzy Hash: fa4da05dd8a67754de1a03f94d01cde04b55035fab5c02a195002bcca7332aec
                                                          • Instruction Fuzzy Hash: FF31F57140420AFFDF01AFA5CC45DAF3B68EF09325F10021AF950662A1DB38CD21DB6A
                                                          APIs
                                                          • SetEvent.KERNEL32(?,?), ref: 004054BF
                                                          • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                                                          • TranslateMessage.USER32(?), ref: 0040557E
                                                          • DispatchMessageA.USER32(?), ref: 00405589
                                                          • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                                                          • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                                                            • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                          • String ID: CloseChat$DisplayMessage$GetMessage
                                                          • API String ID: 2956720200-749203953
                                                          • Opcode ID: 1596478972ce96747ca32779f183717890ad831c566256f19ff3d4655c30f502
                                                          • Instruction ID: c1940132788662b917c5ec79ff16bb55de46c7435784779dc5fc992d72e4b12f
                                                          • Opcode Fuzzy Hash: 1596478972ce96747ca32779f183717890ad831c566256f19ff3d4655c30f502
                                                          • Instruction Fuzzy Hash: CE41A171604701ABCB14FB75DC5A86F37A9AB85704F40093EF916A36E1EF3C8905CB9A
                                                          APIs
                                                            • Part of subcall function 00417F2C: __EH_prolog.LIBCMT ref: 00417F31
                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660A4), ref: 00417DDC
                                                          • CloseHandle.KERNEL32(00000000), ref: 00417DE5
                                                          • DeleteFileA.KERNEL32(00000000), ref: 00417DF4
                                                          • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DA8
                                                            • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                                          • String ID: 0VG$0VG$<$@$Temp
                                                          • API String ID: 1704390241-2575729100
                                                          • Opcode ID: 80039bebc9300f329d7d4246b0ce8421c0d0be0a5475c1be6c4e1aa994d609e9
                                                          • Instruction ID: cfce1e327495ca125f9f778a73892d1ad62a3a088d665d9de3c725e9e650d499
                                                          • Opcode Fuzzy Hash: 80039bebc9300f329d7d4246b0ce8421c0d0be0a5475c1be6c4e1aa994d609e9
                                                          • Instruction Fuzzy Hash: 0E415F319002099BCB14FB62DC56AEE7775AF40318F50417EF506764E1EF7C1A8ACB99
                                                          APIs
                                                          • OpenClipboard.USER32 ref: 00416941
                                                          • EmptyClipboard.USER32 ref: 0041694F
                                                          • CloseClipboard.USER32 ref: 00416955
                                                          • OpenClipboard.USER32 ref: 0041695C
                                                          • GetClipboardData.USER32(0000000D), ref: 0041696C
                                                          • GlobalLock.KERNEL32(00000000), ref: 00416975
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                                                          • CloseClipboard.USER32 ref: 00416984
                                                            • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                          • String ID: !D@
                                                          • API String ID: 2172192267-604454484
                                                          • Opcode ID: 4530cadbb14fddee25ef175d735482f5b7b1ecf010632631c9690fb3e5ed724f
                                                          • Instruction ID: 305b70c8a6b081cbeb1fc088e42579eafb4add048c4ccd3ac1cf7446a02d8759
                                                          • Opcode Fuzzy Hash: 4530cadbb14fddee25ef175d735482f5b7b1ecf010632631c9690fb3e5ed724f
                                                          • Instruction Fuzzy Hash: CC015E31214301DFC714BB72DC09AAE77A5AF88742F40047EF906821E2DF38CC44CA69
                                                          APIs
                                                          • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413417
                                                          • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413425
                                                          • GetFileSize.KERNEL32(?,00000000), ref: 00413432
                                                          • UnmapViewOfFile.KERNEL32(00000000), ref: 00413452
                                                          • CloseHandle.KERNEL32(00000000), ref: 0041345F
                                                          • CloseHandle.KERNEL32(?), ref: 00413465
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                                          • String ID:
                                                          • API String ID: 297527592-0
                                                          • Opcode ID: 7389cf943c6bcf248480826047218ee6b0a919d85f38051736b06d81fd75e68c
                                                          • Instruction ID: 9e0538afe5582c7c3c7070a3da709670e2bb39b60280b40541f30be5467d1837
                                                          • Opcode Fuzzy Hash: 7389cf943c6bcf248480826047218ee6b0a919d85f38051736b06d81fd75e68c
                                                          • Instruction Fuzzy Hash: ED41E631108305BBD7109F25DC4AF6B3BACEF89726F10092AFA14D51A2DF38DA40C66E
                                                          APIs
                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB1C
                                                          • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB33
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB40
                                                          • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB4F
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB60
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB63
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Service$CloseHandle$Open$ControlManager
                                                          • String ID:
                                                          • API String ID: 221034970-0
                                                          • Opcode ID: f803f1007c82734b6722f6408504697e53103f3d97c358fc3be63c7478a3d497
                                                          • Instruction ID: 6fbe0b082825830d9e24babaefac53afed48758aa8e56b4d18e4903ff4329a9c
                                                          • Opcode Fuzzy Hash: f803f1007c82734b6722f6408504697e53103f3d97c358fc3be63c7478a3d497
                                                          • Instruction Fuzzy Hash: 41114C71901218AFD711AF64DCC4DFF3B7CDB42B62B000036FA05D2192DB289C46AAFA
                                                          APIs
                                                          • _free.LIBCMT ref: 00448135
                                                            • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                                            • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                                          • _free.LIBCMT ref: 00448141
                                                          • _free.LIBCMT ref: 0044814C
                                                          • _free.LIBCMT ref: 00448157
                                                          • _free.LIBCMT ref: 00448162
                                                          • _free.LIBCMT ref: 0044816D
                                                          • _free.LIBCMT ref: 00448178
                                                          • _free.LIBCMT ref: 00448183
                                                          • _free.LIBCMT ref: 0044818E
                                                          • _free.LIBCMT ref: 0044819C
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast
                                                          • String ID:
                                                          • API String ID: 776569668-0
                                                          • Opcode ID: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
                                                          • Instruction ID: 63500befab30bf138fa449b3e81d3956d19e40097f86fc95f12732a98ce5ff4f
                                                          • Opcode Fuzzy Hash: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
                                                          • Instruction Fuzzy Hash: C211B67A500508BFEB01EF96C842CDD3BA5FF05359B0240AAFA588F222DA35DF509BC5
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Eventinet_ntoa
                                                          • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                                                          • API String ID: 3578746661-3604713145
                                                          • Opcode ID: 05c42a8275862105916410cb05f28230ec4bbfa298c3e0115c38b27023db1ff4
                                                          • Instruction ID: 71dfdc03858149a45142756d2b421c0b7bbb6d70992310a40494c7f1f0681c69
                                                          • Opcode Fuzzy Hash: 05c42a8275862105916410cb05f28230ec4bbfa298c3e0115c38b27023db1ff4
                                                          • Instruction Fuzzy Hash: 0051C131A042015BC614FB36C91AAAE37A5AB85344F40453FF906A76F1EF7C8985C7DE
                                                          APIs
                                                          • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00456FFF), ref: 00455F27
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: DecodePointer
                                                          • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                          • API String ID: 3527080286-3064271455
                                                          • Opcode ID: 629998c7ca290600fade91f32205cb7004f8bc569fe6c3e827db03ba52e3cc78
                                                          • Instruction ID: ff4fc8d1aadbe784407353d8516796ad37925c88dabf63da6293f70e8270e0de
                                                          • Opcode Fuzzy Hash: 629998c7ca290600fade91f32205cb7004f8bc569fe6c3e827db03ba52e3cc78
                                                          • Instruction Fuzzy Hash: 16519F71900909CBCF10CF58E9485BEBBB0FF49306FA14197D841A73A6DB399D298B1E
                                                          APIs
                                                          • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004174F5
                                                            • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                                                          • Sleep.KERNEL32(00000064), ref: 00417521
                                                          • DeleteFileW.KERNEL32(00000000), ref: 00417555
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$CreateDeleteExecuteShellSleep
                                                          • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                          • API String ID: 1462127192-2001430897
                                                          • Opcode ID: 80bc1f01d41e6bb49ab2ea0752573067485f1394140a330d823018e0c212e60a
                                                          • Instruction ID: 51d64fe7c8a5c54eac4555a52c350958ac4104e8f54c8767ba2a87230734c78e
                                                          • Opcode Fuzzy Hash: 80bc1f01d41e6bb49ab2ea0752573067485f1394140a330d823018e0c212e60a
                                                          • Instruction Fuzzy Hash: 1431307194011A9ADB04FB62DC96DED7779AF50309F40017EF606730E2EF785A8ACA9C
                                                          APIs
                                                          • GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 004073DD
                                                          • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407656,C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe), ref: 0040749E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CurrentProcess
                                                          • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                                          • API String ID: 2050909247-4242073005
                                                          • Opcode ID: 1dcac826a5e52bf6061f4ebfcee704f683c74aacb316ad2bc9bf89965cfe4023
                                                          • Instruction ID: f630994b7aed3d2c1b9b8fa2b3e4f68b22e8b08ead4833dea6669ff7d567ef23
                                                          • Opcode Fuzzy Hash: 1dcac826a5e52bf6061f4ebfcee704f683c74aacb316ad2bc9bf89965cfe4023
                                                          • Instruction Fuzzy Hash: 7031A471A04700ABD321FF65ED46F167BB8AB44305F10087EF515A6292E7B8B8448B6F
                                                          APIs
                                                          • _strftime.LIBCMT ref: 00401D50
                                                            • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                                          • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
                                                          • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                                                          • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                          • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                                                          • API String ID: 3809562944-243156785
                                                          • Opcode ID: 2a82ab0076c0d6d6c8320c03c1c844241e91b5265a3fceccd43811ae68df0b86
                                                          • Instruction ID: 027c37fd5a1300b84eaed5fd93cda356eabc1c7fedb6cd9f381e221a57c36ff8
                                                          • Opcode Fuzzy Hash: 2a82ab0076c0d6d6c8320c03c1c844241e91b5265a3fceccd43811ae68df0b86
                                                          • Instruction Fuzzy Hash: 383181315043019FC324EB21DD46A9A77A8EB84314F40443EF18DA21F2EFB89A49CB5E
                                                          APIs
                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00410E6E
                                                          • int.LIBCPMT ref: 00410E81
                                                            • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                                                            • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                                                          • std::_Facet_Register.LIBCPMT ref: 00410EC1
                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00410ECA
                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00410EE8
                                                          • __Init_thread_footer.LIBCMT ref: 00410F29
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                                          • String ID: ,kG$0kG
                                                          • API String ID: 3815856325-2015055088
                                                          • Opcode ID: e0f3714a3daeaf8b288ae2a542907f179217b7f89c568a0a8b7367a1e9159da3
                                                          • Instruction ID: 12cf7b7900226bd12227407fb3b1cbab205c4dd0745ae636880afd2a72082c2f
                                                          • Opcode Fuzzy Hash: e0f3714a3daeaf8b288ae2a542907f179217b7f89c568a0a8b7367a1e9159da3
                                                          • Instruction Fuzzy Hash: 162134329005249BC704EB6AD9428DE37A8EF48324F20056FF804A72D1DBB9AD81CB9D
                                                          APIs
                                                          • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                                                          • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
                                                          • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                                                          • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                                                          • waveInStart.WINMM ref: 00401CFE
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                          • String ID: dMG$|MG$PG
                                                          • API String ID: 1356121797-532278878
                                                          • Opcode ID: f67d326050ea03177529252cfca037bf538e61c655dad41bf55bf31ac8308c8f
                                                          • Instruction ID: ba088f7df0b955e0db37e5e5e2d8d6799d5f59e9c832501e8260ac80857d70f0
                                                          • Opcode Fuzzy Hash: f67d326050ea03177529252cfca037bf538e61c655dad41bf55bf31ac8308c8f
                                                          • Instruction Fuzzy Hash: 53212A71604201AFC739DF6AEE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
                                                          APIs
                                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D476
                                                            • Part of subcall function 0041D50F: RegisterClassExA.USER32(00000030), ref: 0041D55B
                                                            • Part of subcall function 0041D50F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                                                            • Part of subcall function 0041D50F: GetLastError.KERNEL32 ref: 0041D580
                                                          • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D4AD
                                                          • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D4C7
                                                          • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D4DD
                                                          • TranslateMessage.USER32(?), ref: 0041D4E9
                                                          • DispatchMessageA.USER32(?), ref: 0041D4F3
                                                          • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D500
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                          • String ID: Remcos
                                                          • API String ID: 1970332568-165870891
                                                          • Opcode ID: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
                                                          • Instruction ID: 4ccd8a34d55b2cf311069b5b9598b364b65d9d4e2968dcdf9eb94a5ca0393a4d
                                                          • Opcode Fuzzy Hash: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
                                                          • Instruction Fuzzy Hash: AC015271800245EBD7109FA5EC4CFEABB7CEB85705F004026F515930A1D778E885CB98
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f3dd2bc7c5296376d22626ce8c5f791cd342ef098cfd546241479ba3f3a72c86
                                                          • Instruction ID: c2c0890efeac2311cc0422bbb5d66c498191acafde20d8af94b1f6b0c86a236e
                                                          • Opcode Fuzzy Hash: f3dd2bc7c5296376d22626ce8c5f791cd342ef098cfd546241479ba3f3a72c86
                                                          • Instruction Fuzzy Hash: 5AC1D770D04249AFEF11DFA9C881BAEBBB4EF09314F18415AE914A7392C77C9D41CB69
                                                          APIs
                                                            • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                                            • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                                            • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                                            • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                                          • _memcmp.LIBVCRUNTIME ref: 00445423
                                                          • _free.LIBCMT ref: 00445494
                                                          • _free.LIBCMT ref: 004454AD
                                                          • _free.LIBCMT ref: 004454DF
                                                          • _free.LIBCMT ref: 004454E8
                                                          • _free.LIBCMT ref: 004454F4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$ErrorLast$_abort_memcmp
                                                          • String ID: C
                                                          • API String ID: 1679612858-1037565863
                                                          • Opcode ID: 5f790d26fce38988a141c35fe83db3f1b86da0f00427cbe84f4ff193b0889d7e
                                                          • Instruction ID: 551747f29a431029642ca2aca46be5bbca0cbe6c77a4b2ed9ddfbf6361621c56
                                                          • Opcode Fuzzy Hash: 5f790d26fce38988a141c35fe83db3f1b86da0f00427cbe84f4ff193b0889d7e
                                                          • Instruction Fuzzy Hash: B2B13975A016199BEB24DF18C884BAEB7B4FF08308F5045EEE949A7351E774AE90CF44
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: tcp$udp
                                                          • API String ID: 0-3725065008
                                                          • Opcode ID: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                                                          • Instruction ID: c6aeaafd44a905d145cb4251883953767b251f71b123717361be5a5837da4da2
                                                          • Opcode Fuzzy Hash: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                                                          • Instruction Fuzzy Hash: 637177B06083028FDB24CF65C480BABB7E4AFD4395F15442FF88986351E778DD858B9A
                                                          APIs
                                                          • __Init_thread_footer.LIBCMT ref: 004018BE
                                                          • ExitThread.KERNEL32 ref: 004018F6
                                                          • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
                                                            • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                          • String ID: PkG$XMG$NG$NG
                                                          • API String ID: 1649129571-3151166067
                                                          • Opcode ID: f17f11b8b39cffc117ffaa71cd5d18446726339bb65f1098d7a399b3bb622f5a
                                                          • Instruction ID: 5b8630810f78da979eb204bf693be1d55f2004797ab3201abec5cd50ea38d472
                                                          • Opcode Fuzzy Hash: f17f11b8b39cffc117ffaa71cd5d18446726339bb65f1098d7a399b3bb622f5a
                                                          • Instruction Fuzzy Hash: BF41B4312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D49C75E
                                                          APIs
                                                          • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FA4,?,00000000,00407FFC,00000000), ref: 004079C5
                                                          • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A0D
                                                            • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                          • CloseHandle.KERNEL32(00000000,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A4D
                                                          • MoveFileW.KERNEL32(00000000,00000000), ref: 00407A6A
                                                          • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407A95
                                                          • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AA5
                                                            • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(?,000000FF,?,00474EF8,00404C49,00000000,?,?,?,00474EF8,?), ref: 00404BA5
                                                            • Part of subcall function 00404B96: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                          • String ID: .part
                                                          • API String ID: 1303771098-3499674018
                                                          • Opcode ID: f1cb0ead7d2d2b2a1caa9b1fbd2e08d67abddaf9d20ca2f7b8d78d50525d07aa
                                                          • Instruction ID: 3872d967715c28256f57216ae0d43a20e9ded80e7ed52efebe816600842ab993
                                                          • Opcode Fuzzy Hash: f1cb0ead7d2d2b2a1caa9b1fbd2e08d67abddaf9d20ca2f7b8d78d50525d07aa
                                                          • Instruction Fuzzy Hash: 7F318371508341AFC210EB21DC4599FB7A8FF94359F00493EB545A2192EB78EE48CB9A
                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD01,?,?,?,0044AE9A,00000001,00000001,?), ref: 0044ACA3
                                                          • __alloca_probe_16.LIBCMT ref: 0044ACDB
                                                          • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD01,?,?,?,0044AE9A,00000001,00000001,?), ref: 0044AD29
                                                          • __alloca_probe_16.LIBCMT ref: 0044ADC0
                                                          • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AE23
                                                          • __freea.LIBCMT ref: 0044AE30
                                                            • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                                          • __freea.LIBCMT ref: 0044AE39
                                                          • __freea.LIBCMT ref: 0044AE5E
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                          • String ID:
                                                          • API String ID: 3864826663-0
                                                          • Opcode ID: 043ec68b98aa4ebf357a9f59fd7f0775fd90971620a33c89dfc8d53c0e97e0dc
                                                          • Instruction ID: b5b01290aead076256688b5938d42e4b2a7c64905c3dece0b68445a47d4ef5f6
                                                          • Opcode Fuzzy Hash: 043ec68b98aa4ebf357a9f59fd7f0775fd90971620a33c89dfc8d53c0e97e0dc
                                                          • Instruction Fuzzy Hash: 1F513A72680206AFFB258F64CC41EBF77AAEB44714F24462EFC14D6240EB38DC60875A
                                                          APIs
                                                          • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 004199CC
                                                          • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004199ED
                                                          • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A0D
                                                          • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A21
                                                          • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A37
                                                          • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A54
                                                          • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A6F
                                                          • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00419A8B
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InputSend
                                                          • String ID:
                                                          • API String ID: 3431551938-0
                                                          • Opcode ID: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
                                                          • Instruction ID: babcb3f23bbfeda7ed9031f98f3524dfd9ae94bb4b0c65128b251ed995bccade
                                                          • Opcode Fuzzy Hash: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
                                                          • Instruction Fuzzy Hash: CE31B471558349AEE310CF51DC41BEBBBDCEF98B54F00080FF6808A181D2A6A9C88B97
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: __freea$__alloca_probe_16_free
                                                          • String ID: a/p$am/pm$zD
                                                          • API String ID: 2936374016-2723203690
                                                          • Opcode ID: 84f371d37c8f862a2b00ed1c57116dc454e86183856eda82f00282cb6199cad1
                                                          • Instruction ID: 9fbfa546a4d6e8c17a1525f8bb1fcc11d6b56032d3bbc67104e2604220ae0e85
                                                          • Opcode Fuzzy Hash: 84f371d37c8f862a2b00ed1c57116dc454e86183856eda82f00282cb6199cad1
                                                          • Instruction Fuzzy Hash: 6AD1D1B1918206CAFB249F68C845ABBB7B1FF05310F28415BE545AB351D33D9D43CBA9
                                                          APIs
                                                          • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                                                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
                                                          • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413B8B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Enum$InfoQueryValue
                                                          • String ID: [regsplt]$xUG$TG
                                                          • API String ID: 3554306468-1165877943
                                                          • Opcode ID: 7e2048b5b4a15889db9c74ac39567fdb59dd46086023709b3913aff4f04af58e
                                                          • Instruction ID: b9c9d149d6e4de0395087b00820169330fa190b61d8fc59f93bff107e3475f49
                                                          • Opcode Fuzzy Hash: 7e2048b5b4a15889db9c74ac39567fdb59dd46086023709b3913aff4f04af58e
                                                          • Instruction Fuzzy Hash: E5511D72900219AADB11EB95DC85EEFB77DAF04305F10007AF505F6191EF786B48CBA9
                                                          APIs
                                                          • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0044BB31,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B3FE
                                                          • __fassign.LIBCMT ref: 0044B479
                                                          • __fassign.LIBCMT ref: 0044B494
                                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B4BA
                                                          • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BB31,00000000,?,?,?,?,?,?,?,?,?,0044BB31,?), ref: 0044B4D9
                                                          • WriteFile.KERNEL32(?,?,00000001,0044BB31,00000000,?,?,?,?,?,?,?,?,?,0044BB31,?), ref: 0044B512
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                          • String ID:
                                                          • API String ID: 1324828854-0
                                                          • Opcode ID: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                                                          • Instruction ID: 24f44d390d373c30b0d8a34eda065edd0bccebe0da4884afe324d1cece3cc5ea
                                                          • Opcode Fuzzy Hash: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                                                          • Instruction Fuzzy Hash: 0751D270900208AFDB10CFA8D885AEEFBF4EF09305F14856BE955E7292D734D941CBA9
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free
                                                          • String ID: D[E$D[E
                                                          • API String ID: 269201875-3695742444
                                                          • Opcode ID: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
                                                          • Instruction ID: e1ec1e089ae9cf4c30c2343e7c59e1c9a5dba52e91c7d03f0b1416238821c5a9
                                                          • Opcode Fuzzy Hash: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
                                                          • Instruction Fuzzy Hash: 7A415B31A001046BEB216BBA8C4566F3BB4EF41336F96061BFC24D7293DA7C880D566D
                                                          APIs
                                                          • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D46
                                                            • Part of subcall function 00413A55: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                                                            • Part of subcall function 00413A55: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
                                                            • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                          • RegCloseKey.ADVAPI32(00000000,004660A4,004660A4,00466468,00466468,00000071), ref: 00413EB4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseEnumInfoOpenQuerysend
                                                          • String ID: xUG$NG$NG$TG
                                                          • API String ID: 3114080316-2811732169
                                                          • Opcode ID: fc7062b0e2d73897183f332ff677a088385e4ff99dcd0168fd06527908a237fe
                                                          • Instruction ID: 865164b8d80166fcad8b4517e5ed4c9fbafb7c73de3830c3e78154838722fbed
                                                          • Opcode Fuzzy Hash: fc7062b0e2d73897183f332ff677a088385e4ff99dcd0168fd06527908a237fe
                                                          • Instruction Fuzzy Hash: 0B419E316082405BC324F726DC56AEF72959FD1348F40883FF54A671D2EF7C5949866E
                                                          APIs
                                                            • Part of subcall function 0041361B: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 0041363D
                                                            • Part of subcall function 0041361B: RegQueryValueExW.ADVAPI32(?,0040F313,00000000,00000000,?,00000400), ref: 0041365C
                                                            • Part of subcall function 0041361B: RegCloseKey.ADVAPI32(?), ref: 00413665
                                                            • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                                          • _wcslen.LIBCMT ref: 0041B763
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                                          • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                                                          • API String ID: 37874593-122982132
                                                          • Opcode ID: 72adfb785b3f574a19d60f3d41fc94025ad2806abf0e3203f42f61a897081afc
                                                          • Instruction ID: 0af867b59be632d30c611c6dccf556baefac66a2e67262e696d3f692bc65d575
                                                          • Opcode Fuzzy Hash: 72adfb785b3f574a19d60f3d41fc94025ad2806abf0e3203f42f61a897081afc
                                                          • Instruction Fuzzy Hash: 6721A472A002086BDB14BAB58CD6AFE766D9B85328F14043FF405B72C2EE7C9D494269
                                                          APIs
                                                            • Part of subcall function 004135A6: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                                            • Part of subcall function 004135A6: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                                            • Part of subcall function 004135A6: RegCloseKey.KERNELBASE(?), ref: 004135F2
                                                          • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BF6B
                                                          • PathFileExistsA.SHLWAPI(?), ref: 0040BF78
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                          • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                          • API String ID: 1133728706-4073444585
                                                          • Opcode ID: c4bf94da8be876f49cea7471f0be2422906d591350fd81deebf31ce2b361b3bc
                                                          • Instruction ID: 11f9a5ab4d81baf10890d677fe2d2a0774849eb970c5828eb217b404dd8a17fe
                                                          • Opcode Fuzzy Hash: c4bf94da8be876f49cea7471f0be2422906d591350fd81deebf31ce2b361b3bc
                                                          • Instruction Fuzzy Hash: 38215271A4021AA6CB04F7B2CC569EE77699F10704F40017FE506B71D2EF7899498ADE
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 302096fee21974a114d74a9fa8c576cae1dfaff57e1be86c6fc3986ec34d9537
                                                          • Instruction ID: 6cb1fb7365923ae9cd4386fa22a0d7cc2d4bdc50975796c61f51bb0de8f74700
                                                          • Opcode Fuzzy Hash: 302096fee21974a114d74a9fa8c576cae1dfaff57e1be86c6fc3986ec34d9537
                                                          • Instruction Fuzzy Hash: B9110272504214BAEB216F728C0496F3AACEF85326B52422BFD11C7252DE38CC41CAA8
                                                          APIs
                                                          • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466468,00000000,00000000,0040D3F9,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C430
                                                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C44D
                                                          • CloseHandle.KERNEL32(00000000), ref: 0041C459
                                                          • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C46A
                                                          • CloseHandle.KERNEL32(00000000), ref: 0041C477
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$CloseHandle$CreatePointerWrite
                                                          • String ID: hpF
                                                          • API String ID: 1852769593-151379673
                                                          • Opcode ID: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                                                          • Instruction ID: 5cb8be75c3dc4c1e2f747800af3fbfd5a98fa41e64789a84fd548ad7506a8702
                                                          • Opcode Fuzzy Hash: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                                                          • Instruction Fuzzy Hash: B0110471288220FFEA104B24ACD9EFB739CEB46375F10462AF592C22C1C7259C81863A
                                                          APIs
                                                            • Part of subcall function 00450C41: _free.LIBCMT ref: 00450C6A
                                                          • _free.LIBCMT ref: 00450F48
                                                            • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                                            • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                                          • _free.LIBCMT ref: 00450F53
                                                          • _free.LIBCMT ref: 00450F5E
                                                          • _free.LIBCMT ref: 00450FB2
                                                          • _free.LIBCMT ref: 00450FBD
                                                          • _free.LIBCMT ref: 00450FC8
                                                          • _free.LIBCMT ref: 00450FD3
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast
                                                          • String ID:
                                                          • API String ID: 776569668-0
                                                          • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                          • Instruction ID: d9348172fd0740f80504453a64c2ebf0df3e8af845a5f6206b1ac0666941ab15
                                                          • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                          • Instruction Fuzzy Hash: B411A231540B04AAD625BB72CC47FCB779CAF0230BF44491EBEED66053D6ACB9085745
                                                          APIs
                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00411170
                                                          • int.LIBCPMT ref: 00411183
                                                            • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                                                            • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                                                          • std::_Facet_Register.LIBCPMT ref: 004111C3
                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 004111CC
                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 004111EA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                          • String ID: (mG
                                                          • API String ID: 2536120697-4059303827
                                                          • Opcode ID: 4358ddd6f05c9e1b133220cf21f5160a6bdd3ecf1c15f3e73f45c2fde7630a6a
                                                          • Instruction ID: 9d9da6683174d9a5c92fa95d325e3547e0845688fcbb555b93a4fb26f280994d
                                                          • Opcode Fuzzy Hash: 4358ddd6f05c9e1b133220cf21f5160a6bdd3ecf1c15f3e73f45c2fde7630a6a
                                                          • Instruction Fuzzy Hash: 1411EB32900518A7CB14BB9AD8058DEBB79DF44354F10456FBE04A72D1DB789D40C7D9
                                                          APIs
                                                          • GetLastError.KERNEL32(?,?,0043A351,004392BE), ref: 0043A368
                                                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A376
                                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A38F
                                                          • SetLastError.KERNEL32(00000000,?,0043A351,004392BE), ref: 0043A3E1
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLastValue___vcrt_
                                                          • String ID:
                                                          • API String ID: 3852720340-0
                                                          • Opcode ID: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
                                                          • Instruction ID: 5d53a0da36a7034647469206452edf011e0dcb0cee8899775f26e7a14c982385
                                                          • Opcode Fuzzy Hash: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
                                                          • Instruction Fuzzy Hash: 7F01283214C3519EA61526796C86A6B2648EB0A7B9F30133FF918815F1EF594C90514D
                                                          APIs
                                                          • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe), ref: 004075D0
                                                            • Part of subcall function 004074FD: _wcslen.LIBCMT ref: 00407521
                                                            • Part of subcall function 004074FD: CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                                                          • CoUninitialize.OLE32 ref: 00407629
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InitializeObjectUninitialize_wcslen
                                                          • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                          • API String ID: 3851391207-4011795141
                                                          • Opcode ID: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                                                          • Instruction ID: 681a2da4e9d4b9e6b45db6330fec0c9e961fb52a18ca78f8243115a9baea1a6b
                                                          • Opcode Fuzzy Hash: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                                                          • Instruction Fuzzy Hash: B201D272B087016BE2245B25DC0EF6B7758DB81729F11083FF902A61C2EBA9BC0145AB
                                                          APIs
                                                          • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BADD
                                                          • GetLastError.KERNEL32 ref: 0040BAE7
                                                          Strings
                                                          • [Chrome Cookies not found], xrefs: 0040BB01
                                                          • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAA8
                                                          • [Chrome Cookies found, cleared!], xrefs: 0040BB0D
                                                          • UserProfile, xrefs: 0040BAAD
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: DeleteErrorFileLast
                                                          • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                          • API String ID: 2018770650-304995407
                                                          • Opcode ID: 1760e3e0d40a85f21b6d805f5d6a4de2d8cd9e2060f798d2c7163d0a527507e4
                                                          • Instruction ID: 6bc0ec4de36c0471385c24d45a27137009bd471b3f80e31671ebbef4da92dce6
                                                          • Opcode Fuzzy Hash: 1760e3e0d40a85f21b6d805f5d6a4de2d8cd9e2060f798d2c7163d0a527507e4
                                                          • Instruction Fuzzy Hash: 08018F31A402095ACA04BBBACD5B8BE7724E912714F50017BF802726E6FE7D5A059ADE
                                                          APIs
                                                          • AllocConsole.KERNEL32(00475338), ref: 0041CDA4
                                                          • ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                                                          • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Console$AllocOutputShowWindow
                                                          • String ID: Remcos v$5.1.0 Pro$CONOUT$
                                                          • API String ID: 2425139147-1043272453
                                                          • Opcode ID: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
                                                          • Instruction ID: 3d4e39fb732e2b6cb40f789e287104da8d9afdf675614735db993d10cd8ea689
                                                          • Opcode Fuzzy Hash: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
                                                          • Instruction Fuzzy Hash: CD0188719803087AD610F7F1DC8BF9D776C5B14705F6004277604A70D3E7BD9954466E
                                                          APIs
                                                            • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                          • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041ADF2
                                                          • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE00
                                                          • Sleep.KERNEL32(00002710), ref: 0041AE07
                                                          • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AE10
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: PlaySound$HandleLocalModuleSleepTime
                                                          • String ID: Alarm triggered$`#v
                                                          • API String ID: 614609389-3049340936
                                                          • Opcode ID: 458a9fadc2ddf1b51f38526f332080559b1bee2397fd5821544ba6e308cf5034
                                                          • Instruction ID: 9c0713ce1321a11b0f254193fe9a85ef30a97b7eb59a64372af151f10574a600
                                                          • Opcode Fuzzy Hash: 458a9fadc2ddf1b51f38526f332080559b1bee2397fd5821544ba6e308cf5034
                                                          • Instruction Fuzzy Hash: 36E01226B44260779620377B6D4FD6F3D28DAC2B5170100BEFA0666192D9580C4586FB
                                                          APIs
                                                          • __allrem.LIBCMT ref: 0043AC69
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AC85
                                                          • __allrem.LIBCMT ref: 0043AC9C
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACBA
                                                          • __allrem.LIBCMT ref: 0043ACD1
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACEF
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                          • String ID:
                                                          • API String ID: 1992179935-0
                                                          • Opcode ID: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
                                                          • Instruction ID: 0cac597ccac2158415e78c81c2c349525783c2449c9f0a8280db41f57d0428da
                                                          • Opcode Fuzzy Hash: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
                                                          • Instruction Fuzzy Hash: CC812B72640706ABE7209F29CC41B5BB3A9EF48324F24552FF590D7781EB7CE9108B5A
                                                          APIs
                                                          • Sleep.KERNEL32(00000000,0040D262), ref: 004044C4
                                                            • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: H_prologSleep
                                                          • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                                                          • API String ID: 3469354165-3054508432
                                                          • Opcode ID: 6f157006139ccf4b8d86a432b5633ede6fd06edeca8eb9c0ae1caa95c8564102
                                                          • Instruction ID: 62663cdee79800d8a54f028f5a980ee1c6790ad11611a7059aef087dab150aaf
                                                          • Opcode Fuzzy Hash: 6f157006139ccf4b8d86a432b5633ede6fd06edeca8eb9c0ae1caa95c8564102
                                                          • Instruction Fuzzy Hash: 5C51E1B1A042116BCA14FB369D0A66E3755ABC5748F00053FFA06677E2EF7C8A45839E
                                                          APIs
                                                            • Part of subcall function 0041179C: SetLastError.KERNEL32(0000000D,00411D1C,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 004117A2
                                                          • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411D37
                                                          • GetNativeSystemInfo.KERNEL32(?,0040D2A2,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411DA5
                                                          • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411DC9
                                                            • Part of subcall function 00411CA3: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411DE7,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CB3
                                                          • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E10
                                                          • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E17
                                                          • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F2A
                                                            • Part of subcall function 00412077: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37,?,?,?,?,?), ref: 004120E7
                                                            • Part of subcall function 00412077: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 004120EE
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                                          • String ID:
                                                          • API String ID: 3950776272-0
                                                          • Opcode ID: 03879881e365d714915aafd98c27fc7559b9a312a1bd96baf04abeae924ccd8f
                                                          • Instruction ID: a5564978de1508fcfe39aaa31f5973b4ee53e0220ffe5d2cf9b9f7f7cc9a58c7
                                                          • Opcode Fuzzy Hash: 03879881e365d714915aafd98c27fc7559b9a312a1bd96baf04abeae924ccd8f
                                                          • Instruction Fuzzy Hash: B661E370601201ABC7109F66C980BAB7BA5BF44744F04411BFA058B7A2E7BCE8D2CBD9
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: __cftoe
                                                          • String ID:
                                                          • API String ID: 4189289331-0
                                                          • Opcode ID: d6bf761def625c4c1eac859fe9698f11da6ba3a27158c8fc6c2513ce27c7522a
                                                          • Instruction ID: 6c78d09a6f5169ef6f707262af513c71f712f2c279f5202ad8aecd4a6012115a
                                                          • Opcode Fuzzy Hash: d6bf761def625c4c1eac859fe9698f11da6ba3a27158c8fc6c2513ce27c7522a
                                                          • Instruction Fuzzy Hash: D951EA72900A05ABFF209B59CC81FAF77A9EF49334F14421FF515A6293DB39D900866C
                                                          APIs
                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041AC88
                                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A38E,00000000), ref: 0041AC9C
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACA9
                                                          • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041ACDE
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF0
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF3
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                          • String ID:
                                                          • API String ID: 493672254-0
                                                          • Opcode ID: efec56fc5935d5a2572c80bdc1daad9799237a8c2fd258714d4154745ff5c6c1
                                                          • Instruction ID: ed0bae8235b77a8e2b5b4951a925fd67a34dfbd091713fce30693036f81a5133
                                                          • Opcode Fuzzy Hash: efec56fc5935d5a2572c80bdc1daad9799237a8c2fd258714d4154745ff5c6c1
                                                          • Instruction Fuzzy Hash: 84014E311452147BD6110B385C4DEFB3B5CDB42771F100317F925922D1EA68CD45B5EE
                                                          APIs
                                                          • GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                                          • _free.LIBCMT ref: 0044824C
                                                          • _free.LIBCMT ref: 00448274
                                                          • SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                                                          • SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                                          • _abort.LIBCMT ref: 00448293
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast$_free$_abort
                                                          • String ID:
                                                          • API String ID: 3160817290-0
                                                          • Opcode ID: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
                                                          • Instruction ID: 1e51d54565af68f960eede883612623578b8b4ccb82fc25c91f14e3db4823c68
                                                          • Opcode Fuzzy Hash: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
                                                          • Instruction Fuzzy Hash: 15F0F935104F006AF611332A6C05B5F2515ABC276AF25066FF92892292DFACCC4581AD
                                                          APIs
                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAB5
                                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAC9
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAD6
                                                          • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAE5
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAF7
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAFA
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Service$CloseHandle$Open$ControlManager
                                                          • String ID:
                                                          • API String ID: 221034970-0
                                                          • Opcode ID: 4ae3873c1f536b49cfb6b65ca2e5a3703e9976f2291b0d96870e63be56c21842
                                                          • Instruction ID: 651adf303b3d55a6ad93a9774d9c6d096703db2647e4265c62a250da7e042a32
                                                          • Opcode Fuzzy Hash: 4ae3873c1f536b49cfb6b65ca2e5a3703e9976f2291b0d96870e63be56c21842
                                                          • Instruction Fuzzy Hash: 68F0C231541218ABD711AF25AC49EFF3B6CDF45BA2F000026FE0992192DB68CD4695E9
                                                          APIs
                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABB9
                                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABCD
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABDA
                                                          • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABE9
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFB
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFE
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Service$CloseHandle$Open$ControlManager
                                                          • String ID:
                                                          • API String ID: 221034970-0
                                                          • Opcode ID: 81e2b4606ab98421978dc9842ef1edfa46dc1b90a9204ca08327dde20b0592b6
                                                          • Instruction ID: cdcae22f94af1ce7d279f83afe572816001e75aa845eac4345c2c81124f82824
                                                          • Opcode Fuzzy Hash: 81e2b4606ab98421978dc9842ef1edfa46dc1b90a9204ca08327dde20b0592b6
                                                          • Instruction Fuzzy Hash: 84F0C231501218ABD6116F259C49DFF3B6CDB45B62F40002AFE0996192EB38DD4595F9
                                                          APIs
                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC20
                                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC34
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC41
                                                          • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC50
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC62
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC65
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Service$CloseHandle$Open$ControlManager
                                                          • String ID:
                                                          • API String ID: 221034970-0
                                                          • Opcode ID: fc89c5385e453168767847f65058b20f434ef67782af095c3a641765214ec1d0
                                                          • Instruction ID: 1af6be829003de2eeb85b71d4b0cbdb2c911632148e7083bdbbda8586ff13133
                                                          • Opcode Fuzzy Hash: fc89c5385e453168767847f65058b20f434ef67782af095c3a641765214ec1d0
                                                          • Instruction Fuzzy Hash: 2FF0F631501228BBD711AF25EC49DFF3B6CDB45B62F00002AFE0992192EB38CD4595F9
                                                          APIs
                                                          • GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B172
                                                          • wsprintfW.USER32 ref: 0040B1F3
                                                            • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: EventLocalTimewsprintf
                                                          • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                                          • API String ID: 1497725170-248792730
                                                          • Opcode ID: 5930b91d6002e4bc173ab4be93e7cb7fd053249898d40d7797ac70fa62357d50
                                                          • Instruction ID: 81b60f5d3581edaaac31e3e44e1e4f5c322996b2d8bf5e7d6f89c643b346fb92
                                                          • Opcode Fuzzy Hash: 5930b91d6002e4bc173ab4be93e7cb7fd053249898d40d7797ac70fa62357d50
                                                          • Instruction Fuzzy Hash: 82117F72504118AACB18AB96EC558FE77BCEE48315B00012FF506A60E1FF7C9E46C6AC
                                                          APIs
                                                          • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                                                          • Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$CloseCreateHandleSizeSleep
                                                          • String ID: XQG
                                                          • API String ID: 1958988193-3606453820
                                                          • Opcode ID: a936430ac144879a830ace31701bfe89764f94ae4ec5835598aad753144bf191
                                                          • Instruction ID: 2d5b847f40b6dc6d65e682cb961bc0859910b41d7418e35cc132b68a4a9af338
                                                          • Opcode Fuzzy Hash: a936430ac144879a830ace31701bfe89764f94ae4ec5835598aad753144bf191
                                                          • Instruction Fuzzy Hash: AD112B30600740EEE631A7249895A5F3B6AEB41356F48083AF2C26B6D2C6799CA0C35E
                                                          APIs
                                                          • RegisterClassExA.USER32(00000030), ref: 0041D55B
                                                          • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                                                          • GetLastError.KERNEL32 ref: 0041D580
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ClassCreateErrorLastRegisterWindow
                                                          • String ID: 0$MsgWindowClass
                                                          • API String ID: 2877667751-2410386613
                                                          • Opcode ID: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                                                          • Instruction ID: 921741f364e14ac5d494c0d6481b3569f22aad0bbfd2e997b493b5423d792a6e
                                                          • Opcode Fuzzy Hash: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                                                          • Instruction Fuzzy Hash: 910129B1D00219BBDB00DFD5ECC49EFBBBDEA04355F40053AF900A6240E77859058AA4
                                                          APIs
                                                          • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040779B
                                                          • CloseHandle.KERNEL32(?), ref: 004077AA
                                                          • CloseHandle.KERNEL32(?), ref: 004077AF
                                                          Strings
                                                          • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 00407791
                                                          • C:\Windows\System32\cmd.exe, xrefs: 00407796
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseHandle$CreateProcess
                                                          • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                          • API String ID: 2922976086-4183131282
                                                          • Opcode ID: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                                                          • Instruction ID: bcd6b2dc2297655d1c2a6c7a9d844aadd79638dc8707381bf3a952a3ff6736b4
                                                          • Opcode Fuzzy Hash: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                                                          • Instruction Fuzzy Hash: BCF03676D4029D76CB20ABD6DC0EEDF7F7DEBC5B11F00056AF904A6141E6746404C6B9
                                                          Strings
                                                          • SG, xrefs: 004076DA
                                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe, xrefs: 004076C4
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: SG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
                                                          • API String ID: 0-1842886494
                                                          • Opcode ID: a5e5064d23fdb4a5105bb888b891a2001f99cf11455aefb2b8df45e89f9c3324
                                                          • Instruction ID: 1b954d03a55cc3c1a25a26db856d3c6076ddce7f3b9fad0ad77fefb3a3407f05
                                                          • Opcode Fuzzy Hash: a5e5064d23fdb4a5105bb888b891a2001f99cf11455aefb2b8df45e89f9c3324
                                                          • Instruction Fuzzy Hash: 2CF046B0F14A00EBCB0467655D186693A05A740356F404C77F907EA2F2EBBD5C41C61E
                                                          APIs
                                                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004432EB,?,?,0044328B,?), ref: 0044335A
                                                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044336D
                                                          • FreeLibrary.KERNEL32(00000000,?,?,?,004432EB,?,?,0044328B,?), ref: 00443390
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                          • String ID: CorExitProcess$mscoree.dll
                                                          • API String ID: 4061214504-1276376045
                                                          • Opcode ID: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                                                          • Instruction ID: b4f1316bd170a33105784e50650a9bde6d9e9410588fddf83d5a1a7bf10dc45d
                                                          • Opcode Fuzzy Hash: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                                                          • Instruction Fuzzy Hash: 6AF0A430A00208FBDB149F55DC09B9EBFB4EF04713F0041A9FC05A2261CB349E40CA98
                                                          APIs
                                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
                                                          • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405140
                                                            • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                          • String ID: KeepAlive | Disabled
                                                          • API String ID: 2993684571-305739064
                                                          • Opcode ID: 11e320f67abdd95442ebe69be37ae07741154b3609cf10b7525108ad99fbffe3
                                                          • Instruction ID: c1447ea2195e795a2fa4d382ed9a15925dec3dc8ccf256ab7d783030aa8980db
                                                          • Opcode Fuzzy Hash: 11e320f67abdd95442ebe69be37ae07741154b3609cf10b7525108ad99fbffe3
                                                          • Instruction Fuzzy Hash: 4CF06271904711BBDB103B758D0A66B7A54AB02311F0009BEF982916E2D6798840CF9A
                                                          APIs
                                                          • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CDED), ref: 0041CD62
                                                          • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD6F
                                                          • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CDED), ref: 0041CD7C
                                                          • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD8F
                                                          Strings
                                                          • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CD82
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                          • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                          • API String ID: 3024135584-2418719853
                                                          • Opcode ID: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                                                          • Instruction ID: 0b88db63cd78dea0703aeaf814a7171c31f7e2e6e0b1944ffb711cb25cf7542c
                                                          • Opcode Fuzzy Hash: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                                                          • Instruction Fuzzy Hash: B4E04872904315E7E31027B5EC4DDAB7B7CE745713B100266FA12915D39A749C40C6B5
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0040141B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressHandleModuleProc
                                                          • String ID: GetCursorInfo$User32.dll$`#v
                                                          • API String ID: 1646373207-1032071883
                                                          • Opcode ID: 0feee19109755bbb7e48939f97e78712d63acfb534ae43d0cb60b2001d0c131e
                                                          • Instruction ID: 65f79b4a2c2aed896b4012a4b0ac893fb7d0ccba54e760513c8834f3bef68171
                                                          • Opcode Fuzzy Hash: 0feee19109755bbb7e48939f97e78712d63acfb534ae43d0cb60b2001d0c131e
                                                          • Instruction Fuzzy Hash: B4B09B70541740E7CB106BF45C4F9153555B514703B105476B44996151D7B44400C61E
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d82b14c4b7eddcab2a525b8a5736e815382cccc6b286473e45e20a4a09cb7dcc
                                                          • Instruction ID: 3288ceb70b28299b768e57bc56a65f905b411dc47ae91625c595fe6b39b3afde
                                                          • Opcode Fuzzy Hash: d82b14c4b7eddcab2a525b8a5736e815382cccc6b286473e45e20a4a09cb7dcc
                                                          • Instruction Fuzzy Hash: 4D71C431900256ABEF21CF55C884AFFBBB5EF95350F14012BE812A72A1D7748CC1CBA9
                                                          APIs
                                                            • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                                          • _free.LIBCMT ref: 00444E06
                                                          • _free.LIBCMT ref: 00444E1D
                                                          • _free.LIBCMT ref: 00444E3C
                                                          • _free.LIBCMT ref: 00444E57
                                                          • _free.LIBCMT ref: 00444E6E
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$AllocateHeap
                                                          • String ID:
                                                          • API String ID: 3033488037-0
                                                          • Opcode ID: e5e5e32cbc9e0b3a113123649c74924e208ff27c04b4f5f5a1971e5417510091
                                                          • Instruction ID: 75a60bec03265776b93b53542ea819fdab521e44af267d44e1f719a945e8e2e2
                                                          • Opcode Fuzzy Hash: e5e5e32cbc9e0b3a113123649c74924e208ff27c04b4f5f5a1971e5417510091
                                                          • Instruction Fuzzy Hash: 5451D371A00704AFEB20DF6AC841B6673F4FF85729B14456EE819D7250E739EE01CB88
                                                          APIs
                                                          • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
                                                          • _free.LIBCMT ref: 004493BD
                                                            • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                                            • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                                          • _free.LIBCMT ref: 00449589
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                          • String ID:
                                                          • API String ID: 1286116820-0
                                                          • Opcode ID: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
                                                          • Instruction ID: c95a83c4fc9d8f5f381c6ef12c4bd90d50aad01b0883e3b7d6e96279f2ead045
                                                          • Opcode Fuzzy Hash: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
                                                          • Instruction Fuzzy Hash: 71511A71904205EBEB14EFA9DD819AFB7BCEF44324F10066FE51493291EB788E42DB58
                                                          APIs
                                                            • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F91B
                                                          • Process32FirstW.KERNEL32(00000000,?), ref: 0040F93F
                                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F94E
                                                          • CloseHandle.KERNEL32(00000000), ref: 0040FB05
                                                            • Part of subcall function 0041BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F5F9,00000000,?,?,00475338), ref: 0041BFFA
                                                            • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                                            • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FAF6
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                          • String ID:
                                                          • API String ID: 4269425633-0
                                                          • Opcode ID: 6f51e59ffccac79a8cfa31e78c91a9a185d84b91a830793d1a1b18643491f6ec
                                                          • Instruction ID: d179df5438ecf7187d550cf9263b6860c2801d48d571b2859f9d543a591e132f
                                                          • Opcode Fuzzy Hash: 6f51e59ffccac79a8cfa31e78c91a9a185d84b91a830793d1a1b18643491f6ec
                                                          • Instruction Fuzzy Hash: 784116311083419BC325F722DC55AEFB3A5AF94345F50493EF48A921E2EF385A49C75A
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free
                                                          • String ID:
                                                          • API String ID: 269201875-0
                                                          • Opcode ID: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
                                                          • Instruction ID: 5dce3a056f7b38871bf3701478ebec2c01ef4ac0d1e4adeac0a27022f106ca0c
                                                          • Opcode Fuzzy Hash: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
                                                          • Instruction Fuzzy Hash: 0741F536A012009FEB20DF78C881A5EB3F1EF89B14F2545AEE515EB341DB35AE01CB84
                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD01,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01), ref: 00451179
                                                          • __alloca_probe_16.LIBCMT ref: 004511B1
                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD01,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01,?), ref: 00451202
                                                          • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01,?,00000002,00000000), ref: 00451214
                                                          • __freea.LIBCMT ref: 0045121D
                                                            • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                          • String ID:
                                                          • API String ID: 313313983-0
                                                          • Opcode ID: 2499d542bf4c3cf77a933f34e88371000126cd90bc440e7173a6a514ae814305
                                                          • Instruction ID: 2862a929c21554b3885a63a70f5d1b49ed21d23a3953ed9914841bfcf42aa681
                                                          • Opcode Fuzzy Hash: 2499d542bf4c3cf77a933f34e88371000126cd90bc440e7173a6a514ae814305
                                                          • Instruction Fuzzy Hash: 6631D271A0020AABDF24DFA5DC41EAF7BA5EB04315F0445AAFC04D72A2E739CD55CB94
                                                          APIs
                                                          • GetLastError.KERNEL32(?,00000000,00000000,0043BC87,00000000,00000000,?,0043BD0B,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044829E
                                                          • _free.LIBCMT ref: 004482D3
                                                          • _free.LIBCMT ref: 004482FA
                                                          • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448307
                                                          • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448310
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast$_free
                                                          • String ID:
                                                          • API String ID: 3170660625-0
                                                          • Opcode ID: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
                                                          • Instruction ID: 817e1e76de570c2b023109a843fda652767a1b5a915d0172e9d2adf04509528a
                                                          • Opcode Fuzzy Hash: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
                                                          • Instruction Fuzzy Hash: 5601F936500B0067F3112A2A5C8596F2559EBC2B7A735452FFD19A22D2EFADCC01816D
                                                          APIs
                                                          • _free.LIBCMT ref: 004509D4
                                                            • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                                            • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                                          • _free.LIBCMT ref: 004509E6
                                                          • _free.LIBCMT ref: 004509F8
                                                          • _free.LIBCMT ref: 00450A0A
                                                          • _free.LIBCMT ref: 00450A1C
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast
                                                          • String ID:
                                                          • API String ID: 776569668-0
                                                          • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                                          • Instruction ID: 8e1836d4b3683ea2f551dac33bf8b94159c93f8dbbc189607f67f5fa0db289e6
                                                          • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                                          • Instruction Fuzzy Hash: F3F04F76504600B79620EB5DE8C2C1B73D9EA0571A795891BF66CDB612CB38FCC0869C
                                                          APIs
                                                          • _free.LIBCMT ref: 00444066
                                                            • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                                            • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                                          • _free.LIBCMT ref: 00444078
                                                          • _free.LIBCMT ref: 0044408B
                                                          • _free.LIBCMT ref: 0044409C
                                                          • _free.LIBCMT ref: 004440AD
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast
                                                          • String ID:
                                                          • API String ID: 776569668-0
                                                          • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                                          • Instruction ID: c4ed0220327abb1134bcf7d54e43c2409a3611c90002b0fe773cef56a7474a4d
                                                          • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                                          • Instruction Fuzzy Hash: 11F03AB18009208FA631AF2DBD414053B61E705769346822BF62C62A70C7B94ED2CFCF
                                                          APIs
                                                          • _strpbrk.LIBCMT ref: 0044E738
                                                          • _free.LIBCMT ref: 0044E855
                                                            • Part of subcall function 0043BD19: IsProcessorFeaturePresent.KERNEL32(00000017,0043BCEB,00405103,?,00000000,00000000,004020A6,00000000,00000000,?,0043BD0B,00000000,00000000,00000000,00000000,00000000), ref: 0043BD1B
                                                            • Part of subcall function 0043BD19: GetCurrentProcess.KERNEL32(C0000417,?,00405103), ref: 0043BD3D
                                                            • Part of subcall function 0043BD19: TerminateProcess.KERNEL32(00000000,?,00405103), ref: 0043BD44
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                          • String ID: *?$.
                                                          • API String ID: 2812119850-3972193922
                                                          • Opcode ID: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
                                                          • Instruction ID: 94a4b4bbf586d133b1ca6d09685756ea089c4dad0dcc4a5060c65dcbb11523ea
                                                          • Opcode Fuzzy Hash: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
                                                          • Instruction Fuzzy Hash: B951C375E00109EFEF14DFAAC881AAEBBB5FF58314F25816EE454E7301E6399E018B54
                                                          APIs
                                                          • GetKeyboardLayoutNameA.USER32(?), ref: 00409ED3
                                                            • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                                                            • Part of subcall function 0041C515: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F5B,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C52A
                                                            • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateFileKeyboardLayoutNameconnectsend
                                                          • String ID: XQG$NG$PG
                                                          • API String ID: 1634807452-3565412412
                                                          • Opcode ID: 540faca1283a201b615fa294366106f171e649dc374ea9aa343cf977934f0195
                                                          • Instruction ID: e0ccbd324811511655e6ba18c086c0ffec884fa52ef92f7e14ea490dcf81b303
                                                          • Opcode Fuzzy Hash: 540faca1283a201b615fa294366106f171e649dc374ea9aa343cf977934f0195
                                                          • Instruction Fuzzy Hash: BA5133315082415AC324F732D852AEFB3E5AFD4348F50493FF44A671E6EF78594AC649
                                                          APIs
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424DE
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424F3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                          • String ID: `#D$`#D
                                                          • API String ID: 885266447-2450397995
                                                          • Opcode ID: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
                                                          • Instruction ID: d0478598ef992627c852fcfbe86add3ca1c9fa58067414995f231753f3186543
                                                          • Opcode Fuzzy Hash: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
                                                          • Instruction Fuzzy Hash: 78519071A00208AFDF18DF59C980AAEBBB2FB94314F59C19AF81897361D7B9DD41CB44
                                                          APIs
                                                          • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe,00000104), ref: 00443475
                                                          • _free.LIBCMT ref: 00443540
                                                          • _free.LIBCMT ref: 0044354A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$FileModuleName
                                                          • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
                                                          • API String ID: 2506810119-3262595026
                                                          • Opcode ID: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
                                                          • Instruction ID: 78b8e4ab202bb8962dfea6a4c95dea7b8c186c0554b41bb8e719afd17783d6d0
                                                          • Opcode Fuzzy Hash: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
                                                          • Instruction Fuzzy Hash: 2E31C471A00258BFEB21DF999C8199EBBBCEF85B15F10406BF50497311D6B89F81CB98
                                                          APIs
                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                                            • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,76233530,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
                                                            • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                                                            • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                                                            • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                                                          • Sleep.KERNEL32(000000FA,00465E74), ref: 00404138
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                          • String ID: /sort "Visit Time" /stext "$0NG
                                                          • API String ID: 368326130-3219657780
                                                          • Opcode ID: 765a2cec5dfc93fc14e6a06a83629ca65ec94325b3245c099cb6fcf10de14a30
                                                          • Instruction ID: 62b88373b0174ac8ae4090b78ebfd0a8fca35ca34796720d8357018cc2c92f87
                                                          • Opcode Fuzzy Hash: 765a2cec5dfc93fc14e6a06a83629ca65ec94325b3245c099cb6fcf10de14a30
                                                          • Instruction Fuzzy Hash: E9316271A0011956CB15FBA6D8969EE7375AB90308F40007FF206B71E2EF385D89CA99
                                                          APIs
                                                          • _wcslen.LIBCMT ref: 004162F5
                                                            • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                                            • Part of subcall function 00413877: RegSetValueExA.KERNELBASE(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                                            • Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                                                            • Part of subcall function 00409DE4: _wcslen.LIBCMT ref: 00409DFD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _wcslen$CloseCreateValue
                                                          • String ID: !D@$okmode$PG
                                                          • API String ID: 3411444782-3370592832
                                                          • Opcode ID: 56d367afe2ba597d6a39c7afb1f52fa5ab03872d574dd40714d897b86eaaf0d3
                                                          • Instruction ID: dff749dc984b923ba5de2327a6f3f9cc2e67bcaf748228c26ce3aec7d70e92d7
                                                          • Opcode Fuzzy Hash: 56d367afe2ba597d6a39c7afb1f52fa5ab03872d574dd40714d897b86eaaf0d3
                                                          • Instruction Fuzzy Hash: 10119371B442011ADB187B72D832ABD22969F94358F80443FF54AAF2E2DEBD4C51525D
                                                          APIs
                                                            • Part of subcall function 0040C4C3: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                                                          • PathFileExistsW.SHLWAPI(00000000), ref: 0040C61D
                                                          • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C688
                                                          Strings
                                                          • User Data\Profile ?\Network\Cookies, xrefs: 0040C635
                                                          • User Data\Default\Network\Cookies, xrefs: 0040C603
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExistsFilePath
                                                          • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                          • API String ID: 1174141254-1980882731
                                                          • Opcode ID: f3bc938036da248068b0be9c9c2ef6302554ca2f51a2acae7b142117e121394f
                                                          • Instruction ID: e6b9b9a8142aca5ff9e4641a3ff80a721fb4b0471daa7637ae592fad8ebd6223
                                                          • Opcode Fuzzy Hash: f3bc938036da248068b0be9c9c2ef6302554ca2f51a2acae7b142117e121394f
                                                          • Instruction Fuzzy Hash: B421037190011996CB14F7A2DC96CEEB738EE50319F40053FB502B31D2EF789A46C698
                                                          APIs
                                                            • Part of subcall function 0040C526: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                                                          • PathFileExistsW.SHLWAPI(00000000), ref: 0040C6EC
                                                          • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C757
                                                          Strings
                                                          • User Data\Profile ?\Network\Cookies, xrefs: 0040C704
                                                          • User Data\Default\Network\Cookies, xrefs: 0040C6D2
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExistsFilePath
                                                          • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                          • API String ID: 1174141254-1980882731
                                                          • Opcode ID: cddf59ed0f0a35ae698fc10c37901bb26126bcec9028eb75e0275fc853fc9b73
                                                          • Instruction ID: 83f6a23093d6b0727a30a1d550f3d6f5bdb2bb72864fa742cd8a9fd6423befd9
                                                          • Opcode Fuzzy Hash: cddf59ed0f0a35ae698fc10c37901bb26126bcec9028eb75e0275fc853fc9b73
                                                          • Instruction Fuzzy Hash: AE21D37190011AD6CB05F7A2DC96CEEB778EE50719B50013FF502B31D2EF789A46C698
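The two listings above show the same probe twice, once for Chrome and once for Edge: PathFileExistsW on the browser root under \AppData\Local, then on "User Data\Default\Network\Cookies" and "User Data\Profile ?\Network\Cookies". The following is an added example, not code from the report or from the sample, that reproduces that enumeration so a responder can see which cookie databases on a host the sample would have found. The browser roots and the two relative cookie paths are taken from the listings; the range of profile numbers tried, and the fixture directory used to exercise it, are assumptions of this example.

```python
"""Added example: enumerate the Chromium cookie databases probed by the listings above."""
from __future__ import annotations
import os
import tempfile
from pathlib import Path

# Relative locations taken from the report: the sample first tests for
# "\AppData\Local\Google\Chrome\" (resp. "\AppData\Local\Microsoft\Edge\") with
# PathFileExistsW, then for "User Data\Default\Network\Cookies" and
# "User Data\Profile ?\Network\Cookies" below it.
BROWSER_ROOTS = {
    "chrome": Path("Google", "Chrome"),
    "edge": Path("Microsoft", "Edge"),
}
COOKIE_SUFFIX = Path("Network", "Cookies")


def cookie_candidates(local_appdata: str | os.PathLike, browser: str, max_profiles: int = 9) -> list[Path]:
    """Paths the sample would test, in order: Default first, then numbered profiles.
    The report only shows the placeholder "Profile ?"; the number range tried here
    (1..max_profiles) is an assumption of this example, not something the report states."""
    user_data = Path(local_appdata) / BROWSER_ROOTS[browser] / "User Data"
    names = ["Default"] + [f"Profile {n}" for n in range(1, max_profiles + 1)]
    return [user_data / name / COOKIE_SUFFIX for name in names]


def find_cookie_dbs(local_appdata: str | os.PathLike, max_profiles: int = 9) -> dict[str, list[Path]]:
    """Per browser, the candidates that exist, i.e. where PathFileExistsW returns TRUE.
    The browser-root check from the report is folded in: if the root directory is
    missing, none of its cookie candidates are tested."""
    found: dict[str, list[Path]] = {}
    for browser, root in BROWSER_ROOTS.items():
        if not (Path(local_appdata) / root).is_dir():
            continue
        hits = [p for p in cookie_candidates(local_appdata, browser, max_profiles) if p.is_file()]
        if hits:
            found[browser] = hits
    return found


def probe_fixture() -> dict[str, list[str]]:
    """Constructed fixture (not from the report): a fake %LOCALAPPDATA% holding one
    Chrome and one Edge cookie DB, scanned the same way the sample scans a real profile."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in ("Google/Chrome/User Data/Default/Network/Cookies",
                    "Microsoft/Edge/User Data/Profile 2/Network/Cookies"):
            target = root / rel
            target.parent.mkdir(parents=True)
            target.write_bytes(b"SQLite format 3\x00")  # header bytes only, not a real database
        return {browser: [p.relative_to(root).as_posix() for p in paths]
                for browser, paths in find_cookie_dbs(root).items()}


if __name__ == "__main__":
    print(probe_fixture())
    # On a live Windows host the same scan over the real profile would be:
    # print(find_cookie_dbs(os.environ["LOCALAPPDATA"]))
```

Run on a real host, the returned paths are the files whose DPAPI-protected contents the sample goes on to read; they are also the files whose access a responder can look for in file-audit or EDR telemetry for the aspnet_wp.exe process named in this dump.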
                                                          APIs
                                                          • CreateThread.KERNEL32(00000000,00000000,0040A27D,?,00000000,00000000), ref: 0040A1FE
                                                          • CreateThread.KERNEL32(00000000,00000000,0040A267,?,00000000,00000000), ref: 0040A20E
                                                          • CreateThread.KERNEL32(00000000,00000000,0040A289,?,00000000,00000000), ref: 0040A21A
                                                            • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B172
                                                            • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateThread$LocalTimewsprintf
                                                          • String ID: Offline Keylogger Started
                                                          • API String ID: 465354869-4114347211
                                                          • Opcode ID: 052d9f24e9ed53101c9c6e29893d10a0ebf43ddb848004275c2ad0d2f900b3d6
                                                          • Instruction ID: bcf1cfbdc14a627f6781ea3a40f7cea6448602225ce5b2be95dc640702f6c2bd
                                                          • Opcode Fuzzy Hash: 052d9f24e9ed53101c9c6e29893d10a0ebf43ddb848004275c2ad0d2f900b3d6
                                                          • Instruction Fuzzy Hash: DE1194B12003187AD220B7369C86CBB765DDA8139CB00057FF946222D2EA795D54CAFB
                                                          APIs
                                                            • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B172
                                                            • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                                            • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                          • CreateThread.KERNEL32(00000000,00000000,Function_0000A267,?,00000000,00000000), ref: 0040AF6E
                                                          • CreateThread.KERNEL32(00000000,00000000,Function_0000A289,?,00000000,00000000), ref: 0040AF7A
                                                          • CreateThread.KERNEL32(00000000,00000000,0040A295,?,00000000,00000000), ref: 0040AF86
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateThread$LocalTime$wsprintf
                                                          • String ID: Online Keylogger Started
                                                          • API String ID: 112202259-1258561607
                                                          • Opcode ID: 1301e6b876f99197b04564c733fafc78f062806f1783c7b989fb50bec4e70a22
                                                          • Instruction ID: a86b307176fed80e65d2d8085b20e14cf0e56bf63d45b36b749a5edd9f3e52e0
                                                          • Opcode Fuzzy Hash: 1301e6b876f99197b04564c733fafc78f062806f1783c7b989fb50bec4e70a22
                                                          • Instruction Fuzzy Hash: 1401C8A070031939E62076365C87D7F7A5DCA81398F40057FF645362C6D97D1C5586FB
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406A82
                                                          • GetProcAddress.KERNEL32(00000000), ref: 00406A89
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: CryptUnprotectData$crypt32
                                                          • API String ID: 2574300362-2380590389
                                                          • Opcode ID: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
                                                          • Instruction ID: d796ed41fc96dc9ef8d801536240fab0e9422483ab40f89d2a564a4d0f07de08
                                                          • Opcode Fuzzy Hash: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
                                                          • Instruction Fuzzy Hash: 6201B535B00216ABCB18DFAD9D449ABBBB8EB49300F14817EE95AE3341D674D9008BA4
                                                          APIs
                                                          • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                                          • CloseHandle.KERNEL32(?), ref: 004051CA
                                                          • SetEvent.KERNEL32(?), ref: 004051D9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseEventHandleObjectSingleWait
                                                          • String ID: Connection Timeout
                                                          • API String ID: 2055531096-499159329
                                                          • Opcode ID: 0fd579d592e0ec80786bd468370273e6dda72da4d01b044bfcfe4f18e9b09a20
                                                          • Instruction ID: e4880b57ed2806ada623013920947221b56867654f576af2420d72dde76e11cf
                                                          • Opcode Fuzzy Hash: 0fd579d592e0ec80786bd468370273e6dda72da4d01b044bfcfe4f18e9b09a20
                                                          • Instruction Fuzzy Hash: 1201D831A40F40AFE7257B368D9552BBBE0FF01302704097FE68396AE2D6789800CF59
                                                          APIs
                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E833
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Exception@8Throw
                                                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                          • API String ID: 2005118841-1866435925
                                                          • Opcode ID: 14b47bc0c01e13b5246ea87e39f47a408aa5ce0847750dcdb3cc0488a1de7433
                                                          • Instruction ID: aca7d9cae529c24a85643cb8f0975e7fdd15ab88b82278639a3f13e82648cb6f
                                                          • Opcode Fuzzy Hash: 14b47bc0c01e13b5246ea87e39f47a408aa5ce0847750dcdb3cc0488a1de7433
                                                          • Instruction Fuzzy Hash: 2C01B1315443086AE618F693C843FAA73585B10708F108C2FAA15761C2F67D6961C66B
                                                          APIs
                                                          • RegCreateKeyW.ADVAPI32(80000001,00000000,004752D8), ref: 0041381F
                                                          • RegSetValueExW.ADVAPI32(004752D8,?,00000000,00000001,00000000,00000000,004752F0,?,0040F823,pth_unenc,004752D8), ref: 0041384D
                                                          • RegCloseKey.ADVAPI32(004752D8,?,0040F823,pth_unenc,004752D8), ref: 00413858
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseCreateValue
                                                          • String ID: pth_unenc
                                                          • API String ID: 1818849710-4028850238
                                                          • Opcode ID: 0de8c57798d2a052ed48f9ba6d58c7c81afdedd1aa2e5c5a2a8de63742f16a74
                                                          • Instruction ID: 91b44a8789fefabe47d0aed0b401f4e945a8dec35bb1902c17c37083bf943f80
                                                          • Opcode Fuzzy Hash: 0de8c57798d2a052ed48f9ba6d58c7c81afdedd1aa2e5c5a2a8de63742f16a74
                                                          • Instruction Fuzzy Hash: 83F0C271440218FBDF10AFA1EC45FEE376CEF00B56F10452AF905A61A1E7359F04DA94
                                                          APIs
                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFB1
                                                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040DFF0
                                                            • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 0043565F
                                                            • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 00435683
                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E016
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                          • String ID: bad locale name
                                                          • API String ID: 3628047217-1405518554
                                                          • Opcode ID: 86f49e18a429e1939de4d1535c8c5fe7fe9a78163a93b43351c768af92284890
                                                          • Instruction ID: c9d4814c50014869750c7e26a4e1a69426a580a77e14145940ab7c7d7e24a8db
                                                          • Opcode Fuzzy Hash: 86f49e18a429e1939de4d1535c8c5fe7fe9a78163a93b43351c768af92284890
                                                          • Instruction Fuzzy Hash: EAF081314006049AC634FA62D863B9AB7B89F14718F504A7FB906228D1EF7CBA1CCA4C
                                                          APIs
                                                          • CreateThread.KERNEL32(00000000,00000000,Function_0001D45D,00000000,00000000,00000000), ref: 00416C47
                                                          • ShowWindow.USER32(00000009), ref: 00416C61
                                                          • SetForegroundWindow.USER32 ref: 00416C6D
                                                            • Part of subcall function 0041CD9B: AllocConsole.KERNEL32(00475338), ref: 0041CDA4
                                                            • Part of subcall function 0041CD9B: ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                                                            • Part of subcall function 0041CD9B: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Window$ConsoleShow$AllocCreateForegroundOutputThread
                                                          • String ID: !D@
                                                          • API String ID: 3446828153-604454484
                                                          • Opcode ID: b7364eaafb7a437eec89ed9fb4143899ef50b32a2d873a0c8232afd7958e43d5
                                                          • Instruction ID: c1d0571eb829819ca76672189d51ce116019f2d3a91c4b5ec781e9fa27a10d2f
                                                          • Opcode Fuzzy Hash: b7364eaafb7a437eec89ed9fb4143899ef50b32a2d873a0c8232afd7958e43d5
                                                          • Instruction Fuzzy Hash: 9EF05E70158201EAD720AB62EC45AFA7B69EB54351F00483BF849D14F2DB398C85C69D
                                                          APIs
                                                          • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00416130
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExecuteShell
                                                          • String ID: /C $cmd.exe$open
                                                          • API String ID: 587946157-3896048727
                                                          • Opcode ID: 64774f0173dd2414335a6a01ca4130183aa4f4d30cf83fc1238f67c292a9c67a
                                                          • Instruction ID: 0a18f3537a1213b4b5dca9b82f73c842755a7e35c30cee8a650de64661b344da
                                                          • Opcode Fuzzy Hash: 64774f0173dd2414335a6a01ca4130183aa4f4d30cf83fc1238f67c292a9c67a
                                                          • Instruction Fuzzy Hash: 0DE0C0B0208345AAC705E775CC95CBF73ADAA94749B50483F7142A20E2EF7C9D49C659
                                                          APIs
                                                          • TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
                                                          • UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                                                          • TerminateThread.KERNEL32(0040A267,00000000,?,pth_unenc), ref: 0040B8D5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: TerminateThread$HookUnhookWindows
                                                          • String ID: pth_unenc
                                                          • API String ID: 3123878439-4028850238
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014B9
                                                          • GetProcAddress.KERNEL32(00000000), ref: 004014C0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: GetLastInputInfo$User32.dll
                                                          • API String ID: 2574300362-1519888992
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: __alldvrm$_strrchr
                                                          • String ID:
                                                          • API String ID: 1036877536-0
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          APIs
                                                          Strings
                                                          • Cleared browsers logins and cookies., xrefs: 0040C0F5
                                                          • [Cleared browsers logins and cookies.], xrefs: 0040C0E4
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Sleep
                                                          • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                          • API String ID: 3472027048-1236744412
                                                          APIs
                                                            • Part of subcall function 0041C551: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C561
                                                            • Part of subcall function 0041C551: GetWindowTextLengthW.USER32(00000000), ref: 0041C56A
                                                            • Part of subcall function 0041C551: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C594
                                                          • Sleep.KERNEL32(000001F4), ref: 0040A573
                                                          • Sleep.KERNEL32(00000064), ref: 0040A5FD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Window$SleepText$ForegroundLength
                                                          • String ID: [ $ ]
                                                          • API String ID: 3309952895-93608704
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          APIs
                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue), ref: 00448598
                                                          • GetLastError.KERNEL32(?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7), ref: 004485A4
                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000), ref: 004485B2
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LibraryLoad$ErrorLast
                                                          • String ID:
                                                          • API String ID: 3177248105-0
                                                          APIs
                                                          • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 0041C4B2
                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041C4D7
                                                          • CloseHandle.KERNEL32(00000000), ref: 0041C4E5
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$CloseCreateHandleReadSize
                                                          • String ID:
                                                          • API String ID: 3919263394-0
                                                          APIs
                                                          • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                                          • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                                          • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C233
                                                          • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C23B
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseHandleOpenProcess
                                                          • String ID:
                                                          • API String ID: 39102293-0
                                                          APIs
                                                          • ___BuildCatchObject.LIBVCRUNTIME ref: 0043987A
                                                            • Part of subcall function 00439EB2: ___AdjustPointer.LIBCMT ref: 00439EFC
                                                          • _UnwindNestedFrames.LIBCMT ref: 00439891
                                                          • ___FrameUnwindToState.LIBVCRUNTIME ref: 004398A3
                                                          • CallCatchBlock.LIBVCRUNTIME ref: 004398C7
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                                          • String ID:
                                                          • API String ID: 2633735394-0
                                                          APIs
                                                          • GetSystemMetrics.USER32(0000004C), ref: 004193F0
                                                          • GetSystemMetrics.USER32(0000004D), ref: 004193F6
                                                          • GetSystemMetrics.USER32(0000004E), ref: 004193FC
                                                          • GetSystemMetrics.USER32(0000004F), ref: 00419402
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: MetricsSystem
                                                          • String ID:
                                                          • API String ID: 4116985748-0
                                                          APIs
                                                          • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438F31
                                                          • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438F36
                                                          • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438F3B
                                                            • Part of subcall function 0043A43A: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A44B
                                                          • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438F50
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                          • String ID:
                                                          • API String ID: 1761009282-0
                                                          APIs
                                                            • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                                          • __Init_thread_footer.LIBCMT ref: 0040B797
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Init_thread_footer__onexit
                                                          • String ID: [End of clipboard]$[Text copied to clipboard]
                                                          • API String ID: 1881088180-3686566968
                                                          APIs
                                                          • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451D92,?,00000050,?,?,?,?,?), ref: 00451C12
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ACP$OCP
                                                          • API String ID: 0-711371036
                                                          APIs
                                                          • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405030
                                                            • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                          • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405087
                                                          Strings
                                                          • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LocalTime
                                                          • String ID: KeepAlive | Enabled | Timeout:
                                                          • API String ID: 481472006-1507639952
                                                          APIs
                                                          • Sleep.KERNEL32 ref: 00416640
                                                          • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166A2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: DownloadFileSleep
                                                          • String ID: !D@
                                                          • API String ID: 1931167962-604454484
                                                          APIs
                                                          • GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LocalTime
                                                          • String ID: | $%02i:%02i:%02i:%03i
                                                          • API String ID: 481472006-2430845779
                                                          • Opcode ID: 0b58fb712609a629be2860926311a3a1d9782cd388fbf364b696734300abae58
                                                          • Instruction ID: b0c371a91d376d28eb23a1cf2c2b6b2589463c7c7bf84255da33bc44f247512a
                                                          • Opcode Fuzzy Hash: 0b58fb712609a629be2860926311a3a1d9782cd388fbf364b696734300abae58
                                                          • Instruction Fuzzy Hash: 361181714082055AC304EB62D8419BFB3E9AB44348F50093FF895A21E1EF3CDA49C65A
                                                          APIs
                                                          • PathFileExistsW.SHLWAPI(00000000), ref: 0041AD3C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExistsFilePath
                                                          • String ID: alarm.wav$hYG
                                                          • API String ID: 1174141254-2782910960
                                                          • Opcode ID: 0e1c4e1224622d2e2eba9349cd815abebc3d2b7a1c969d03ea25083f5c27e476
                                                          • Instruction ID: 1ebdaa4a32a078914063a8122a991a3a49773bb3edac1861de613ef54c78e1f6
                                                          • Opcode Fuzzy Hash: 0e1c4e1224622d2e2eba9349cd815abebc3d2b7a1c969d03ea25083f5c27e476
                                                          • Instruction Fuzzy Hash: 7A01F5B064460156C604F37698167EE37464B80319F00447FF68A266E2EFBC9D99C68F
                                                          APIs
                                                            • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B172
                                                            • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                                            • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                          • CloseHandle.KERNEL32(?), ref: 0040B0B4
                                                          • UnhookWindowsHookEx.USER32(004750F0), ref: 0040B0C7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                          • String ID: Online Keylogger Stopped
                                                          • API String ID: 1623830855-1496645233
                                                          • Opcode ID: 14d91ba3cc0780b58bc46c93ea61c46197eef5bd77683ed78bbf46c7536d2da3
                                                          • Instruction ID: 2e372e3e3892c4e8816e9c8053feed756abc81e7e35a03d4dadb391bbfa0e77d
                                                          • Opcode Fuzzy Hash: 14d91ba3cc0780b58bc46c93ea61c46197eef5bd77683ed78bbf46c7536d2da3
                                                          • Instruction Fuzzy Hash: 0101F5306002049BD7217B35C80B3BF7BA59B41305F40007FE642226D2EBB91845D7DE
                                                          APIs
                                                          • waveInPrepareHeader.WINMM(?,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
                                                          • waveInAddBuffer.WINMM(?,00000020,?,00000000,00401A15), ref: 0040185F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: wave$BufferHeaderPrepare
                                                          • String ID: XMG
                                                          • API String ID: 2315374483-813777761
                                                          • Opcode ID: 84db4ebe13300bab6e2e85a4a45c37fcad2fa82ad9d185d6556c2711ca00a3b1
                                                          • Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
                                                          • Opcode Fuzzy Hash: 84db4ebe13300bab6e2e85a4a45c37fcad2fa82ad9d185d6556c2711ca00a3b1
                                                          • Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8
                                                          APIs
                                                          • IsValidLocale.KERNEL32(00000000,JD,00000000,00000001,?,?,00444AEA,?,?,004444CA,?,00000004), ref: 00448B32
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LocaleValid
                                                          • String ID: IsValidLocaleName$JD
                                                          • API String ID: 1901932003-2234456777
                                                          • Opcode ID: 98bf4732c76f9d0cbfb8c103c3b900cf5be1bffc9926f7dc5154a94851103fac
                                                          • Instruction ID: c43517d2c5aad0833927174c53c021eab8a1ac695cd7bc198788f3b2bcf9e263
                                                          • Opcode Fuzzy Hash: 98bf4732c76f9d0cbfb8c103c3b900cf5be1bffc9926f7dc5154a94851103fac
                                                          • Instruction Fuzzy Hash: D6F05230A80308F7DB106B60DC06FAEBF58CB04B52F10017EFD046B291CE786E05929E
                                                          APIs
                                                          • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExistsFilePath
                                                          • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                                          • API String ID: 1174141254-4188645398
                                                          • Opcode ID: d6df45e634b6afbccae3fd0fe3c480d2b3110c006c85663e0c742c56e2ad0e6a
                                                          • Instruction ID: 529cceb54bdbac8586af3e6ebd5273a77adcdcd577382419881006e182ae29c8
                                                          • Opcode Fuzzy Hash: d6df45e634b6afbccae3fd0fe3c480d2b3110c006c85663e0c742c56e2ad0e6a
                                                          • Instruction Fuzzy Hash: 96F05E31A00219A6C604BBF69C478BF7B3C9D50709B50017FBA01B61D3EE789945C6EE
                                                          APIs
                                                          • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExistsFilePath
                                                          • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                                          • API String ID: 1174141254-2800177040
                                                          • Opcode ID: 6b2bbaa95f382bae7588de9092395feb5a0607f01bf817232799a9fc0a715970
                                                          • Instruction ID: 330371ab8f71d6844e3501a7b0875f3b866c8fe31c1dcac5d822fe972055fe7f
                                                          • Opcode Fuzzy Hash: 6b2bbaa95f382bae7588de9092395feb5a0607f01bf817232799a9fc0a715970
                                                          • Instruction Fuzzy Hash: ECF05E31A00219A6CA14B7B69C47CEF7B6C9D50705B10017FB602B61D2EE78994186EE
                                                          APIs
                                                          • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5BC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExistsFilePath
                                                          • String ID: AppData$\Opera Software\Opera Stable\
                                                          • API String ID: 1174141254-1629609700
                                                          • Opcode ID: eb22ca10a5fa219f5c4dc8a07dafa017cd8c89abc0008a47340e43b7a4e1140f
                                                          • Instruction ID: 49b076bb86b4c8db4da1bdedad10e463925805c403c57d636a3174f469f12df7
                                                          • Opcode Fuzzy Hash: eb22ca10a5fa219f5c4dc8a07dafa017cd8c89abc0008a47340e43b7a4e1140f
                                                          • Instruction Fuzzy Hash: 13F05E31A00319A6CA14B7B69C47CEF7B7C9D10709B40017BB601B61D2EE789D4586EA
                                                          APIs
                                                          • GetKeyState.USER32(00000011), ref: 0040B64B
                                                            • Part of subcall function 0040A3E0: GetForegroundWindow.USER32(?,?,00000000), ref: 0040A416
                                                            • Part of subcall function 0040A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                                                            • Part of subcall function 0040A3E0: GetKeyboardLayout.USER32(00000000), ref: 0040A429
                                                            • Part of subcall function 0040A3E0: GetKeyState.USER32(00000010), ref: 0040A433
                                                            • Part of subcall function 0040A3E0: GetKeyboardState.USER32(?,?,00000000), ref: 0040A43E
                                                            • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(00000054,?,?,?,00000010,00000000,00000000), ref: 0040A461
                                                            • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
                                                            • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                          • String ID: [AltL]$[AltR]
                                                          • API String ID: 2738857842-2658077756
                                                          • Opcode ID: 440f2a55e07645c447245340f9966782ae35bb9e0b4477c7a4060e7ad180e5fa
                                                          • Instruction ID: e48b288e44f9d4c6b211653e2fe3bcc76c2b66b59b43e84e4aaf588e4500f4a3
                                                          • Opcode Fuzzy Hash: 440f2a55e07645c447245340f9966782ae35bb9e0b4477c7a4060e7ad180e5fa
                                                          • Instruction Fuzzy Hash: 3BE0652134021052C828323E592F6BE2D51C742754B86057FF9826B6C5DABF4D1542CF
                                                          APIs
                                                          • GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
                                                          • GetACP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED2E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: uD
                                                          • API String ID: 0-2547262877
                                                          • Opcode ID: c5b08800a69d4838b4f5beafbc063674321feb547ffb76a205f46ddd03b66443
                                                          • Instruction ID: 19c10458df6b4aed5d20bc802b22671fd2b069e30d3a1616a3713fc20edc201d
                                                          • Opcode Fuzzy Hash: c5b08800a69d4838b4f5beafbc063674321feb547ffb76a205f46ddd03b66443
                                                          • Instruction Fuzzy Hash: A5F0C871800105CBEB20DB55DC897697771BF11335F144755E4394A6E2C7B98C81CF49
                                                          APIs
                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161A8
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExecuteShell
                                                          • String ID: !D@$open
                                                          • API String ID: 587946157-1586967515
                                                          • Opcode ID: ef1b3a0f4602e6d199ecf0e45d17a7acf077c1a045a33f1301243906c424f492
                                                          • Instruction ID: 73504a7432a82bf20c2cd712858cac99996ed9f8eaf32da6c0f13d1c3fa6c831
                                                          • Opcode Fuzzy Hash: ef1b3a0f4602e6d199ecf0e45d17a7acf077c1a045a33f1301243906c424f492
                                                          • Instruction Fuzzy Hash: 2FE0ED712483059AD614EA72DC91AFE7358AB54755F40083FF506514E2EE3C5849C65A
                                                          APIs
                                                          • GetKeyState.USER32(00000012), ref: 0040B6A5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: State
                                                          • String ID: [CtrlL]$[CtrlR]
                                                          • API String ID: 1649606143-2446555240
                                                          • Opcode ID: 74451c87ab4e18a563cce8b4b99f8aefb6389db58d63b1dc50ea5b4c36b24e36
                                                          • Instruction ID: bec5627f59812d2efb235ad4bfa8f6d19d2d97b3e0140e65676d9d4505e8418d
                                                          • Opcode Fuzzy Hash: 74451c87ab4e18a563cce8b4b99f8aefb6389db58d63b1dc50ea5b4c36b24e36
                                                          • Instruction Fuzzy Hash: 6FE04F2160021052C524363D5A1E67D2911CB52754B42096FF882A76CADEBF891543CF
                                                          APIs
                                                            • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                                          • __Init_thread_footer.LIBCMT ref: 00410F29
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Init_thread_footer__onexit
                                                          • String ID: ,kG$0kG
                                                          • API String ID: 1881088180-2015055088
                                                          • Opcode ID: 3543072a86426642cb3d95922a277c4e502be0bac8cf48ffd361c80e3a631357
                                                          • Instruction ID: c595ded0a674a2b9ccc74dbc71d20adb946c68f5a758ea4f5ad5526f3cc50642
                                                          • Opcode Fuzzy Hash: 3543072a86426642cb3d95922a277c4e502be0bac8cf48ffd361c80e3a631357
                                                          • Instruction Fuzzy Hash: 35E0D8312149208EC214A32995829C93791DB4E335B61412BF414D72D5CBAEB8C1CA1D
                                                          APIs
                                                          • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D144,00000000,004752D8,004752F0,?,pth_unenc), ref: 00413A31
                                                          • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00413A45
                                                          Strings
                                                          • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A2F
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: DeleteOpenValue
                                                          • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                          • API String ID: 2654517830-1051519024
                                                          • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                                          • Instruction ID: 6fb421a43559def270d35797bbb86f7c8bc210cd52a17bc53693ea6618a40a87
                                                          • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                                          • Instruction Fuzzy Hash: 99E0C23124420CFBDF104F71DD06FFA376CDB01F42F1006A5BA0692091C626DF049668
                                                          APIs
                                                          • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B876
                                                          • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8A1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: DeleteDirectoryFileRemove
                                                          • String ID: pth_unenc
                                                          • API String ID: 3325800564-4028850238
                                                          • Opcode ID: f0c530d5f410f6e48232dff94e8b4526202df80a5f9212f67769b953604160dd
                                                          • Instruction ID: 8281cfb8de641f04b50c20d0c8e921e0d4b8d2282f61a3be21f0805504db5409
                                                          • Opcode Fuzzy Hash: f0c530d5f410f6e48232dff94e8b4526202df80a5f9212f67769b953604160dd
                                                          • Instruction Fuzzy Hash: 45E046321007119BCB14AB258C48AD6339CAF0031AF00486FA492A32A1DF38AC09CAA8
                                                          APIs
                                                          • TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                                                          • WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ObjectProcessSingleTerminateWait
                                                          • String ID: pth_unenc
                                                          • API String ID: 1872346434-4028850238
                                                          • Opcode ID: 1b0d5640518fcde21729cf1b02f36aec3fd37732ecf9f275e44c4103a8157302
                                                          • Instruction ID: 1c2a9d3d993a2aa40768a62e13ec0bdc830226799852dc8a6b6faba0c59f1205
                                                          • Opcode Fuzzy Hash: 1b0d5640518fcde21729cf1b02f36aec3fd37732ecf9f275e44c4103a8157302
                                                          • Instruction Fuzzy Hash: 2FD01234189312FFD7350F60EE4DB043B98A705362F140265F428512F1C7A58994EA59
                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D27
                                                          • GetLastError.KERNEL32 ref: 00440D35
                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440D90
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ByteCharMultiWide$ErrorLast
                                                          • String ID:
                                                          • API String ID: 1717984340-0
                                                          APIs
                                                          • IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00411EF0), ref: 00411B8C
                                                          • IsBadReadPtr.KERNEL32(?,00000014,00411EF0), ref: 00411C58
                                                          • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411C7A
                                                          • SetLastError.KERNEL32(0000007E,00411EF0), ref: 00411C91
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.4567402427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_aspnet_wp.jbxd
                                                          Similarity
                                                          • API ID: ErrorLastRead
                                                          • String ID:
                                                          • API String ID: 4100373531-0