Windows Analysis Report
UD61dgs2rz.exe

Overview

General Information

Sample name: UD61dgs2rz.exe (renamed because the original name is a hash value)
Original sample name: 3f69729a8f2b22e625bb984f28758ebc.exe
Analysis ID: 1483007
MD5: 3f69729a8f2b22e625bb984f28758ebc
SHA1: ab8aab5952dfcf0d705daff76448920c67b6241d
SHA256: d1b50fc6ce79320a88defef33baf6a51e30845bd13ab2b52f7925ba0b8f527cd
Tags: 32exetrojan

Detection

Remcos
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected Remcos RAT
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

(classification chart not reproduced in this text export)

Process Tree

  • System is w10x64
  • UD61dgs2rz.exe (PID: 3064 cmdline: "C:\Users\user\Desktop\UD61dgs2rz.exe" MD5: 3F69729A8F2B22E625BB984F28758EBC)
    • powershell.exe (PID: 7280 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UD61dgs2rz.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7704 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 7336 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HODoCxSdp.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 7352 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HODoCxSdp" /XML "C:\Users\user\AppData\Local\Temp\tmpC22F.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • UD61dgs2rz.exe (PID: 7524 cmdline: "C:\Users\user\Desktop\UD61dgs2rz.exe" MD5: 3F69729A8F2B22E625BB984F28758EBC)
  • HODoCxSdp.exe (PID: 7608 cmdline: C:\Users\user\AppData\Roaming\HODoCxSdp.exe MD5: 3F69729A8F2B22E625BB984F28758EBC)
    • schtasks.exe (PID: 7888 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HODoCxSdp" /XML "C:\Users\user\AppData\Local\Temp\tmpD46F.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • HODoCxSdp.exe (PID: 7948 cmdline: "C:\Users\user\AppData\Roaming\HODoCxSdp.exe" MD5: 3F69729A8F2B22E625BB984F28758EBC)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Malware configuration (Remcos):
{
  "Version": "3.8.0 Pro",
  "Host:Port:Password": "204.10.160.230:7983",
  "Assigned name": "RemoteHost",
  "Connect interval": "1",
  "Install flag": "Disable",
  "Setup HKCU\\Run": "Enable",
  "Setup HKLM\\Run": "Enable",
  "Install path": "Application path",
  "Copy file": "remcos.exe",
  "Startup value": "Remcos",
  "Hide file": "Disable",
  "Mutex": "Rmc-O7QOC3",
  "Keylog flag": "0",
  "Keylog path": "Application path",
  "Keylog file": "logs.dat",
  "Keylog crypt": "Disable",
  "Hide keylog file": "Disable",
  "Screenshot flag": "Disable",
  "Screenshot time": "10",
  "Take Screenshot option": "Disable",
  "Take screenshot title": "",
  "Take screenshot time": "5",
  "Screenshot path": "AppData",
  "Screenshot file": "Screenshots",
  "Screenshot crypt": "Disable",
  "Mouse option": "Disable",
  "Delete file": "Disable",
  "Audio record time": "5"
}
Yara matches in memory dumps (Source | Rule | Description | Author | Strings):

Source: 0000000E.00000002.2197786692.00000000014CB000.00000004.00000020.00020000.00000000.sdmp
  Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000009.00000002.4594472847.0000000000EF7000.00000004.00000020.00020000.00000000.sdmp
  Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp
  Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
  Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
  Strings:
    • 0x691e0:$a1: Remcos restarted by watchdog!
    • 0x69738:$a3: %02i:%02i:%02i:%03i
    • 0x69abd:$a4: * Remcos v
  Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown
  Strings:
    • 0x641e4:$str_a1: C:\Windows\System32\cmd.exe
    • 0x64160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    • 0x64160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    • 0x63610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
    • 0x63e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
    • 0x6320c:$str_b2: Executing file:
    • 0x64328:$str_b3: GetDirectListeningPort
    • 0x63c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
    • 0x63e30:$str_b7: \update.vbs
    • 0x63234:$str_b9: Downloaded file:
    • 0x63220:$str_b10: Downloading file:
    • 0x632c4:$str_b12: Failed to upload file:
    • 0x642f0:$str_b13: StartForward
    • 0x64310:$str_b14: StopForward
    • 0x63dd8:$str_b15: fso.DeleteFile "
    • 0x63d6c:$str_b16: On Error Resume Next
    • 0x63e08:$str_b17: fso.DeleteFolder "
    • 0x632b4:$str_b18: Uploaded file:
    • 0x63274:$str_b19: Unable to delete:
    • 0x63da0:$str_b20: while fso.FileExists("
    • 0x63749:$str_c0: [Firefox StoredLogins not found]
(table truncated in this export; the full report lists 14 entries)
Yara matches in unpacked PE files (Source | Rule | Description | Author | Strings):

Source: 14.2.HODoCxSdp.exe.400000.0.raw.unpack
  Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
  Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
  Strings:
    • 0x691e0:$a1: Remcos restarted by watchdog!
    • 0x69738:$a3: %02i:%02i:%02i:%03i
    • 0x69abd:$a4: * Remcos v
  Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown
  Strings:
    • 0x641e4:$str_a1: C:\Windows\System32\cmd.exe
    • 0x64160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    • 0x64160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    • 0x63610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
    • 0x63e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
    • 0x6320c:$str_b2: Executing file:
    • 0x64328:$str_b3: GetDirectListeningPort
    • 0x63c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
    • 0x63e30:$str_b7: \update.vbs
    • 0x63234:$str_b9: Downloaded file:
    • 0x63220:$str_b10: Downloading file:
    • 0x632c4:$str_b12: Failed to upload file:
    • 0x642f0:$str_b13: StartForward
    • 0x64310:$str_b14: StopForward
    • 0x63dd8:$str_b15: fso.DeleteFile "
    • 0x63d6c:$str_b16: On Error Resume Next
    • 0x63e08:$str_b17: fso.DeleteFolder "
    • 0x632b4:$str_b18: Uploaded file:
    • 0x63274:$str_b19: Unable to delete:
    • 0x63da0:$str_b20: while fso.FileExists("
    • 0x63749:$str_c0: [Firefox StoredLogins not found]
  Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer | Description: detects Windows executables potentially bypassing UAC using eventvwr.exe | Author: ditekSHen
  Strings:
    • 0x63100:$s1: \Classes\mscfile\shell\open\command
    • 0x63160:$s1: \Classes\mscfile\shell\open\command
    • 0x63148:$s2: eventvwr.exe
Source: 0.2.UD61dgs2rz.exe.35c2f70.4.unpack
  Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
(table truncated in this export; the full report lists 31 entries)

            System Summary

Sigma rule matches, source: process started

Author: Florian Roth (Nextron Systems) (this event appears twice in the original table, once per matching rule)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UD61dgs2rz.exe"
  CommandLine|base64offset|contains: ~2yzw
  Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (NewProcessName and OriginalFileName identical), ProcessId: 7280 (powershell.exe)
  ParentCommandLine: "C:\Users\user\Desktop\UD61dgs2rz.exe", ParentImage: C:\Users\user\Desktop\UD61dgs2rz.exe, ParentProcessId: 3064 (UD61dgs2rz.exe)

Author: Florian Roth (Nextron Systems)
  Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HODoCxSdp" /XML "C:\Users\user\AppData\Local\Temp\tmpD46F.tmp"
  CommandLine|base64offset|contains: *j
  Image: C:\Windows\SysWOW64\schtasks.exe (NewProcessName and OriginalFileName identical), ProcessId: 7888 (schtasks.exe)
  ParentCommandLine: C:\Users\user\AppData\Roaming\HODoCxSdp.exe, ParentImage: C:\Users\user\AppData\Roaming\HODoCxSdp.exe, ParentProcessId: 7608 (HODoCxSdp.exe)

Author: Florian Roth (Nextron Systems)
  Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HODoCxSdp" /XML "C:\Users\user\AppData\Local\Temp\tmpC22F.tmp"
  CommandLine|base64offset|contains: *j
  Image: C:\Windows\SysWOW64\schtasks.exe (NewProcessName and OriginalFileName identical), ProcessId: 7352 (schtasks.exe)
  ParentCommandLine: "C:\Users\user\Desktop\UD61dgs2rz.exe", ParentImage: C:\Users\user\Desktop\UD61dgs2rz.exe, ParentProcessId: 3064 (UD61dgs2rz.exe)

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UD61dgs2rz.exe"
  CommandLine|base64offset|contains: ~2yzw
  Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (NewProcessName and OriginalFileName identical), ProcessId: 7280 (powershell.exe)
  ParentCommandLine: "C:\Users\user\Desktop\UD61dgs2rz.exe", ParentImage: C:\Users\user\Desktop\UD61dgs2rz.exe, ParentProcessId: 3064 (UD61dgs2rz.exe)

            Persistence and Installation Behavior

Sigma rule match (author: Joe Security), source: process started
  Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HODoCxSdp" /XML "C:\Users\user\AppData\Local\Temp\tmpC22F.tmp"
  CommandLine|base64offset|contains: *j
  Image: C:\Windows\SysWOW64\schtasks.exe (NewProcessName and OriginalFileName identical), ProcessId: 7352 (schtasks.exe)
  ParentCommandLine: "C:\Users\user\Desktop\UD61dgs2rz.exe", ParentImage: C:\Users\user\Desktop\UD61dgs2rz.exe, ParentProcessId: 3064 (UD61dgs2rz.exe)
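
The persistence above is set up by importing a task definition from a .tmp file in the user's Temp folder (task "Updates\HODoCxSdp", created first by PID 7352 and again by PID 7888 after the dropped copy starts). The XML body of tmpC22F.tmp is not part of this report. The following is an added example, not code from Joe Sandbox or from the sample: it parses a task definition in the Task Scheduler XML format that schtasks /XML imports, pulls out the Exec command, the Hidden setting and the trigger types, and flags a task whose action runs from a user-writable directory or whose definition came from a temp file. The two task bodies, the vendor path in the benign control and the list of user-writable prefixes are assumptions for illustration; only the task name, the Roaming path and the temp file name come from the report.

```python
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace carried by every definition schtasks /XML imports.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories an unprivileged user can write to (assumed list): a persistent task
# whose action lives here deserves a look, since installers normally go elsewhere.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")

# Constructed task definition mirroring what the report shows: hidden, runs at
# logon, action is the dropped copy in AppData\Roaming. The real tmpC22F.tmp body
# is not in the report, so this XML is an assumption.
SUSPECT_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>user</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Users\user\AppData\Roaming\HODoCxSdp.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign control: a vendor updater under Program Files, not hidden.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-07-26T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\ExampleVendor\updater.exe</Command><Arguments>/check</Arguments></Exec>
  </Actions>
</Task>"""


def parse_task(xml_text):
    """Return the parts of a task definition that matter for triage."""
    root = ET.fromstring(xml_text)
    triggers = root.find("t:Triggers", NS)
    return {
        "commands": [c.text or "" for c in root.findall("t:Actions/t:Exec/t:Command", NS)],
        "hidden": root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS).lower() == "true",
        # strip the "{namespace}" prefix so LogonTrigger, CalendarTrigger etc. are readable
        "triggers": [] if triggers is None else [t.tag.split("}")[1] for t in triggers],
    }


def assess_task(xml_text, imported_from=""):
    """Flag persistence traits; returns finding tags in a fixed order (empty = nothing notable)."""
    info = parse_task(xml_text)
    findings = []
    for cmd in info["commands"]:
        if any(prefix in cmd.lower() for prefix in USER_WRITABLE):
            findings.append("exec_from_user_writable_path:" + cmd)
    if info["hidden"]:
        findings.append("task_hidden")
    # A logon trigger is normal on its own; only report it alongside another finding.
    if "LogonTrigger" in info["triggers"] and findings:
        findings.append("persists_at_logon")
    src = imported_from.lower()
    if "\\temp\\" in src and src.endswith(".tmp"):
        findings.append("definition_imported_from_temp:" + imported_from)
    return findings
```

On a live host the same check runs over the task files under C:\Windows\System32\Tasks (each is this XML), which is where the "Updates\HODoCxSdp" definition persists after the temp file is gone.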

            Stealing of Sensitive Information

Source: registry key set (author: Joe Security)
  EventID: 13, EventType: SetValue
  Image: C:\Users\user\Desktop\UD61dgs2rz.exe, ProcessId: 7524
  TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-O7QOC3\exepath
  Details: 9B 9A 85 2C AD 0E 2F 7E E9 73 AC 9B C0 D0 32 9C 79 B1 9A DF 6B 20 91 C8 61 27 47 7D 8F 5A C8 49 8A AE FA 1D CC 34 89 FF 77 DB 76 F0 E9 EE E6 2C 09 A7 FE 88 A0 B7 4A BC C9 D9 EC 44 64 CC 45 6A 12 18 D3 C3 76 4A DB 78 F2 6F 6B B6 5C 8E
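
The Sigma hits in this report are all process-creation events (the Defender exclusion added through Add-MpPreference, schtasks importing a task from Temp, schtasks spawned by a binary in a user directory) plus one registry SetValue under HKCU\SOFTWARE\Rmc-O7QOC3\exepath, the key Remcos names after its mutex. Two details matter when writing the same logic yourself: the command line says System32\...\powershell.exe while Image is SysWOW64\...\powershell.exe, because the 32-bit parent (tag 32exe) is subject to WoW64 file-system redirection, so match on the image basename rather than the full path; and the Sigma field "CommandLine|base64offset|contains" means the rule also looks for the cmdlet name inside a -EncodedCommand blob, which can be spelled three different ways in base64 depending on its byte offset. The following is an added example, not code from Joe Sandbox, Sigma or the sample: Sysmon-style records constructed from the report's process tree and registry event, a from-scratch implementation of the base64offset expansion, and the detection rules run over them. PID 4242 and the encoded-command event are constructed controls; the tag names are my own.

```python
import base64
import re
from pathlib import PureWindowsPath

# Sysmon-style records built from the report's process tree and registry event
# (EventID 1 = process create, 13 = registry value set). PID 4242 is a constructed
# benign control, not from the report.
EVENTS = [
    {"EventID": 1, "ProcessId": 7280,
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UD61dgs2rz.exe"',
     "ParentImage": r"C:\Users\user\Desktop\UD61dgs2rz.exe"},
    {"EventID": 1, "ProcessId": 7352,
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HODoCxSdp" /XML "C:\Users\user\AppData\Local\Temp\tmpC22F.tmp"',
     "ParentImage": r"C:\Users\user\Desktop\UD61dgs2rz.exe"},
    {"EventID": 13, "ProcessId": 7524,
     "Image": r"C:\Users\user\Desktop\UD61dgs2rz.exe",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Rmc-O7QOC3\exepath"},
    {"EventID": 1, "ProcessId": 4242,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Query /TN "Microsoft\Windows\Defrag\ScheduledDefrag"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


def base64offset_variants(needle):
    """Sigma's |base64offset| modifier: the three base64 spellings a byte string can
    have inside a larger blob, one per start offset mod 3. Pad bytes in front set the
    alignment; characters that also depend on bytes before or after the needle are
    trimmed so only the stable characters remain."""
    starts = (0, 2, 3)                 # leading chars polluted by the pad bytes
    ends = {0: None, 1: -3, 2: -2}     # trailing chars polluted by whatever follows
    variants = []
    for shift in range(3):
        enc = base64.b64encode(b" " * shift + needle).decode()
        variants.append(enc[starts[shift]:ends[(shift + len(needle)) % 3]])
    return variants


# powershell -EncodedCommand takes UTF-16LE, so search for both encodings.
MPPREF_B64 = [v for codec in ("utf-8", "utf-16le")
              for v in base64offset_variants("Add-MpPreference".encode(codec))]
REMCOS_EXEPATH = re.compile(r"\\software\\rmc-[a-z0-9]+\\exepath$", re.I)


def detect(ev):
    """Return the detection tags that fire for one event."""
    hits = []
    if ev["EventID"] == 1:
        # Basename only: a 32-bit parent launching "System32\..." is redirected to
        # SysWOW64, so Image and CommandLine disagree on the directory.
        img = PureWindowsPath(ev["Image"]).name.lower()
        cmd, low = ev["CommandLine"], ev["CommandLine"].lower()
        parent = ev["ParentImage"].lower()
        if img in ("powershell.exe", "pwsh.exe"):
            if "add-mppreference" in low and "-exclusion" in low:
                hits.append("defender_exclusion_added")
            if any(v in cmd for v in MPPREF_B64):
                hits.append("defender_exclusion_base64_encoded")
        if img == "schtasks.exe" and "/create" in low:
            if "/xml" in low and re.search(r"\\appdata\\local\\temp\\|%temp%", low):
                hits.append("schtasks_xml_from_temp")
            if parent.startswith("c:\\users\\"):
                hits.append("schtasks_create_from_user_dir_parent")
    elif ev["EventID"] == 13 and REMCOS_EXEPATH.search(ev["TargetObject"]):
        hits.append("remcos_exepath_registry_value")
    return hits


def run(events):
    """Map ProcessId -> tags for every event that fired at least one rule."""
    out = {}
    for ev in events:
        tags = detect(ev)
        if tags:
            out[ev["ProcessId"]] = tags
    return out


def encoded_powershell_event(script):
    """Constructed variant not seen in this analysis: the same cmdlet behind -EncodedCommand."""
    blob = base64.b64encode(script.encode("utf-16le")).decode()
    return {"EventID": 1, "ProcessId": 9001,
            "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
            "CommandLine": "powershell.exe -NoP -EncodedCommand " + blob,
            "ParentImage": r"C:\Windows\explorer.exe"}
```

The base64offset expansion is what lets a log search catch the encoded form without decoding every command line; for "Add-MpPreference" as UTF-8 the offset-0 spelling is QWRkLU1wUHJlZmVyZW5jZ, and the UTF-16LE spellings are what -EncodedCommand actually produces.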
Suricata IDS alerts (no Snort rule matched), in time order:

Timestamp                         SID      Src port  Dst port  Proto  Classtype
2024-07-26T13:48:15.533075+0200   2036594  49725     7983      TCP    Malware Command and Control Activity Detected
2024-07-26T13:48:17.448620+0200   2803304  49730     80        TCP    Unknown Traffic
2024-07-26T13:48:31.403250+0200   2022930  443       49737     TCP    A Network Trojan was detected
2024-07-26T13:48:49.721672+0200   2022930  443       54731     TCP    A Network Trojan was detected
2024-07-26T13:48:51.687437+0200   2022930  443       54732     TCP    A Network Trojan was detected


            AV Detection

Source: 0.2.UD61dgs2rz.exe.35c2f70.4.raw.unpack | Malware Configuration Extractor: Remcos {"Version": "3.8.0 Pro", "Host:Port:Password": "204.10.160.230:7983", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Rmc-O7QOC3", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | ReversingLabs: Detection: 42%
Source: UD61dgs2rz.exe | ReversingLabs: Detection: 42%
Source: Yara match | File source: 14.2.HODoCxSdp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.UD61dgs2rz.exe.35c2f70.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.HODoCxSdp.exe.3b4e728.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.HODoCxSdp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.UD61dgs2rz.exe.354d950.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.HODoCxSdp.exe.3bc3d48.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.HODoCxSdp.exe.3bc3d48.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.UD61dgs2rz.exe.35c2f70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.HODoCxSdp.exe.3b4e728.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.UD61dgs2rz.exe.354d950.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000002.2197786692.00000000014CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.4594472847.0000000000EF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2226007539.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2171071902.000000000354D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: UD61dgs2rz.exe PID: 3064, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: UD61dgs2rz.exe PID: 7524, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: HODoCxSdp.exe PID: 7608, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: HODoCxSdp.exe PID: 7948, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Joe Sandbox ML: detected
Source: UD61dgs2rz.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 14_2_004315EC CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,14_2_004315EC
Source: UD61dgs2rz.exe, 00000000.00000002.2171071902.000000000354D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY----- (memstr_40d683fb-8)
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 14_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,14_2_0041A01B
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 14_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,14_2_0040B28E
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 14_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,14_2_0040838E
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 14_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,14_2_004087A0
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 14_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,14_2_00407848
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 14_2_004068CD FindFirstFileW,FindNextFileW,14_2_004068CD
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 14_2_0044BA59 FindFirstFileExA,14_2_0044BA59
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 14_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,14_2_0040AA71
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 14_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW,14_2_00417AAB
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 14_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,14_2_0040AC78
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 14_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,14_2_00406D28
Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Code function: 4x nop then jmp 07038C75h | 0_2_07038F9C
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 4x nop then jmp 07287F0Dh | 10_2_07288234

            Networking

Source: Malware configuration extractor | URLs: 204.10.160.230
Source: global traffic | TCP traffic: 192.168.2.5:49725 -> 204.10.160.230:7983
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: Joe Sandbox View | IP Address: 204.10.160.230
Source: Joe Sandbox View | ASN Name: UNREAL-SERVERSUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (2 occurrences)
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 14_2_0041936B InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,14_2_0041936B
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: global traffic | DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa
Source: UD61dgs2rz.exe, HODoCxSdp.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: UD61dgs2rz.exe, HODoCxSdp.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: UD61dgs2rz.exe, 00000009.00000002.4594472847.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/
Source: UD61dgs2rz.exe, 00000009.00000002.4594472847.0000000000EF7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/-6
Source: UD61dgs2rz.exe, 00000009.00000002.4594472847.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/N
Source: UD61dgs2rz.exe, 00000009.00000002.4594472847.0000000000F4D000.00000004.00000020.00020000.00000000.sdmp, UD61dgs2rz.exe, 00000009.00000002.4594472847.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp, UD61dgs2rz.exe, 00000009.00000002.4594472847.0000000000EF7000.00000004.00000020.00020000.00000000.sdmp, HODoCxSdp.exe | String found in binary or memory: http://geoplugin.net/json.gp
Source: UD61dgs2rz.exe, 00000000.00000002.2171071902.000000000354D000.00000004.00000800.00020000.00000000.sdmp, HODoCxSdp.exe, 0000000A.00000002.2226007539.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, HODoCxSdp.exe, 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: UD61dgs2rz.exe, 00000009.00000002.4594472847.0000000000F4D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp6
Source: UD61dgs2rz.exe, 00000009.00000002.4594472847.0000000000F4D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp:
Source: UD61dgs2rz.exe, 00000009.00000002.4594472847.0000000000F4D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp?
Source: UD61dgs2rz.exe, 00000009.00000002.4594472847.0000000000EF7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: UD61dgs2rz.exe, HODoCxSdp.exe.0.dr | String found in binary or memory: http://ocsp.comodoca.com0
Source: UD61dgs2rz.exe, 00000000.00000002.2170083571.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, HODoCxSdp.exe, 0000000A.00000002.2223615700.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: UD61dgs2rz.exe, HODoCxSdp.exe.0.dr | String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
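
The extracted configuration names the C2 endpoint (204.10.160.230:7983), the traffic above shows exactly that TCP connection plus a geolocation lookup to geoplugin.net sent without a User-Agent header, and the Suricata table flags port 7983 as command-and-control activity. The following is an added example, not code from Joe Sandbox, the report or the malware, that ties those pieces together: it parses the Remcos "Host:Port:Password" field, labels observed flows against it, separates the C2 flow from the geoplugin lookup, flags HTTP requests lacking a User-Agent, and assembles an IOC list. One caveat is built in: "Install flag" is Disable and the dropped HODoCxSdp.exe has the same MD5 as the submitted sample, so the persistence in the process tree comes from the loader around the payload, not from Remcos's own installer, and the config's "remcos.exe" copy name is not emitted as a file IOC. Assumptions: the "|" separator for multiple C2 entries (this config has one), the pairing of 178.237.33.50 with the port-80 flow (the report lists the IP and the request on separate lines), the flows' source address, and the header set of the GET.

```python
import json

# Excerpt of the configuration the report's extractor recovered; values copied
# verbatim for the fields used here, the full dictionary is in the report.
REMCOS_CONFIG = json.loads("""{
  "Version": "3.8.0 Pro",
  "Host:Port:Password": "204.10.160.230:7983",
  "Install flag": "Disable",
  "Copy file": "remcos.exe",
  "Mutex": "Rmc-O7QOC3",
  "Keylog flag": "0",
  "Keylog file": "logs.dat"
}""")

# Observed flows from the "global traffic" lines. Pairing 178.237.33.50 with the
# port-80 flow is an assumption; the report gives the IP and the GET separately.
FLOWS = [
    {"src": "192.168.2.5", "sport": 49725, "dst": "204.10.160.230", "dport": 7983, "proto": "TCP"},
    {"src": "192.168.2.5", "sport": 49730, "dst": "178.237.33.50", "dport": 80, "proto": "TCP"},
]

# The GET as the report prints it (request line, Host, Cache-Control). No
# User-Agent appears in the report, which is why Joe's signature fired.
HTTP_REQUESTS = [
    {"dst": "178.237.33.50", "dport": 80, "request_line": "GET /json.gp HTTP/1.1",
     "headers": {"Host": "geoplugin.net", "Cache-Control": "no-cache"}},
]

# Three of the Suricata alerts from the report: (timestamp, SID, src port, dst port, classtype).
ALERTS = [
    ("2024-07-26T13:48:15.533075+0200", 2036594, 49725, 7983, "Malware Command and Control Activity Detected"),
    ("2024-07-26T13:48:17.448620+0200", 2803304, 49730, 80, "Unknown Traffic"),
    ("2024-07-26T13:48:31.403250+0200", 2022930, 443, 49737, "A Network Trojan was detected"),
]


def parse_c2(config):
    """Split 'Host:Port:Password' into (host, port, password) tuples.
    Assumption: several C2 entries are '|'-separated; this sample has a single
    entry and no password component after the port."""
    entries = []
    for item in config["Host:Port:Password"].split("|"):
        parts = item.strip().split(":")
        if len(parts) >= 2 and parts[1].isdigit():
            entries.append((parts[0], int(parts[1]), parts[2] if len(parts) > 2 else ""))
    return entries


def label_flows(config, flows):
    """Tag each flow 'remcos_c2' if it hits a configured endpoint, else 'other'."""
    c2 = {(host, port) for host, port, _ in parse_c2(config)}
    return [(f, "remcos_c2" if (f["dst"], f["dport"]) in c2 else "other") for f in flows]


def http_without_user_agent(requests):
    """Requests with no User-Agent header (case-insensitive), as Joe's signature checks."""
    return [r for r in requests if not any(k.lower() == "user-agent" for k in r["headers"])]


def c2_alert_ports(alerts):
    """Destination ports of alerts Suricata classed as command-and-control."""
    return sorted({dport for _, _, _, dport, cls in alerts if "Command and Control" in cls})


def build_iocs(config, flows):
    """Assemble indicators. File names from the config count only if the feature
    that would create them is enabled; the registry key follows the report's
    SetValue event, where the key name equals the mutex."""
    iocs = {
        "c2": [f"{host}:{port}" for host, port, _ in parse_c2(config)],
        "mutex": config["Mutex"],
        "registry_key": "HKCU\\SOFTWARE\\" + config["Mutex"],
        "files": [],
        "contacted_ips": sorted({f["dst"] for f in flows}),
    }
    if config.get("Install flag") == "Enable":
        iocs["files"].append(config["Copy file"])
    if config.get("Keylog flag", "0") != "0":
        iocs["files"].append(config["Keylog file"])
    return iocs
```

The geoplugin.net request is a fingerprint of the bot's start-up rather than a C2 channel, so it belongs in the "contacted" list but not in the C2 block list; blocking 204.10.160.230:7983 is the action the correlation supports.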

            Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 14_2_00409340 SetWindowsHookExA 0000000D,0040932C,00000000 | 14_2_00409340
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 14_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard,14_2_0040A65A
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 14_2_00414EC1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,14_2_00414EC1
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 14_2_00409468 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,14_2_00409468

            E-Banking Fraud

Source: Yara match | File sources (UNPACKEDPE): 14.2.HODoCxSdp.exe.400000.0.raw.unpack; 0.2.UD61dgs2rz.exe.35c2f70.4.unpack; 10.2.HODoCxSdp.exe.3b4e728.2.unpack; 14.2.HODoCxSdp.exe.400000.0.unpack; 0.2.UD61dgs2rz.exe.354d950.1.unpack; 10.2.HODoCxSdp.exe.3bc3d48.4.unpack; 10.2.HODoCxSdp.exe.3bc3d48.4.raw.unpack; 0.2.UD61dgs2rz.exe.35c2f70.4.raw.unpack; 10.2.HODoCxSdp.exe.3b4e728.2.raw.unpack; 0.2.UD61dgs2rz.exe.354d950.1.raw.unpack
Source: Yara match | File sources (MEMORY): 0000000E.00000002.2197786692.00000000014CB000.00000004.00000020.00020000.00000000.sdmp; 00000009.00000002.4594472847.0000000000EF7000.00000004.00000020.00020000.00000000.sdmp; 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp; 0000000A.00000002.2226007539.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000002.2171071902.000000000354D000.00000004.00000800.00020000.00000000.sdmp
Source: Yara match | File sources (MEMORYSTR): Process Memory Space: UD61dgs2rz.exe PID: 3064; UD61dgs2rz.exe PID: 7524; HODoCxSdp.exe PID: 7608; HODoCxSdp.exe PID: 7948

            Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 14_2_0041A76C SystemParametersInfoW

            System Summary

Source: 14.2.HODoCxSdp.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 14.2.HODoCxSdp.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.HODoCxSdp.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.UD61dgs2rz.exe.35c2f70.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.UD61dgs2rz.exe.35c2f70.4.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.UD61dgs2rz.exe.35c2f70.4.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 10.2.HODoCxSdp.exe.3b4e728.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.2.HODoCxSdp.exe.3b4e728.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 10.2.HODoCxSdp.exe.3b4e728.2.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 14.2.HODoCxSdp.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 14.2.HODoCxSdp.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.HODoCxSdp.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.UD61dgs2rz.exe.354d950.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.UD61dgs2rz.exe.354d950.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.UD61dgs2rz.exe.354d950.1.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 10.2.HODoCxSdp.exe.3bc3d48.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.2.HODoCxSdp.exe.3bc3d48.4.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 10.2.HODoCxSdp.exe.3bc3d48.4.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 10.2.HODoCxSdp.exe.3bc3d48.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.2.HODoCxSdp.exe.3bc3d48.4.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.UD61dgs2rz.exe.35c2f70.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.UD61dgs2rz.exe.35c2f70.4.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 10.2.HODoCxSdp.exe.3b4e728.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.2.HODoCxSdp.exe.3b4e728.2.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.UD61dgs2rz.exe.354d950.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.UD61dgs2rz.exe.354d950.1.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0000000A.00000002.2226007539.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.2171071902.000000000354D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: UD61dgs2rz.exe PID: 3064, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: HODoCxSdp.exe PID: 7608, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: HODoCxSdp.exe PID: 7948, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 14_2_00414DB4 ExitWindowsEx,LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\UD61dgs2rz.exe Code function: 0_2_050C4310
Source: C:\Users\user\Desktop\UD61dgs2rz.exe Code function: 0_2_050C3448
Source: C:\Users\user\Desktop\UD61dgs2rz.exe Code function: 0_2_050CAF50
Source: C:\Users\user\Desktop\UD61dgs2rz.exe Code function: 0_2_050CAF60
Source: C:\Users\user\Desktop\UD61dgs2rz.exe Code function: 0_2_050C3FD9
Source: C:\Users\user\Desktop\UD61dgs2rz.exe Code function: 0_2_07038AB1
Source: C:\Users\user\Desktop\UD61dgs2rz.exe Code function: 0_2_07030040
Source: C:\Users\user\Desktop\UD61dgs2rz.exe Code function: 0_2_070347C8
Source: C:\Users\user\Desktop\UD61dgs2rz.exe Code function: 0_2_07033528
Source: C:\Users\user\Desktop\UD61dgs2rz.exe Code function: 0_2_07032CB8
Source: C:\Users\user\Desktop\UD61dgs2rz.exe Code function: 0_2_07035168
Source: C:\Users\user\Desktop\UD61dgs2rz.exe Code function: 0_2_07035178
Source: C:\Users\user\Desktop\UD61dgs2rz.exe Code function: 0_2_0703B990
Source: C:\Users\user\Desktop\UD61dgs2rz.exe Code function: 0_2_07030013
Source: C:\Users\user\Desktop\UD61dgs2rz.exe Code function: 0_2_070330F0
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 10_2_07280040
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 10_2_07287D49
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 10_2_072847C8
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 10_2_07283528
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 10_2_07285168
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 10_2_07285178
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 10_2_07280007
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 10_2_072830F0
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 10_2_0728AC28
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 10_2_07282CB8
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 14_2_00425152
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 14_2_00435286
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 14_2_004513D4
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 14_2_0045050B
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 14_2_00436510
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 14_2_004316FB
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 14_2_0043569E
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 14_2_00443700
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 14_2_004257FB
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 14_2_004128E3
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 14_2_00425964
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 14_2_0041B917
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 14_2_0043D9CC
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 14_2_00435AD3
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 14_2_00424BC3
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 14_2_0043DBFB
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 14_2_0044ABA9
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 14_2_00433C0B
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 14_2_00434D8A
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 14_2_0043DE2A
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 14_2_0041CEAF
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 14_2_00435F08
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\HODoCxSdp.exe D1B50FC6CE79320A88DEFEF33BAF6A51E30845BD13AB2B52F7925BA0B8F527CD (the same SHA256 as the submitted sample: the dropped file is a byte-for-byte copy of UD61dgs2rz.exe placed under %APPDATA%)
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: String function: 00402073 appears 51 times
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: String function: 00432B90 appears 53 times
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: String function: 00432525 appears 41 times
Source: UD61dgs2rz.exe, 00000000.00000000.2123831467.00000000000FA000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameZpnl.exe2 vs UD61dgs2rz.exe
Source: UD61dgs2rz.exe, 00000000.00000002.2180273618.0000000006E40000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs UD61dgs2rz.exe
Source: UD61dgs2rz.exe, 00000000.00000002.2170083571.00000000024E1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMML.dll2 vs UD61dgs2rz.exe
Source: UD61dgs2rz.exe, 00000000.00000002.2168084902.000000000070E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs UD61dgs2rz.exe
Source: UD61dgs2rz.exe, 00000000.00000002.2180090667.0000000006DD0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMML.dll2 vs UD61dgs2rz.exe
Source: UD61dgs2rz.exe Binary or memory string: OriginalFilenameZpnl.exe2 vs UD61dgs2rz.exe
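The "OriginalFilename ... vs" lines above compare the name stored in a PE's version resource with the name the file carries on disk; the submitted file calls itself Zpnl.exe, which is a typical sign of a renamed or repacked binary. The following is an added example, not code from the report or from Joe Sandbox: it locates the OriginalFilename entry in a version-resource buffer the same way a byte-string search would, skips the terminator and alignment padding of the VS_VERSIONINFO String structure, and reports values that differ from the on-disk name. The version-resource fragment at the bottom is constructed for the example (the only field copied from the report is the Zpnl.exe value); on a process memory dump the same search also hits the version blocks of every module loaded or unpacked in the process, which is why the report also sees clr.dll, MML.dll and Tyrone.dll in UD61dgs2rz.exe's memory.

```python
"""Added example (not part of the Joe Sandbox report): pull OriginalFilename
out of a PE version resource the way the report's "Binary or memory string"
check does, and compare it with the name the file has on disk."""
import re
from pathlib import PureWindowsPath

# The key as it is stored inside a StringFileInfo block: UTF-16LE.
_KEY = "OriginalFilename".encode("utf-16-le")


def extract_original_filenames(data: bytes) -> list:
    """Return every OriginalFilename value found in a file or memory buffer.

    A VS_VERSIONINFO String entry is: wLength, wValueLength, wType, szKey
    (UTF-16LE, NUL-terminated), padding to a DWORD boundary, then the value
    (UTF-16LE, NUL-terminated). The key is found by a byte search, the header
    in front of it is used to skip entries that declare no value, then the
    NUL terminator and padding are skipped and the value is read up to its NUL.
    """
    found = []
    pos = data.find(_KEY)
    while pos != -1:
        value_words = int.from_bytes(data[pos - 4:pos - 2], "little") if pos >= 6 else 0
        if value_words > 0:
            cur = pos + len(_KEY)
            while cur + 1 < len(data) and data[cur:cur + 2] == b"\x00\x00":
                cur += 2                       # key terminator plus alignment padding
            end = cur
            while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
                end += 2
            try:
                value = data[cur:end].decode("utf-16-le")
            except UnicodeDecodeError:
                value = ""
            if value and re.fullmatch(r"[\w .\-]+", value):
                found.append(value)
        pos = data.find(_KEY, pos + len(_KEY))
    return found


def original_name_mismatch(path_on_disk: str, data: bytes) -> list:
    """Return the OriginalFilename values that differ from the on-disk name.

    Case-insensitive, like Windows file names. Run this on the file image when
    only the sample's own resource matters: a memory dump also carries the
    version blocks of loaded and unpacked modules (clr.dll, MML.dll, Tyrone.dll
    in the report above).
    """
    disk_name = PureWindowsPath(path_on_disk).name.lower()
    return [n for n in extract_original_filenames(data) if n.lower() != disk_name]


def _string_entry(key: str, value: str) -> bytes:
    """Build one VS_VERSIONINFO String entry; used only for constructed test data."""
    k = key.encode("utf-16-le") + b"\x00\x00"
    if len(k) % 4:
        k += b"\x00\x00"                      # DWORD alignment before the value
    v = value.encode("utf-16-le") + b"\x00\x00"
    length = 6 + len(k) + len(v)
    return (length.to_bytes(2, "little")
            + (len(value) + 1).to_bytes(2, "little")   # wValueLength, in words
            + b"\x01\x00"                               # wType 1 = text
            + k + v)


# Constructed sample: a version-resource fragment like the one the sandbox
# read from UD61dgs2rz.exe, whose resource names the file Zpnl.exe.
SAMPLE_VERSIONINFO = (
    b"\x00" * 8
    + _string_entry("CompanyName", "")
    + _string_entry("OriginalFilename", "Zpnl.exe")
    + _string_entry("ProductVersion", "1.0.0.0")
)

if __name__ == "__main__":
    print(extract_original_filenames(SAMPLE_VERSIONINFO))
    print(original_name_mismatch(r"C:\Users\user\Desktop\UD61dgs2rz.exe", SAMPLE_VERSIONINFO))
```

To run it against a real file, pass `open(path, "rb").read()` as `data`; a mismatch is a triage signal, not a verdict, since legitimately renamed installers and copied tools trigger it too.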
Source: 14.2.HODoCxSdp.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 14.2.HODoCxSdp.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.HODoCxSdp.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.UD61dgs2rz.exe.35c2f70.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.UD61dgs2rz.exe.35c2f70.4.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.UD61dgs2rz.exe.35c2f70.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 10.2.HODoCxSdp.exe.3b4e728.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.2.HODoCxSdp.exe.3b4e728.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.2.HODoCxSdp.exe.3b4e728.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 14.2.HODoCxSdp.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 14.2.HODoCxSdp.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.HODoCxSdp.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.UD61dgs2rz.exe.354d950.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.UD61dgs2rz.exe.354d950.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.UD61dgs2rz.exe.354d950.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 10.2.HODoCxSdp.exe.3bc3d48.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.2.HODoCxSdp.exe.3bc3d48.4.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.2.HODoCxSdp.exe.3bc3d48.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 10.2.HODoCxSdp.exe.3bc3d48.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.2.HODoCxSdp.exe.3bc3d48.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.UD61dgs2rz.exe.35c2f70.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.UD61dgs2rz.exe.35c2f70.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 10.2.HODoCxSdp.exe.3b4e728.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.2.HODoCxSdp.exe.3b4e728.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.UD61dgs2rz.exe.354d950.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.UD61dgs2rz.exe.354d950.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0000000A.00000002.2226007539.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.2171071902.000000000354D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: UD61dgs2rz.exe PID: 3064, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: HODoCxSdp.exe PID: 7608, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: HODoCxSdp.exe PID: 7948, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
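The two "Matched rule" lists in this System Summary (the short form with the author only, and the long form with the full rule metadata) name the same hits over three kinds of source: unpacked PEs such as 14.2.HODoCxSdp.exe.400000.0.unpack (process index 14, phase 2, base 0x400000), memory dumps such as 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp (the same process index and phase in hexadecimal, then a dump id and the 64-bit base), and process-string scans keyed by OS PID. Reading the two fields after the base as page protection and allocation type (0x40 = PAGE_EXECUTE_READWRITE, 0x20000 = MEM_PRIVATE, which is what a manually mapped payload in HODoCxSdp.exe would look like) is an inference from their values, not something the report states. The following is an added example, not part of the report or of Joe Sandbox: a parser for both line forms that folds every hit into a per-process view, so the question "which processes actually contain the Remcos payload" (0, 10 and 14 here, plus the PIDs of the string scans) can be answered from the text alone. The sample lines are copied from this section.

```python
"""Added example (not part of the Joe Sandbox report): turn the report's
"Matched rule" lines into a per-process view of YARA hits."""
import re
from collections import defaultdict

# "14.2.HODoCxSdp.exe.400000.0.unpack": process index, phase, image, base (hex)
UNPACK_RE = re.compile(r"^(?P<idx>\d+)\.(?P<phase>\d+)\.(?P<image>.+?\.exe)\.(?P<base>[0-9a-f]+)\.")
# "0000000E.00000002.2196279495.0000000000400000.<protect>.<...>.sdmp": same, zero-padded hex
SDMP_RE = re.compile(r"^(?P<idx>[0-9A-F]{8})\.(?P<phase>[0-9A-F]{8})\.\d+\.(?P<base>[0-9A-F]{16})\.")
# "Process Memory Space: HODoCxSdp.exe PID: 7948": string scan keyed by OS PID
PID_RE = re.compile(r"^Process Memory Space: (?P<image>\S+) PID: (?P<pid>\d+)$")
# One report line. The rule name ends where the rule's metadata begins; the
# report renders that boundary as " Author:", " author =", " reference_sample ="
# or " Description =" depending on the rule set.
LINE_RE = re.compile(
    r"^Source: (?P<src>.+?), type: (?P<type>[A-Z]+) ?Matched rule: "
    r"(?P<rule>.+?)(?: Author:| author =| reference_sample =| Description =|$)"
)


def parse_match(line: str):
    """Return (process, base, rule) for one 'Matched rule' line, else None.

    process is the report's process index as a string ("14"), or "pid NNNN"
    for string scans, which the report keys by OS PID instead; base is the
    hit's base address or None.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, rule = m.group("src"), m.group("rule")
    if (u := UNPACK_RE.match(src)):
        return str(int(u.group("idx"))), int(u.group("base"), 16), rule
    if (s := SDMP_RE.match(src)):
        return str(int(s.group("idx"), 16)), int(s.group("base"), 16), rule
    if (p := PID_RE.match(src)):
        return "pid " + p.group("pid"), None, rule
    return None


def group_by_process(lines: list) -> dict:
    """Map each process to the rules matched in it and the bases of the hits."""
    out = defaultdict(lambda: {"rules": set(), "bases": set()})
    for line in lines:
        parsed = parse_match(line)
        if parsed is None:
            continue                       # e.g. the bare "Yara match" lines
        proc, base, rule = parsed
        out[proc]["rules"].add(rule)
        if base is not None:
            out[proc]["bases"].add(base)
    return dict(out)


def processes_matching(lines: list, rule: str) -> list:
    """Processes in which `rule` fired on any unpacked PE, dump or string scan."""
    return sorted(p for p, v in group_by_process(lines).items() if rule in v["rules"])


# Sample input copied from this report section (both the short and the long form).
SAMPLE_LINES = [
    "Source: 14.2.HODoCxSdp.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown",
    "Source: 14.2.HODoCxSdp.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown",
    "Source: 0.2.UD61dgs2rz.exe.35c2f70.4.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen",
    "Source: 10.2.HODoCxSdp.exe.3b4e728.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown",
    "Source: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe",
    "Source: Process Memory Space: HODoCxSdp.exe PID: 7948, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown",
    "Source: Yara match File source: 0.2.UD61dgs2rz.exe.354d950.1.unpack, type: UNPACKEDPE",
]

if __name__ == "__main__":
    for proc, v in sorted(group_by_process(SAMPLE_LINES).items()):
        print(proc, sorted(v["rules"]), [hex(b) for b in sorted(v["bases"])])
    print("Remcos payload in:", processes_matching(SAMPLE_LINES, "Windows_Trojan_Remcos_b296e965"))
```

Feed it the whole report text (one line per entry) to see every process that carried the payload; the regexes also accept the collapsed "UNPACKEDPEMatched rule:" spelling that HTML extraction produces.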
Source: HODoCxSdp.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.UD61dgs2rz.exe.39a69b0.3.raw.unpack, EtsJobhTeXI6X3UQ5n.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.UD61dgs2rz.exe.39a69b0.3.raw.unpack, EtsJobhTeXI6X3UQ5n.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.UD61dgs2rz.exe.6e40000.8.raw.unpack, D9EudLlbHv2APZOL2i.cs Security API names: _0020.SetAccessControl
Source: 0.2.UD61dgs2rz.exe.6e40000.8.raw.unpack, D9EudLlbHv2APZOL2i.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.UD61dgs2rz.exe.6e40000.8.raw.unpack, D9EudLlbHv2APZOL2i.cs Security API names: _0020.AddAccessRule
Source: 0.2.UD61dgs2rz.exe.38efb90.2.raw.unpack, EtsJobhTeXI6X3UQ5n.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.UD61dgs2rz.exe.38efb90.2.raw.unpack, EtsJobhTeXI6X3UQ5n.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.UD61dgs2rz.exe.38efb90.2.raw.unpack, D9EudLlbHv2APZOL2i.cs Security API names: _0020.SetAccessControl
Source: 0.2.UD61dgs2rz.exe.38efb90.2.raw.unpack, D9EudLlbHv2APZOL2i.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.UD61dgs2rz.exe.38efb90.2.raw.unpack, D9EudLlbHv2APZOL2i.cs Security API names: _0020.AddAccessRule
Source: 0.2.UD61dgs2rz.exe.39a69b0.3.raw.unpack, D9EudLlbHv2APZOL2i.cs Security API names: _0020.SetAccessControl
Source: 0.2.UD61dgs2rz.exe.39a69b0.3.raw.unpack, D9EudLlbHv2APZOL2i.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.UD61dgs2rz.exe.39a69b0.3.raw.unpack, D9EudLlbHv2APZOL2i.cs Security API names: _0020.AddAccessRule
Source: 0.2.UD61dgs2rz.exe.6e40000.8.raw.unpack, EtsJobhTeXI6X3UQ5n.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.UD61dgs2rz.exe.6e40000.8.raw.unpack, EtsJobhTeXI6X3UQ5n.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.rans.troj.spyw.evad.winEXE@19/16@2/2
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 14_2_00415C90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 14_2_0040E2E7 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 14_2_00419493 FindResourceA,LoadResource,LockResource,SizeofResource
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 14_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\UD61dgs2rz.exe File created: C:\Users\user\AppData\Roaming\HODoCxSdp.exe
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Mutant created: \Sessions\1\BaseNamedObjects\aHbsRqcXCAHRAEQcDvjfkNSbY
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7344:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7288:120:WilError_03
Source: C:\Users\user\Desktop\UD61dgs2rz.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-O7QOC3
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7900:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7380:120:WilError_03
Source: C:\Users\user\Desktop\UD61dgs2rz.exe File created: C:\Users\user\AppData\Local\Temp\tmpC22F.tmp
Source: UD61dgs2rz.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\UD61dgs2rz.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\UD61dgs2rz.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: UD61dgs2rz.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\Desktop\UD61dgs2rz.exe File read: C:\Users\user\Desktop\UD61dgs2rz.exe
Source: unknown Process created: C:\Users\user\Desktop\UD61dgs2rz.exe "C:\Users\user\Desktop\UD61dgs2rz.exe"
Source: C:\Users\user\Desktop\UD61dgs2rz.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UD61dgs2rz.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\UD61dgs2rz.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HODoCxSdp.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\UD61dgs2rz.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HODoCxSdp" /XML "C:\Users\user\AppData\Local\Temp\tmpC22F.tmp"
            Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\UD61dgs2rz.exeProcess created: C:\Users\user\Desktop\UD61dgs2rz.exe "C:\Users\user\Desktop\UD61dgs2rz.exe"
            Source: unknownProcess created: C:\Users\user\AppData\Roaming\HODoCxSdp.exe C:\Users\user\AppData\Roaming\HODoCxSdp.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HODoCxSdp" /XML "C:\Users\user\AppData\Local\Temp\tmpD46F.tmp"
            Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exeProcess created: C:\Users\user\AppData\Roaming\HODoCxSdp.exe "C:\Users\user\AppData\Roaming\HODoCxSdp.exe"
            Source: C:\Users\user\Desktop\UD61dgs2rz.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UD61dgs2rz.exe"Jump to behavior
            Source: C:\Users\user\Desktop\UD61dgs2rz.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HODoCxSdp.exe"Jump to behavior
            Source: C:\Users\user\Desktop\UD61dgs2rz.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HODoCxSdp" /XML "C:\Users\user\AppData\Local\Temp\tmpC22F.tmp"Jump to behavior
            Source: C:\Users\user\Desktop\UD61dgs2rz.exeProcess created: C:\Users\user\Desktop\UD61dgs2rz.exe "C:\Users\user\Desktop\UD61dgs2rz.exe"Jump to behavior
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HODoCxSdp" /XML "C:\Users\user\AppData\Local\Temp\tmpD46F.tmp"Jump to behavior
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exeProcess created: C:\Users\user\AppData\Roaming\HODoCxSdp.exe "C:\Users\user\AppData\Roaming\HODoCxSdp.exe"Jump to behavior
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: dwrite.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: windowscodecs.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: edputil.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: appresolver.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: bcp47langs.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: slc.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: sppc.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: winnsi.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Section loaded: version.dll
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Section loaded: dwrite.dll
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Section loaded: amsi.dll
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Section loaded: userenv.dll
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Section loaded: windowscodecs.dll
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Section loaded: propsys.dll
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Section loaded: edputil.dll
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Section loaded: netutils.dll
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Section loaded: appresolver.dll
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Section loaded: bcp47langs.dll
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Section loaded: slc.dll
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Section loaded: sppc.dll
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Section loaded: winmm.dll
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Section loaded: wininet.dll
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Section loaded: netutils.dll
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

            Data Obfuscation

            Source: 0.2.UD61dgs2rz.exe.6e40000.8.raw.unpack, D9EudLlbHv2APZOL2i.cs | .Net Code: FgBnpdUPj1 System.Reflection.Assembly.Load(byte[])
            Source: 0.2.UD61dgs2rz.exe.38efb90.2.raw.unpack, D9EudLlbHv2APZOL2i.cs | .Net Code: FgBnpdUPj1 System.Reflection.Assembly.Load(byte[])
            Source: 0.2.UD61dgs2rz.exe.39a69b0.3.raw.unpack, D9EudLlbHv2APZOL2i.cs | .Net Code: FgBnpdUPj1 System.Reflection.Assembly.Load(byte[])
            Source: 0.2.UD61dgs2rz.exe.250d414.0.raw.unpack, -.cs | .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
            Source: 0.2.UD61dgs2rz.exe.250d414.0.raw.unpack, PingPong.cs | .Net Code: Justy
            Source: 0.2.UD61dgs2rz.exe.6dd0000.6.raw.unpack, -.cs | .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
            Source: 0.2.UD61dgs2rz.exe.6dd0000.6.raw.unpack, PingPong.cs | .Net Code: Justy
            Source: 10.2.HODoCxSdp.exe.2b0d43c.0.raw.unpack, -.cs | .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
            Source: 10.2.HODoCxSdp.exe.2b0d43c.0.raw.unpack, PingPong.cs | .Net Code: Justy
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 14_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 14_2_0041A8DA
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Code function: 0_2_050C2C30 push esp; retf 0_2_050C2C39
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Code function: 0_2_050CA9D8 push esp; iretd 0_2_050CA9D9
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Code function: 0_2_070304EA push edx; ret 0_2_070304EB
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 10_2_072804EA push edx; ret 10_2_072804EB
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 14_2_004000D8 push es; iretd 14_2_004000D9
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 14_2_0040008C push es; iretd 14_2_0040008D
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 14_2_004542E6 push ecx; ret 14_2_004542F9
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 14_2_0045B4FD push esi; ret 14_2_0045B506
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 14_2_00432BD6 push ecx; ret 14_2_00432BE9
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 14_2_00454C08 push eax; ret 14_2_00454C26
            Source: HODoCxSdp.exe.0.dr | Static PE information: section name: .text entropy: 7.9098783782347315
            Source: 0.2.UD61dgs2rz.exe.6e40000.8.raw.unpack, zLRx0Krvxpl94Gmelc.cs | High entropy of concatenated method names: 'EQB4L53l8P', 'gnK4ZijvRb', 'foC4gMcnln', 'URD4ilVIrQ', 'MHI4mNNXXH', 'RXg4w8t06r', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.UD61dgs2rz.exe.6e40000.8.raw.unpack, JV8COMjuieAqErQMuGa.cs | High entropy of concatenated method names: 'jPpRUlBDat', 'RCjR0ikxwX', 'hV5RpFi5pq', 'uIPNh1ovZZDc03eJ9OK', 'McMdE6oHLhe1bMWnNWV', 'oSuCUIok5xYAhNTgSrd'
            Source: 0.2.UD61dgs2rz.exe.6e40000.8.raw.unpack, EtsJobhTeXI6X3UQ5n.cs | High entropy of concatenated method names: 'MZR5mbDnbO', 'sYs59UpbPG', 'ELE5Xl8Wmn', 'Gf25ISiCqV', 'kgg5rFZ9Zn', 'uXw5MmuTXG', 'ALS5C8Z78G', 'PeY5fAgDIq', 'sB25tZqQGv', 'yk55B2GSHp'
            Source: 0.2.UD61dgs2rz.exe.6e40000.8.raw.unpack, D9EudLlbHv2APZOL2i.cs | High entropy of concatenated method names: 'CNbQJAcVb5', 's7uQPiP1Cs', 'qCwQ5Sp0qi', 'BVUQHwjPCD', 'ekFQjGeXhY', 'v30QVXIgIu', 'ud1Q2dwpK7', 'wnqQhrb0hj', 'BxDQOIYIJh', 'VtdQEP7W9w'
            Source: 0.2.UD61dgs2rz.exe.6e40000.8.raw.unpack, j18cpQf7mkuHRbXFpl.cs | High entropy of concatenated method names: 'o272UcYVjI', 'IkQ20KqGI7', 'Bee2pXQMjH', 'eQj2DQTdAe', 'Vs82lUAkMh', 'eri2df75Ei', 'enW2xG6Nqv', 'S8j2NLVOuN', 'eTe2usWXRI', 'AN92Y3wW2o'
            Source: 0.2.UD61dgs2rz.exe.6e40000.8.raw.unpack, A70MiS059eBQ79exbu.cs | High entropy of concatenated method names: 'xiNqN60YdT', 'LsBqutc1Jf', 'ih3qLluX1e', 'wygqZDmxIU', 'DZoqiQTcjH', 'IlpqwxYBX6', 'vFfqcvBwNL', 'Fbsq6YhC0F', 'l2oqom147T', 'r0qqAKAP8x'
            Source: 0.2.UD61dgs2rz.exe.6e40000.8.raw.unpack, Fb16UU9rwEUap37uVW.cs | High entropy of concatenated method names: 'FO04PKlfRI', 'jtU45fpDLC', 'DBu4HERWIw', 'Ltb4jyWZr8', 'Bqo4VHukoc', 'KB942SWca1', 'X5n4hIjV45', 'SiG4OqU4E6', 'egg4E3Aepp', 'ScE4KkkTcJ'
            Source: 0.2.UD61dgs2rz.exe.6e40000.8.raw.unpack, dYK3NXtpx6kd8ZccpM.cs | High entropy of concatenated method names: 'AHX2PbPYFU', 'KeI2H6kBnq', 'sFL2VyVWur', 'SKfVBCmeuB', 'HVUVz1l4Mo', 'HLO27IrPX5', 'CW328M4t48', 'kww2kq2nm0', 'Uxm2Q4Jw3K', 'oxT2n6vIIk'
            Source: 0.2.UD61dgs2rz.exe.6e40000.8.raw.unpack, BoJSG7UDrVhUJiyNwB.cs | High entropy of concatenated method names: 'DpRTfK5287', 'y0XTB4lLio', 'jrN47Xag86', 'xqb48vHkqF', 'j1uTAE4QRk', 'kQDTaRHeAr', 'aECTF8Weda', 'TjKTmx7eui', 'qSuT9B5KRF', 'GFZTXiXn6X'
            Source: 0.2.UD61dgs2rz.exe.6e40000.8.raw.unpack, eghuitF4yljFm0lKkM.cs | High entropy of concatenated method names: 'zZh82TnHuT', 'b8e8hMmqKB', 'FUu8EXaogP', 'KLJ8KekqrH', 'aFL8W4Tdeg', 'jLO8y34GqS', 'jwPwoL7htqxuauRScp', 'zYAZtv4O4FkTpx5eq8', 'kog881ZcJ9', 'Va58QI35Ca'
            Source: 0.2.UD61dgs2rz.exe.6e40000.8.raw.unpack, RrYOk9jcPYBpJRwhDsY.cs | High entropy of concatenated method names: 'eAtSUwHgN2', 'LwrS0ieXrT', 'oZdSpgB5k3', 'pssSDPaBpW', 'VdMSlgpCkY', 'QoeSd330D1', 'tAgSxaElHl', 'CXiSNCPynd', 'omhSu8iVjP', 'qItSYsSmXe'
            Source: 0.2.UD61dgs2rz.exe.6e40000.8.raw.unpack, qIHWAkuExOeaUujlqY.cs | High entropy of concatenated method names: 'WSgpEZ4MG', 'X6UDM5hF3', 'BfEdO9uBN', 'LRqxPSlJ5', 'vsku4ysYV', 'ghdYeYsQy', 'yl6Xhbv0h2JfbU7SqD', 'mZx6j6HlhTU3SgfsrJ', 'v9L4nd4Dp', 'eVJRli8Gy'
            Source: 0.2.UD61dgs2rz.exe.6e40000.8.raw.unpack, JailI0yyD3oy9EWXGR.cs | High entropy of concatenated method names: 'nTaVJ9JO6e', 'SWjV5n3nAB', 'zXpVjSMBLu', 'RKbV2HJW6u', 'svEVhUYkvp', 'Yt8jr9vG3w', 'lwFjMpPhK0', 'qVQjCOCcbM', 'mMZjfc8u4e', 'Eehjtkoi7n'
            Source: 0.2.UD61dgs2rz.exe.6e40000.8.raw.unpack, RbFpxOjX2gByO9bfJbc.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 't9DRmYdvGC', 'O0XR93NS9h', 'm6wRXmrjtq', 'I2pRIsfTlx', 'O9ORrH7n5H', 'tCjRM8qwpH', 'b9URC6kjV5'
            Source: 0.2.UD61dgs2rz.exe.6e40000.8.raw.unpack, mo2uG0YjKHD1aiAviU.cs | High entropy of concatenated method names: 'UvHTEHYYRJ', 'xR8TKpmMlK', 'ToString', 'A4ZTPOih7A', 'QkET5GVwmu', 'gu0THvvNke', 'YFXTjDiylY', 'gb4TVh1Q16', 'aFOT2UhtuD', 'vVmThxoyny'
            Source: 0.2.UD61dgs2rz.exe.6e40000.8.raw.unpack, j6B1wyQDUGbllhbbhO.cs | High entropy of concatenated method names: 'VALS8kp83n', 'hvISQYk9SH', 'FsXSnrS7WN', 'VS4SPoOcB5', 'iMXS5uwhRi', 'Nm3SjJEEYI', 'L3mSVG9KxB', 'qEE4CCL2ZQ', 'E2a4fOuEEW', 'qCP4tSb5AP'
            Source: 0.2.UD61dgs2rz.exe.6e40000.8.raw.unpack, CMxTafJa09SU85L67A.cs | High entropy of concatenated method names: 'esvjlLBaiq', 'jXGjx8b1RM', 'n7THglFIai', 'fgMHilYg5D', 'vOrHw7VjY1', 'qGvH1dRGHH', 'C2gHcxbfRd', 'lCTH6hxnQl', 'LouHbHacFB', 'H7jHoLOMJx'
            Source: 0.2.UD61dgs2rz.exe.6e40000.8.raw.unpack, fYR6BysfY0DiREaAo2.csHigh entropy of concatenated method names: 'bgdHDJcNPO', 'J9yHdcj4VN', 'TxZHN31kqQ', 'pSiHuGeLiT', 'juRHWDlrnJ', 'HKYHyXayuI', 'xryHT3oB1K', 'in0H4pscok', 'Pf4HSvybJh', 'h2xHROBbm0'
            Source: 0.2.UD61dgs2rz.exe.6e40000.8.raw.unpack, dMl8TwIyBpNEgmJauT.csHigh entropy of concatenated method names: 'MAjWoYxX44', 'JD4Wa9YnPK', 'paaWmQOT91', 'ecIW9tEfWO', 'DGjWZHl3We', 'fGmWgna66x', 'mx4WiedG3y', 'dfPWwhj2mN', 'U3KW1AwCCZ', 'QdFWcLbt4N'
            Source: 0.2.UD61dgs2rz.exe.6e40000.8.raw.unpack, rOQN4VeudJysxd8645.csHigh entropy of concatenated method names: 'Dispose', 'n7n8tvTYUg', 'tEQkZNpeyR', 'FlJGGYUBaQ', 'xqv8BeqsIM', 'Xrd8zIRogm', 'ProcessDialogKey', 'wmOk7vSu2J', 'K0rk85TTNo', 'Rflkk4Vh95'
            Source: 0.2.UD61dgs2rz.exe.6e40000.8.raw.unpack, c2cMNMpYDGGCdGPNCV.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'fMnktTLXLy', 'f53kB1Hs3W', 'doAkzhdZEP', 'mUqQ75Unh6', 'tWcQ8Tq8ZZ', 'B3XQkgGALn', 'Sh9QQDBC6G', 'u1BxKpDoTTSW2HrvqNF'
            Source: 0.2.UD61dgs2rz.exe.6e40000.8.raw.unpack, BET2H7355jyJGS9kPV.csHigh entropy of concatenated method names: 'WQXVXXtMaL', 'uZxVId6NHp', 'DGlVrk8KL0', 'ToString', 'Wb9VMxA98E', 'y28VCOoJbB', 'BxaQYaYaJ5p7YgiDttw', 'hUXs4fY3fCmSojIpZeM', 'swZrCyY2AfjqaO2L7UG'
            Source: 0.2.UD61dgs2rz.exe.38efb90.2.raw.unpack, zLRx0Krvxpl94Gmelc.csHigh entropy of concatenated method names: 'EQB4L53l8P', 'gnK4ZijvRb', 'foC4gMcnln', 'URD4ilVIrQ', 'MHI4mNNXXH', 'RXg4w8t06r', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.UD61dgs2rz.exe.38efb90.2.raw.unpack, JV8COMjuieAqErQMuGa.csHigh entropy of concatenated method names: 'jPpRUlBDat', 'RCjR0ikxwX', 'hV5RpFi5pq', 'uIPNh1ovZZDc03eJ9OK', 'McMdE6oHLhe1bMWnNWV', 'oSuCUIok5xYAhNTgSrd'
            Source: 0.2.UD61dgs2rz.exe.38efb90.2.raw.unpack, EtsJobhTeXI6X3UQ5n.csHigh entropy of concatenated method names: 'MZR5mbDnbO', 'sYs59UpbPG', 'ELE5Xl8Wmn', 'Gf25ISiCqV', 'kgg5rFZ9Zn', 'uXw5MmuTXG', 'ALS5C8Z78G', 'PeY5fAgDIq', 'sB25tZqQGv', 'yk55B2GSHp'
            Source: 0.2.UD61dgs2rz.exe.38efb90.2.raw.unpack, D9EudLlbHv2APZOL2i.csHigh entropy of concatenated method names: 'CNbQJAcVb5', 's7uQPiP1Cs', 'qCwQ5Sp0qi', 'BVUQHwjPCD', 'ekFQjGeXhY', 'v30QVXIgIu', 'ud1Q2dwpK7', 'wnqQhrb0hj', 'BxDQOIYIJh', 'VtdQEP7W9w'
            Source: 0.2.UD61dgs2rz.exe.38efb90.2.raw.unpack, j18cpQf7mkuHRbXFpl.csHigh entropy of concatenated method names: 'o272UcYVjI', 'IkQ20KqGI7', 'Bee2pXQMjH', 'eQj2DQTdAe', 'Vs82lUAkMh', 'eri2df75Ei', 'enW2xG6Nqv', 'S8j2NLVOuN', 'eTe2usWXRI', 'AN92Y3wW2o'
            Source: 0.2.UD61dgs2rz.exe.38efb90.2.raw.unpack, A70MiS059eBQ79exbu.csHigh entropy of concatenated method names: 'xiNqN60YdT', 'LsBqutc1Jf', 'ih3qLluX1e', 'wygqZDmxIU', 'DZoqiQTcjH', 'IlpqwxYBX6', 'vFfqcvBwNL', 'Fbsq6YhC0F', 'l2oqom147T', 'r0qqAKAP8x'
            Source: 0.2.UD61dgs2rz.exe.38efb90.2.raw.unpack, Fb16UU9rwEUap37uVW.csHigh entropy of concatenated method names: 'FO04PKlfRI', 'jtU45fpDLC', 'DBu4HERWIw', 'Ltb4jyWZr8', 'Bqo4VHukoc', 'KB942SWca1', 'X5n4hIjV45', 'SiG4OqU4E6', 'egg4E3Aepp', 'ScE4KkkTcJ'
            Source: 0.2.UD61dgs2rz.exe.38efb90.2.raw.unpack, dYK3NXtpx6kd8ZccpM.csHigh entropy of concatenated method names: 'AHX2PbPYFU', 'KeI2H6kBnq', 'sFL2VyVWur', 'SKfVBCmeuB', 'HVUVz1l4Mo', 'HLO27IrPX5', 'CW328M4t48', 'kww2kq2nm0', 'Uxm2Q4Jw3K', 'oxT2n6vIIk'
            Source: 0.2.UD61dgs2rz.exe.38efb90.2.raw.unpack, BoJSG7UDrVhUJiyNwB.csHigh entropy of concatenated method names: 'DpRTfK5287', 'y0XTB4lLio', 'jrN47Xag86', 'xqb48vHkqF', 'j1uTAE4QRk', 'kQDTaRHeAr', 'aECTF8Weda', 'TjKTmx7eui', 'qSuT9B5KRF', 'GFZTXiXn6X'
            Source: 0.2.UD61dgs2rz.exe.38efb90.2.raw.unpack, eghuitF4yljFm0lKkM.csHigh entropy of concatenated method names: 'zZh82TnHuT', 'b8e8hMmqKB', 'FUu8EXaogP', 'KLJ8KekqrH', 'aFL8W4Tdeg', 'jLO8y34GqS', 'jwPwoL7htqxuauRScp', 'zYAZtv4O4FkTpx5eq8', 'kog881ZcJ9', 'Va58QI35Ca'
            Source: 0.2.UD61dgs2rz.exe.38efb90.2.raw.unpack, RrYOk9jcPYBpJRwhDsY.csHigh entropy of concatenated method names: 'eAtSUwHgN2', 'LwrS0ieXrT', 'oZdSpgB5k3', 'pssSDPaBpW', 'VdMSlgpCkY', 'QoeSd330D1', 'tAgSxaElHl', 'CXiSNCPynd', 'omhSu8iVjP', 'qItSYsSmXe'
            Source: 0.2.UD61dgs2rz.exe.38efb90.2.raw.unpack, qIHWAkuExOeaUujlqY.csHigh entropy of concatenated method names: 'WSgpEZ4MG', 'X6UDM5hF3', 'BfEdO9uBN', 'LRqxPSlJ5', 'vsku4ysYV', 'ghdYeYsQy', 'yl6Xhbv0h2JfbU7SqD', 'mZx6j6HlhTU3SgfsrJ', 'v9L4nd4Dp', 'eVJRli8Gy'
            Source: 0.2.UD61dgs2rz.exe.38efb90.2.raw.unpack, JailI0yyD3oy9EWXGR.csHigh entropy of concatenated method names: 'nTaVJ9JO6e', 'SWjV5n3nAB', 'zXpVjSMBLu', 'RKbV2HJW6u', 'svEVhUYkvp', 'Yt8jr9vG3w', 'lwFjMpPhK0', 'qVQjCOCcbM', 'mMZjfc8u4e', 'Eehjtkoi7n'
            Source: 0.2.UD61dgs2rz.exe.38efb90.2.raw.unpack, RbFpxOjX2gByO9bfJbc.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 't9DRmYdvGC', 'O0XR93NS9h', 'm6wRXmrjtq', 'I2pRIsfTlx', 'O9ORrH7n5H', 'tCjRM8qwpH', 'b9URC6kjV5'
            Source: 0.2.UD61dgs2rz.exe.38efb90.2.raw.unpack, mo2uG0YjKHD1aiAviU.csHigh entropy of concatenated method names: 'UvHTEHYYRJ', 'xR8TKpmMlK', 'ToString', 'A4ZTPOih7A', 'QkET5GVwmu', 'gu0THvvNke', 'YFXTjDiylY', 'gb4TVh1Q16', 'aFOT2UhtuD', 'vVmThxoyny'
            Source: 0.2.UD61dgs2rz.exe.38efb90.2.raw.unpack, j6B1wyQDUGbllhbbhO.csHigh entropy of concatenated method names: 'VALS8kp83n', 'hvISQYk9SH', 'FsXSnrS7WN', 'VS4SPoOcB5', 'iMXS5uwhRi', 'Nm3SjJEEYI', 'L3mSVG9KxB', 'qEE4CCL2ZQ', 'E2a4fOuEEW', 'qCP4tSb5AP'
            Source: 0.2.UD61dgs2rz.exe.38efb90.2.raw.unpack, CMxTafJa09SU85L67A.csHigh entropy of concatenated method names: 'esvjlLBaiq', 'jXGjx8b1RM', 'n7THglFIai', 'fgMHilYg5D', 'vOrHw7VjY1', 'qGvH1dRGHH', 'C2gHcxbfRd', 'lCTH6hxnQl', 'LouHbHacFB', 'H7jHoLOMJx'
            Source: 0.2.UD61dgs2rz.exe.38efb90.2.raw.unpack, fYR6BysfY0DiREaAo2.csHigh entropy of concatenated method names: 'bgdHDJcNPO', 'J9yHdcj4VN', 'TxZHN31kqQ', 'pSiHuGeLiT', 'juRHWDlrnJ', 'HKYHyXayuI', 'xryHT3oB1K', 'in0H4pscok', 'Pf4HSvybJh', 'h2xHROBbm0'
            Source: 0.2.UD61dgs2rz.exe.38efb90.2.raw.unpack, dMl8TwIyBpNEgmJauT.csHigh entropy of concatenated method names: 'MAjWoYxX44', 'JD4Wa9YnPK', 'paaWmQOT91', 'ecIW9tEfWO', 'DGjWZHl3We', 'fGmWgna66x', 'mx4WiedG3y', 'dfPWwhj2mN', 'U3KW1AwCCZ', 'QdFWcLbt4N'
            Source: 0.2.UD61dgs2rz.exe.38efb90.2.raw.unpack, rOQN4VeudJysxd8645.csHigh entropy of concatenated method names: 'Dispose', 'n7n8tvTYUg', 'tEQkZNpeyR', 'FlJGGYUBaQ', 'xqv8BeqsIM', 'Xrd8zIRogm', 'ProcessDialogKey', 'wmOk7vSu2J', 'K0rk85TTNo', 'Rflkk4Vh95'
            Source: 0.2.UD61dgs2rz.exe.38efb90.2.raw.unpack, c2cMNMpYDGGCdGPNCV.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'fMnktTLXLy', 'f53kB1Hs3W', 'doAkzhdZEP', 'mUqQ75Unh6', 'tWcQ8Tq8ZZ', 'B3XQkgGALn', 'Sh9QQDBC6G', 'u1BxKpDoTTSW2HrvqNF'
            Source: 0.2.UD61dgs2rz.exe.38efb90.2.raw.unpack, BET2H7355jyJGS9kPV.csHigh entropy of concatenated method names: 'WQXVXXtMaL', 'uZxVId6NHp', 'DGlVrk8KL0', 'ToString', 'Wb9VMxA98E', 'y28VCOoJbB', 'BxaQYaYaJ5p7YgiDttw', 'hUXs4fY3fCmSojIpZeM', 'swZrCyY2AfjqaO2L7UG'
            Source: 0.2.UD61dgs2rz.exe.39a69b0.3.raw.unpack, zLRx0Krvxpl94Gmelc.csHigh entropy of concatenated method names: 'EQB4L53l8P', 'gnK4ZijvRb', 'foC4gMcnln', 'URD4ilVIrQ', 'MHI4mNNXXH', 'RXg4w8t06r', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.UD61dgs2rz.exe.39a69b0.3.raw.unpack, JV8COMjuieAqErQMuGa.csHigh entropy of concatenated method names: 'jPpRUlBDat', 'RCjR0ikxwX', 'hV5RpFi5pq', 'uIPNh1ovZZDc03eJ9OK', 'McMdE6oHLhe1bMWnNWV', 'oSuCUIok5xYAhNTgSrd'
            Source: 0.2.UD61dgs2rz.exe.39a69b0.3.raw.unpack, EtsJobhTeXI6X3UQ5n.csHigh entropy of concatenated method names: 'MZR5mbDnbO', 'sYs59UpbPG', 'ELE5Xl8Wmn', 'Gf25ISiCqV', 'kgg5rFZ9Zn', 'uXw5MmuTXG', 'ALS5C8Z78G', 'PeY5fAgDIq', 'sB25tZqQGv', 'yk55B2GSHp'
            Source: 0.2.UD61dgs2rz.exe.39a69b0.3.raw.unpack, D9EudLlbHv2APZOL2i.csHigh entropy of concatenated method names: 'CNbQJAcVb5', 's7uQPiP1Cs', 'qCwQ5Sp0qi', 'BVUQHwjPCD', 'ekFQjGeXhY', 'v30QVXIgIu', 'ud1Q2dwpK7', 'wnqQhrb0hj', 'BxDQOIYIJh', 'VtdQEP7W9w'
            Source: 0.2.UD61dgs2rz.exe.39a69b0.3.raw.unpack, j18cpQf7mkuHRbXFpl.csHigh entropy of concatenated method names: 'o272UcYVjI', 'IkQ20KqGI7', 'Bee2pXQMjH', 'eQj2DQTdAe', 'Vs82lUAkMh', 'eri2df75Ei', 'enW2xG6Nqv', 'S8j2NLVOuN', 'eTe2usWXRI', 'AN92Y3wW2o'
            Source: 0.2.UD61dgs2rz.exe.39a69b0.3.raw.unpack, A70MiS059eBQ79exbu.csHigh entropy of concatenated method names: 'xiNqN60YdT', 'LsBqutc1Jf', 'ih3qLluX1e', 'wygqZDmxIU', 'DZoqiQTcjH', 'IlpqwxYBX6', 'vFfqcvBwNL', 'Fbsq6YhC0F', 'l2oqom147T', 'r0qqAKAP8x'
            Source: 0.2.UD61dgs2rz.exe.39a69b0.3.raw.unpack, Fb16UU9rwEUap37uVW.csHigh entropy of concatenated method names: 'FO04PKlfRI', 'jtU45fpDLC', 'DBu4HERWIw', 'Ltb4jyWZr8', 'Bqo4VHukoc', 'KB942SWca1', 'X5n4hIjV45', 'SiG4OqU4E6', 'egg4E3Aepp', 'ScE4KkkTcJ'
            Source: 0.2.UD61dgs2rz.exe.39a69b0.3.raw.unpack, dYK3NXtpx6kd8ZccpM.csHigh entropy of concatenated method names: 'AHX2PbPYFU', 'KeI2H6kBnq', 'sFL2VyVWur', 'SKfVBCmeuB', 'HVUVz1l4Mo', 'HLO27IrPX5', 'CW328M4t48', 'kww2kq2nm0', 'Uxm2Q4Jw3K', 'oxT2n6vIIk'
            Source: 0.2.UD61dgs2rz.exe.39a69b0.3.raw.unpack, BoJSG7UDrVhUJiyNwB.csHigh entropy of concatenated method names: 'DpRTfK5287', 'y0XTB4lLio', 'jrN47Xag86', 'xqb48vHkqF', 'j1uTAE4QRk', 'kQDTaRHeAr', 'aECTF8Weda', 'TjKTmx7eui', 'qSuT9B5KRF', 'GFZTXiXn6X'
            Source: 0.2.UD61dgs2rz.exe.39a69b0.3.raw.unpack, eghuitF4yljFm0lKkM.csHigh entropy of concatenated method names: 'zZh82TnHuT', 'b8e8hMmqKB', 'FUu8EXaogP', 'KLJ8KekqrH', 'aFL8W4Tdeg', 'jLO8y34GqS', 'jwPwoL7htqxuauRScp', 'zYAZtv4O4FkTpx5eq8', 'kog881ZcJ9', 'Va58QI35Ca'
            Source: 0.2.UD61dgs2rz.exe.39a69b0.3.raw.unpack, RrYOk9jcPYBpJRwhDsY.csHigh entropy of concatenated method names: 'eAtSUwHgN2', 'LwrS0ieXrT', 'oZdSpgB5k3', 'pssSDPaBpW', 'VdMSlgpCkY', 'QoeSd330D1', 'tAgSxaElHl', 'CXiSNCPynd', 'omhSu8iVjP', 'qItSYsSmXe'
            Source: 0.2.UD61dgs2rz.exe.39a69b0.3.raw.unpack, qIHWAkuExOeaUujlqY.csHigh entropy of concatenated method names: 'WSgpEZ4MG', 'X6UDM5hF3', 'BfEdO9uBN', 'LRqxPSlJ5', 'vsku4ysYV', 'ghdYeYsQy', 'yl6Xhbv0h2JfbU7SqD', 'mZx6j6HlhTU3SgfsrJ', 'v9L4nd4Dp', 'eVJRli8Gy'
            Source: 0.2.UD61dgs2rz.exe.39a69b0.3.raw.unpack, JailI0yyD3oy9EWXGR.csHigh entropy of concatenated method names: 'nTaVJ9JO6e', 'SWjV5n3nAB', 'zXpVjSMBLu', 'RKbV2HJW6u', 'svEVhUYkvp', 'Yt8jr9vG3w', 'lwFjMpPhK0', 'qVQjCOCcbM', 'mMZjfc8u4e', 'Eehjtkoi7n'
            Source: 0.2.UD61dgs2rz.exe.39a69b0.3.raw.unpack, RbFpxOjX2gByO9bfJbc.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 't9DRmYdvGC', 'O0XR93NS9h', 'm6wRXmrjtq', 'I2pRIsfTlx', 'O9ORrH7n5H', 'tCjRM8qwpH', 'b9URC6kjV5'
            Source: 0.2.UD61dgs2rz.exe.39a69b0.3.raw.unpack, mo2uG0YjKHD1aiAviU.csHigh entropy of concatenated method names: 'UvHTEHYYRJ', 'xR8TKpmMlK', 'ToString', 'A4ZTPOih7A', 'QkET5GVwmu', 'gu0THvvNke', 'YFXTjDiylY', 'gb4TVh1Q16', 'aFOT2UhtuD', 'vVmThxoyny'
            Source: 0.2.UD61dgs2rz.exe.39a69b0.3.raw.unpack, j6B1wyQDUGbllhbbhO.csHigh entropy of concatenated method names: 'VALS8kp83n', 'hvISQYk9SH', 'FsXSnrS7WN', 'VS4SPoOcB5', 'iMXS5uwhRi', 'Nm3SjJEEYI', 'L3mSVG9KxB', 'qEE4CCL2ZQ', 'E2a4fOuEEW', 'qCP4tSb5AP'
            Source: 0.2.UD61dgs2rz.exe.39a69b0.3.raw.unpack, CMxTafJa09SU85L67A.csHigh entropy of concatenated method names: 'esvjlLBaiq', 'jXGjx8b1RM', 'n7THglFIai', 'fgMHilYg5D', 'vOrHw7VjY1', 'qGvH1dRGHH', 'C2gHcxbfRd', 'lCTH6hxnQl', 'LouHbHacFB', 'H7jHoLOMJx'
            Source: 0.2.UD61dgs2rz.exe.39a69b0.3.raw.unpack, fYR6BysfY0DiREaAo2.csHigh entropy of concatenated method names: 'bgdHDJcNPO', 'J9yHdcj4VN', 'TxZHN31kqQ', 'pSiHuGeLiT', 'juRHWDlrnJ', 'HKYHyXayuI', 'xryHT3oB1K', 'in0H4pscok', 'Pf4HSvybJh', 'h2xHROBbm0'
            Source: 0.2.UD61dgs2rz.exe.39a69b0.3.raw.unpack, dMl8TwIyBpNEgmJauT.csHigh entropy of concatenated method names: 'MAjWoYxX44', 'JD4Wa9YnPK', 'paaWmQOT91', 'ecIW9tEfWO', 'DGjWZHl3We', 'fGmWgna66x', 'mx4WiedG3y', 'dfPWwhj2mN', 'U3KW1AwCCZ', 'QdFWcLbt4N'
            Source: 0.2.UD61dgs2rz.exe.39a69b0.3.raw.unpack, rOQN4VeudJysxd8645.csHigh entropy of concatenated method names: 'Dispose', 'n7n8tvTYUg', 'tEQkZNpeyR', 'FlJGGYUBaQ', 'xqv8BeqsIM', 'Xrd8zIRogm', 'ProcessDialogKey', 'wmOk7vSu2J', 'K0rk85TTNo', 'Rflkk4Vh95'
            Source: 0.2.UD61dgs2rz.exe.39a69b0.3.raw.unpack, c2cMNMpYDGGCdGPNCV.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'fMnktTLXLy', 'f53kB1Hs3W', 'doAkzhdZEP', 'mUqQ75Unh6', 'tWcQ8Tq8ZZ', 'B3XQkgGALn', 'Sh9QQDBC6G', 'u1BxKpDoTTSW2HrvqNF'
            Source: 0.2.UD61dgs2rz.exe.39a69b0.3.raw.unpack, BET2H7355jyJGS9kPV.csHigh entropy of concatenated method names: 'WQXVXXtMaL', 'uZxVId6NHp', 'DGlVrk8KL0', 'ToString', 'Wb9VMxA98E', 'y28VCOoJbB', 'BxaQYaYaJ5p7YgiDttw', 'hUXs4fY3fCmSojIpZeM', 'swZrCyY2AfjqaO2L7UG'
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exeCode function: 14_2_004063C6 ShellExecuteW,URLDownloadToFileW,14_2_004063C6
            Source: C:\Users\user\Desktop\UD61dgs2rz.exeFile created: C:\Users\user\AppData\Roaming\HODoCxSdp.exeJump to dropped file

            Boot Survival

            Source: C:\Users\user\Desktop\UD61dgs2rz.exe - Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HODoCxSdp" /XML "C:\Users\user\AppData\Local\Temp\tmpC22F.tmp"
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe - Code function: 14_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,14_2_00418A00

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe - Code function: 14_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,14_2_0041A8DA
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe - Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: Yara match File source: Process Memory Space: UD61dgs2rz.exe PID: 3064, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: HODoCxSdp.exe PID: 7608, type: MEMORYSTR
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 14_2_0040E18D Sleep,ExitProcess,14_2_0040E18D
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe Memory allocated: 870000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe Memory allocated: 24E0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe Memory allocated: B50000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe Memory allocated: 7280000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe Memory allocated: 8280000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe Memory allocated: 8430000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe Memory allocated: 9430000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Memory allocated: 2900000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Memory allocated: 2AE0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Memory allocated: 4AE0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Memory allocated: 75D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Memory allocated: 85D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Memory allocated: 8770000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Memory allocated: 9770000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,14_2_004186FE
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6227
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1034
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5598
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1303
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe Window / User API: threadDelayed 6381
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe Window / User API: threadDelayed 3615
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe API coverage: 4.9 %
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe TID: 1656 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7588 Thread sleep time: -5534023222112862s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7532 Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7504 Thread sleep count: 5598 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7492 Thread sleep count: 1303 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7592 Thread sleep time: -6456360425798339s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7548 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe TID: 7560 Thread sleep count: 6381 > 30
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe TID: 7560 Thread sleep time: -19143000s >= -30000s
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe TID: 7560 Thread sleep count: 3615 > 30
            Source: C:\Users\user\Desktop\UD61dgs2rz.exe TID: 7560 Thread sleep time: -10845000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe TID: 7696 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 14_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,14_2_0041A01B
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 14_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,14_2_0040B28E
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 14_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,14_2_0040838E
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 14_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,14_2_004087A0
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 14_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,14_2_00407848
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 14_2_004068CD FindFirstFileW,FindNextFileW,14_2_004068CD
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 14_2_0044BA59 FindFirstFileExA,14_2_0044BA59
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 14_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,14_2_0040AA71
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 14_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW,14_2_00417AAB
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 14_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,14_2_0040AC78
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe Code function: 14_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,14_2_00406D28
            Source: C:\Users\user\Desktop\UD61dgs2rz.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: HODoCxSdp.exe, 0000000A.00000002.2230054812.000000000705D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
            Source: UD61dgs2rz.exe, 00000009.00000002.4594472847.0000000000EF7000.00000004.00000020.00020000.00000000.sdmp, UD61dgs2rz.exe, 00000009.00000002.4594472847.0000000000F6B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: C:\Users\user\Desktop\UD61dgs2rz.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exeCode function: 14_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_004327AE
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exeCode function: 14_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,14_2_0041A8DA
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exeCode function: 14_2_004407B5 mov eax, dword ptr fs:[00000030h]14_2_004407B5
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exeCode function: 14_2_00410763 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError,14_2_00410763
            Source: C:\Users\user\Desktop\UD61dgs2rz.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exeCode function: 14_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_004327AE
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exeCode function: 14_2_004328FC SetUnhandledExceptionFilter,14_2_004328FC
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exeCode function: 14_2_004398AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_004398AC
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exeCode function: 14_2_00432D5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,14_2_00432D5C
            Source: C:\Users\user\Desktop\UD61dgs2rz.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion
Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UD61dgs2rz.exe" (listed 3 times)
Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HODoCxSdp.exe" (listed 3 times)
Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Memory written: C:\Users\user\Desktop\UD61dgs2rz.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Memory written: C:\Users\user\AppData\Roaming\HODoCxSdp.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 14_2_00410B5C GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 14_2_004175E1 mouse_event
Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HODoCxSdp" /XML "C:\Users\user\AppData\Local\Temp\tmpC22F.tmp"
Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Process created: C:\Users\user\Desktop\UD61dgs2rz.exe "C:\Users\user\Desktop\UD61dgs2rz.exe"
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HODoCxSdp" /XML "C:\Users\user\AppData\Local\Temp\tmpD46F.tmp"
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Process created: C:\Users\user\AppData\Roaming\HODoCxSdp.exe "C:\Users\user\AppData\Roaming\HODoCxSdp.exe"
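The process-creation entries above form the chain a detection engineer would want to catch from endpoint telemetry: Defender blinded with Add-MpPreference -ExclusionPath for both the dropper and the persisted copy, a scheduled task created from an XML file in the user's Temp directory, and each binary launching a second copy of itself immediately before an MZ image is written at base 400000 of that copy. The following is an added example and is not part of the Joe Sandbox report or of the sample: a small Python classifier run over constructed events whose command lines reproduce the ones shown here. It also handles the -EncodedCommand form (the signature list names a Sigma rule for a Base64-encoded MpPreference cmdlet), decoding the UTF-16LE Base64 payload before inspecting it. The rule names, the function names and the benign /Query event are this example's own.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Splits a Windows command line into arguments, keeping double-quoted groups intact.
_ARG = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line into arguments; quoted groups keep their spaces."""
    return [quoted or bare for quoted, bare in _ARG.findall(cmdline)]


def decode_encoded_command(args: List[str]) -> Optional[str]:
    """Return the script behind powershell -EncodedCommand (Base64 of UTF-16LE), or None."""
    for i, arg in enumerate(args[:-1]):
        if arg.lower() in ("-encodedcommand", "-enc", "-ec", "-e"):
            try:
                return base64.b64decode(args[i + 1], validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return None
    return None


def classify_event(parent_image: str, image: str, cmdline: str) -> List[str]:
    """Tag one process-creation event with the behaviours observed in this report."""
    hits: List[str] = []
    args = split_cmdline(cmdline)
    exe = image.rsplit("\\", 1)[-1].lower()

    if exe in ("powershell.exe", "pwsh.exe"):
        # Inspect the decoded script when the command is Base64-encoded, else the raw arguments.
        script = decode_encoded_command(args)
        tokens = split_cmdline(script) if script else args
        lowered = [t.lower() for t in tokens]
        if "add-mppreference" in lowered:
            for i, tok in enumerate(lowered[:-1]):
                # -ExclusionPath, -ExclusionProcess and -ExclusionExtension all blind Defender.
                if tok.startswith("-exclusion"):
                    hits.append(f"defender_exclusion_added:{tokens[i + 1]}")

    if exe == "schtasks.exe":
        lowered = [a.lower() for a in args]
        if "/create" in lowered and "/xml" in lowered:
            idx = lowered.index("/xml") + 1
            xml_path = args[idx] if idx < len(args) else ""
            # Task definitions staged in %LOCALAPPDATA%\Temp are a dropper pattern, not admin use.
            if "\\appdata\\local\\temp\\" in xml_path.lower():
                hits.append(f"schtasks_xml_from_temp:{xml_path}")

    if parent_image.lower() == image.lower():
        # A process starting a second copy of its own image; the report pairs this with an
        # MZ header written at base 400000 of the child, i.e. hollowing-style injection.
        hits.append("self_spawn")

    return hits


def scan(events) -> List[Tuple[str, List[str]]]:
    """Return (cmdline, hits) for every event that triggered at least one rule."""
    results = []
    for parent_image, image, cmdline in events:
        hits = classify_event(parent_image, image, cmdline)
        if hits:
            results.append((cmdline, hits))
    return results


# Constructed sample events (parent image, child image, child command line). The first three
# reproduce command lines from this report; the encoded and /Query variants are made up here.
ENCODED_SAMPLE = base64.b64encode(
    'Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming\\HODoCxSdp.exe"'.encode("utf-16-le")
).decode()

SAMPLE_EVENTS = [
    (r"C:\Users\user\Desktop\UD61dgs2rz.exe",
     r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UD61dgs2rz.exe"'),
    (r"C:\Users\user\Desktop\UD61dgs2rz.exe",
     r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HODoCxSdp" /XML "C:\Users\user\AppData\Local\Temp\tmpC22F.tmp"'),
    (r"C:\Users\user\Desktop\UD61dgs2rz.exe",
     r"C:\Users\user\Desktop\UD61dgs2rz.exe",
     r'"C:\Users\user\Desktop\UD61dgs2rz.exe"'),
    (r"C:\Users\user\Desktop\UD61dgs2rz.exe",
     r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand ' + ENCODED_SAMPLE),
    (r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Query /TN "Updates\HODoCxSdp"'),
]

if __name__ == "__main__":
    for cmdline, hits in scan(SAMPLE_EVENTS):
        print(hits, "<-", cmdline)
```

The exclusion rule keys on the cmdlet name rather than on a fixed path so that it fires whatever the dropper chooses to exclude; the parent-equals-child rule is noisy on its own (updaters and browsers do it) and is meant to be correlated with the memory-write events listed above rather than alerted on in isolation.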
Source: UD61dgs2rz.exe, 00000009.00000002.4594472847.0000000000F4D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: UD61dgs2rz.exe, 00000009.00000002.4594472847.0000000000F4D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager"
Source: UD61dgs2rz.exe, 00000009.00000002.4594472847.0000000000F4D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerq
Source: UD61dgs2rz.exe, 00000009.00000002.4594472847.0000000000F4D000.00000004.00000020.00020000.00000000.sdmp, UD61dgs2rz.exe, 00000009.00000002.4594472847.0000000000EF7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 14_2_004329DA cpuid
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 14_2_0044F17B EnumSystemLocalesW
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 14_2_0044F130 EnumSystemLocalesW
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 14_2_0044F216 EnumSystemLocalesW
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 14_2_0044F2A3 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 14_2_0040E2BB GetLocaleInfoA
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 14_2_0044F4F3 GetLocaleInfoW
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 14_2_0044F61C GetLocaleInfoW,GetLocaleInfoW,GetACP
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 14_2_0044F723 GetLocaleInfoW
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 14_2_0044F7F0 GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 14_2_00445914 EnumSystemLocalesW
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 14_2_00445E1C GetLocaleInfoW
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 14_2_0044EEB8 IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW
Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Queries volume information: C:\Users\user\Desktop\UD61dgs2rz.exe VolumeInformation
Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (all powershell.exe entries aggregated; repeat count in parentheses) | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (x12)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (x2)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (x2)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation (x2)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (x2)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation (x2)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation (x2)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (x2)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation (x2)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation (x2)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation (x2)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (x15)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation (x2)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (x1)
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Queries volume information: C:\Users\user\AppData\Roaming\HODoCxSdp.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 14_2_0040A0B0 GetLocalTime,wsprintfW
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 14_2_004195F8 GetUserNameW
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 14_2_004466BF _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free
Source: C:\Users\user\Desktop\UD61dgs2rz.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 14.2.HODoCxSdp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.UD61dgs2rz.exe.35c2f70.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.HODoCxSdp.exe.3b4e728.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.HODoCxSdp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.UD61dgs2rz.exe.354d950.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.HODoCxSdp.exe.3bc3d48.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.HODoCxSdp.exe.3bc3d48.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.UD61dgs2rz.exe.35c2f70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.HODoCxSdp.exe.3b4e728.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.UD61dgs2rz.exe.354d950.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000002.2197786692.00000000014CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.4594472847.0000000000EF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2226007539.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2171071902.000000000354D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: UD61dgs2rz.exe PID: 3064, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: UD61dgs2rz.exe PID: 7524, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: HODoCxSdp.exe PID: 7608, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: HODoCxSdp.exe PID: 7948, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 14_2_0040A953 references \AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 14_2_0040AA71 references \AppData\Roaming\Mozilla\Firefox\Profiles\
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe | Code function: 14_2_0040AA71 references \key3.db

            Remote Access Functionality

            barindex
            Source: C:\Users\user\Desktop\UD61dgs2rz.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-O7QOC3Jump to behavior
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-O7QOC3Jump to behavior
            Source: Yara matchFile source: 14.2.HODoCxSdp.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.UD61dgs2rz.exe.35c2f70.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 10.2.HODoCxSdp.exe.3b4e728.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 14.2.HODoCxSdp.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.UD61dgs2rz.exe.354d950.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 10.2.HODoCxSdp.exe.3bc3d48.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 10.2.HODoCxSdp.exe.3bc3d48.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.UD61dgs2rz.exe.35c2f70.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 10.2.HODoCxSdp.exe.3b4e728.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.UD61dgs2rz.exe.354d950.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0000000E.00000002.2197786692.00000000014CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000002.4594472847.0000000000EF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000A.00000002.2226007539.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.2171071902.000000000354D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: UD61dgs2rz.exe PID: 3064, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: UD61dgs2rz.exe PID: 7524, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: HODoCxSdp.exe PID: 7608, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: HODoCxSdp.exe PID: 7948, type: MEMORYSTR
            Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe, Code function: cmd.exe (14_2_0040567A)

            MITRE ATT&CK Matrix

            Tactics: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact

            Techniques flagged for this sample (signature badge numbers as shown in the matrix):
            Execution: Native API (1), Command and Scripting Interpreter (1), Scheduled Task/Job (1), Service Execution (2)
            Persistence: DLL Side-Loading (1), Windows Service (1), Scheduled Task/Job (1)
            Privilege Escalation: DLL Side-Loading (1), Access Token Manipulation (1), Windows Service (1), Process Injection (122), Scheduled Task/Job (1)
            Defense Evasion: Disable or Modify Tools (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (4), Software Packing (12), DLL Side-Loading (1), Masquerading (1), Virtualization/Sandbox Evasion (31), Access Token Manipulation (1), Process Injection (122)
            Credential Access: OS Credential Dumping (1), Input Capture (111), Credentials In Files (2)
            Discovery: System Time Discovery (2), Account Discovery (1), System Service Discovery (1), File and Directory Discovery (3), System Information Discovery (33), Security Software Discovery (121), Virtualization/Sandbox Evasion (31), Process Discovery (3), Application Window Discovery (1), System Owner/User Discovery (1)
            Collection: Archive Collected Data (11), Input Capture (111), Clipboard Data (3)
            Command and Control: Ingress Tool Transfer (12), Encrypted Channel (2), Non-Standard Port (1), Remote Access Software (1), Non-Application Layer Protocol (2), Application Layer Protocol (12)
            Impact: System Shutdown/Reboot (1), Defacement (1)
            No techniques flagged under Reconnaissance, Resource Development, Initial Access, Lateral Movement or Exfiltration.
            Behavior Graph (ID: 1483007, Sample: UD61dgs2rz.exe, Start date: 26/07/2024, Architecture: WINDOWS, Score: 100)

            Start
              DNS/IP: 171.39.242.20.in-addr.arpa; geoplugin.net
              Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 8 other signatures
              UD61dgs2rz.exe (7)
                Dropped: C:\Users\user\AppData\Roaming\HODoCxSdp.exe (PE32); C:\Users\...\HODoCxSdp.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpC22F.tmp (XML); C:\Users\user\AppData\...\UD61dgs2rz.exe.log (ASCII)
                Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
                UD61dgs2rz.exe (2 13)
                  Network: 204.10.160.230, 49725, 7983, UNREAL-SERVERSUS, Canada; geoplugin.net 178.237.33.50, 49730, 80, ATOM86-ASATOM86NL, Netherlands
                  Signatures: Detected Remcos RAT
                powershell.exe (22)
                  Signatures: Loading BitLocker PowerShell Module
                  WmiPrvSE.exe
                  conhost.exe
                powershell.exe (23)
                  conhost.exe
                schtasks.exe (1)
                  conhost.exe
              HODoCxSdp.exe (5)
                Signatures: Multi AV Scanner detection for dropped file; Contains functionalty to change the wallpaper; Machine Learning detection for dropped file; 4 other signatures
                HODoCxSdp.exe
                schtasks.exe (1)
                  conhost.exe

            Antivirus, Machine Learning and Genetic Malware Detection

            Source | Detection | Scanner | Label
            UD61dgs2rz.exe | 42% | ReversingLabs | Win32.Backdoor.Remcos
            UD61dgs2rz.exe | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Roaming\HODoCxSdp.exe | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Roaming\HODoCxSdp.exe | 42% | ReversingLabs | Win32.Backdoor.Remcos
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label
            http://geoplugin.net/json.gp | 0% | URL Reputation | safe
            http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
            https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | 0% | URL Reputation | safe
            204.10.160.230 | 0% | Avira URL Cloud | safe
            http://geoplugin.net/json.gp: | 0% | Avira URL Cloud | safe
            http://geoplugin.net/-6 | 0% | Avira URL Cloud | safe
            http://geoplugin.net/json.gp? | 0% | Avira URL Cloud | safe
            http://geoplugin.net/ | 0% | Avira URL Cloud | safe
            http://geoplugin.net/json.gpSystem32 | 0% | Avira URL Cloud | safe
            http://geoplugin.net/N | 0% | Avira URL Cloud | safe
            http://geoplugin.net/json.gp6 | 0% | Avira URL Cloud | safe
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            geoplugin.net | 178.237.33.50 | true | false | | unknown
            171.39.242.20.in-addr.arpa | unknown | unknown | true | | unknown
                Name | Malicious | Antivirus Detection | Reputation
                http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
                204.10.160.230 | true | Avira URL Cloud: safe | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://geoplugin.net/N | UD61dgs2rz.exe, 00000009.00000002.4594472847.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://geoplugin.net/json.gp6 | UD61dgs2rz.exe, 00000009.00000002.4594472847.0000000000F4D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://geoplugin.net/ | UD61dgs2rz.exe, 00000009.00000002.4594472847.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://geoplugin.net/json.gp/C | UD61dgs2rz.exe, 00000000.00000002.2171071902.000000000354D000.00000004.00000800.00020000.00000000.sdmp, HODoCxSdp.exe, 0000000A.00000002.2226007539.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, HODoCxSdp.exe, 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | UD61dgs2rz.exe, 00000000.00000002.2170083571.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, HODoCxSdp.exe, 0000000A.00000002.2223615700.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | UD61dgs2rz.exe, HODoCxSdp.exe.0.dr | false | URL Reputation: safe | unknown
                http://geoplugin.net/json.gp: | UD61dgs2rz.exe, 00000009.00000002.4594472847.0000000000F4D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://geoplugin.net/-6 | UD61dgs2rz.exe, 00000009.00000002.4594472847.0000000000EF7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://geoplugin.net/json.gpSystem32 | UD61dgs2rz.exe, 00000009.00000002.4594472847.0000000000EF7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://geoplugin.net/json.gp? | UD61dgs2rz.exe, 00000009.00000002.4594472847.0000000000F4D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                IP | Domain | Country | ASN | ASN Name | Malicious
                178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
                204.10.160.230 | unknown | Canada | 64236 | UNREAL-SERVERSUS | true
                Joe Sandbox version:40.0.0 Tourmaline
                Analysis ID:1483007
                Start date and time:2024-07-26 13:47:10 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 9m 44s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:17
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:UD61dgs2rz.exe
                renamed because original name is a hash value
                Original Sample Name:3f69729a8f2b22e625bb984f28758ebc.exe
                Detection:MAL
                Classification:mal100.rans.troj.spyw.evad.winEXE@19/16@2/2
                EGA Information:
                • Successful, ratio: 75%
                HCA Information:
                • Successful, ratio: 99%
                • Number of executed functions: 63
                • Number of non-executed functions: 195
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Override analysis time to 240000 for current running targets taking high CPU consumption
                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                • Execution Graph export aborted for target UD61dgs2rz.exe, PID 7524 because there are no executed function
                • Not all processes where analyzed, report is missing behavior information
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size getting too big, too many NtCreateKey calls found.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • VT rate limit hit for: UD61dgs2rz.exe
                Time | Type | Description
                07:48:11 | API Interceptor | 5342750x Sleep call for process: UD61dgs2rz.exe modified
                07:48:13 | API Interceptor | 38x Sleep call for process: powershell.exe modified
                07:48:16 | API Interceptor | 2x Sleep call for process: HODoCxSdp.exe modified
                13:48:14 | Task Scheduler | Run new task: HODoCxSdp path: C:\Users\user\AppData\Roaming\HODoCxSdp.exe
                Match | Associated Sample Name / URL | Threat Name | Context

                178.237.33.50 (context: geoplugin.net/json.gp for every entry)
                • DHL Shipment Notification 490104998009.xls | Remcos
                • Purchase Inquiry.xla.xlsx | Remcos
                • AWD 490104998518.xls | Remcos
                • waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xls | GuLoader, Remcos
                • Payment Advice__HSBC Banking.pdf.lnk | Remcos
                • C1ZsNxSer8.exe | Remcos
                • Quotation.xls | Remcos
                • LisectAVT_2403002A_101.exe | Remcos
                • LisectAVT_2403002A_407.exe | Remcos
                • LisectAVT_2403002A_431.exe | Remcos

                204.10.160.230
                • Payment Advice__HSBC Banking.pdf.lnk | Remcos
                • CDG__ Copia de Pagamento.pdf.exe | Remcos
                • Banco_BPM__Copia_del_Pagamento.pdf.bat | Remcos
                • BBVA Colombia__ Aviso de Pago.pdf.bat.exe | Remcos
                • Aviso de Pago __Banco Republica.pdf.bat.exe | Remcos
                • Payment Advice__Swift-MT103.pdf.bat.exe | Remcos
                • UniCredit__Avviso di Pagamento.pdf.bat.exe | Remcos
                • Documento di Pagamento_Intesa Sanpaolo_pdf.bat.exe | Remcos

                geoplugin.net (context: 178.237.33.50 for every entry)
                • DHL Shipment Notification 490104998009.xls | Remcos
                • Purchase Inquiry.xla.xlsx | Remcos
                • AWD 490104998518.xls | Remcos
                • waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xls | GuLoader, Remcos
                • Payment Advice__HSBC Banking.pdf.lnk | Remcos
                • C1ZsNxSer8.exe | Remcos
                • Quotation.xls | Remcos
                • LisectAVT_2403002A_101.exe | Remcos
                • LisectAVT_2403002A_407.exe | Remcos
                • LisectAVT_2403002A_431.exe | Remcos

                ATOM86-ASATOM86NL (context: 178.237.33.50 for every entry)
                • DHL Shipment Notification 490104998009.xls | Remcos
                • Purchase Inquiry.xla.xlsx | Remcos
                • AWD 490104998518.xls | Remcos
                • waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xls | GuLoader, Remcos
                • Payment Advice__HSBC Banking.pdf.lnk | Remcos
                • C1ZsNxSer8.exe | Remcos
                • Quotation.xls | Remcos
                • LisectAVT_2403002A_101.exe | Remcos
                • LisectAVT_2403002A_407.exe | Remcos
                • LisectAVT_2403002A_431.exe | Remcos

                UNREAL-SERVERSUS
                • Payment Advice__HSBC Banking.pdf.lnk | Remcos | 204.10.160.230
                • CDG__ Copia de Pagamento.pdf.exe | Remcos | 204.10.160.230
                • LisectAVT_2403002C_9.exe | Remcos | 212.162.149.217
                • DRAFT AWB and DRAFT Commercial invoice.xls | Remcos | 162.251.122.70
                • XrAADcYten.rtf | Remcos | 162.251.122.76
                • iWRmEn1DDT.rtf | Remcos | 204.10.160.144
                • SecuriteInfo.com.Exploit.CVE-2017-11882.123.14325.16174.rtf | Remcos | 162.251.122.70
                • Payment Copy.xls | Remcos | 204.10.160.144
                • Chemicals list 0724.exe | Remcos, GuLoader | 212.162.149.85
                • RFQPO3D93876738.scr.exe | AgentTesla, RedLine, XWorm | 212.162.149.48

                No context

                C:\Users\user\AppData\Roaming\HODoCxSdp.exe
                • Payment Advice__HSBC Banking.pdf.lnk | Remcos
                                  Process:C:\Users\user\AppData\Roaming\HODoCxSdp.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1216
                                  Entropy (8bit):5.34331486778365
                                  Encrypted:false
                                  SSDEEP:24:MLV1qE4jE4K5E4KlKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:Mp1qHjHK5HKlYHKh3oPtHo6hAHKze0HJ
                                  MD5:B3F9683FD57A94D3C3F5E1AEC259CEAD
                                  SHA1:EC2310112CBA894207F624FCC35E9C0FCE80EE2F
                                  SHA-256:97FC8E1E4A9D08C91DEC78055942F0562C6EEC2480F5DDA2E7A9E9358AC86F94
                                  SHA-512:37407216C4E44C3FFF758637D4661AA9CCAC1C34C9AFEDEAF4ACEFEE8F527921046004F90CD2AE304E1A0EAFB636AC7F0DDBCED579C6642E7C32746491E854F2
                                  Malicious:false
                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                  Process:C:\Users\user\Desktop\UD61dgs2rz.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1216
                                  Entropy (8bit):5.34331486778365
                                  Encrypted:false
                                  SSDEEP:24:MLV1qE4jE4K5E4KlKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:Mp1qHjHK5HKlYHKh3oPtHo6hAHKze0HJ
                                  MD5:B3F9683FD57A94D3C3F5E1AEC259CEAD
                                  SHA1:EC2310112CBA894207F624FCC35E9C0FCE80EE2F
                                  SHA-256:97FC8E1E4A9D08C91DEC78055942F0562C6EEC2480F5DDA2E7A9E9358AC86F94
                                  SHA-512:37407216C4E44C3FFF758637D4661AA9CCAC1C34C9AFEDEAF4ACEFEE8F527921046004F90CD2AE304E1A0EAFB636AC7F0DDBCED579C6642E7C32746491E854F2
                                  Malicious:true
                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                  Process:C:\Users\user\Desktop\UD61dgs2rz.exe
                                  File Type:JSON data
                                  Category:dropped
                                  Size (bytes):962
                                  Entropy (8bit):5.012309356796613
                                  Encrypted:false
                                  SSDEEP:12:tklu+mnd66GkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qlu+KdbauKyGX85jvXhNlT3/7AcV9Wro
                                  MD5:14B479958E659C5A4480548A393022AC
                                  SHA1:CD0766C1DAB80656D469ABDB22917BE668622015
                                  SHA-256:0F92BDD807D2F5C9947E1775A20231233043C171F62E1AFA705A7E7938909BFE
                                  SHA-512:4E87CA47392DD9710F9E3D4A2124A34B41938986A4F43D50A48623DB1838C0D6CFF05FD2A23792DCD5A974A94416C97DC04ECEF85025FC785F3393B69A0B1DC5
                                  Malicious:false
                                  Preview:{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"0ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):2232
                                  Entropy (8bit):5.379552885213346
                                  Encrypted:false
                                  SSDEEP:48:fWSU4xympjgs4RIoU99tK8NPZHUl7u1iMugeC/ZM0Uyus:fLHxvCsIfA2KRHmOugw1s
                                  MD5:3E5712DC6AFCA8CF60C5CB8BE65E2089
                                  SHA1:CDBAF3935912EFB05DBE58CA89C5422F07B528A0
                                  SHA-256:B9F7E5F0AFD718D8585A8B37DD8C459ECDD4E7E68C5FE61631D89CDD3E229833
                                  SHA-512:1BD81033EB26CD0EE3DEF6F02FECB4097D878D61CAA5BEF6739C51E889B99C9E695BECF51719959D33F7BA9838E202ADD7EE4DD704D5163B584F4E8B8B7ECC38
                                  Malicious:false
                                  Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Users\user\Desktop\UD61dgs2rz.exe
                                  File Type:XML 1.0 document, ASCII text
                                  Category:dropped
                                  Size (bytes):1582
                                  Entropy (8bit):5.101247331289632
                                  Encrypted:false
                                  SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt6xvn:cgergYrFdOFzOzN33ODOiDdKrsuTOv
                                  MD5:A67D49ECA26CE3A58CDEA1F14A586702
                                  SHA1:CA04A2BDAA4D9D634AE2B025E060D3D0C3B2E5C9
                                  SHA-256:B7D04D7DC61D6C8D129CEB9EFF84C78FF08819BA979F7B53DD33E7EDE284FB96
                                  SHA-512:2B0234A20E0B37EEF8151077F2A290974B56D23402E36E10DABA1C1BD82E546924FAB9A14554650D43B452F67CEDC95348DA45112D717830F280CE7CF6BB4E8C
                                  Malicious:true
                                  Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                                  Process:C:\Users\user\AppData\Roaming\HODoCxSdp.exe
                                  File Type:XML 1.0 document, ASCII text
                                  Category:dropped
                                  Size (bytes):1582
                                  Entropy (8bit):5.101247331289632
                                  Encrypted:false
                                  SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt6xvn:cgergYrFdOFzOzN33ODOiDdKrsuTOv
                                  MD5:A67D49ECA26CE3A58CDEA1F14A586702
                                  SHA1:CA04A2BDAA4D9D634AE2B025E060D3D0C3B2E5C9
                                  SHA-256:B7D04D7DC61D6C8D129CEB9EFF84C78FF08819BA979F7B53DD33E7EDE284FB96
                                  SHA-512:2B0234A20E0B37EEF8151077F2A290974B56D23402E36E10DABA1C1BD82E546924FAB9A14554650D43B452F67CEDC95348DA45112D717830F280CE7CF6BB4E8C
                                  Malicious:false
                                  Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                                  Process:C:\Users\user\Desktop\UD61dgs2rz.exe
                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Category:dropped
                                  Size (bytes):961544
                                  Entropy (8bit):7.9046329365332095
                                  Encrypted:false
                                  SSDEEP:24576:Yglv8Jv17LLE1hUG+n1KD9Wa9PMEgDzx9mZREOUqqHXONlVUE:oPYf+n1KDghPx9ARDhqHXOR
                                  MD5:3F69729A8F2B22E625BB984F28758EBC
                                  SHA1:AB8AAB5952DFCF0D705DAFF76448920C67B6241D
                                  SHA-256:D1B50FC6CE79320A88DEFEF33BAF6A51E30845BD13AB2B52F7925BA0B8F527CD
                                  SHA-512:C4622E82F66AA728DED76EF628BD31DDCD35581A10A6043E735E557A26C8F9C72C67713F29A3ED90F647BF268484B44CF812918A02AA8E1539C3FDAC7BCC1FA1
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  • Antivirus: ReversingLabs, Detection: 42%
                                  Joe Sandbox View:
                                  • Filename: Payment Advice__HSBC Banking.pdf.lnk, Detection: malicious, Browse
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.................l............... ........@.. ....................................@.................................p...K....................v...6........................................................... ............... ..H............text....j... ...l.................. ..`.rsrc................n..............@..@.reloc...............t..............@..B........................H...................m....................................................0.......... .........%.?...(.....@... .........%.[...(.....\... .........%.....(......... .........%.....(......... .........%.:...(.....;...(H...*.....&*.&.(......*...0..........~......~...........E........"...V...".......C....~.........,... ........w.Y..+..+..r...p.....(....o....s.............. ..... Y;..Y..+.~......*...0...........~......*...".......*....0...........(....r;..p~....o......t......*.6(H.
                                  Process:C:\Users\user\Desktop\UD61dgs2rz.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):26
                                  Entropy (8bit):3.95006375643621
                                  Encrypted:false
                                  SSDEEP:3:ggPYV:rPYV
                                  MD5:187F488E27DB4AF347237FE461A079AD
                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                  Malicious:true
                                  Preview:[ZoneTransfer]....ZoneId=0
                                  File type:
                                  Entropy (8bit):7.9046329365332095
                                  TrID:
                                  • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                  • Win32 Executable (generic) a (10002005/4) 49.97%
                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                  • DOS Executable Generic (2002/1) 0.01%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:UD61dgs2rz.exe
                                  File size:961'544 bytes
                                  MD5:3f69729a8f2b22e625bb984f28758ebc
                                  SHA1:ab8aab5952dfcf0d705daff76448920c67b6241d
                                  SHA256:d1b50fc6ce79320a88defef33baf6a51e30845bd13ab2b52f7925ba0b8f527cd
                                  SHA512:c4622e82f66aa728ded76ef628bd31ddcd35581a10a6043e735e557a26c8f9c72c67713f29a3ed90f647bf268484b44cf812918a02aa8e1539c3fdac7bcc1fa1
                                  SSDEEP:24576:Yglv8Jv17LLE1hUG+n1KD9Wa9PMEgDzx9mZREOUqqHXONlVUE:oPYf+n1KDghPx9ARDhqHXOR
                                  TLSH:9915122D8B225F17CFBD0BB8A4412015077AA066F266F72F29C1C4FD1D51FF881A6A93
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.................l............... ........@.. ....................................@................................
                                  Icon Hash:00928e8e8686b000
                                   Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
                                   2024-07-26T13:48:17.448620+0200 | TCP | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 49730 | 80 | 192.168.2.5 | 178.237.33.50
                                   2024-07-26T13:48:51.687437+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 54732 | 40.127.169.103 | 192.168.2.5
                                   2024-07-26T13:48:15.533075+0200 | TCP | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 49725 | 7983 | 192.168.2.5 | 204.10.160.230
                                   2024-07-26T13:48:49.721672+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 54731 | 40.127.169.103 | 192.168.2.5
                                   2024-07-26T13:48:31.403250+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49737 | 20.114.59.183 | 192.168.2.5
                                   Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                   Jul 26, 2024 13:48:14.571439981 CEST | 49725 | 7983 | 192.168.2.5 | 204.10.160.230
                                   Jul 26, 2024 13:48:14.576597929 CEST | 7983 | 49725 | 204.10.160.230 | 192.168.2.5
                                   Jul 26, 2024 13:48:14.576729059 CEST | 49725 | 7983 | 192.168.2.5 | 204.10.160.230
                                   Jul 26, 2024 13:48:14.581968069 CEST | 49725 | 7983 | 192.168.2.5 | 204.10.160.230
                                   Jul 26, 2024 13:48:14.586852074 CEST | 7983 | 49725 | 204.10.160.230 | 192.168.2.5
                                   Jul 26, 2024 13:48:15.488145113 CEST | 7983 | 49725 | 204.10.160.230 | 192.168.2.5
                                   Jul 26, 2024 13:48:15.533075094 CEST | 49725 | 7983 | 192.168.2.5 | 204.10.160.230
                                   Jul 26, 2024 13:48:15.624773979 CEST | 7983 | 49725 | 204.10.160.230 | 192.168.2.5
                                   Jul 26, 2024 13:48:15.629177094 CEST | 49725 | 7983 | 192.168.2.5 | 204.10.160.230
                                   Jul 26, 2024 13:48:15.634040117 CEST | 7983 | 49725 | 204.10.160.230 | 192.168.2.5
                                   Jul 26, 2024 13:48:15.634130001 CEST | 49725 | 7983 | 192.168.2.5 | 204.10.160.230
                                   Jul 26, 2024 13:48:15.638988018 CEST | 7983 | 49725 | 204.10.160.230 | 192.168.2.5
                                   Jul 26, 2024 13:48:16.163506985 CEST | 7983 | 49725 | 204.10.160.230 | 192.168.2.5
                                   Jul 26, 2024 13:48:16.204957962 CEST | 49725 | 7983 | 192.168.2.5 | 204.10.160.230
                                   Jul 26, 2024 13:48:16.285514116 CEST | 49725 | 7983 | 192.168.2.5 | 204.10.160.230
                                   Jul 26, 2024 13:48:16.290935040 CEST | 7983 | 49725 | 204.10.160.230 | 192.168.2.5
                                   Jul 26, 2024 13:48:16.297980070 CEST | 7983 | 49725 | 204.10.160.230 | 192.168.2.5
                                   Jul 26, 2024 13:48:16.345576048 CEST | 49725 | 7983 | 192.168.2.5 | 204.10.160.230
                                   Jul 26, 2024 13:48:16.806446075 CEST | 49730 | 80 | 192.168.2.5 | 178.237.33.50
                                   Jul 26, 2024 13:48:16.811340094 CEST | 80 | 49730 | 178.237.33.50 | 192.168.2.5
                                   Jul 26, 2024 13:48:16.811395884 CEST | 49730 | 80 | 192.168.2.5 | 178.237.33.50
                                   Jul 26, 2024 13:48:16.811815023 CEST | 49730 | 80 | 192.168.2.5 | 178.237.33.50
                                   Jul 26, 2024 13:48:16.816692114 CEST | 80 | 49730 | 178.237.33.50 | 192.168.2.5
                                   Jul 26, 2024 13:48:17.448548079 CEST | 80 | 49730 | 178.237.33.50 | 192.168.2.5
                                   Jul 26, 2024 13:48:17.448620081 CEST | 49730 | 80 | 192.168.2.5 | 178.237.33.50
                                   Jul 26, 2024 13:48:17.458848953 CEST | 49725 | 7983 | 192.168.2.5 | 204.10.160.230
                                   Jul 26, 2024 13:48:17.511995077 CEST | 7983 | 49725 | 204.10.160.230 | 192.168.2.5
                                   Jul 26, 2024 13:48:18.620531082 CEST | 80 | 49730 | 178.237.33.50 | 192.168.2.5
                                   Jul 26, 2024 13:48:18.620588064 CEST | 49730 | 80 | 192.168.2.5 | 178.237.33.50
                                   Jul 26, 2024 13:48:51.434425116 CEST | 7983 | 49725 | 204.10.160.230 | 192.168.2.5
                                   Jul 26, 2024 13:48:51.435789108 CEST | 49725 | 7983 | 192.168.2.5 | 204.10.160.230
                                   Jul 26, 2024 13:48:51.442425966 CEST | 7983 | 49725 | 204.10.160.230 | 192.168.2.5
                                   Jul 26, 2024 13:49:26.801454067 CEST | 7983 | 49725 | 204.10.160.230 | 192.168.2.5
                                   Jul 26, 2024 13:49:26.802834034 CEST | 49725 | 7983 | 192.168.2.5 | 204.10.160.230
                                   Jul 26, 2024 13:49:26.807950020 CEST | 7983 | 49725 | 204.10.160.230 | 192.168.2.5
                                   Jul 26, 2024 13:50:02.621690035 CEST | 7983 | 49725 | 204.10.160.230 | 192.168.2.5
                                   Jul 26, 2024 13:50:02.625957012 CEST | 49725 | 7983 | 192.168.2.5 | 204.10.160.230
                                   Jul 26, 2024 13:50:02.631016970 CEST | 7983 | 49725 | 204.10.160.230 | 192.168.2.5
                                   Jul 26, 2024 13:50:06.720726967 CEST | 49730 | 80 | 192.168.2.5 | 178.237.33.50
                                   Jul 26, 2024 13:50:07.032932997 CEST | 49730 | 80 | 192.168.2.5 | 178.237.33.50
                                   Jul 26, 2024 13:50:07.642427921 CEST | 49730 | 80 | 192.168.2.5 | 178.237.33.50
                                   Jul 26, 2024 13:50:08.845635891 CEST | 49730 | 80 | 192.168.2.5 | 178.237.33.50
                                   Jul 26, 2024 13:50:11.251657963 CEST | 49730 | 80 | 192.168.2.5 | 178.237.33.50
                                   Jul 26, 2024 13:50:16.064204931 CEST | 49730 | 80 | 192.168.2.5 | 178.237.33.50
                                   Jul 26, 2024 13:50:25.673613071 CEST | 49730 | 80 | 192.168.2.5 | 178.237.33.50
                                   Jul 26, 2024 13:50:39.185075045 CEST | 7983 | 49725 | 204.10.160.230 | 192.168.2.5
                                   Jul 26, 2024 13:50:39.188445091 CEST | 49725 | 7983 | 192.168.2.5 | 204.10.160.230
                                   Jul 26, 2024 13:50:39.193761110 CEST | 7983 | 49725 | 204.10.160.230 | 192.168.2.5
                                   Jul 26, 2024 13:51:17.287810087 CEST | 7983 | 49725 | 204.10.160.230 | 192.168.2.5
                                   Jul 26, 2024 13:51:17.288835049 CEST | 49725 | 7983 | 192.168.2.5 | 204.10.160.230
                                   Jul 26, 2024 13:51:17.295747995 CEST | 7983 | 49725 | 204.10.160.230 | 192.168.2.5
                                   Jul 26, 2024 13:51:54.240680933 CEST | 7983 | 49725 | 204.10.160.230 | 192.168.2.5
                                   Jul 26, 2024 13:51:54.241894007 CEST | 49725 | 7983 | 192.168.2.5 | 204.10.160.230
                                   Jul 26, 2024 13:51:54.246989012 CEST | 7983 | 49725 | 204.10.160.230 | 192.168.2.5
                                   Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                   Jul 26, 2024 13:48:16.782485008 CEST | 56511 | 53 | 192.168.2.5 | 1.1.1.1
                                   Jul 26, 2024 13:48:16.790401936 CEST | 53 | 56511 | 1.1.1.1 | 192.168.2.5
                                   Jul 26, 2024 13:48:45.090811968 CEST | 53 | 51971 | 162.159.36.2 | 192.168.2.5
                                   Jul 26, 2024 13:48:45.567487955 CEST | 49787 | 53 | 192.168.2.5 | 1.1.1.1
                                   Jul 26, 2024 13:48:45.590920925 CEST | 53 | 49787 | 1.1.1.1 | 192.168.2.5
                                   Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                   Jul 26, 2024 13:48:16.782485008 CEST | 192.168.2.5 | 1.1.1.1 | 0x368d | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
                                   Jul 26, 2024 13:48:45.567487955 CEST | 192.168.2.5 | 1.1.1.1 | 0x8438 | Standard query (0) | 171.39.242.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                                   Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                   Jul 26, 2024 13:48:16.790401936 CEST | 1.1.1.1 | 192.168.2.5 | 0x368d | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                   Jul 26, 2024 13:48:45.590920925 CEST | 1.1.1.1 | 192.168.2.5 | 0x8438 | Name error (3) | 171.39.242.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                                  • geoplugin.net
                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                   0 | 192.168.2.5 | 49730 | 178.237.33.50 | 80 | 7524 | C:\Users\user\Desktop\UD61dgs2rz.exe
                                   Timestamp | Bytes transferred | Direction | Data
                                   Jul 26, 2024 13:48:16.811815023 CEST | 71 | OUT | GET /json.gp HTTP/1.1
                                   Host: geoplugin.net
                                   Cache-Control: no-cache
                                   Jul 26, 2024 13:48:17.448548079 CEST | 1170 | IN | HTTP/1.1 200 OK
                                  date: Fri, 26 Jul 2024 11:48:17 GMT
                                  server: Apache
                                  content-length: 962
                                  content-type: application/json; charset=utf-8
                                  cache-control: public, max-age=300
                                  access-control-allow-origin: *
                                  Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"0ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}

                                  Target ID:0
                                  Start time:07:48:11
                                  Start date:26/07/2024
                                  Path:C:\Users\user\Desktop\UD61dgs2rz.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\UD61dgs2rz.exe"
                                  Imagebase:0x10000
                                  File size:961'544 bytes
                                  MD5 hash:3F69729A8F2B22E625BB984F28758EBC
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2171071902.000000000354D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2171071902.000000000354D000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                  Reputation:low
                                  Has exited:true

                                  Target ID:3
                                  Start time:07:48:12
                                  Start date:26/07/2024
                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UD61dgs2rz.exe"
                                  Imagebase:0x5e0000
                                  File size:433'152 bytes
                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:4
                                  Start time:07:48:12
                                  Start date:26/07/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff6d64d0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:5
                                  Start time:07:48:12
                                  Start date:26/07/2024
                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HODoCxSdp.exe"
                                  Imagebase:0x5e0000
                                  File size:433'152 bytes
                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:6
                                  Start time:07:48:12
                                  Start date:26/07/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff6d64d0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:7
                                  Start time:07:48:12
                                  Start date:26/07/2024
                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HODoCxSdp" /XML "C:\Users\user\AppData\Local\Temp\tmpC22F.tmp"
                                  Imagebase:0x230000
                                  File size:187'904 bytes
                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:8
                                  Start time:07:48:12
                                  Start date:26/07/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff6d64d0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:9
                                  Start time:07:48:13
                                  Start date:26/07/2024
                                  Path:C:\Users\user\Desktop\UD61dgs2rz.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\UD61dgs2rz.exe"
                                  Imagebase:0x7a0000
                                  File size:961'544 bytes
                                  MD5 hash:3F69729A8F2B22E625BB984F28758EBC
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.4594472847.0000000000EF7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:low
                                  Has exited:false

                                  Target ID:10
                                  Start time:07:48:14
                                  Start date:26/07/2024
                                  Path:C:\Users\user\AppData\Roaming\HODoCxSdp.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Users\user\AppData\Roaming\HODoCxSdp.exe
                                  Imagebase:0x740000
                                  File size:961'544 bytes
                                  MD5 hash:3F69729A8F2B22E625BB984F28758EBC
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.2226007539.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000A.00000002.2226007539.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                  Antivirus matches:
                                  • Detection: 100%, Joe Sandbox ML
                                  • Detection: 42%, ReversingLabs
                                  Reputation:low
                                  Has exited:true

                                  Target ID:11
                                  Start time:07:48:15
                                  Start date:26/07/2024
                                  Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                  Imagebase:0x7ff6ef0c0000
                                  File size:496'640 bytes
                                  MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                  Has elevated privileges:true
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:12
                                  Start time:07:48:18
                                  Start date:26/07/2024
                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HODoCxSdp" /XML "C:\Users\user\AppData\Local\Temp\tmpD46F.tmp"
                                  Imagebase:0x230000
                                  File size:187'904 bytes
                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:13
                                  Start time:07:48:18
                                  Start date:26/07/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff6d64d0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:14
                                  Start time:07:48:18
                                  Start date:26/07/2024
                                  Path:C:\Users\user\AppData\Roaming\HODoCxSdp.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\AppData\Roaming\HODoCxSdp.exe"
                                  Imagebase:0xe40000
                                  File size:961'544 bytes
                                  MD5 hash:3F69729A8F2B22E625BB984F28758EBC
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.2197786692.00000000014CB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                  • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                  • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows exceutables potentially bypassing UAC using eventvwr.exe, Source: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                  Has exited:true


                                    Execution Graph

                                    Execution Coverage:10.4%
                                    Dynamic/Decrypted Code Coverage:100%
                                    Signature Coverage:3%
                                    Total number of Nodes:167
                                    Total number of Limit Nodes:7
                                    execution_graph (rendered graph omitted; node labels are code addresses in the 0x7034xxx-0x7039xxx region of the dumped module). API calls referenced by graph nodes: VirtualAllocEx, Wow64SetThreadContext, WriteProcessMemory, CreateProcessA, ResumeThread, ReadProcessMemory, PostMessageW.
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2179009225.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_50c0000_UD61dgs2rz.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: (o]q$4']q$4']q$4']q$4']q$4']q$4']q$4|bq$4|bq$$]q
                                    • API String ID: 0-3618750947
                                    • Opcode ID: 5cab371f0f28a0ee7d9ed72d684442932a06b98330b37aaf712f40ab8abd8f70
                                    • Instruction ID: c2b1bbcc0364f17efd8b9a5da60d41443f602cb667b004176e9e07868655fce7
                                    • Opcode Fuzzy Hash: 5cab371f0f28a0ee7d9ed72d684442932a06b98330b37aaf712f40ab8abd8f70
                                    • Instruction Fuzzy Hash: FE430874A01629DFCB64CF28D898AADBBB2BF49311F1185D9D409AB365CB31ED81CF50
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2180823485.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7030000_UD61dgs2rz.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 29d1fbf742dd8c9fb3c8020dd1ce3188d4ae5b670b40200e866c89804165f73b
                                    • Instruction ID: 9a0bd93c39c8525f6e866067e376a695a58a7570a25873746a376cb36b084c37
                                    • Opcode Fuzzy Hash: 29d1fbf742dd8c9fb3c8020dd1ce3188d4ae5b670b40200e866c89804165f73b
                                    • Instruction Fuzzy Hash: 386117B1D15219CBDB64CF66C8407DDBBBABF8A300F10C2EAD50DA6251EBB05A85CF50
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2180823485.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7030000_UD61dgs2rz.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d0114f1d80bf68b7c6fc647a49e37b5448d6da03ad797c2446dbeeabb4bff10c
                                    • Instruction ID: 8bc3f6bc9d4f13c659a24338d71b6244a94c7c5b4e83b1b454221e3d81f74faa
                                    • Opcode Fuzzy Hash: d0114f1d80bf68b7c6fc647a49e37b5448d6da03ad797c2446dbeeabb4bff10c
                                    • Instruction Fuzzy Hash: 50312DB0D052588FEB19CF66C8547DEBFF6AF8A300F18C16AD408AB265DB751545CF50
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2180823485.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7030000_UD61dgs2rz.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1b4c6f5fed2dc4d2e6721392cfef964c287033da1d21ca4b6f6d26ef71abe031
                                    • Instruction ID: 02d46e1d512f06d0ca8e1e90a2dcf6663e34f9670d18c033de08997c3b32de7f
                                    • Opcode Fuzzy Hash: 1b4c6f5fed2dc4d2e6721392cfef964c287033da1d21ca4b6f6d26ef71abe031
                                    • Instruction Fuzzy Hash: D621B3B1D016189BEB18CF9BC8447DEFAFBAFC9300F14C16AD419A6264DBB40945CF90
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2180823485.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7030000_UD61dgs2rz.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: eddd6d0c01e8cddd15181bfa347926055945a026c356c11bfab80a2540a2a312
                                    • Instruction ID: b2b5386f6f2abc61d1ea91d30f9568665561a73ed7b7c883268789baa1e7a01a
                                    • Opcode Fuzzy Hash: eddd6d0c01e8cddd15181bfa347926055945a026c356c11bfab80a2540a2a312
                                    • Instruction Fuzzy Hash: 0DA002E0C7F200DAD1204E1450181BEE5BDD34F11AF057350713FB35534662D0414A1C

                                    Control-flow Graph

                                    control_flow_graph for the function starting at 70358ed (rendered graph omitted; legend: Executed / Not Executed). Basic block 7035a87-7035b41 calls CreateProcessA.
                                    APIs
                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07035B2E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2180823485.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7030000_UD61dgs2rz.jbxd
                                    Similarity
                                    • API ID: CreateProcess
                                    • String ID:
                                    • API String ID: 963392458-0
                                    • Opcode ID: 92d88a693b58027c7d5a387fbfdb0fa1860af7597dd901c2aecc6d72261661ad
                                    • Instruction ID: 5dad2bee0ff6e44bb0f69450ac29b0a349c630032756e97477c04e33fa861d7c
                                    • Opcode Fuzzy Hash: 92d88a693b58027c7d5a387fbfdb0fa1860af7597dd901c2aecc6d72261661ad
                                    • Instruction Fuzzy Hash: 98A169B1D1061ACFDB20CF68CC81BDEBBB6BF48314F04826AD859A7250DB749995CF91

                                    Control-flow Graph

                                    control_flow_graph for the function starting at 70358f8 (rendered graph omitted; legend: Executed / Not Executed). Basic block 7035a87-7035b41 calls CreateProcessA.
                                    APIs
                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07035B2E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2180823485.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7030000_UD61dgs2rz.jbxd
                                    Similarity
                                    • API ID: CreateProcess
                                    • String ID:
                                    • API String ID: 963392458-0
                                    • Opcode ID: 6ae81a2bd90e4f75b4877f62b35e94582bd06316342306bf66c55703cdeffaef
                                    • Instruction ID: 419d3c2343474b9b3d3f25cb6d8d18f526061c3d571ac019aaa32d360f90b862
                                    • Opcode Fuzzy Hash: 6ae81a2bd90e4f75b4877f62b35e94582bd06316342306bf66c55703cdeffaef
                                    • Instruction Fuzzy Hash: 599159B1D1061ACFDB60CF68CC81B9DBBB6BF48314F04826AD819A7250DB749995CF91

                                    Control-flow Graph

                                    control_flow_graph for the function starting at ac6314 (rendered graph omitted; legend: Executed / Not Executed). Basic block ac6314-ac63e1 calls CreateActCtxA.
                                    APIs
                                    • CreateActCtxA.KERNEL32(?), ref: 00AC63D1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2169187718.0000000000AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AC0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ac0000_UD61dgs2rz.jbxd
                                    Similarity
                                    • API ID: Create
                                    • String ID:
                                    • API String ID: 2289755597-0
                                    • Opcode ID: f81006d16a1d0e7fb3f0dd92fefd0b231b44da90f3adde3f957b8a56fe2d0266
                                    • Instruction ID: 9da54168db23d662ec7f59a8b5254b7d2b34124f163862ac5a4730b00138767f
                                    • Opcode Fuzzy Hash: f81006d16a1d0e7fb3f0dd92fefd0b231b44da90f3adde3f957b8a56fe2d0266
                                    • Instruction Fuzzy Hash: 6A4102B0C00619CFDB24DFA9C944BDEBBB5BF49304F20806AD418AB255DBB55946CF90
                                    APIs
                                    • CreateActCtxA.KERNEL32(?), ref: 00AC63D1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2169187718.0000000000AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AC0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ac0000_UD61dgs2rz.jbxd
                                    Similarity
                                    • API ID: Create
                                    • String ID:
                                    • API String ID: 2289755597-0
                                    • Opcode ID: d3b5b07d0c93a06ad013f72f8ffa625a3f0ea7b54cb2b73fba53595da4d3bd8e
                                    • Instruction ID: c45f099d58553c3d5d332c8fb4fa98979dd00db9fa9318361a75ce318a8549b7
                                    • Opcode Fuzzy Hash: d3b5b07d0c93a06ad013f72f8ffa625a3f0ea7b54cb2b73fba53595da4d3bd8e
                                    • Instruction Fuzzy Hash: 9741E1B0C0071DCBDB24DFA9C944B9EBBF5BF49304F20806AD418AB255DB756946CF90
                                    APIs
                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07035700
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2180823485.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7030000_UD61dgs2rz.jbxd
                                    Similarity
                                    • API ID: MemoryProcessWrite
                                    • String ID:
                                    • API String ID: 3559483778-0
                                    • Opcode ID: 20eeb7ca778a8c4fb57f517be616d1ee701a6a8e60ac30a277a93e8675885d09
                                    • Instruction ID: 3f86208e9a2cbaf4e4d59df8ee0cc91512618bcde99e0b55987d89359683c58d
                                    • Opcode Fuzzy Hash: 20eeb7ca778a8c4fb57f517be616d1ee701a6a8e60ac30a277a93e8675885d09
                                    • Instruction Fuzzy Hash: 812146B59003499FDB10CFA9C885BEEBBF5FF48310F108429E959A7250C7789951CBA0
                                    APIs
                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07035700
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2180823485.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7030000_UD61dgs2rz.jbxd
                                    Similarity
                                    • API ID: MemoryProcessWrite
                                    • String ID:
                                    • API String ID: 3559483778-0
                                    • Opcode ID: e1efecf5e56a9369d945c1fac9b0444b65d58335dfb65696ad9666c7e9344162
                                    • Instruction ID: 657c70af8fbe89ae2cbbafbd14840838dbc736d0b21fc81ca4a71faab33aa4a4
                                    • Opcode Fuzzy Hash: e1efecf5e56a9369d945c1fac9b0444b65d58335dfb65696ad9666c7e9344162
                                    • Instruction Fuzzy Hash: EF2139B5900349DFCB10DFAAC885BEEBBF5FF48310F108429E959A7250C7789954CBA0
                                    APIs
                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 070357E0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2180823485.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7030000_UD61dgs2rz.jbxd
                                    Similarity
                                    • API ID: MemoryProcessRead
                                    • String ID:
                                    • API String ID: 1726664587-0
                                    • Opcode ID: 2d3e6f55c01fb727272f894ac8d1235143190f9c8e2014776951a29ee1cca057
                                    • Instruction ID: ef24dae4e6721b1d80805a5c686c97d299e16314d85f95f520a3bb7effdea326
                                    • Opcode Fuzzy Hash: 2d3e6f55c01fb727272f894ac8d1235143190f9c8e2014776951a29ee1cca057
                                    • Instruction Fuzzy Hash: 512116B5C003499FDB10DFAAC885AEEFBF5FF48310F50842AE959A7250C738A551CBA4
                                    APIs
                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0703511E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2180823485.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7030000_UD61dgs2rz.jbxd
                                    Similarity
                                    • API ID: ContextThreadWow64
                                    • String ID:
                                    • API String ID: 983334009-0
                                    • Opcode ID: 54e73891e4bae8a93b4b4d18c86c8f77c0f4a7ea76c77d3dec9315067df6609c
                                    • Instruction ID: ec9808ade2e852ad46cf7747dbe703628af75447e79ec5a041741822e3e8dee8
                                    • Opcode Fuzzy Hash: 54e73891e4bae8a93b4b4d18c86c8f77c0f4a7ea76c77d3dec9315067df6609c
                                    • Instruction Fuzzy Hash: EE2139B19002098FDB10DFAAC8857EEFBF4EF48314F50842AD859A7240DB789945CFA1
                                    APIs
                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 070357E0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2180823485.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7030000_UD61dgs2rz.jbxd
                                    Similarity
                                    • API ID: MemoryProcessRead
                                    • String ID:
                                    • API String ID: 1726664587-0
                                    • Opcode ID: 7acb3c5846d0fa379bf140c2016b00e347077ef77de83eeb203bfcd601ec3071
                                    • Instruction ID: 19c85f0114dc6b6c6f145df090e5754938f76462f64e4b73e1ab50935f6b130b
                                    • Opcode Fuzzy Hash: 7acb3c5846d0fa379bf140c2016b00e347077ef77de83eeb203bfcd601ec3071
                                    • Instruction Fuzzy Hash: 1A2137B1C003499FCB10DFAAC885AEEFBF5FF48310F10842AE559A7250C738A940CBA0
                                    APIs
                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0703511E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2180823485.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7030000_UD61dgs2rz.jbxd
                                    Similarity
                                    • API ID: ContextThreadWow64
                                    • String ID:
                                    • API String ID: 983334009-0
                                    • Opcode ID: 8aec7f85a7314f53100f1138224457b1342b6b133196247afda17461db1ca3a0
                                    • Instruction ID: 8cc25a93f197b3326d9ae30a0eb2afe324b9fd3f1daf28bc0e0270cf2cbc30fd
                                    • Opcode Fuzzy Hash: 8aec7f85a7314f53100f1138224457b1342b6b133196247afda17461db1ca3a0
                                    • Instruction Fuzzy Hash: 512118B59003098FDB10DFAAC8857EEBBF4EF48314F148429D559A7240DB78A945CFA5
                                    APIs
                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0703561E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2180823485.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7030000_UD61dgs2rz.jbxd
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID:
                                    • API String ID: 4275171209-0
                                    • Opcode ID: 86e101000628045eec907c6689271c58cb43327ea9bfa3518181cc2d2eac76ff
                                    • Instruction ID: 04630dcedcf402b84d497317bbbad6a4d60defa8ba427a9a267ad858d0fffb35
                                    • Opcode Fuzzy Hash: 86e101000628045eec907c6689271c58cb43327ea9bfa3518181cc2d2eac76ff
                                    • Instruction Fuzzy Hash: ED1129B58002499FDB10DFAAC844ADEFFF9EF48324F108419E559A7250C779A950CBA0
                                    APIs
                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0703561E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2180823485.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7030000_UD61dgs2rz.jbxd
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID:
                                    • API String ID: 4275171209-0
                                    • Opcode ID: 3c6300ffe9d51660d6bd0a1628572231dee962100bbb0f1b10ff2b0ebf7b982e
                                    • Instruction ID: 64ddf1567a9f0ea50d67db5949d8ba616b8f2b5f32774eb0b9942e342d759750
                                    • Opcode Fuzzy Hash: 3c6300ffe9d51660d6bd0a1628572231dee962100bbb0f1b10ff2b0ebf7b982e
                                    • Instruction Fuzzy Hash: 091137B58002499FCB10DFAAC844AEEFFF9EF48324F108819E519A7250C779A550CFA0
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2180823485.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7030000_UD61dgs2rz.jbxd
                                    Similarity
                                    • API ID: ResumeThread
                                    • String ID:
                                    • API String ID: 947044025-0
                                    • Opcode ID: e5def40a42f2b03f990c87eca1edc6db2a56821cb68a7ba026fee62d64cf9d4f
                                    • Instruction ID: f3ce2106046dea48a2dac7444bfaa80e57ec4e407194fc362e307f65e2b01fd2
                                    • Opcode Fuzzy Hash: e5def40a42f2b03f990c87eca1edc6db2a56821cb68a7ba026fee62d64cf9d4f
                                    • Instruction Fuzzy Hash: A21158B59003498EDB20DFAAC8447EEFFF9EF88314F248819D459A7240C739A945CBA0
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2180823485.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7030000_UD61dgs2rz.jbxd
                                    Similarity
                                    • API ID: ResumeThread
                                    • String ID:
                                    • API String ID: 947044025-0
                                    • Opcode ID: 1efb0b94591550dacc639184e54d58376ccc19e2fa929928eea9b25fd10781ce
                                    • Instruction ID: f62c7104485a3af513fac81fea4008cc79ca98a1dd637b5a169b778a7629d12c
                                    • Opcode Fuzzy Hash: 1efb0b94591550dacc639184e54d58376ccc19e2fa929928eea9b25fd10781ce
                                    • Instruction Fuzzy Hash: 971158B18003488BCB20DFAAC8447EEFBF8EF88324F208419C519A7240CB39A544CBA0
                                    APIs
                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 07039CE5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2180823485.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7030000_UD61dgs2rz.jbxd
                                    Similarity
                                    • API ID: MessagePost
                                    • String ID:
                                    • API String ID: 410705778-0
                                    • Opcode ID: 2b1e1f0691cef1dd805db25d23ee5e50490fef4b92dc9542ebe2704040c45a48
                                    • Instruction ID: e73676eb513f0ec76ae02946e7a90719eb9ef8865b385701602ab7e1ea481c1b
                                    • Opcode Fuzzy Hash: 2b1e1f0691cef1dd805db25d23ee5e50490fef4b92dc9542ebe2704040c45a48
                                    • Instruction Fuzzy Hash: F51136B58103499FCB10DF8AC844BDEBBF8FB48314F108419E559A3200C378A940CFA0
                                    APIs
                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 07039CE5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2180823485.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7030000_UD61dgs2rz.jbxd
                                    Similarity
                                    • API ID: MessagePost
                                    • String ID:
                                    • API String ID: 410705778-0
                                    • Opcode ID: 322c8e5b945d7aaafcb467bea83b037d9c134c30db395b2e8f40779b58cef026
                                    • Instruction ID: 583fbf31a7839bdd8d5fe10eb1aa9b2883a6719816fdadc8e3f14a72504d480a
                                    • Opcode Fuzzy Hash: 322c8e5b945d7aaafcb467bea83b037d9c134c30db395b2e8f40779b58cef026
                                    • Instruction Fuzzy Hash: 5F1106B580034A9FDB10DF99D988BDEBFF8FB48314F10844AE559A3601C378A544CFA4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2167910072.00000000006DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006DD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6dd000_UD61dgs2rz.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 89b6f3cfcbe49442b55d4f7f36e6832381f30bae5b51e0c947ae3c848800abef
                                    • Instruction ID: c71cbe70efb3c9f1a29c2c251d07851bef85a69e523fb2460482a0eaa09397e4
                                    • Opcode Fuzzy Hash: 89b6f3cfcbe49442b55d4f7f36e6832381f30bae5b51e0c947ae3c848800abef
                                    • Instruction Fuzzy Hash: 1F210771904240EFCB15EF54D9C0F2ABF66FB98314F24C56AE9094B356C33AD816DBA2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2167910072.00000000006DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006DD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6dd000_UD61dgs2rz.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1184b3030f44e87513d863a0d5cb931649dcb6b15b2ce36535605a2204c89a95
                                    • Instruction ID: 047406a3527bb85dea9eea9085c9a8ce934b4d71c141569b763a55e9e4eae5de
                                    • Opcode Fuzzy Hash: 1184b3030f44e87513d863a0d5cb931649dcb6b15b2ce36535605a2204c89a95
                                    • Instruction Fuzzy Hash: 9A214971900244DFCB05EF14E9C0F26BF66FB98318F20C56AE9094B356C33AD856DBA1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2167951645.00000000006ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 006ED000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6ed000_UD61dgs2rz.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b852131de1a97171e745678553552285a33906bda71691a077f4a2933492c1f9
                                    • Instruction ID: 0a77609c14b040631b2089e8fce53d5a9dfece238c41ddaaf8a72c3d36a446ea
                                    • Opcode Fuzzy Hash: b852131de1a97171e745678553552285a33906bda71691a077f4a2933492c1f9
                                    • Instruction Fuzzy Hash: 78210475545384EFDB04DF14D9C4B66BB66FB98314F20C56DD8094B396C33AD806CAA1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2167951645.00000000006ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 006ED000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6ed000_UD61dgs2rz.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3ae4d79c80963e0cd20e6b457233ca149547d145c6dc9aaa13a47c6cda079db8
                                    • Instruction ID: d60a54644295da60f1b8031e5c843f2007e8c771a7d8757865f96482e19e5d8e
                                    • Opcode Fuzzy Hash: 3ae4d79c80963e0cd20e6b457233ca149547d145c6dc9aaa13a47c6cda079db8
                                    • Instruction Fuzzy Hash: 7721F275504384EFDB05DF25D9C0B26BBA6FB88314F20C56DEA094B396C33AD906DA61
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2167910072.00000000006DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006DD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6dd000_UD61dgs2rz.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d06fae078f3ccc2112caf8552f6b645ede566e603d6c7b0d9faf10800b04cc1c
                                    • Instruction ID: b0912dab148a52c6d16cf0024c85e846af7fc881fb29d6323f60f31911ee6891
                                    • Opcode Fuzzy Hash: d06fae078f3ccc2112caf8552f6b645ede566e603d6c7b0d9faf10800b04cc1c
                                    • Instruction Fuzzy Hash: EF21D276804240CFCB16DF00D9C4B56BF72FB89314F24C1AAD9480B356C33AD416CBA2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2167910072.00000000006DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006DD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6dd000_UD61dgs2rz.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                    • Instruction ID: 2a956476e62bcacfd6c1d61cb558603d90bb404e348414deacc5e77a24129d42
                                    • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                    • Instruction Fuzzy Hash: 2711D376904280CFCB16DF10D5C4B56BF72FB94314F24C5AAD9494B356C336D85ACBA2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2167951645.00000000006ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 006ED000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6ed000_UD61dgs2rz.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                    • Instruction ID: bf25036823362e7365348875fbd4585e5948ea58054212d7b2ebbc135ef9710f
                                    • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                    • Instruction Fuzzy Hash: F511BB75504380DFCB02CF10C5C4B15BBA2FB84314F24C6A9DA494B396C33AD80ACB62
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2167951645.00000000006ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 006ED000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6ed000_UD61dgs2rz.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                    • Instruction ID: 08fb0b89b286eb76ac7ddc1f601a58a2bb1e2959158bc0e93b0374eb9d9f6655
                                    • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                    • Instruction Fuzzy Hash: 0B118B75505380DFDB06CF14D9C4B55BBA2FB88314F24C6A9D8494B796C33AD84ACBA2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2167910072.00000000006DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006DD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6dd000_UD61dgs2rz.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 864e16d0e64334860c2d9615999684d5ae7ff17309ba130f562a0cf1a2abf489
                                    • Instruction ID: 1a558eedcd1407aa38f67051f118f9dd3f0483dceb1a243c582b7f9cafd0dffb
                                    • Opcode Fuzzy Hash: 864e16d0e64334860c2d9615999684d5ae7ff17309ba130f562a0cf1a2abf489
                                    • Instruction Fuzzy Hash: BB01DB718043449AD720AA5ACD84BA7FF9DEF55360F28C4ABED1D0A386C3799C41C671
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2167910072.00000000006DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006DD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6dd000_UD61dgs2rz.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2672215f700c53a397f6f94ac07a140e0c73a2b556c3640f7715f02b30b007c9
                                    • Instruction ID: 66e69491c91330a8022f04b7d03294c2e946f08beb3a0e93ea5a90414d106515
                                    • Opcode Fuzzy Hash: 2672215f700c53a397f6f94ac07a140e0c73a2b556c3640f7715f02b30b007c9
                                    • Instruction Fuzzy Hash: 33F062714043449EE7209A1ADC84BA2FFA8EF55774F18C45BED584A386C2799844CAB5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2179009225.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_50c0000_UD61dgs2rz.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: (o]q$(o]q$,aq$,aq$Haq
                                    • API String ID: 0-2157538030
                                    • Opcode ID: 52a8f9c9bfa5b08aff79a4880d5162faef365f3071b2418a6e1c3104c727cd44
                                    • Instruction ID: 6677e4d038c6ddcdf7f9ea7c8b04f62776c24bec3347cc3bf796aa90d33e2274
                                    • Opcode Fuzzy Hash: 52a8f9c9bfa5b08aff79a4880d5162faef365f3071b2418a6e1c3104c727cd44
                                    • Instruction Fuzzy Hash: C5526D34A105159FCB58DF69E488AAD7BF2FF8A710B15C5ADE8069B361DB30EC41CB90
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2179009225.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_50c0000_UD61dgs2rz.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4']q
                                    • API String ID: 0-1259897404
                                    • Opcode ID: 319ef7af223d14f1ef0c383e496acb49aa7bf20e316bfad4f3c77abfc2a0aa50
                                    • Instruction ID: acb9319f1efcfe0f82acbca49af51e485ca58c78b7c2153deff3d8d65170df90
                                    • Opcode Fuzzy Hash: 319ef7af223d14f1ef0c383e496acb49aa7bf20e316bfad4f3c77abfc2a0aa50
                                    • Instruction Fuzzy Hash: FBB21A74A00619CFCB68CF68D898AADBBB2BF4A311F2585D9D415AB361C731ED81CF50
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2180823485.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7030000_UD61dgs2rz.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 32eb060021de0716e2c1130d6fd966b686fac0a89a4ee5b54509ebd8dffe2e47
                                    • Instruction ID: c9fd1e323ad6d30dc597ed8aa99f320254e4b29eaa1f1c58549e88eafe313b74
                                    • Opcode Fuzzy Hash: 32eb060021de0716e2c1130d6fd966b686fac0a89a4ee5b54509ebd8dffe2e47
                                    • Instruction Fuzzy Hash: 46D1AAF07006049FDB25DB76C550BAEB7EAAF89708F10856ED15ACB291DF34E901CB51
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2180823485.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7030000_UD61dgs2rz.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4bf436f9d87a4b62fb764fcc2e6a792ac48e4453594f366ea1e36fe4bec0fb0b
                                    • Instruction ID: e6ee489988281b3d1fc8eed6d9d826fb4f000f21699414b630c99ce79466c93d
                                    • Opcode Fuzzy Hash: 4bf436f9d87a4b62fb764fcc2e6a792ac48e4453594f366ea1e36fe4bec0fb0b
                                    • Instruction Fuzzy Hash: B0E1FBB4E001598FCB54DFA9C5809AEFBF6FF89305F248269E414AB356D730A981CF61
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2180823485.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7030000_UD61dgs2rz.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 15935aabeac69ed87c30d7289776b19af32c79a107ac7707151c791927ad46c6
                                    • Instruction ID: b746dff7cc2a0a539aa449126a110b7bdfba341662fee27dd93b462c5af439a1
                                    • Opcode Fuzzy Hash: 15935aabeac69ed87c30d7289776b19af32c79a107ac7707151c791927ad46c6
                                    • Instruction Fuzzy Hash: 7DE1F7B4E001198FDB14DFA9C5809AEFBF6FF89305F248269D415AB356D730A981CFA1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2180823485.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7030000_UD61dgs2rz.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 28f7aef52c5b8e4b12d785d95c171990d847663c006783a1be005b68f1cf5926
                                    • Instruction ID: 19bf1e21a3396b653db16dbf055ca0f53c8f6359e2d4b80051bef416efbed3ec
                                    • Opcode Fuzzy Hash: 28f7aef52c5b8e4b12d785d95c171990d847663c006783a1be005b68f1cf5926
                                    • Instruction Fuzzy Hash: 7AE1E8B4E001198FCB54DFA9C6809AEFBF6FF89305F248269D414AB356D731A981CF61
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2180823485.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7030000_UD61dgs2rz.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2180823485.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7030000_UD61dgs2rz.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2179009225.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_50c0000_UD61dgs2rz.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2179009225.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_50c0000_UD61dgs2rz.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2180823485.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7030000_UD61dgs2rz.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:

                                    Execution Graph

                                    Execution Coverage:11.6%
                                    Dynamic/Decrypted Code Coverage:100%
                                    Signature Coverage:0%
                                    Total number of Nodes:166
                                    Total number of Limit Nodes:5

                                    Control-flow Graph: function 72858ed (calls CreateProcessA)
                                    APIs
                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07285B2E
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.2230688924.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_7280000_HODoCxSdp.jbxd
                                    Similarity
                                    • API ID: CreateProcess
                                    • String ID:
                                    • API String ID: 963392458-0

                                    Control-flow Graph: function 72858f8 (calls CreateProcessA)
                                    APIs
                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07285B2E
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.2230688924.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_7280000_HODoCxSdp.jbxd
                                    Similarity
                                    • API ID: CreateProcess
                                    • String ID:
                                    • API String ID: 963392458-0

                                    Control-flow Graph: function 29b4ea4 (calls CreateActCtxA)
                                    APIs
                                    • CreateActCtxA.KERNEL32(?), ref: 029B63D1
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.2223471309.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_29b0000_HODoCxSdp.jbxd
                                    Similarity
                                    • API ID: Create
                                    • String ID:
                                    • API String ID: 2289755597-0

                                    Control-flow Graph: function 29b6314 (calls CreateActCtxA)
                                    APIs
                                    • CreateActCtxA.KERNEL32(?), ref: 029B63D1
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.2223471309.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_29b0000_HODoCxSdp.jbxd
                                    Similarity
                                    • API ID: Create
                                    • String ID:
                                    • API String ID: 2289755597-0

                                    Control-flow Graph: function 7285668 (calls WriteProcessMemory)
                                    APIs
                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07285700
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.2230688924.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_7280000_HODoCxSdp.jbxd
                                    Similarity
                                    • API ID: MemoryProcessWrite
                                    • String ID:
                                    • API String ID: 3559483778-0

                                    Control-flow Graph: function 7285670 (calls WriteProcessMemory)
                                    APIs
                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07285700
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.2230688924.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_7280000_HODoCxSdp.jbxd
                                    Similarity
                                    • API ID: MemoryProcessWrite
                                    • String ID:
                                    • API String ID: 3559483778-0

                                    Control-flow Graph: function 7285758 (calls ReadProcessMemory)
                                    APIs
                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 072857E0
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.2230688924.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_7280000_HODoCxSdp.jbxd
                                    Similarity
                                    • API ID: MemoryProcessRead
                                    • String ID:
                                    • API String ID: 1726664587-0

                                    Control-flow Graph: function 7285098 (calls Wow64SetThreadContext)
                                    APIs
                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0728511E
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.2230688924.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_7280000_HODoCxSdp.jbxd
                                    Similarity
                                    • API ID: ContextThreadWow64
                                    • String ID:
                                    • API String ID: 983334009-0
                                    APIs
                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 072857E0
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.2230688924.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_7280000_HODoCxSdp.jbxd
                                    Similarity
                                    • API ID: MemoryProcessRead
                                    • String ID:
                                    • API String ID: 1726664587-0
                                    APIs
                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0728511E
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.2230688924.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_7280000_HODoCxSdp.jbxd
                                    Similarity
                                    • API ID: ContextThreadWow64
                                    • String ID:
                                    • API String ID: 983334009-0
                                    APIs
                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0728561E
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.2230688924.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_7280000_HODoCxSdp.jbxd
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID:
                                    • API String ID: 4275171209-0
                                    APIs
                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0728561E
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.2230688924.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_7280000_HODoCxSdp.jbxd
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID:
                                    • API String ID: 4275171209-0
                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.2230688924.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_7280000_HODoCxSdp.jbxd
                                    Similarity
                                    • API ID: ResumeThread
                                    • String ID:
                                    • API String ID: 947044025-0
                                    • Opcode ID: 96678a7e3970b669fbbebf4af16991f164af80b68e2189f745569978a72770cf
                                    • Instruction ID: cf98161cf411c7f4d3e0c8209568d3a31a40525c9c35f6462457ecb7c5946baf
                                    • Opcode Fuzzy Hash: 96678a7e3970b669fbbebf4af16991f164af80b68e2189f745569978a72770cf
                                    • Instruction Fuzzy Hash: 1A1158B5C003498BCB20EFAAD4457EEFFF5EF88320F208419D519A7240DB79A544CBA0
                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.2230688924.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_7280000_HODoCxSdp.jbxd
                                    Similarity
                                    • API ID: ResumeThread
                                    • String ID:
                                    • API String ID: 947044025-0
                                    • Opcode ID: ce622b4e904115c7c632b1a2e976cb035582daca5538437d7a9bc20c8ebf2238
                                    • Instruction ID: 714d60320a6519f43bcda71c52367ead86401bd6aac167231012e353e68ca36c
                                    • Opcode Fuzzy Hash: ce622b4e904115c7c632b1a2e976cb035582daca5538437d7a9bc20c8ebf2238
                                    • Instruction Fuzzy Hash: D61136B1D003498FCB24EFAAC4457EEFBF5EF88324F248419D519A7240DB79A944CBA0
                                    APIs
                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 07288F7D
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.2230688924.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_7280000_HODoCxSdp.jbxd
                                    Similarity
                                    • API ID: MessagePost
                                    • String ID:
                                    • API String ID: 410705778-0
                                    • Opcode ID: de35b6f906dcca67e11816cd23f98690cc839ed01306d07579299ba056b8d4bd
                                    • Instruction ID: 28a379330d6f7ad51cf8e25bf57772dc415ceaa210fe805a2102e2b546761482
                                    • Opcode Fuzzy Hash: de35b6f906dcca67e11816cd23f98690cc839ed01306d07579299ba056b8d4bd
                                    • Instruction Fuzzy Hash: 151106B58103499FDB20EF99D889BDEBBF8FB58310F508419E558A7240C375A944CFE1
                                    APIs
                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 07288F7D
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.2230688924.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_7280000_HODoCxSdp.jbxd
                                    Similarity
                                    • API ID: MessagePost
                                    • String ID:
                                    • API String ID: 410705778-0
                                    • Opcode ID: e952284152ac2d097ca56bc37328bf13e822b1878f808f120b9ab91b18c86f69
                                    • Instruction ID: 55ac94d0be581e0186dfb30ba366762183908801ac076f1f5ae3e94ef5bd5814
                                    • Opcode Fuzzy Hash: e952284152ac2d097ca56bc37328bf13e822b1878f808f120b9ab91b18c86f69
                                    • Instruction Fuzzy Hash: BA1122B58003498FDB20EF99D488BDEBFF4EB58310F10841AE558A3200C379A980CFA0
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.2222235219.0000000000EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_efd000_HODoCxSdp.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5dc4e8184f8c91efe9881a852ace9d41fb8962aadec5ee6e23623cd2188cf604
                                    • Instruction ID: 3c0576815f368a54941e2b662fb253b3e7724cf8832d099106a1e8545715a5ca
                                    • Opcode Fuzzy Hash: 5dc4e8184f8c91efe9881a852ace9d41fb8962aadec5ee6e23623cd2188cf604
                                    • Instruction Fuzzy Hash: 262125B1508208DFCB05DF14DDC0F36BF66FB98318F208569EA095B256C33AD816DBA1
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.2222291530.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_f0d000_HODoCxSdp.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0f3bd9a8b7718db65a130192e311dc8a181022dd3db070ce1b3d824d4b7d80f1
                                    • Instruction ID: b269fd54f5bfe438592e50f20d94125da1850c4dc8dd04d2fceadcf6f3d3ded9
                                    • Opcode Fuzzy Hash: 0f3bd9a8b7718db65a130192e311dc8a181022dd3db070ce1b3d824d4b7d80f1
                                    • Instruction Fuzzy Hash: 94210471904304EFDB05DFA4D9C0F26BBA5FB88324F20C56DE9094B296C33AD806FA61
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.2222291530.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_f0d000_HODoCxSdp.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 214b8f6783d0cdc83ffbb9dbc44df524b79278734e3c0ce63233df6146777217
                                    • Instruction ID: 4397f9ce67126a6d5f4866a700a686081fd1633cbbc63ed8ed51af41aca9945a
                                    • Opcode Fuzzy Hash: 214b8f6783d0cdc83ffbb9dbc44df524b79278734e3c0ce63233df6146777217
                                    • Instruction Fuzzy Hash: 4B21F275944204EFEB04DF94D980B26BB65FB84324F20C56DD8094B296CB7AD806EAA1
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.2222235219.0000000000EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_efd000_HODoCxSdp.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                    • Instruction ID: 061d88c8731a5e69750656ecc54ceb6faa760ba2a41d7c2ee7cbf01065ad601c
                                    • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                    • Instruction Fuzzy Hash: 6811E676508244CFCB06CF10D9C4B26BF72FB94318F24C6A9D9494B256C336D85ADBA2
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.2222291530.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_f0d000_HODoCxSdp.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                    • Instruction ID: aa6995092d4a548c99866cf82429f0d060001e84f231d4325e013e270cd53330
                                    • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                    • Instruction Fuzzy Hash: CE118E75904240DFEB05CF54D9C4B15FB62FB44324F24C6A9D8494B696C33AD84AEBA1
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.2222291530.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_f0d000_HODoCxSdp.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                    • Instruction ID: 30f9bb25226084f36c8e961a4eeb0eadc6786f624f69c9015c0170e78f70efe4
                                    • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                    • Instruction Fuzzy Hash: 6211BB75904280DFCB16CF54C9C4B15FBA1FB84324F24C6A9D8494B696C33AD80AEB62
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.2222235219.0000000000EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_efd000_HODoCxSdp.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d2c5bc16bb60e96673a7a01fa3d285bd74c2ad75eb9ac1ad7945030368ac1da5
                                    • Instruction ID: dd047c1d1366c137dda17fc4f753dd2ff2d307b687c58a274114b322ded69898
                                    • Opcode Fuzzy Hash: d2c5bc16bb60e96673a7a01fa3d285bd74c2ad75eb9ac1ad7945030368ac1da5
                                    • Instruction Fuzzy Hash: F7012B310093489AD720AB55CC84B77FF9DEF45324F28C82BEE091E2DAC3399840C671
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.2222235219.0000000000EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_efd000_HODoCxSdp.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 611b568d3f3628f978cb3cf9c3f9e9537f54567def1ca8ce8087e4e622892f39
                                    • Instruction ID: 619ef1453c0e4d577096a76cf1c1d8a0d0ea65af7ea7da28ba0269813515117b
                                    • Opcode Fuzzy Hash: 611b568d3f3628f978cb3cf9c3f9e9537f54567def1ca8ce8087e4e622892f39
                                    • Instruction Fuzzy Hash: 70F0C2714093449EE7209A06DC84B62FFA8EF51728F18C85AEE081E28AC2799840CAB0

                                    Execution Graph

                                    Execution Coverage:1.7%
                                    Dynamic/Decrypted Code Coverage:0%
                                    Signature Coverage:3.7%
                                    Total number of Nodes:616
                                    Total number of Limit Nodes:12
                                    execution_graph: flattened node/edge listing of the rendered Execution Graph (616 nodes, 12 limit nodes), running from node 45800 (404e06 WaitForSingleObject) to node 46638 (432d5c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess); the graph image itself is not part of this text export.

                                    Control-flow Graph

                                    APIs
                                    • LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A8EF
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041A8F8
                                    • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A90F
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041A912
                                    • LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A924
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041A927
                                    • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A93D
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041A940
                                    • GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D40C), ref: 0041A951
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041A954
                                    • GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040D40C), ref: 0041A969
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041A96C
                                    • LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040D40C), ref: 0041A97D
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041A980
                                    • LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040D40C), ref: 0041A98C
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041A98F
                                    • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D40C), ref: 0041A9A1
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041A9A4
                                    • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D40C), ref: 0041A9B1
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041A9B4
                                    • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D40C), ref: 0041A9C5
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041A9C8
                                    • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D40C), ref: 0041A9D5
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041A9D8
                                    • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D40C), ref: 0041A9EA
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041A9ED
                                    • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D40C), ref: 0041A9FA
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041A9FD
                                    • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D40C), ref: 0041AA0A
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041AA0D
                                    • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemTimes,?,?,?,?,0040D40C), ref: 0041AA1F
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041AA22
                                    • LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C,?,?,?,?,0040D40C), ref: 0041AA30
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041AA33
                                    • LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow,?,?,?,?,0040D40C), ref: 0041AA40
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041AA43
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$HandleModule$LibraryLoad
                                    • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetModuleFileNameExA$GetModuleFileNameExW$GetMonitorInfoW$GetSystemTimes$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$NtUnmapViewOfSection$Psapi.dll$SetProcessDEPPolicy$SetProcessDpiAware$SetProcessDpiAwareness$Shell32$Shlwapi.dll$kernel32$kernel32.dll$ntdll.dll$shcore$user32
                                    • API String ID: 551388010-2474455403
                                    • Opcode ID: e80cee8c84c8c84204283680f0404711a146afcd0be7a07adf6e8d3a182e926f
                                    • Instruction ID: 1e7ebd14e1f9a52016720e07cc743ec1e909bc11fdf6f09267ddb838bd68d733
                                    • Opcode Fuzzy Hash: e80cee8c84c8c84204283680f0404711a146afcd0be7a07adf6e8d3a182e926f
                                    • Instruction Fuzzy Hash: 9031EBF0E413587ADB207BBA5C09E5B3E9CDA80794711052BB408D3661FAFC9C448E6E

                                    Control-flow Graph

                                    control_flow_graph: function at 004407B5 (nodes 4407b5-4407ef); calls 004461F8, GetPEB, GetCurrentProcess, TerminateProcess, 0044083A, ExitProcess (node/edge data omitted)
                                    APIs
                                    • GetCurrentProcess.KERNEL32(00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002,00000000), ref: 004407D6
                                    • TerminateProcess.KERNEL32(00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002,00000000), ref: 004407DD
                                    • ExitProcess.KERNEL32 ref: 004407EF
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$CurrentExitTerminate
                                    • String ID:
                                    • API String ID: 1703294689-0
                                    • Opcode ID: ab47e799b5bc4cc6dde358da0dc0a23fd4678ab9e3bf0635ceb4545ab71368f2
                                    • Instruction ID: 8c86c1f28e0fd2f6406888839527a8aea1509f7e03a0ffdd8510570f14deced8
                                    • Opcode Fuzzy Hash: ab47e799b5bc4cc6dde358da0dc0a23fd4678ab9e3bf0635ceb4545ab71368f2
                                    • Instruction Fuzzy Hash: 9AE04631000608ABEF017F20DD48A493B29EB40346F410029F9088B232CB3DED52CA89

                                    Control-flow Graph

                                    control_flow_graph: function at 0040D3F0 (nodes 40d3f0-40dd6f); Win32 calls: OpenMutexA, WaitForSingleObject, CloseHandle, CreateMutexA, GetLastError, GetModuleFileNameW, CreateThread (several call sites); remaining nodes are internal subcalls (node/edge data omitted)
                                    APIs
                                      • Part of subcall function 0041A8DA: LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A8EF
                                      • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A8F8
                                      • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A90F
                                      • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A912
                                      • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A924
                                      • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A927
                                      • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A93D
                                      • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A940
                                      • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D40C), ref: 0041A951
                                      • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A954
                                      • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040D40C), ref: 0041A969
                                      • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A96C
                                      • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040D40C), ref: 0041A97D
                                      • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A980
                                      • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040D40C), ref: 0041A98C
                                      • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A98F
                                      • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D40C), ref: 0041A9A1
                                      • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9A4
                                      • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D40C), ref: 0041A9B1
                                      • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9B4
                                      • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D40C), ref: 0041A9C5
                                      • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9C8
                                      • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D40C), ref: 0041A9D5
                                      • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9D8
                                      • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D40C), ref: 0041A9EA
                                      • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9ED
                                      • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D40C), ref: 0041A9FA
                                      • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9FD
                                    • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 0040D603
                                      • Part of subcall function 0040F98D: __EH_prolog.LIBCMT ref: 0040F992
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$HandleModule$LibraryLoad$H_prologMutexOpen
                                    • String ID: (#G$0"G$0"G$0"G$Access Level: $Administrator$Exe$H"G$H"G$Inj$Remcos Agent initialized$Software\$User$`"G$exepath$licence$license_code.txt$origmsc$!G$!G$!G$!G$!G
                                    • API String ID: 1529173511-1365410817
                                    • Opcode ID: faed5817389e9e1c44c9bd25bc2e5785f6855519673eedd1caaf3ae8bfa0178d
                                    • Instruction ID: a36e185f3bd9362bdba41541190492353975b392bf08c7d21c2bc217d0697d36
                                    • Opcode Fuzzy Hash: faed5817389e9e1c44c9bd25bc2e5785f6855519673eedd1caaf3ae8bfa0178d
                                    • Instruction Fuzzy Hash: 5622B960B043412BDA1577B69C67A7E25998F81708F04483FF946BB2E3EEBC4D05839E

                                    Control-flow Graph

                                    APIs
                                    • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E18
                                    • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E23
                                    • FindCloseChangeNotification.KERNELBASE(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E2C
                                    • closesocket.WS2_32(?), ref: 00404E3A
                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E71
                                    • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E82
                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E89
                                    • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E9A
                                    • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E9F
                                    • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EA4
                                    • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EB1
                                    • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EB6
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseEvent$HandleObjectSingleWait$ChangeFindNotificationclosesocket
                                    • String ID:
                                    • API String ID: 2403171778-0
                                    • Opcode ID: b1c96c5231e2cfca5084612c4e73afdaef55ac4315f506c78c7bb7997b29a698
                                    • Instruction ID: b890c501aeabc943cf782ca315c2c368517b908ebe77e8074f52597b82095e9a
                                    • Opcode Fuzzy Hash: b1c96c5231e2cfca5084612c4e73afdaef55ac4315f506c78c7bb7997b29a698
                                    • Instruction Fuzzy Hash: 1B212C71000B009FDB216B26DC49B17BBE5FF40326F114A2DE2E212AF1CB79E851DB58

                                    Control-flow Graph

                                    control_flow_graph: function at 00445A95 (nodes 445a95-445b0f); calls LoadLibraryExW (two call sites), GetLastError, FreeLibrary (node/edge data omitted)
                                    APIs
                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,?,00000000,00000000,?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue), ref: 00445AC7
                                    • GetLastError.KERNEL32(?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue,0045C110,0045C118,00000000,00000364,?,004457F7), ref: 00445AD3
                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue,0045C110,0045C118,00000000), ref: 00445AE1
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: LibraryLoad$ErrorLast
                                    • String ID:
                                    • API String ID: 3177248105-0
                                    • Opcode ID: 6ca79951660ad3b6e96c8c42d18b75cc874aa2905662dd76989ddfa9726cc4c5
                                    • Instruction ID: dabcc1aa4f00c9d7d6140ee010913d89a9079070269616da1364236c98588597
                                    • Opcode Fuzzy Hash: 6ca79951660ad3b6e96c8c42d18b75cc874aa2905662dd76989ddfa9726cc4c5
                                    • Instruction Fuzzy Hash: 8501FC32601B276BDF218A78AC84D577758EF05B617110635F906E3242D724DC01C6E8

                                    Control-flow Graph

                                    control_flow_graph: function at 004459F9 (nodes 4459f9-445a94); calls 00445A95, GetProcAddress, 00432123 (node/edge data omitted)
                                    APIs
                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00445A59
                                    • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00445A66
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc__crt_fast_encode_pointer
                                    • String ID:
                                    • API String ID: 2279764990-0
                                    • Opcode ID: c61b452eecc00867d96f211e5a9c10d9e28e8afd79249807e8935c7f12eaf234
                                    • Instruction ID: f797c493580bcbb57e031b514bcf368a6941c3076375826e2c1e25af396318bd
                                    • Opcode Fuzzy Hash: c61b452eecc00867d96f211e5a9c10d9e28e8afd79249807e8935c7f12eaf234
                                    • Instruction Fuzzy Hash: AA113A37A009319BAF21DE69ECC086B7391AB847247164332FC15BB346E634EC0286E9

                                    Control-flow Graph

                                    control_flow_graph: function at 0040163E (nodes 40163e-401693); calls 0043229F (two call sites), no Win32 API calls (node/edge data omitted)
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f210c679e2b780eded3ea4ef50917041f60fa4d2abe52b8749c2b449606446f0
                                    • Instruction ID: 17b6f17919427e724365abd55f1db4a6b8769e1fa76fb76fe63095c9ff18be87
                                    • Opcode Fuzzy Hash: f210c679e2b780eded3ea4ef50917041f60fa4d2abe52b8749c2b449606446f0
                                    • Instruction Fuzzy Hash: 09F0ECB02042015BCB1C9B34CD5062B379A4BA8365F289F7FF02BD61E0C73AC895860D

                                    Control-flow Graph

                                    control_flow_graph: function at 00443649 (nodes 443649-443696); calls 0043AD91, RtlAllocateHeap, 00442A57, 00440480 (node/edge data omitted)
                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    • Opcode ID: 0c61ffa0ec78c269e0422769366e0108c3b164e239eff4ad14a217a7d57edf52
                                    • Instruction ID: 99ef05a6bb91785527f59a1062444bc3c705daae6acf277761014d7f2c467fed
                                    • Opcode Fuzzy Hash: 0c61ffa0ec78c269e0422769366e0108c3b164e239eff4ad14a217a7d57edf52
                                    • Instruction Fuzzy Hash: 7EE0E52110162377F6312E635C0075B36489F41BA2F17412BFC8596780CB69CE0041AD
                                    APIs
                                    • GetCurrentProcessId.KERNEL32 ref: 00410B6B
                                      • Part of subcall function 00412268: RegCreateKeyA.ADVAPI32(80000001,00000000,P0F), ref: 00412276
                                      • Part of subcall function 00412268: RegSetValueExA.ADVAPI32(P0F,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 00412291
                                      • Part of subcall function 00412268: RegCloseKey.ADVAPI32(?,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 0041229C
                                    • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410BAB
                                    • CloseHandle.KERNEL32(00000000), ref: 00410BBA
                                    • CreateThread.KERNEL32(00000000,00000000,00411253,00000000,00000000,00000000), ref: 00410C10
                                    • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00410E7F
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Similarity
                                    • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                    • String ID: (#G$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$!G
                                    • API String ID: 3018269243-1736093966
                                    APIs
                                    • SetEvent.KERNEL32(?,?), ref: 00406D4A
                                    • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00406E18
                                    • DeleteFileW.KERNEL32(00000000), ref: 00406E3A
                                      • Part of subcall function 0041A01B: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00471E78,?), ref: 0041A076
                                      • Part of subcall function 0041A01B: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00471E78,?), ref: 0041A0A6
                                      • Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A0FB
                                      • Part of subcall function 0041A01B: FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A15C
                                      • Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A163
                                      • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                      • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                      • Part of subcall function 00404A81: WaitForSingleObject.KERNEL32(?,00000000,00401A25,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000), ref: 00404B27
                                      • Part of subcall function 00404A81: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000,?,?,?,?,?,00401A25), ref: 00404B55
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407228
                                    • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00407309
                                    • DeleteFileA.KERNEL32(?), ref: 0040768E
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Similarity
                                    • API ID: File$Find$DeleteDirectoryEventRemove$AttributesCloseDriveExecuteFirstLocalLogicalNextObjectShellSingleStringsTimeWaitsend
                                    • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$open
                                    • API String ID: 1385304114-1507758755
                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 004056C6
                                      • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                    • __Init_thread_footer.LIBCMT ref: 00405703
                                    • CreatePipe.KERNEL32(00473BB4,00473B9C,00473AC0,00000000,00463068,00000000), ref: 00405796
                                    • CreatePipe.KERNEL32(00473BA0,00473BBC,00473AC0,00000000), ref: 004057AC
                                    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00473AD0,00473BA4), ref: 0040581F
                                    • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405877
                                    • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040589C
                                    • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058C9
                                      • Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B
                                    • WriteFile.KERNEL32(00000000,00000000,?,00000000,00471F28,0046306C,00000062,00463050), ref: 004059C4
                                    • Sleep.KERNEL32(00000064,00000062,00463050), ref: 004059DE
                                    • TerminateProcess.KERNEL32(00000000), ref: 004059F7
                                    • CloseHandle.KERNEL32 ref: 00405A03
                                    • CloseHandle.KERNEL32 ref: 00405A0B
                                    • CloseHandle.KERNEL32 ref: 00405A1D
                                    • CloseHandle.KERNEL32 ref: 00405A25
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Similarity
                                    • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                    • String ID: SystemDrive$cmd.exe
                                    • API String ID: 2994406822-3633465311
                                    APIs
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040AAF0
                                    • FindClose.KERNEL32(00000000), ref: 0040AB0A
                                    • FindNextFileA.KERNEL32(00000000,?), ref: 0040AC2D
                                    • FindClose.KERNEL32(00000000), ref: 0040AC53
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Similarity
                                    • API ID: Find$CloseFile$FirstNext
                                    • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                    • API String ID: 1164774033-3681987949
                                    APIs
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040ACF0
                                    • FindClose.KERNEL32(00000000), ref: 0040AD0A
                                    • FindNextFileA.KERNEL32(00000000,?), ref: 0040ADCA
                                    • FindClose.KERNEL32(00000000), ref: 0040ADF0
                                    • FindClose.KERNEL32(00000000), ref: 0040AE11
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Similarity
                                    • API ID: Find$Close$File$FirstNext
                                    • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                    • API String ID: 3527384056-432212279
                                    APIs
                                    • OpenClipboard.USER32 ref: 00414EC2
                                    • EmptyClipboard.USER32 ref: 00414ED0
                                    • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 00414EF0
                                    • GlobalLock.KERNEL32(00000000), ref: 00414EF9
                                    • GlobalUnlock.KERNEL32(00000000), ref: 00414F2F
                                    • SetClipboardData.USER32(0000000D,00000000), ref: 00414F38
                                    • CloseClipboard.USER32 ref: 00414F55
                                    • OpenClipboard.USER32 ref: 00414F5C
                                    • GetClipboardData.USER32(0000000D), ref: 00414F6C
                                    • GlobalLock.KERNEL32(00000000), ref: 00414F75
                                    • GlobalUnlock.KERNEL32(00000000), ref: 00414F7E
                                    • CloseClipboard.USER32 ref: 00414F84
                                      • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Similarity
                                    • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                    • String ID:
                                    • API String ID: 3520204547-0
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 0$1$2$3$4$5$6$7
                                    • API String ID: 0-3177665633
                                    APIs
                                    • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004727F8), ref: 00418714
                                    • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00418763
                                    • GetLastError.KERNEL32 ref: 00418771
                                    • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 004187A9
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Similarity
                                    • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                    • String ID:
                                    • API String ID: 3587775597-0
                                    APIs
                                    • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040B2DC
                                    • FindNextFileW.KERNEL32(00000000,?), ref: 0040B3AF
                                    • FindClose.KERNEL32(00000000), ref: 0040B3BE
                                    • FindClose.KERNEL32(00000000), ref: 0040B3E9
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Similarity
                                    • API ID: Find$CloseFile$FirstNext
                                    • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                    • API String ID: 1164774033-405221262
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00471E78,?), ref: 0041A076
                                    • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00471E78,?), ref: 0041A0A6
                                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00471E78,?), ref: 0041A118
                                    • DeleteFileW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A125
                                      • Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A0FB
                                    • GetLastError.KERNEL32(?,?,?,?,?,00471E78,?), ref: 0041A146
                                    • FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A15C
                                    • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A163
                                    • FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A16C
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Similarity
                                    • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                    • String ID:
                                    • API String ID: 2341273852-0
                                    APIs
                                      • Part of subcall function 00410201: SetLastError.KERNEL32(0000000D,00410781,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 00410207
                                    • SetLastError.KERNEL32(000000C1,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 0041079C
                                    • GetNativeSystemInfo.KERNEL32(?,?,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 0041080A
                                    • SetLastError.KERNEL32(0000000E), ref: 0041082E
                                      • Part of subcall function 00410708: VirtualAlloc.KERNEL32(00000000,00000000,00000000,00000000,0041084C,?,00000000,00003000,00000004,00000000), ref: 00410718
                                    • GetProcessHeap.KERNEL32(00000008,00000040), ref: 00410875
                                    • HeapAlloc.KERNEL32(00000000), ref: 0041087C
                                    • SetLastError.KERNEL32(0000045A), ref: 0041098F
                                      • Part of subcall function 00410ADC: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,0041099C), ref: 00410B4C
                                      • Part of subcall function 00410ADC: HeapFree.KERNEL32(00000000), ref: 00410B53
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Similarity
                                    • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                    • String ID: $.F
                                    • API String ID: 3950776272-1421728423
                                    APIs
                                    • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040935B
                                    • SetWindowsHookExA.USER32(0000000D,0040932C,00000000), ref: 00409369
                                    • GetLastError.KERNEL32 ref: 00409375
                                      • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004093C3
                                    • TranslateMessage.USER32(?), ref: 004093D2
                                    • DispatchMessageA.USER32(?), ref: 004093DD
                                    Strings
                                    • Keylogger initialization failure: error , xrefs: 00409389
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Similarity
                                    • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                    • String ID: Keylogger initialization failure: error
                                    • API String ID: 3219506041-952744263
                                    APIs
                                    • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004129B8
                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004129C4
                                      • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                    • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 00412CBA
                                    • GetProcAddress.KERNEL32(00000000), ref: 00412CC1
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Similarity
                                    • API ID: AddressCloseCreateLibraryLoadProcsend
                                    • String ID: SHDeleteKeyW$Shlwapi.dll
                                    • API String ID: 2127411465-314212984
                                    APIs
                                    • _free.LIBCMT ref: 00446741
                                    • _free.LIBCMT ref: 00446765
                                    • _free.LIBCMT ref: 004468EC
                                    • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045C1E4), ref: 004468FE
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F754,000000FF,00000000,0000003F,00000000,?,?), ref: 00446976
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F7A8,000000FF,?,0000003F,00000000,?), ref: 004469A3
                                    • _free.LIBCMT ref: 00446AB8
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Similarity
                                    • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                    • String ID:
                                    • API String ID: 314583886-0
                                    APIs
                                      • Part of subcall function 00411F34: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?), ref: 00411F54
                                      • Part of subcall function 00411F34: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,00000000), ref: 00411F72
                                      • Part of subcall function 00411F34: RegCloseKey.ADVAPI32(?), ref: 00411F7D
                                    • Sleep.KERNEL32(00000BB8), ref: 0040E243
                                    • ExitProcess.KERNEL32 ref: 0040E2B4
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Similarity
                                    • API ID: CloseExitOpenProcessQuerySleepValue
                                    • String ID: 3.8.0 Pro$override$pth_unenc$!G
                                    • API String ID: 2281282204-1386060931
                                    APIs
                                    • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00419392
                                    • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 004193A8
                                    • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 004193C1
                                    • InternetCloseHandle.WININET(00000000), ref: 00419407
                                    • InternetCloseHandle.WININET(00000000), ref: 0041940A
                                    Strings
                                    • http://geoplugin.net/json.gp, xrefs: 004193A2
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$CloseHandleOpen$FileRead
                                    • String ID: http://geoplugin.net/json.gp
                                    • API String ID: 3121278467-91888290
                                    • Opcode ID: ef2ec91d27aa09046ea65f67fa3d050ef1f1622cef503f288a816c5549269c7a
                                    • Instruction ID: 9fad89c028030122b1819b6a874fefb9d729214f45c39af6bed7b2b06c6e4f32
                                    • Opcode Fuzzy Hash: ef2ec91d27aa09046ea65f67fa3d050ef1f1622cef503f288a816c5549269c7a
                                    • Instruction Fuzzy Hash: 3311C8311053126BD224EF169C59DABBF9CEF85765F40053EF905A32C1DBA8DC44C6A9
                                    APIs
                                    • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040A98F
                                    • GetLastError.KERNEL32 ref: 0040A999
                                    Strings
                                    • [Chrome StoredLogins not found], xrefs: 0040A9B3
                                    • UserProfile, xrefs: 0040A95F
                                    • [Chrome StoredLogins found, cleared!], xrefs: 0040A9BF
                                    • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040A95A
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: DeleteErrorFileLast
                                    • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                    • API String ID: 2018770650-1062637481
                                    • Opcode ID: c755599410c6c02e55073cedb3b03e5beee3eb12ab5711b2b25ec6cbfe43ec22
                                    • Instruction ID: b2134abed7c3f614b53a5a28bf05479c5c2a11b403a78876888f6ce5fd1f590e
                                    • Opcode Fuzzy Hash: c755599410c6c02e55073cedb3b03e5beee3eb12ab5711b2b25ec6cbfe43ec22
                                    • Instruction Fuzzy Hash: 7801F271B9020466CA047A75DC2B8BE7728A921304B90057FF402732E2FE7D8A1586CF
                                    APIs
                                    • GetCurrentProcess.KERNEL32(00000028,?), ref: 00415C9D
                                    • OpenProcessToken.ADVAPI32(00000000), ref: 00415CA4
                                    • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00415CB6
                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00415CD5
                                    • GetLastError.KERNEL32 ref: 00415CDB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                    • String ID: SeShutdownPrivilege
                                    • API String ID: 3534403312-3733053543
                                    • Opcode ID: 6b6a245ea7d04d36a7da703741a32f9ec851e6ff0cbdb80aef66d6ce6c3f9121
                                    • Instruction ID: ffc0972e6e84a8b4c82c7ff824774f91a9d221977230a9de1ecf93d0fe8dbf87
                                    • Opcode Fuzzy Hash: 6b6a245ea7d04d36a7da703741a32f9ec851e6ff0cbdb80aef66d6ce6c3f9121
                                    • Instruction Fuzzy Hash: 0AF03A71901229ABDB10ABA1ED4DEEF7F7CEF05616F510060B805A2152D6749A04CAB5
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 00408393
                                      • Part of subcall function 004048A8: connect.WS2_32(?,?,?), ref: 004048C0
                                      • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040842F
                                    • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040848D
                                    • FindNextFileW.KERNEL32(00000000,?), ref: 004084E5
                                    • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 004084FC
                                      • Part of subcall function 00404E06: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E18
                                      • Part of subcall function 00404E06: SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E23
                                      • Part of subcall function 00404E06: FindCloseChangeNotification.KERNELBASE(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E2C
                                    • FindClose.KERNEL32(00000000), ref: 004086F4
                                      • Part of subcall function 00404A81: WaitForSingleObject.KERNEL32(?,00000000,00401A25,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000), ref: 00404B27
                                      • Part of subcall function 00404A81: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000,?,?,?,?,?,00401A25), ref: 00404B55
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$Close$EventFileObjectSingleWait$ChangeException@8FirstH_prologNextNotificationThrowconnectsend
                                    • String ID:
                                    • API String ID: 2435342581-0
                                    • Opcode ID: fe1b7685708ab651bcf0735ee0d7b313b9460d78bb97c14bdd2e97ece23dd4dd
                                    • Instruction ID: 071b26812b5e49f88d0361c7bacc9152bfce797c8686ce15524b94070306fde2
                                    • Opcode Fuzzy Hash: fe1b7685708ab651bcf0735ee0d7b313b9460d78bb97c14bdd2e97ece23dd4dd
                                    • Instruction Fuzzy Hash: 4FB18D329001099BCB14FBA1CD92AEDB378AF50318F50416FE506B71E2EF785B49CB98
                                    APIs
                                    • GetForegroundWindow.USER32 ref: 0040949C
                                    • GetWindowThreadProcessId.USER32(00000000,?), ref: 004094A7
                                    • GetKeyboardLayout.USER32(00000000), ref: 004094AE
                                    • GetKeyState.USER32(00000010), ref: 004094B8
                                    • GetKeyboardState.USER32(?), ref: 004094C5
                                    • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 004094E1
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
                                    • String ID:
                                    • API String ID: 3566172867-0
                                    • Opcode ID: d901ee0ac73cdc62f5a306cfd6c81765c1cc2556515ef31437eb64726968fe5d
                                    • Instruction ID: c7d3d650b917c490fc12d3d20248521073b1bf92526e1b13c177c4272b1ff9cc
                                    • Opcode Fuzzy Hash: d901ee0ac73cdc62f5a306cfd6c81765c1cc2556515ef31437eb64726968fe5d
                                    • Instruction Fuzzy Hash: B9111E7290020CABDB10DBE4EC49FDA7BBCEB4C706F510465FA08E7191E675EA548BA4
                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,00418656,00000000), ref: 00418A09
                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,00418656,00000000), ref: 00418A1E
                                    • CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A2B
                                    • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,00418656,00000000), ref: 00418A36
                                    • CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A48
                                    • CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A4B
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Service$CloseHandle$Open$ManagerStart
                                    • String ID:
                                    • API String ID: 276877138-0
                                    • Opcode ID: 3fc945a915b8368a843192f93137a5e178334297252c2274446b31ee589ae89c
                                    • Instruction ID: d7e7041197745ae6b8576ac0eea0d71e7d0897d816d6b6e74118e31fa9ec717f
                                    • Opcode Fuzzy Hash: 3fc945a915b8368a843192f93137a5e178334297252c2274446b31ee589ae89c
                                    • Instruction Fuzzy Hash: CAF082711012246FD211EB65EC89DBF2BACDF85BA6B41042BF801931918F78CD49A9B9
                                    APIs
                                    • FindFirstFileW.KERNEL32(00000000,?), ref: 00417D01
                                    • FindNextFileW.KERNEL32(00000000,?,?), ref: 00417DCD
                                      • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$Find$CreateFirstNext
                                    • String ID: H"G$`'G$`'G
                                    • API String ID: 341183262-2774397156
                                    • Opcode ID: 0d80ee79194906e4b22a720edc884f9e90fb3bc84ee362b2e3278aa21dcfc2fa
                                    • Instruction ID: cc65440c5fe1593426504ff8613f72b7370ef7481f3bf724e026da4e35a467e2
                                    • Opcode Fuzzy Hash: 0d80ee79194906e4b22a720edc884f9e90fb3bc84ee362b2e3278aa21dcfc2fa
                                    • Instruction Fuzzy Hash: 138183315083415BC314FB62C996DEFB7A8AF90304F40493FF586671E2EF789A49C69A
                                    APIs
                                      • Part of subcall function 00415C90: GetCurrentProcess.KERNEL32(00000028,?), ref: 00415C9D
                                      • Part of subcall function 00415C90: OpenProcessToken.ADVAPI32(00000000), ref: 00415CA4
                                      • Part of subcall function 00415C90: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00415CB6
                                      • Part of subcall function 00415C90: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00415CD5
                                      • Part of subcall function 00415C90: GetLastError.KERNEL32 ref: 00415CDB
                                    • ExitWindowsEx.USER32(00000000,00000001), ref: 00414E56
                                    • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00414E6B
                                    • GetProcAddress.KERNEL32(00000000), ref: 00414E72
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                    • String ID: PowrProf.dll$SetSuspendState
                                    • API String ID: 1589313981-1420736420
                                    • Opcode ID: a90733ccfc111f0b9843f199546f20f3a5fde930ee9984aa821316ce92a955c1
                                    • Instruction ID: 748c18e79ee5f9a1fbb6f05bd7ad52209f91b0004c4d1b0055552a3b76c5c1f9
                                    • Opcode Fuzzy Hash: a90733ccfc111f0b9843f199546f20f3a5fde930ee9984aa821316ce92a955c1
                                    • Instruction Fuzzy Hash: 5F214F7070430157CE14FBB19896AAF6359AFD4349F40097FB5026B2D2EE7DCC4986AE
                                    APIs
                                    • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0044F93B,?,00000000), ref: 0044F6B5
                                    • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0044F93B,?,00000000), ref: 0044F6DE
                                    • GetACP.KERNEL32(?,?,0044F93B,?,00000000), ref: 0044F6F3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: InfoLocale
                                    • String ID: ACP$OCP
                                    • API String ID: 2299586839-711371036
                                    • Opcode ID: bf4880e5188eb12a7c294a6f25afa26b03a49e2ed1ffce5823e951fdb7c5b330
                                    • Instruction ID: bf1e89585aec8fc6a823a5c6a63220f2d7696aba51182a9853130589b0d37fa4
                                    • Opcode Fuzzy Hash: bf4880e5188eb12a7c294a6f25afa26b03a49e2ed1ffce5823e951fdb7c5b330
                                    • Instruction Fuzzy Hash: 2221C122A00101A6F7348F24C901A9B73AAAF50B65F578577E809C7221FB36DD4BC398
                                    APIs
                                    • GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                                    • wsprintfW.USER32 ref: 0040A13F
                                      • Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: EventLocalTimewsprintf
                                    • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                    • API String ID: 1497725170-248792730
                                    • Opcode ID: 87b5f94750da63fef2f6cded4e82116a79e8327da2086fd1d9a035c3abd0ab33
                                    • Instruction ID: 6803640c9eec9339f7c785541c6425a10534024a2ea1efda602809c990ee83c1
                                    • Opcode Fuzzy Hash: 87b5f94750da63fef2f6cded4e82116a79e8327da2086fd1d9a035c3abd0ab33
                                    • Instruction Fuzzy Hash: 5E114272504118AAC708FB96EC558FE77BCEE48315B00412FF806661D2EF7C5A46D6A9
                                    APIs
                                    • FindResourceA.KERNEL32(SETTINGS,0000000A), ref: 004194A4
                                    • LoadResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194B8
                                    • LockResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194BF
                                    • SizeofResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194CE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Resource$FindLoadLockSizeof
                                    • String ID: SETTINGS
                                    • API String ID: 3473537107-594951305
                                    • Opcode ID: 7f61ee72686a272b8f551de58b86ae3e218e906a9fde472ee07ff8038d16bca4
                                    • Instruction ID: a9e8191b24fee58836060ebd07e0bd7776b83e69f4e337d8cda710b4f32c44fb
                                    • Opcode Fuzzy Hash: 7f61ee72686a272b8f551de58b86ae3e218e906a9fde472ee07ff8038d16bca4
                                    • Instruction Fuzzy Hash: 72E01A76200710ABCB211FA1FC5CD273E69F799B537050035FA0183222DA75CC00CA19
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 004087A5
                                    • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040881D
                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00408846
                                    • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040885D
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstH_prologNext
                                    • String ID:
                                    • API String ID: 1157919129-0
                                    • Opcode ID: 723ee23fa97bb8f6af8cca5773ea7e68c839743d70c3dbe8a8860bd87f8337b2
                                    • Instruction ID: 37d480644902bd8bd77a9749fd647df5a3db5b19bbca398f696489d34b7b99bb
                                    • Opcode Fuzzy Hash: 723ee23fa97bb8f6af8cca5773ea7e68c839743d70c3dbe8a8860bd87f8337b2
                                    • Instruction Fuzzy Hash: 12814D329001199BCB15EBA1DD929ED73B8AF54308F10427FE446B71E2EF385B49CB98
                                    APIs
                                      • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                      • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                      • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                      • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                      • Part of subcall function 00445725: _free.LIBCMT ref: 00445784
                                      • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                                    • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0044F8FC
                                    • IsValidCodePage.KERNEL32(00000000), ref: 0044F957
                                    • IsValidLocale.KERNEL32(?,00000001), ref: 0044F966
                                    • GetLocaleInfoW.KERNEL32(?,00001001,00441F7E,00000040,?,0044209E,00000055,00000000,?,?,00000055,00000000), ref: 0044F9AE
                                    • GetLocaleInfoW.KERNEL32(?,00001002,00441FFE,00000040), ref: 0044F9CD
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                    • String ID:
                                    • API String ID: 745075371-0
                                    • Opcode ID: b2004c1cc1df407676deb5a86971a5ed3ade22d67ad87857b151b1318ee5498f
                                    • Instruction ID: 3a6be996f1d9ea25600d7609fa1d0555167a50dcc121ad64ff78238f3932635f
                                    • Opcode Fuzzy Hash: b2004c1cc1df407676deb5a86971a5ed3ade22d67ad87857b151b1318ee5498f
                                    • Instruction Fuzzy Hash: 0351A271900215AFFB20EFA5DC41BBF77B8AF08301F05447BE914EB251E7789A088769
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 0040784D
                                    • FindFirstFileW.KERNEL32(00000000,?,004632A8,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407906
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040792E
                                    • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040793B
                                    • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407A51
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                    • String ID:
                                    • API String ID: 1771804793-0
                                    • Opcode ID: d2b2406fb78086a357800fb68e00157406e6bc822482aaceecce54b7553cb521
                                    • Instruction ID: 4b9324871479917b5af30c26e04a30266e6971a3e86a210f007197118c0b57fe
                                    • Opcode Fuzzy Hash: d2b2406fb78086a357800fb68e00157406e6bc822482aaceecce54b7553cb521
                                    • Instruction Fuzzy Hash: 18516372904208AACB04FBA1DD969DD7778AF11308F50417FB846771E2EF389B49CB99
                                    APIs
                                      • Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E305
                                    • Process32FirstW.KERNEL32(00000000,?), ref: 0040E329
                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E338
                                    • CloseHandle.KERNEL32(00000000), ref: 0040E4EF
                                      • Part of subcall function 00419F51: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040DFB9,00000000,?,?,00000001), ref: 00419F66
                                      • Part of subcall function 00419F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00419F9C
                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E4E0
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ProcessProcess32$NextOpen$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                    • String ID:
                                    • API String ID: 1735047541-0
                                    • Opcode ID: 6f438c647af3f64ff81423d8645069480e61c42badef12e757d9f04d87e397aa
                                    • Instruction ID: 9ef93eb2fb75da2762b4731e21c5b8dc01158be40bd3d18dbb98703d8f1b3e60
                                    • Opcode Fuzzy Hash: 6f438c647af3f64ff81423d8645069480e61c42badef12e757d9f04d87e397aa
                                    • Instruction Fuzzy Hash: 904101311082415BC365F761D991EEFB3A8AFD4344F50493EF48A921E2EF38994AC75A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: A%E$A%E
                                    • API String ID: 0-137320553
                                    • Opcode ID: 4196e068c390569144ba97144776be62b0eb254e97c7fe9274842686a6009a67
                                    • Instruction ID: 1c47d48333aa2aee23a91f6ecd96940ee01f0d1a5fc0d697d822b355cdd05c70
                                    • Opcode Fuzzy Hash: 4196e068c390569144ba97144776be62b0eb254e97c7fe9274842686a6009a67
                                    • Instruction Fuzzy Hash: C4022E71E002199BEF14CFA9C8806AEF7F1EF88715F25816AE819E7341D735AE45CB84
                                    APIs
                                    • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041A861
                                      • Part of subcall function 0041215F: RegCreateKeyA.ADVAPI32(80000001,00000000,00000000), ref: 0041216E
                                      • Part of subcall function 0041215F: RegSetValueExA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,00412385,?,00000000), ref: 00412196
                                      • Part of subcall function 0041215F: RegCloseKey.ADVAPI32(00000000,?,?,?,00412385,?,00000000), ref: 004121A1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseCreateInfoParametersSystemValue
                                    • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                    • API String ID: 4127273184-3576401099
                                    • Opcode ID: 5150ba5cc6bca268b63238cec6e219cc56e1651da33e9e1a7eed9394c1e9f3e3
                                    • Instruction ID: 146807b905f8226e4159dba151db05d0611ea4827dca33b530162433be1e3f9d
                                    • Opcode Fuzzy Hash: 5150ba5cc6bca268b63238cec6e219cc56e1651da33e9e1a7eed9394c1e9f3e3
                                    • Instruction Fuzzy Hash: 7C119671F8024037D514353A4D6BBAE18199343B50F54016BB6022B6CAF8EE4EA553DF
                                    APIs
                                      • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                      • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                      • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                      • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                    • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00441F85,?,?,?,?,004419DC,?,00000004), ref: 0044EF9A
                                    • _wcschr.LIBVCRUNTIME ref: 0044F02A
                                    • _wcschr.LIBVCRUNTIME ref: 0044F038
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00441F85,00000000,004420A5), ref: 0044F0DB
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                    • String ID:
                                    • API String ID: 4212172061-0
                                    • Opcode ID: 2958d0d59106b2716bbf9024854ff4f325b6253e079e5f73fc6a0a954244a96d
                                    • Instruction ID: 651119c321e801f17dd1a7ba429a2dceeb4aa1bed9d5f8a21b6634afb1069130
                                    • Opcode Fuzzy Hash: 2958d0d59106b2716bbf9024854ff4f325b6253e079e5f73fc6a0a954244a96d
                                    • Instruction Fuzzy Hash: 8E61E935600606AAFB24AB36DC46BB773A8FF44714F14047FF905D7282EB78E9488769
                                    APIs
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004064D2
                                    • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004065B6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: DownloadExecuteFileShell
                                    • String ID: open
                                    • API String ID: 2825088817-2758837156
                                    • Opcode ID: 1ef1fcb5ee927166ed2bf606d15835eaf54d5e513457301e62ecff7219cb06ab
                                    • Instruction ID: de45ecf938be0b84f02b1b366aeabb591a3e89dbb22835c7232af05a142efef6
                                    • Opcode Fuzzy Hash: 1ef1fcb5ee927166ed2bf606d15835eaf54d5e513457301e62ecff7219cb06ab
                                    • Instruction Fuzzy Hash: 6F61D331A0430167CA14FB75D8A697E77A99F81708F00093FFD42772D6EE3D8A09869B
                                    APIs
                                      • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                      • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                      • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                      • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                      • Part of subcall function 00445725: _free.LIBCMT ref: 00445784
                                      • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F2F7
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F348
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F408
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorInfoLastLocale$_free$_abort
                                    • String ID:
                                    • API String ID: 2829624132-0
                                    • Opcode ID: 5d155598132bf3b03d9715496123f76655355fd2299683488a64446915391091
                                    • Instruction ID: 12c224c4da0c85949021a4ccaa6d586ab513ef91610cb16151a2099a543b2454
                                    • Opcode Fuzzy Hash: 5d155598132bf3b03d9715496123f76655355fd2299683488a64446915391091
                                    • Instruction Fuzzy Hash: 49617D71600207ABEB289F25CC82B7B77A8EF14314F1041BBED06C6685EB78D949DB58
                                    APIs
                                    • IsDebuggerPresent.KERNEL32 ref: 004399A4
                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004399AE
                                    • UnhandledExceptionFilter.KERNEL32(?), ref: 004399BB
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                    • String ID:
                                    • API String ID: 3906539128-0
                                    • Opcode ID: a2edd11b745fd0db19ae8b75a4dca2fd63e5a3b0d4ecfa6da1b026d4ab375051
                                    • Instruction ID: 77e6618fa9d19f9c50586940e2a7469f5a9d54f298177c93e0bbf68cc30459b4
                                    • Opcode Fuzzy Hash: a2edd11b745fd0db19ae8b75a4dca2fd63e5a3b0d4ecfa6da1b026d4ab375051
                                    • Instruction Fuzzy Hash: 1D31D67591122C9BCB21DF65D9897CDB7B8BF08310F5051EAE40CA72A1E7749F858F48
                                    APIs
                                    • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00431274,00000034,?,?,00000000), ref: 004315FE
                                    • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00431307,00000000,?,00000000), ref: 00431614
                                    • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,00431307,00000000,?,00000000,0041C006), ref: 00431626
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Crypt$Context$AcquireRandomRelease
                                    • String ID:
                                    • API String ID: 1815803762-0
                                    • Opcode ID: 490f37dff30391dd88b2b348f1e17f82ee14bc365aa64bdd7ac48a14519942bc
                                    • Instruction ID: e2f248fbd61bea3c509e9dcbc4a9d000159a3c4e1760f154dd59208f6820a057
                                    • Opcode Fuzzy Hash: 490f37dff30391dd88b2b348f1e17f82ee14bc365aa64bdd7ac48a14519942bc
                                    • Instruction Fuzzy Hash: FDE0923130C310BBEB304F51AC09F172A55EB8DB72FA5063AF112E50F4D6518801855C
                                    APIs
                                    • OpenClipboard.USER32(00000000), ref: 0040A65D
                                    • GetClipboardData.USER32(0000000D), ref: 0040A669
                                    • CloseClipboard.USER32 ref: 0040A671
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Clipboard$CloseDataOpen
                                    • String ID:
                                    • API String ID: 2058664381-0
                                    • Opcode ID: edb8c36ac275bb67b795d66d8e1b797ea5e31e94c4ba3ac6c333071066a6c16d
                                    • Instruction ID: 184f8b84181a4a50bd43ef3289a1c1a9f5b779335cc527adffbe090e77bee848
                                    • Opcode Fuzzy Hash: edb8c36ac275bb67b795d66d8e1b797ea5e31e94c4ba3ac6c333071066a6c16d
                                    • Instruction Fuzzy Hash: 6CE08C3064432097D2206F60EC08B8A66649B50B12F064A7AB849AB2D1DA75DC208AAE
                                    APIs
                                    • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 004329F3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: FeaturePresentProcessor
                                    • String ID:
                                    • API String ID: 2325560087-3916222277
                                    • Opcode ID: 6bf946e24e0cf3f7143bf6f7c2898541fb51292b7eeb3b4358a3a41aa26ebfb9
                                    • Instruction ID: 4a1c44cf8a386737ece403ae0cfd22a47b20ce31fd9c2d8f3958115f99bf9d9d
                                    • Opcode Fuzzy Hash: 6bf946e24e0cf3f7143bf6f7c2898541fb51292b7eeb3b4358a3a41aa26ebfb9
                                    • Instruction Fuzzy Hash: E4514A719002099BDB24CFAAD98579ABBF4FF48314F14846BD815EB350E3B9A910CFA5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: .
                                    • API String ID: 0-248832578
                                    • Opcode ID: 0742d3138d3954d6b0adc7bce21f8647b4e5777487e1ab8e88fa8e0c5db588f4
                                    • Instruction ID: 24926096c943187a016d953fe808ce2acf1242cb654f72e39a34338bfc4b4f1c
                                    • Opcode Fuzzy Hash: 0742d3138d3954d6b0adc7bce21f8647b4e5777487e1ab8e88fa8e0c5db588f4
                                    • Instruction Fuzzy Hash: 0E3108719002486FEB248E79CC84EEB7BBDDB45304F14419EF858D7251EB34EE418B94
                                    APIs
                                    • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004419DC,?,00000004), ref: 00445E6F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: InfoLocale
                                    • String ID: GetLocaleInfoEx
                                    • API String ID: 2299586839-2904428671
                                    • Opcode ID: 020099d0525865bb6834e28ad9152f433c6e4676045ed3ecc95ad7b7c68cac6a
                                    • Instruction ID: a9bb3d2992a9d1fe8e60343c55b6d981a628f421e7cf107d295b861f9edee2c3
                                    • Opcode Fuzzy Hash: 020099d0525865bb6834e28ad9152f433c6e4676045ed3ecc95ad7b7c68cac6a
                                    • Instruction Fuzzy Hash: 6DF0F631600708BBDF016F619C05F6E7B51EB14721F10401BFC051A253CA758D109A9D
                                    APIs
                                    • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 004068E8
                                    • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 004069B0
                                      • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: FileFind$FirstNextsend
                                    • String ID:
                                    • API String ID: 4113138495-0
                                    • Opcode ID: e3ef31e205124b2d37ce34f80ed01c56440b36d419931c260197812f3169fbb8
                                    • Instruction ID: f886cb8170a1cbefaa312452e39d18d6cd017e90ab843946bfd6f4b2f28fefe7
                                    • Opcode Fuzzy Hash: e3ef31e205124b2d37ce34f80ed01c56440b36d419931c260197812f3169fbb8
                                    • Instruction Fuzzy Hash: 9C218F711043015BC314FBA1DC96CEFB7ACAF91358F400A3EF596621E1EF389A09CA5A
                                    APIs
                                      • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                      • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                      • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                      • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                      • Part of subcall function 00445725: _free.LIBCMT ref: 00445784
                                      • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F547
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast$_free$InfoLocale_abort
                                    • String ID:
                                    • API String ID: 1663032902-0
                                    • Opcode ID: ad0e0b7788e936bcfdd9e0a2c8ea1aecabb77b710f5984c66624a7eb150c0fcd
                                    • Instruction ID: 815750de5804ab4a8f75770bcc990d44dba9c2967eca50803adc2dd3443e40da
                                    • Opcode Fuzzy Hash: ad0e0b7788e936bcfdd9e0a2c8ea1aecabb77b710f5984c66624a7eb150c0fcd
                                    • Instruction Fuzzy Hash: 6421B372901206BBEF249F26DC45A7A73A8EB04315F10017BFD01C6242EB78AD59CB59
                                    APIs
                                      • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                      • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                      • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                      • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                    • EnumSystemLocalesW.KERNEL32(0044F2A3,00000001,00000000,?,00441F7E,?,0044F8D0,00000000,?,?,?), ref: 0044F1ED
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                    • String ID:
                                    • API String ID: 1084509184-0
                                    • Opcode ID: 1e67477eb4f1d9c825940ef83573ecb2aed64948dc5e5734fb002b4aa87f20f9
                                    • Instruction ID: fc4c71b657a69648ba6c32e8c27400de65702582941300ca2eca7bc8fd592fd6
                                    • Opcode Fuzzy Hash: 1e67477eb4f1d9c825940ef83573ecb2aed64948dc5e5734fb002b4aa87f20f9
                                    • Instruction Fuzzy Hash: D811293B6007019FEB189F39D89167BBB91FF80358B14443DE94647B40D776A946C744
                                    APIs
                                      • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                      • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                      • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                      • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                    • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0044F4C1,00000000,00000000,?), ref: 0044F74F
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast$InfoLocale_abort_free
                                    • String ID:
                                    • API String ID: 2692324296-0
                                    • Opcode ID: c5ca8868f81a5dafb3fdb259ff2b8ec3965b2bfb8aabdce9695f87c3ae70661f
                                    • Instruction ID: e4b95bc4a5e1061338a04706472302caa06a68982d3ebb8569a44a178f9f49d5
                                    • Opcode Fuzzy Hash: c5ca8868f81a5dafb3fdb259ff2b8ec3965b2bfb8aabdce9695f87c3ae70661f
                                    • Instruction Fuzzy Hash: 09F02D36600516BBFB245B65DC05BBB7768EF40764F05447AEC19A3240EA7CFD05C6D4
                                    APIs
                                      • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                      • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                      • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                      • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                    • EnumSystemLocalesW.KERNEL32(0044F4F3,00000001,?,?,00441F7E,?,0044F894,00441F7E,?,?,?,?,?,00441F7E,?,?), ref: 0044F262
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                    • String ID:
                                    • API String ID: 1084509184-0
                                    • Opcode ID: d9e72da5ca64d0dbd4f9725887adba7bc59a573407832ad1990d17eaaac4c4d9
                                    • Instruction ID: 7c38563944de2097393583401858843e6c2e12a799e64e453201a09b71e8bce8
                                    • Opcode Fuzzy Hash: d9e72da5ca64d0dbd4f9725887adba7bc59a573407832ad1990d17eaaac4c4d9
                                    • Instruction Fuzzy Hash: 44F0223A2007045FEB145F399881A7B7B94FF8036CB15447EF9458B690DAB6AC068614
                                    APIs
                                    • GetUserNameW.ADVAPI32(?,00000010), ref: 0041962D
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: NameUser
                                    • String ID:
                                    • API String ID: 2645101109-0
                                    • Opcode ID: 8951ed9e5e96f4eef37346a31dc1e1cfc055faec67558bb1b1f4eabc83ab8062
                                    • Instruction ID: 5ca8c18713c22ae7facf93a828c8627c995cdb1c7496207664ac88b3b4335c79
                                    • Opcode Fuzzy Hash: 8951ed9e5e96f4eef37346a31dc1e1cfc055faec67558bb1b1f4eabc83ab8062
                                    • Instruction Fuzzy Hash: 7C01FF7290011CABCB04EBD5DC45EDEB7BCEF44319F10016AB505B61A5EEB46A89CB98
                                    APIs
                                      • Part of subcall function 00442D9A: EnterCriticalSection.KERNEL32(?,?,004404DB,00000000,0046B4D8,0000000C,00440496,?,?,?,00443038,?,?,004457DA,00000001,00000364), ref: 00442DA9
                                    • EnumSystemLocalesW.KERNEL32(004458CE,00000001,0046B680,0000000C), ref: 0044594C
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CriticalEnterEnumLocalesSectionSystem
                                    • String ID:
                                    • API String ID: 1272433827-0
                                    • Opcode ID: 9f071f7aa8f2d5cfdb4dd86670e259d2fa7dae68b4529c3cbc217272811744e5
                                    • Instruction ID: 57fcd2d1ba6fdacad71b84952267562ddc6b8062f8818d57533dd41bf3368d71
                                    • Opcode Fuzzy Hash: 9f071f7aa8f2d5cfdb4dd86670e259d2fa7dae68b4529c3cbc217272811744e5
                                    • Instruction Fuzzy Hash: CFF03C72A10700EFEB00EF69D846B5D77F0EB08325F10402AF400DB2A2DAB989448B5E
                                    APIs
                                      • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                      • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                      • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                      • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                    • EnumSystemLocalesW.KERNEL32(0044F087,00000001,?,?,?,0044F8F2,00441F7E,?,?,?,?,?,00441F7E,?,?,?), ref: 0044F167
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                    • String ID:
                                    • API String ID: 1084509184-0
                                    • Opcode ID: 27fc750af04bae75093f47f6c8e3f33632e5f31a47d704513601fd173c54c35f
                                    • Instruction ID: 407cbbfb1d6a14fdc0c4ba4a8479f65f1c0a46e2fba7f2f7bc53bc9e3406d240
                                    • Opcode Fuzzy Hash: 27fc750af04bae75093f47f6c8e3f33632e5f31a47d704513601fd173c54c35f
                                    • Instruction Fuzzy Hash: 22F05C3930020597DB049F35D845A7ABFA0EFC1754F060069EA058B651C6359C46C754
                                    APIs
                                    • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00413F34,00471E78,00472910,00471E78,00000000,00471E78,00000000,00471E78,3.8.0 Pro), ref: 0040E2CF
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: InfoLocale
                                    • String ID:
                                    • API String ID: 2299586839-0
                                    • Opcode ID: 856777f14b9a4662401ba442cf494b6ebb80c668ca2d98772b8c18b49fbcc60a
                                    • Instruction ID: e43a985d938ffd5d313bbeec62feab64fa47c80c67ee5e1720aa7bcbe65aeca7
                                    • Opcode Fuzzy Hash: 856777f14b9a4662401ba442cf494b6ebb80c668ca2d98772b8c18b49fbcc60a
                                    • Instruction Fuzzy Hash: 65D05E30B4421C7BEA10D6859C0AEAA7B9CD701B62F0001A6BA08D72D0E9E1AE0487E6
                                    APIs
                                    • SetUnhandledExceptionFilter.KERNEL32(Function_00032908,0043262F), ref: 00432901
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled
                                    • String ID:
                                    • API String ID: 3192549508-0
                                    • Opcode ID: 937b0859e2ecbaa4ed0ef4ac8f36e04938c9481000da7c0a06be09f57d080333
                                    • Instruction ID: aee9a4537fe14d989eba5338f3e0e07ed20d0bd3150f914eab3e23255f36ef43
                                    • Opcode Fuzzy Hash: 937b0859e2ecbaa4ed0ef4ac8f36e04938c9481000da7c0a06be09f57d080333
                                    • Instruction Fuzzy Hash:

                                     Control-flow Graph
                                     • Function 416e7e (screen-capture routine: CreateDCA, CreateCompatibleDC, CreateCompatibleBitmap, SelectObject, StretchBlt, GetIconInfo, DrawIcon, GetObjectA, LocalAlloc, GlobalAlloc, GetDIBits): executed / not-executed basic-block graph; the raw edge list is not reproduced here.
                                    APIs
                                    • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00416E98
                                    • CreateCompatibleDC.GDI32(00000000), ref: 00416EA5
                                      • Part of subcall function 004172DF: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 0041730F
                                    • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00416F1B
                                    • DeleteDC.GDI32(00000000), ref: 00416F32
                                    • DeleteDC.GDI32(00000000), ref: 00416F35
                                    • DeleteObject.GDI32(00000000), ref: 00416F38
                                    • SelectObject.GDI32(00000000,00000000), ref: 00416F59
                                    • DeleteDC.GDI32(00000000), ref: 00416F6A
                                    • DeleteDC.GDI32(00000000), ref: 00416F6D
                                    • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00416F91
                                    • GetIconInfo.USER32(?,?), ref: 00416FC5
                                    • DeleteObject.GDI32(?), ref: 00416FF4
                                    • DeleteObject.GDI32(?), ref: 00417001
                                    • DrawIcon.USER32(00000000,?,?,?), ref: 0041700E
                                    • GetObjectA.GDI32(00000000,00000018,?), ref: 00417026
                                    • LocalAlloc.KERNEL32(00000040,00000001), ref: 00417095
                                    • GlobalAlloc.KERNEL32(00000000,?), ref: 00417104
                                    • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00417128
                                    • DeleteDC.GDI32(?), ref: 0041713C
                                    • DeleteDC.GDI32(00000000), ref: 0041713F
                                    • DeleteObject.GDI32(00000000), ref: 00417142
                                    • GlobalFree.KERNEL32(?), ref: 0041714D
                                    • DeleteObject.GDI32(00000000), ref: 00417201
                                    • GlobalFree.KERNEL32(?), ref: 00417208
                                    • DeleteDC.GDI32(?), ref: 00417218
                                    • DeleteDC.GDI32(00000000), ref: 00417223
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                                    • String ID: DISPLAY
                                    • API String ID: 479521175-865373369
                                    • Opcode ID: 1a3d4f3de887f4170ad339b02c00c27acc1d1d199adb59c50c414d62b5943ebe
                                    • Instruction ID: 4ba325f74191387ade15767708145f982ef5b1c7ca4df498548f130554e7309d
                                    • Opcode Fuzzy Hash: 1a3d4f3de887f4170ad339b02c00c27acc1d1d199adb59c50c414d62b5943ebe
                                    • Instruction Fuzzy Hash: 6FB16A315083009FD720DF24DC44BABBBE9EF88755F41482EF98993291DB38E945CB5A
                                    APIs
                                    • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00416474
                                    • GetProcAddress.KERNEL32(00000000), ref: 00416477
                                    • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00416488
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041648B
                                    • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041649C
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041649F
                                    • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004164B0
                                    • GetProcAddress.KERNEL32(00000000), ref: 004164B3
                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00416555
                                    • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041656D
                                    • GetThreadContext.KERNEL32(?,00000000), ref: 00416583
                                    • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004165A9
                                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041662B
                                    • TerminateProcess.KERNEL32(?,00000000), ref: 0041663F
                                    • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041667F
                                    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00416749
                                    • SetThreadContext.KERNEL32(?,00000000), ref: 00416766
                                    • ResumeThread.KERNEL32(?), ref: 00416773
                                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041678A
                                    • GetCurrentProcess.KERNEL32(?), ref: 00416795
                                    • TerminateProcess.KERNEL32(?,00000000), ref: 004167B0
                                    • GetLastError.KERNEL32 ref: 004167B8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                    • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                    • API String ID: 4188446516-3035715614
                                    • Opcode ID: 5b7e1e0f0ab70bb274c8e1cba5061de31cdd1b1bc4dd29beedf5b9f83fbb8038
                                    • Instruction ID: 94204e0ceb90eb3d518cc699b6b418d02f123724867831e7a48fec904b930286
                                    • Opcode Fuzzy Hash: 5b7e1e0f0ab70bb274c8e1cba5061de31cdd1b1bc4dd29beedf5b9f83fbb8038
                                    • Instruction Fuzzy Hash: 9CA18E71604300AFDB109F64DC85F6B7BE8FB48749F00092AF695D62A1E7B8EC44CB5A
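The API listing above is the classic process-hollowing chain: CreateProcessW with dwCreationFlags 00000004 (CREATE_SUSPENDED) as the sixth argument, GetThreadContext, a 4-byte ReadProcessMemory, then WriteProcessMemory, SetThreadContext and ResumeThread, with ZwUnmapViewOfSection, ZwCreateSection and ZwMapViewOfSection resolved from ntdll beforehand. The following Python is an added example written for this report, not code from Joe Sandbox or from the sample: it parses API lines in the report's own format and flags that chain. It assumes that the extra arguments the sandbox prints after GetModuleHandleA's single parameter are stack slots holding the export name handed to the adjacent GetProcAddress (an interpretation of the trace, not something the report states). The function lines are copied from the record above; the "benign" lines and their addresses 00401000 and 00401020 are constructed for the negative test.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One API line of a Joe Sandbox "APIs" listing. Lines that begin with
# "Part of subcall function XXXX:" are kept but carry the subcall address.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<subfn>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"          # GetLastError has no argument list
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit, 6th CreateProcessW argument

# Constructed input: the API lines of the function at 00416474-004167B8, as
# printed in the report.
SAMPLE_LINES = """
• GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00416474
• GetProcAddress.KERNEL32(00000000), ref: 00416477
• GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00416488
• GetProcAddress.KERNEL32(00000000), ref: 0041648B
• GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041649C
• GetProcAddress.KERNEL32(00000000), ref: 0041649F
• GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004164B0
• GetProcAddress.KERNEL32(00000000), ref: 004164B3
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00416555
• VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041656D
• GetThreadContext.KERNEL32(?,00000000), ref: 00416583
• ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004165A9
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041662B
• TerminateProcess.KERNEL32(?,00000000), ref: 0041663F
• GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041667F
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00416749
• SetThreadContext.KERNEL32(?,00000000), ref: 00416766
• ResumeThread.KERNEL32(?), ref: 00416773
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041678A
• GetCurrentProcess.KERNEL32(?), ref: 00416795
• TerminateProcess.KERNEL32(?,00000000), ref: 004167B0
• GetLastError.KERNEL32 ref: 004167B8
"""

# Constructed negative case (addresses 00401000/00401020 are invented): a
# normal CreateProcessW with flags 0 and no thread-context manipulation.
BENIGN_LINES = """
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00401000
  • Part of subcall function 0041A17B: CreateFileW.KERNEL32(00000004,40000000,00000000), ref: 0041A1BA
• GetLastError.KERNEL32 ref: 00401020
"""


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int
    subfn: Optional[int]  # set for "Part of subcall function" lines


def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = m["args"].split(",") if m["args"] else []
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16),
                             int(m["subfn"], 16) if m["subfn"] else None))
    return calls


def resolved_ntdll_exports(calls):
    """Export names that follow 'ntdll' in GetModuleHandleA's argument dump
    (assumed to be the name pushed for the paired GetProcAddress)."""
    return {c.args[1] for c in calls
            if c.api == "GetModuleHandleA" and len(c.args) >= 2 and c.args[0].lower() == "ntdll"}


def in_order(seq, wanted):
    """True if every name in `wanted` occurs in `seq` in that relative order."""
    it = iter(seq)
    return all(any(name == x for x in it) for name in wanted)


def detect_process_hollowing(calls):
    own = [c for c in calls if c.subfn is None]   # ignore subcall lines
    findings = []
    cp = next((c for c in own if c.api in ("CreateProcessW", "CreateProcessA")), None)
    suspended = bool(cp and len(cp.args) >= 6 and cp.args[5] != "?"
                     and int(cp.args[5], 16) & CREATE_SUSPENDED)
    if suspended:
        findings.append("CreateProcess with CREATE_SUSPENDED (0x4)")
    exports = resolved_ntdll_exports(own)
    unmap = "ZwUnmapViewOfSection" in exports
    remap = {"ZwCreateSection", "ZwMapViewOfSection"} <= exports
    if unmap:
        findings.append("resolves ZwUnmapViewOfSection (hollow out the target image)")
    if remap:
        findings.append("resolves ZwCreateSection + ZwMapViewOfSection (map payload into target)")
    chain = ["GetThreadContext", "WriteProcessMemory", "SetThreadContext", "ResumeThread"]
    chain_ok = in_order([c.api for c in own], chain)
    if chain_ok:
        findings.append(" -> ".join(chain))
    return {"verdict": suspended and chain_ok and (unmap or remap), "findings": findings}


if __name__ == "__main__":
    print(detect_process_hollowing(parse_api_lines(SAMPLE_LINES)))
```

The verdict requires the suspended creation, the context/write/resume chain and at least one of the section-mapping primitives, so a benign loader that merely calls CreateProcessW followed by GetLastError is not flagged. The check is a static one over the sandbox's per-function listing; it says nothing about whether the hollowing branch actually ran.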
                                    APIs
                                      • Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
                                      • Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C0D6
                                    • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C0E9
                                    • SetFileAttributesW.KERNEL32(?,00000080), ref: 0040C102
                                    • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040C132
                                      • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(00409305,00000000,004721E8,0040BC76,?,00472200,pth_unenc,004721E8), ref: 0040A801
                                      • Part of subcall function 0040A7F2: UnhookWindowsHookEx.USER32(?), ref: 0040A811
                                      • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(004092EF,00000000,?,00472200,pth_unenc,004721E8), ref: 0040A823
                                      • Part of subcall function 0041A17B: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040C37D
                                    • ExitProcess.KERNEL32 ref: 0040C389
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                    • String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$H"G$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$t<F$wend$while fso.FileExists("
                                    • API String ID: 1861856835-1953526029
                                    • Opcode ID: 10d0c7ff4f1d806eef4ddcd080fba36a068473baf966d624ed17e78b73616814
                                    • Instruction ID: 20f5f97700cb48a3d0b4a42ff25d793d854bdbfc6fb2dd54058f707cc559a17d
                                    • Opcode Fuzzy Hash: 10d0c7ff4f1d806eef4ddcd080fba36a068473baf966d624ed17e78b73616814
                                    • Instruction Fuzzy Hash: 579180712042405AC314FB62D8929EF77E99F90708F50453FB586B31E3EE789E49C69E
                                    APIs
                                    • CreateMutexA.KERNEL32(00000000,00000001,00000000,00472200,00471FFC,00000000), ref: 00410EF9
                                    • ExitProcess.KERNEL32(00000000), ref: 00410F05
                                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00410F7F
                                    • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00410F8E
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00410F99
                                    • CloseHandle.KERNEL32(00000000), ref: 00410FA0
                                    • GetCurrentProcessId.KERNEL32 ref: 00410FA6
                                    • PathFileExistsW.SHLWAPI(?), ref: 00410FD7
                                    • GetTempPathW.KERNEL32(00000104,?), ref: 0041103A
                                    • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 00411054
                                    • lstrcatW.KERNEL32(?,.exe), ref: 00411066
                                      • Part of subcall function 0041A17B: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA
                                    • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 004110A6
                                    • Sleep.KERNEL32(000001F4), ref: 004110E7
                                    • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004110FC
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00411107
                                    • CloseHandle.KERNEL32(00000000), ref: 0041110E
                                    • GetCurrentProcessId.KERNEL32 ref: 00411114
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                    • String ID: (#G$.exe$H"G$WDH$exepath$open$temp_
                                    • API String ID: 2649220323-71629269
                                    • Opcode ID: 2d259c07ed95d09e60fa5efe04e2d1ca5b77bcbd3679d1c800de5877fac34894
                                    • Instruction ID: 69aa2ac3f34532c799e46254488c9bc95b38e37df126af38d98eea17990f3aaa
                                    • Opcode Fuzzy Hash: 2d259c07ed95d09e60fa5efe04e2d1ca5b77bcbd3679d1c800de5877fac34894
                                    • Instruction Fuzzy Hash: 9D51A671A003196BDF10A7A09C59EEE336D9B04715F5041BBF605A31E2EFBC8E86875D
                                    APIs
                                    • _wcslen.LIBCMT ref: 0040B882
                                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00471FFC), ref: 0040B89B
                                    • CopyFileW.KERNEL32(0046FB08,00000000,00000000,00000000,00000000,00000000,?,00471FFC), ref: 0040B952
                                    • _wcslen.LIBCMT ref: 0040B968
                                    • CopyFileW.KERNEL32(0046FB08,00000000,00000000,00000000), ref: 0040B9E0
                                    • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BA22
                                    • _wcslen.LIBCMT ref: 0040BA25
                                    • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BA3C
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040BC2A
                                    • ExitProcess.KERNEL32 ref: 0040BC36
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$_wcslen$AttributesCopy$CreateDirectoryExecuteExitProcessShell
                                    • String ID: """, 0$6$CreateObject("WScript.Shell").Run "cmd /c ""$Set fso = CreateObject("Scripting.FileSystemObject")$Temp$WScript.Sleep 1000$\install.vbs$fso.DeleteFile $fso.DeleteFile(Wscript.ScriptFullName)$open$!G$!G
                                    • API String ID: 2743683619-2376316431
                                    • Opcode ID: 2d8f1c55d0f0c7d88b14490434e7e409f023ec492faccedf176980d1ad0b2fd8
                                    • Instruction ID: 1f37921bc36cc04280d9be7a1af933bc03f5727a4608831148a2c1203a4a5f71
                                    • Opcode Fuzzy Hash: 2d8f1c55d0f0c7d88b14490434e7e409f023ec492faccedf176980d1ad0b2fd8
                                    • Instruction Fuzzy Hash: CA9161712083415BC218F766DC92EAF77D8AF90708F50043FF546A61E2EE7C9A49C69E
                                    APIs
                                      • Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
                                      • Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BD63
                                    • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040BD76
                                    • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BDA6
                                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BDB5
                                      • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(00409305,00000000,004721E8,0040BC76,?,00472200,pth_unenc,004721E8), ref: 0040A801
                                      • Part of subcall function 0040A7F2: UnhookWindowsHookEx.USER32(?), ref: 0040A811
                                      • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(004092EF,00000000,?,00472200,pth_unenc,004721E8), ref: 0040A823
                                      • Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040BFD0
                                    • ExitProcess.KERNEL32 ref: 0040BFD7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                    • String ID: ")$.vbs$H"G$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                    • API String ID: 3797177996-2974882535
                                    • Opcode ID: 631efead2f1a7aa74ba651dc5d5e4e8b052369c469df6eda5620e8cdf42f0076
                                    • Instruction ID: 6c8f8b33712d81dc7036d24bc004af62d002185c7e194acf753e7914dc64dab3
                                    • Opcode Fuzzy Hash: 631efead2f1a7aa74ba651dc5d5e4e8b052369c469df6eda5620e8cdf42f0076
                                    • Instruction Fuzzy Hash: DD816E716042405AC714FB62D8929EF77A8AF90708F10443FF586A71E2EF789E49C69E
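The three records above (0040B882 with \install.vbs, 0040C0D6 with \update.vbs, and 0040BD63) carry the string fragments the sample stitches into a VBScript that waits for the executable to disappear, deletes files and folders, removes itself with fso.DeleteFile(Wscript.ScriptFullName), and the two Run-key paths it touches. The following Python is an added example, not code from Joe Sandbox or from the sample: it splits a report "String ID" field, discards the pointer-like fragments the sandbox misreads as strings (H"G, t<F, !G), classifies the rest, and turns them into host indicators. It assumes the report joins a function's string references with "$", reports the Run paths under HKCU because RegDeleteKeyA in these records is called with 80000001 (HKEY_CURRENT_USER), and places the .vbs names under %TEMP% because they sit next to the string "Temp" (an inference from co-location, not something the report states).

```python
import re

# Constructed input: the "String ID" fields of the three records, keyed by
# the address of the record's first own API call.
STRING_IDS = {
    "0040C0D6": '""", 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$H"G$On Error Resume Next'
                '$Set fso = CreateObject("Scripting.FileSystemObject")'
                '$Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\'
                '$Software\\Microsoft\\Windows\\CurrentVersion\\Run\\$Temp$\\update.vbs$exepath'
                '$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$t<F$wend'
                '$while fso.FileExists("',
    "0040B882": '""", 0$6$CreateObject("WScript.Shell").Run "cmd /c ""'
                '$Set fso = CreateObject("Scripting.FileSystemObject")$Temp$WScript.Sleep 1000'
                '$\\install.vbs$fso.DeleteFile $fso.DeleteFile(Wscript.ScriptFullName)$open$!G$!G',
    "0040BD63": '")$.vbs$H"G$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")'
                '$Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\'
                '$Software\\Microsoft\\Windows\\CurrentVersion\\Run\\$Temp$exepath$fso.DeleteFile "'
                '$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend'
                '$while fso.FileExists("',
}

VBS_MARKERS = ("Set fso", "fso.", "On Error", "CreateObject(", "WScript.", "while ", "wend")
RUN_KEY = re.compile(r"CurrentVersion\\.*Run\\?$", re.I)


def split_string_id(field):
    """Joe Sandbox joins the strings referenced by a function with '$'."""
    return [s for s in field.split("$") if s]


def is_junk(s):
    """Fragments with fewer than three letters are pointer bytes, not strings."""
    return sum(ch.isalpha() for ch in s) < 3


def classify(field):
    out = {"run_keys": [], "vbs": [], "files": [], "other": []}
    for s in split_string_id(field):
        if is_junk(s):
            continue
        if RUN_KEY.search(s):
            out["run_keys"].append(s)
        elif s.startswith("\\") or s.lower().endswith((".vbs", ".exe")):
            out["files"].append(s)
        elif s.startswith(VBS_MARKERS):
            out["vbs"].append(s)
        else:
            out["other"].append(s)
    return out


def vbs_self_deletes(field):
    """True when the assembled script removes its own file after running."""
    return "fso.DeleteFile(Wscript.ScriptFullName)" in classify(field)["vbs"]


def hunt_indicators(fields):
    """Registry keys and script paths to check on a suspect host.
    HKCU and %TEMP% are the inferences described in the lead-in."""
    keys, scripts = set(), set()
    for f in fields:
        c = classify(f)
        keys.update("HKCU\\" + k.rstrip("\\") for k in c["run_keys"])
        scripts.update("%TEMP%" + s for s in c["files"] if s.startswith("\\"))
    return {"registry": sorted(keys), "scripts": sorted(scripts)}


if __name__ == "__main__":
    for addr, field in STRING_IDS.items():
        print(addr, classify(field))
    print(hunt_indicators(STRING_IDS.values()))
```

The junk filter is deliberately crude: it keeps ".vbs" (three letters) and drops 6, !G and H"G, which is what these records need; on other records a longer opaque string could survive it, so treat the "other" bucket as something to eyeball rather than as clean data.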
                                    APIs
                                    • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 004190F2
                                    • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 00419106
                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00463050), ref: 0041912E
                                    • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00471E78,00000000), ref: 00419144
                                    • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 00419185
                                    • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041919D
                                    • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 004191B2
                                    • SetEvent.KERNEL32 ref: 004191CF
                                    • WaitForSingleObject.KERNEL32(000001F4), ref: 004191E0
                                    • CloseHandle.KERNEL32 ref: 004191F0
                                    • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 00419212
                                    • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041921C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                    • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                                    • API String ID: 738084811-1354618412
                                    • Opcode ID: 86fd4772b83d80fa8e497525ba6a2bc9e4fac7079830c2c2d6cb57e0af13d410
                                    • Instruction ID: 6660e32d934ed13bda46fa62e77153e47455c80990ba371f4f5bcee5a70a39dd
                                    • Opcode Fuzzy Hash: 86fd4772b83d80fa8e497525ba6a2bc9e4fac7079830c2c2d6cb57e0af13d410
                                    • Instruction Fuzzy Hash: 6C5191712043056BD604FB75DC96EBF369CDB81398F10053FF44A621E2EE789D898A6E
                                    APIs
                                    • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9
                                    • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401AE3
                                    • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401AF3
                                    • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B03
                                    • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B13
                                    • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B23
                                    • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B34
                                    • WriteFile.KERNEL32(00000000,0046FA9A,00000002,00000000,00000000), ref: 00401B45
                                    • WriteFile.KERNEL32(00000000,0046FA9C,00000004,00000000,00000000), ref: 00401B55
                                    • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B65
                                    • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B76
                                    • WriteFile.KERNEL32(00000000,0046FAA6,00000002,00000000,00000000), ref: 00401B87
                                    • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401B97
                                    • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BA7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$Write$Create
                                    • String ID: RIFF$WAVE$data$fmt
                                    • API String ID: 1602526932-4212202414
                                    • Opcode ID: e953cdad80a2b5f15463d19f06cbbe214ca4708b9acf4e214683fef01c63ba87
                                    • Instruction ID: fa9573d22dfebaa7cc70b9682dc8642ba3498ee27ac2ec60dc87a96e6c13d219
                                    • Opcode Fuzzy Hash: e953cdad80a2b5f15463d19f06cbbe214ca4708b9acf4e214683fef01c63ba87
                                    • Instruction Fuzzy Hash: 46416F726543197AE210DB91DD85FBB7EECEB85B50F40042AF648D6080E7A4E909DBB3
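The thirteen WriteFile calls above write, in order, the tags RIFF / WAVE / "fmt " / data and the byte counts 4, 4, 2, 2, 4, 4, 2, 2, 4 between them, which is exactly the canonical 44-byte PCM WAV header (RIFF size, fmt chunk size, wFormatTag, nChannels, nSamplesPerSec, nAvgBytesPerSec, nBlockAlign, wBitsPerSample, data size). The following Python is an added example, not code from the sample or from Joe Sandbox: it builds a header with that layout and parses one back with the consistency checks an analyst wants before trusting a recovered recording. The field values used (PCM, mono, 8 kHz, 16-bit) are assumptions; the report shows only the sizes and the four tags.

```python
import struct

# Field widths 4,4,4,4,4,2,2,4,4,2,2,4,4 match the byte counts in the
# WriteFile sequence; total 44 bytes.
HEADER = struct.Struct("<4sI4s4sIHHIIHH4sI")
WAVE_FORMAT_PCM = 1


def build_wav_header(channels, sample_rate, bits, data_len, fmt_tag=WAVE_FORMAT_PCM):
    """Header exactly as the WriteFile sequence lays it out (assumed PCM)."""
    block_align = channels * bits // 8
    return HEADER.pack(b"RIFF", 36 + data_len, b"WAVE", b"fmt ", 16, fmt_tag,
                       channels, sample_rate, sample_rate * block_align,
                       block_align, bits, b"data", data_len)


def parse_wav_header(buf):
    """Decode a 44-byte header; raise on bad magic, report inconsistencies."""
    if len(buf) < HEADER.size:
        raise ValueError("header shorter than 44 bytes")
    (riff, riff_size, wave, fmt, fmt_size, fmt_tag, channels, rate, byte_rate,
     block_align, bits, data, data_len) = HEADER.unpack_from(buf)
    if riff != b"RIFF" or wave != b"WAVE" or fmt != b"fmt " or data != b"data":
        raise ValueError("not a canonical RIFF/WAVE/fmt /data header")
    problems = []
    if fmt_size != 16:
        problems.append("fmt chunk size != 16")
    if block_align != channels * bits // 8:
        problems.append("nBlockAlign != nChannels * wBitsPerSample / 8")
    if byte_rate != rate * block_align:
        problems.append("nAvgBytesPerSec != nSamplesPerSec * nBlockAlign")
    if riff_size != 36 + data_len:
        problems.append("RIFF size != 36 + data size (truncated or patched?)")
    return {
        "riff_size": riff_size, "fmt_tag": fmt_tag, "channels": channels,
        "sample_rate": rate, "byte_rate": byte_rate, "block_align": block_align,
        "bits": bits, "data_len": data_len,
        "duration_s": data_len / byte_rate if byte_rate else None,
        "problems": problems,
    }


if __name__ == "__main__":
    # Constructed sample: one second of 16-bit mono at 8 kHz (16000 data bytes).
    hdr = build_wav_header(channels=1, sample_rate=8000, bits=16, data_len=16000)
    print(parse_wav_header(hdr))
```

A file whose header passes these checks but whose on-disk size is not 44 + data_len was cut short, typically because the recording thread was killed (the report's TerminateThread calls) before the sizes were patched; the sample data can still be played by rewriting the two size fields from the real file length.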
                                    APIs
                                    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0041382B
                                    • LoadLibraryA.KERNEL32(?), ref: 0041386D
                                    • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0041388D
                                    • FreeLibrary.KERNEL32(00000000), ref: 00413894
                                    • LoadLibraryA.KERNEL32(?), ref: 004138CC
                                    • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 004138DE
                                    • FreeLibrary.KERNEL32(00000000), ref: 004138E5
                                    • GetProcAddress.KERNEL32(00000000,?), ref: 004138F4
                                    • FreeLibrary.KERNEL32(00000000), ref: 0041390B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                    • String ID: \ws2_32$\wship6$`3A$freeaddrinfo$getaddrinfo$getnameinfo
                                    • API String ID: 2490988753-3443138237
                                    • Opcode ID: 21b812c9e8c8c8e619d1227956d82128857f9ec353fd6b4c7c84cf26c4fc7a8e
                                    • Instruction ID: d28fd91e0c22c3548fe93de424e57890752fc739e59a71d3c7449bb4191d4936
                                    • Opcode Fuzzy Hash: 21b812c9e8c8c8e619d1227956d82128857f9ec353fd6b4c7c84cf26c4fc7a8e
                                    • Instruction Fuzzy Hash: 8831C0B2502315ABC720AF25DC489CBBBEC9F48755F41062AF84593251E7B8CE8486AE
                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$EnvironmentVariable$_wcschr
                                    • String ID:
                                    • API String ID: 3899193279-0
                                    • Opcode ID: 8f8f6bf8198f661361f87136ecb7ebf93a417bae196628050410ce4dfb3fc85f
                                    • Instruction ID: f90cfe9d57a3c7213274ca364bab7ea13f4483d5bd7e80e8c07ab134bc70d503
                                    • Opcode Fuzzy Hash: 8f8f6bf8198f661361f87136ecb7ebf93a417bae196628050410ce4dfb3fc85f
                                    • Instruction Fuzzy Hash: 80D136719023007BFB60AF7598C166B7BA4AF15718F09817FF985A7381FB3989008B5D
                                    APIs
                                    • ___free_lconv_mon.LIBCMT ref: 0044E4EA
                                      • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D6FF
                                      • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D711
                                      • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D723
                                      • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D735
                                      • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D747
                                      • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D759
                                      • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D76B
                                      • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D77D
                                      • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D78F
                                      • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7A1
                                      • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7B3
                                      • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7C5
                                      • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7D7
                                    • _free.LIBCMT ref: 0044E4DF
                                      • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                      • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                    • _free.LIBCMT ref: 0044E501
                                    • _free.LIBCMT ref: 0044E516
                                    • _free.LIBCMT ref: 0044E521
                                    • _free.LIBCMT ref: 0044E543
                                    • _free.LIBCMT ref: 0044E556
                                    • _free.LIBCMT ref: 0044E564
                                    • _free.LIBCMT ref: 0044E56F
                                    • _free.LIBCMT ref: 0044E5A7
                                    • _free.LIBCMT ref: 0044E5AE
                                    • _free.LIBCMT ref: 0044E5CB
                                    • _free.LIBCMT ref: 0044E5E3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                    • String ID: pF
                                    • API String ID: 161543041-2973420481
                                    APIs
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 004118B2
                                      • Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980
                                      • Part of subcall function 004168A6: CloseHandle.KERNEL32(004040D5,?,?,004040D5,00462E24), ref: 004168BC
                                      • Part of subcall function 004168A6: CloseHandle.KERNEL32($.F,?,?,004040D5,00462E24), ref: 004168C5
                                    • Sleep.KERNEL32(0000000A,00462E24), ref: 00411A01
                                    • Sleep.KERNEL32(0000000A,00462E24,00462E24), ref: 00411AA3
                                    • Sleep.KERNEL32(0000000A,00462E24,00462E24,00462E24), ref: 00411B42
                                    • DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411B9F
                                    • DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411BCF
                                    • DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411C05
                                    • Sleep.KERNEL32(000001F4,00462E24,00462E24,00462E24), ref: 00411C25
                                    • Sleep.KERNEL32(00000064), ref: 00411C63
                                      • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                    • String ID: /stext "$$.F$@#G$@#G
                                    • API String ID: 1223786279-2596709126
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free
                                    • String ID: pF
                                    • API String ID: 269201875-2973420481
                                    APIs
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00472248,00471FFC,?,00000001), ref: 0040DE4E
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040DE79
                                    • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040DE95
                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040DF14
                                    • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000001), ref: 0040DF23
                                      • Part of subcall function 00419F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00419F9C
                                    • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001), ref: 0040E047
                                    • CloseHandle.KERNEL32(00000000,C:\Program Files(x86)\Internet Explorer\,?,00000001), ref: 0040E133
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseCreateHandleProcess32$FileFirstModuleMutexNameNextOpenProcessSnapshotToolhelp32
                                    • String ID: 0"G$C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$!G
                                    • API String ID: 193334293-3226144251
                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041A43B
                                    • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041A47F
                                    • RegCloseKey.ADVAPI32(?), ref: 0041A749
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseEnumOpen
                                    • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                    • API String ID: 1332880857-3714951968
                                    APIs
                                    • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041B38F
                                    • GetCursorPos.USER32(?), ref: 0041B39E
                                    • SetForegroundWindow.USER32(?), ref: 0041B3A7
                                    • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041B3C1
                                    • Shell_NotifyIconA.SHELL32(00000002,00471AE0), ref: 0041B412
                                    • ExitProcess.KERNEL32 ref: 0041B41A
                                    • CreatePopupMenu.USER32 ref: 0041B420
                                    • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041B435
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                    • String ID: Close
                                    • API String ID: 1657328048-3535843008
                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$Info
                                    • String ID:
                                    • API String ID: 2509303402-0
                                    APIs
                                    • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407D1F
                                    • GetFileSizeEx.KERNEL32(00000000,?), ref: 00407D57
                                    • __aulldiv.LIBCMT ref: 00407D89
                                      • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                      • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                    • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00407EAC
                                    • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00407EC7
                                    • CloseHandle.KERNEL32(00000000), ref: 00407FA0
                                    • CloseHandle.KERNEL32(00000000,00000052), ref: 00407FEA
                                    • CloseHandle.KERNEL32(00000000), ref: 00408038
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                    • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller:
                                    • API String ID: 3086580692-2596673759
                                    APIs
                                      • Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
                                      • Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8
                                      • Part of subcall function 004120E8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
                                      • Part of subcall function 004120E8: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
                                      • Part of subcall function 004120E8: RegCloseKey.ADVAPI32(00000000), ref: 00412128
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C412
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040C571
                                    • ExitProcess.KERNEL32 ref: 0040C57D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                    • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$H"G$Temp$exepath$open
                                    • API String ID: 1913171305-2600661426
                                    APIs
                                    • connect.WS2_32(?,?,?), ref: 004048C0
                                    • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 004049E0
                                    • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 004049EE
                                    • WSAGetLastError.WS2_32 ref: 00404A01
                                      • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                    • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                    • API String ID: 994465650-2151626615
                                    APIs
                                      • Part of subcall function 00452A89: CreateFileW.KERNEL32(?,00000008,00000007,d.E,?,?,00000000,?,00452E64,00000000,0000000C), ref: 00452AA6
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 00452ECF
                                    • __dosmaperr.LIBCMT ref: 00452ED6
                                    • GetFileType.KERNEL32(00000000), ref: 00452EE2
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 00452EEC
                                    • __dosmaperr.LIBCMT ref: 00452EF5
                                    • CloseHandle.KERNEL32(00000000), ref: 00452F15
                                    • CloseHandle.KERNEL32(00000000), ref: 0045305F
                                    • GetLastError.KERNEL32 ref: 00453091
                                    • __dosmaperr.LIBCMT ref: 00453098
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                    • String ID: H
                                    • API String ID: 4237864984-2852464175
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 65535$udp
                                    • API String ID: 0-1267037602
                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 00409C81
                                    • Sleep.KERNEL32(000001F4), ref: 00409C8C
                                    • GetForegroundWindow.USER32 ref: 00409C92
                                    • GetWindowTextLengthW.USER32(00000000), ref: 00409C9B
                                    • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 00409CCF
                                    • Sleep.KERNEL32(000003E8), ref: 00409D9D
                                      • Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                    • String ID: [${ User has been idle for $ minutes }$]
                                    • API String ID: 911427763-3954389425
                                    APIs
                                    • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040C753
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: LongNamePath
                                    • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                    • API String ID: 82841172-425784914
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00438632
                                    • GetLastError.KERNEL32(?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043863F
                                    • __dosmaperr.LIBCMT ref: 00438646
                                    • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00438672
                                    • GetLastError.KERNEL32(?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043867C
                                    • __dosmaperr.LIBCMT ref: 00438683
                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D35,?), ref: 004386C6
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004386D0
                                    • __dosmaperr.LIBCMT ref: 004386D7
                                    • _free.LIBCMT ref: 004386E3
                                    • _free.LIBCMT ref: 004386EA
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                    • String ID:
                                    • API String ID: 2441525078-0
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free
                                    • String ID: pF$tF
                                    • API String ID: 269201875-2954683558
                                    APIs
                                    • SetEvent.KERNEL32(?,?), ref: 0040549F
                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040554F
                                    • TranslateMessage.USER32(?), ref: 0040555E
                                    • DispatchMessageA.USER32(?), ref: 00405569
                                    • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00471F10), ref: 00405621
                                    • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405659
                                      • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                    • String ID: CloseChat$DisplayMessage$GetMessage
                                    • API String ID: 2956720200-749203953
                                    APIs
                                      • Part of subcall function 0041626A: __EH_prolog.LIBCMT ref: 0041626F
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00463050), ref: 0041611A
                                    • CloseHandle.KERNEL32(00000000), ref: 00416123
                                    • DeleteFileA.KERNEL32(00000000), ref: 00416132
                                    • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 004160E6
                                      • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                    • String ID: <$@$@%G$@%G$Temp
                                    • API String ID: 1704390241-4139030828
                                    • Opcode ID: 2c1979de410b9738e481fa727b302a0dd89e2ec540be45fee9571ea6700d777e
                                    • Instruction ID: 980de7e6e99344695fa922fac5fad97fc57b46ec9d0f9c422bd6bd0d3fbbc04a
                                    • Opcode Fuzzy Hash: 2c1979de410b9738e481fa727b302a0dd89e2ec540be45fee9571ea6700d777e
                                    • Instruction Fuzzy Hash: 48419131900209ABDB14FB61DC56AEEB739AF50308F50417EF505760E2EF785E8ACB99
                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041843C,00000000), ref: 00418AD2
                                    • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041843C,00000000), ref: 00418AE9
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418AF6
                                    • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041843C,00000000), ref: 00418B05
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418B16
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418B19
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Service$CloseHandle$Open$ControlManager
                                    • String ID:
                                    • API String ID: 221034970-0
                                    • Opcode ID: c0ea185af2b6cb95e5d246b028910c14a7565b46c2d114a674b25013468a4f31
                                    • Instruction ID: 27c4ffebcf7932a5624e60d5a3802e7503a1161fac6a42b5cc64803f4be6ae02
                                    • Opcode Fuzzy Hash: c0ea185af2b6cb95e5d246b028910c14a7565b46c2d114a674b25013468a4f31
                                    • Instruction Fuzzy Hash: A211E9715002186FD610EF64DC89CFF3B6CDF41B96741012AFA0593192DF789D469AF5
                                    APIs
                                    • _free.LIBCMT ref: 00445645
                                      • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                      • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                    • _free.LIBCMT ref: 00445651
                                    • _free.LIBCMT ref: 0044565C
                                    • _free.LIBCMT ref: 00445667
                                    • _free.LIBCMT ref: 00445672
                                    • _free.LIBCMT ref: 0044567D
                                    • _free.LIBCMT ref: 00445688
                                    • _free.LIBCMT ref: 00445693
                                    • _free.LIBCMT ref: 0044569E
                                    • _free.LIBCMT ref: 004456AC
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: 93d31162751b94c5375648fc1d7c6d5428524314512021667e8ac2086323d142
                                    • Instruction ID: 08dc7793ba969bb8ae61e50cce6790fa76a3b05f45cdd3d63b195ce4761959f1
                                    • Opcode Fuzzy Hash: 93d31162751b94c5375648fc1d7c6d5428524314512021667e8ac2086323d142
                                    • Instruction Fuzzy Hash: A511CB7610010CBFDB01EF55C986CDD3B65FF04759B4284AAFA885F222EA35DF509B88
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 00417F6F
                                    • GdiplusStartup.GDIPLUS(00471668,?,00000000), ref: 00417FA1
                                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041802D
                                    • Sleep.KERNEL32(000003E8), ref: 004180B3
                                    • GetLocalTime.KERNEL32(?), ref: 004180BB
                                    • Sleep.KERNEL32(00000000,00000018,00000000), ref: 004181AA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                    • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                    • API String ID: 489098229-3790400642
                                    • Opcode ID: 27953ccb73c7935c50ce76e498ac53549bd0f641fbc99231dbf637836dbf8ac1
                                    • Instruction ID: ff50de85f816598f14f139fcbfe24147e98e2bb745fd097185ef2e944e73ca26
                                    • Opcode Fuzzy Hash: 27953ccb73c7935c50ce76e498ac53549bd0f641fbc99231dbf637836dbf8ac1
                                    • Instruction Fuzzy Hash: 98516071A001549BCB04BBB5C8529FD76A8AF55308F04403FF805A71E2EF7C5E85C799
                                    APIs
                                    • Sleep.KERNEL32(00001388), ref: 00409738
                                      • Part of subcall function 0040966D: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409745), ref: 004096A3
                                      • Part of subcall function 0040966D: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409745), ref: 004096B2
                                      • Part of subcall function 0040966D: Sleep.KERNEL32(00002710,?,?,?,00409745), ref: 004096DF
                                      • Part of subcall function 0040966D: CloseHandle.KERNEL32(00000000,?,?,?,00409745), ref: 004096E6
                                    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409774
                                    • GetFileAttributesW.KERNEL32(00000000), ref: 00409785
                                    • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040979C
                                    • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409816
                                      • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                                    • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00469654,00000000,00000000,00000000), ref: 0040991F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                    • String ID: H"G$H"G
                                    • API String ID: 3795512280-1424798214
                                    • Opcode ID: 671ef836078558126b4631db4dc3394edfc305a4d04f8952e6c39a6f844ac237
                                    • Instruction ID: 85d6828eff9e87111454ffe40de9a07a949f8ec8799fb43d86416e8e02d17308
                                    • Opcode Fuzzy Hash: 671ef836078558126b4631db4dc3394edfc305a4d04f8952e6c39a6f844ac237
                                    • Instruction Fuzzy Hash: 9D513D712043015BCB14BB72C9A6ABF76999F90308F00453FB946B72E3DF7D9D09869A
                                    APIs
                                    • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,004541DF), ref: 00453107
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: DecodePointer
                                    • String ID: acos$asin$exp$log$log10$pow$sqrt
                                    • API String ID: 3527080286-3064271455
                                    • Opcode ID: f53d904abd5658a060f413a89978d0306c3294a3021a30185663c10ae64f840c
                                    • Instruction ID: 9333e61b372fbf41addd7e909d3efe481a8fa84217f9852f3907f1ba123c2b47
                                    • Opcode Fuzzy Hash: f53d904abd5658a060f413a89978d0306c3294a3021a30185663c10ae64f840c
                                    • Instruction Fuzzy Hash: CC518F30900909DBCF10DFA8E9480ADBBB0FF0A347F644196EC81A7216CB799A1DDB1D
                                    APIs
                                    • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00415A1A
                                      • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                                    • Sleep.KERNEL32(00000064), ref: 00415A46
                                    • DeleteFileW.KERNEL32(00000000), ref: 00415A7A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$CreateDeleteExecuteShellSleep
                                    • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                    • API String ID: 1462127192-2001430897
                                    • Opcode ID: c216d361bb9ef99ebd7f865ddf1f7fdade912dea526e25dca7a569b2ba1e0d71
                                    • Instruction ID: 7fbd65b43d39327dc9f625a99f058064c4c6325298edc9245ab65683dcac2845
                                    • Opcode Fuzzy Hash: c216d361bb9ef99ebd7f865ddf1f7fdade912dea526e25dca7a569b2ba1e0d71
                                    • Instruction Fuzzy Hash: FA315E719402199ACB04FBA1DC96DEE7768EF50308F40017FF506731E2EE785E8ACA99
                                    APIs
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 00406775
                                    • ExitProcess.KERNEL32 ref: 00406782
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExecuteExitProcessShell
                                    • String ID: H"G$Software\Classes\mscfile\shell\open\command$eventvwr.exe$mscfile\shell\open\command$open$origmsc
                                    • API String ID: 1124553745-1488154373
                                    • Opcode ID: 8e5fad59d86c60b71b0e885ed10285bbf14514be7c7ad01d69b843f0820051ef
                                    • Instruction ID: 062031feec86e4e4641db6525c6f69cb17b792298443eef288e26788f9a4eac4
                                    • Opcode Fuzzy Hash: 8e5fad59d86c60b71b0e885ed10285bbf14514be7c7ad01d69b843f0820051ef
                                    • Instruction Fuzzy Hash: 36110571A4420166D704B7A2DC57FEF32689B10B09F50003FF906B61D2EEBC5A4982DE
                                    APIs
                                    • AllocConsole.KERNEL32(00000001), ref: 0041AA5D
                                    • ShowWindow.USER32(00000000,00000000), ref: 0041AA76
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AllocConsoleShowWindow
                                    • String ID: * BreakingSecurity.net$ * Remcos v$--------------------------$--------------------------$3.8.0 Pro$CONOUT$
                                    • API String ID: 4118500197-4025029772
                                    • Opcode ID: 613498324cd6a8c522b436d369b4391aab2e08fe6d6e431343eccbd2d6afca2c
                                    • Instruction ID: 07661f9972e693547954b0fc743ee20e91627884e026026f5b86345d1a8b50cd
                                    • Opcode Fuzzy Hash: 613498324cd6a8c522b436d369b4391aab2e08fe6d6e431343eccbd2d6afca2c
                                    • Instruction Fuzzy Hash: CE015271D803586ADB10EBF59C06FDF77AC6B18708F54142BB100A7095E7FC950C4A2D
                                    APIs
                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041B22B
                                      • Part of subcall function 0041B2C4: RegisterClassExA.USER32(00000030), ref: 0041B310
                                      • Part of subcall function 0041B2C4: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041B32B
                                      • Part of subcall function 0041B2C4: GetLastError.KERNEL32 ref: 0041B335
                                    • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041B262
                                    • lstrcpynA.KERNEL32(00471AF8,Remcos,00000080), ref: 0041B27C
                                    • Shell_NotifyIconA.SHELL32(00000000,00471AE0), ref: 0041B292
                                    • TranslateMessage.USER32(?), ref: 0041B29E
                                    • DispatchMessageA.USER32(?), ref: 0041B2A8
                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041B2B5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                    • String ID: Remcos
                                    • API String ID: 1970332568-165870891
                                    • Opcode ID: 6a629144b245819b38f2933f29616ef2380529a0a937335efbac9e54df28edc4
                                    • Instruction ID: 392c2ce23d615fe7cfca65c1bdf78dc563e79c4ff08160ae13be93183ad442b8
                                    • Opcode Fuzzy Hash: 6a629144b245819b38f2933f29616ef2380529a0a937335efbac9e54df28edc4
                                    • Instruction Fuzzy Hash: CD013971901308ABCB10DBB9ED4EEDB7BBCFB85B05F40417AF51992061D7B89489CB68
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d7410a98b278d9d25d0fcdc47fb7c960ad5f7d9b58d6d06d1c87314e37a5ed65
                                    • Instruction ID: 53180985ac70b1d9c95f382170f9691aec8243d5c40cf1d2be039b65846bfc46
                                    • Opcode Fuzzy Hash: d7410a98b278d9d25d0fcdc47fb7c960ad5f7d9b58d6d06d1c87314e37a5ed65
                                    • Instruction Fuzzy Hash: 2DC12970D44245AFEB11DFA8D841BEEBBB0BF19304F04419AE844A7392C7798D51DB6B
                                    APIs
                                    • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0045123C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 0045100F
                                    • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 00451092
                                    • __alloca_probe_16.LIBCMT ref: 004510CA
                                    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,0045123C,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 00451125
                                    • __alloca_probe_16.LIBCMT ref: 00451174
                                    • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 0045113C
                                      • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                                    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 004511B8
                                    • __freea.LIBCMT ref: 004511E3
                                    • __freea.LIBCMT ref: 004511EF
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                    • String ID:
                                    • API String ID: 201697637-0
                                    • Opcode ID: 3fb5d38a305e3cd885e4cf01d6a6faccac9c0be3147af9b9f82741c0feb9dacf
                                    • Instruction ID: 005ec385ace484c3041e352596739c7debf7d66643145b34d09858c349e559c3
                                    • Opcode Fuzzy Hash: 3fb5d38a305e3cd885e4cf01d6a6faccac9c0be3147af9b9f82741c0feb9dacf
                                    • Instruction Fuzzy Hash: C191D632E002169BDB209EA5C881BAF7BB59F09716F14025BED00E7292D72DDD89C768
                                    APIs
                                      • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                      • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                      • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                      • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                    • _memcmp.LIBVCRUNTIME ref: 00442935
                                    • _free.LIBCMT ref: 004429A6
                                    • _free.LIBCMT ref: 004429BF
                                    • _free.LIBCMT ref: 004429F1
                                    • _free.LIBCMT ref: 004429FA
                                    • _free.LIBCMT ref: 00442A06
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ErrorLast$_abort_memcmp
                                    • String ID: C
                                    • API String ID: 1679612858-1037565863
                                    • Opcode ID: 432fc3ea507ab00d5c61cbebfc7d6860faf6a87f9b6526557229100be8563697
                                    • Instruction ID: aeaf983377083d43a1268bd0837f448671c9c2270315b144058cc99b7af0bbb4
                                    • Opcode Fuzzy Hash: 432fc3ea507ab00d5c61cbebfc7d6860faf6a87f9b6526557229100be8563697
                                    • Instruction Fuzzy Hash: C6B14B75A01219DFEB24DF19C984AAEB7B4FF08314F5045AEE849A7350E774AE90CF44
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: tcp$udp
                                    • API String ID: 0-3725065008
                                    • Opcode ID: 688bcc682103751b5d6e0fc50f4ff73081394bc5db4df513150874dffde81862
                                    • Instruction ID: 0146648cb9627796ba72a5075a1bb19f593c332394d5faf8ede73001e6eead87
                                    • Opcode Fuzzy Hash: 688bcc682103751b5d6e0fc50f4ff73081394bc5db4df513150874dffde81862
                                    • Instruction Fuzzy Hash: 0271AB306083029FDB24CF55C4456ABBBE5AB88B06F14483FF88587351DB78CE85CB8A
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Eventinet_ntoa
                                    • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
                                    • API String ID: 3578746661-168337528
                                    • Opcode ID: 91f6b250a27052f763f33f931300f679483c58cf17455d7b6bb400d635c1d2e1
                                    • Instruction ID: 6b7c77c2de925f44c7fd0444b04eaa142d1c015a05a303cede5520b91582e870
                                    • Opcode Fuzzy Hash: 91f6b250a27052f763f33f931300f679483c58cf17455d7b6bb400d635c1d2e1
                                    • Instruction Fuzzy Hash: 1B51C671A043005BC704FB35E81AAAE36A56B85304F50453FF942972E2EFBD998987CF
                                    APIs
                                    • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00471E78,00462F54,?,00000000,0040708D,00000000), ref: 00406A56
                                    • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,0040708D,00000000,?,?,0000000A,00000000), ref: 00406A9E
                                      • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                    • CloseHandle.KERNEL32(00000000,?,00000000,0040708D,00000000,?,?,0000000A,00000000), ref: 00406ADE
                                    • MoveFileW.KERNEL32(00000000,00000000), ref: 00406AFB
                                    • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00406B26
                                    • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00406B36
                                      • Part of subcall function 00404B76: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,00404C29,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404B85
                                      • Part of subcall function 00404B76: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040546B), ref: 00404BA3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                    • String ID: .part
                                    • API String ID: 1303771098-3499674018
                                    • Opcode ID: b311657231bfd1ddbcc4a820267832357b1505ed209a9d42b0dbde4102a0be9c
                                    • Instruction ID: 678cfffe15af58d7f0b712f13b91f409224560124cae5e22a1f642ab954cf825
                                    • Opcode Fuzzy Hash: b311657231bfd1ddbcc4a820267832357b1505ed209a9d42b0dbde4102a0be9c
                                    • Instruction Fuzzy Hash: 183195715043519FC210FF61D8859AFB7E8EF84305F40493FB946A21E1DB78DE488B9A
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0043E2F6,0043E2F6,?,?,?,00447215,00000001,00000001,80E85006), ref: 0044701E
                                    • __alloca_probe_16.LIBCMT ref: 00447056
                                    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00447215,00000001,00000001,80E85006,?,?,?), ref: 004470A4
                                    • __alloca_probe_16.LIBCMT ref: 0044713B
                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,80E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044719E
                                    • __freea.LIBCMT ref: 004471AB
                                      • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                                    • __freea.LIBCMT ref: 004471B4
                                    • __freea.LIBCMT ref: 004471D9
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                    • String ID:
                                    • API String ID: 3864826663-0
                                    • Opcode ID: 04037ebd5a1a4f50f5415f33d7545ea1837db620aa2cb0a216d5dedd30da5abc
                                    • Instruction ID: 54c76e5b98bc3e662f405ec50a570bffd16f8396d3d33e450f7b83ec1f761fab
                                    • Opcode Fuzzy Hash: 04037ebd5a1a4f50f5415f33d7545ea1837db620aa2cb0a216d5dedd30da5abc
                                    • Instruction Fuzzy Hash: C051F372604216AFFB258F65CC81EAF77A9EB44754F19422EFC04D6340EB38DC4296A8
                                    APIs
                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417982
                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179A3
                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179C3
                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179D7
                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179ED
                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417A0A
                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417A25
                                    • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00417A41
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    • API ID: InputSend
                                    • String ID:
                                    • API String ID: 3431551938-0
                                    • Opcode ID: 6aaf5890e5c1829a4f0a9f9de961f2057ca44ae286fc2f2a8f4f79c9cdb01491
                                    • Instruction ID: 18205c9a4f61e0979ba7f31da2e0396e133b47f61cec1eebe1044e0c870e5742
                                    • Opcode Fuzzy Hash: 6aaf5890e5c1829a4f0a9f9de961f2057ca44ae286fc2f2a8f4f79c9cdb01491
                                    • Instruction Fuzzy Hash: BF3180715583086EE311CF51D941BEBBFECEF99B54F00080FF6809A191D2A696C98BA7
                                    APIs
                                    • OpenClipboard.USER32 ref: 00414F41
                                    • EmptyClipboard.USER32 ref: 00414F4F
                                    • CloseClipboard.USER32 ref: 00414F55
                                    • OpenClipboard.USER32 ref: 00414F5C
                                    • GetClipboardData.USER32(0000000D), ref: 00414F6C
                                    • GlobalLock.KERNEL32(00000000), ref: 00414F75
                                    • GlobalUnlock.KERNEL32(00000000), ref: 00414F7E
                                    • CloseClipboard.USER32 ref: 00414F84
                                      • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                    • String ID:
                                    • API String ID: 2172192267-0
                                    • Opcode ID: 828cfcc74c82ea041a7dd29e4e1c173cc2e20efda03bf5817e1bab7b2f8bf981
                                    • Instruction ID: b342c93700c1c5b5557293b3c64df63ecfc3f94f93ee8c928ebb46f035b43356
                                    • Opcode Fuzzy Hash: 828cfcc74c82ea041a7dd29e4e1c173cc2e20efda03bf5817e1bab7b2f8bf981
                                    • Instruction Fuzzy Hash: 7C015E312443009BD314BF71DC596AA76A8EBE0346F81057EB94A931A3DF3899498A9A
                                    APIs
                                    • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00447ECC,00453EB5,00000000,00000000,00000000,00000000,00000000), ref: 00447799
                                    • __fassign.LIBCMT ref: 00447814
                                    • __fassign.LIBCMT ref: 0044782F
                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00447855
                                    • WriteFile.KERNEL32(?,00000000,00000000,00447ECC,00000000,?,?,?,?,?,?,?,?,?,00447ECC,00453EB5), ref: 00447874
                                    • WriteFile.KERNEL32(?,00453EB5,00000001,00447ECC,00000000,?,?,?,?,?,?,?,?,?,00447ECC,00453EB5), ref: 004478AD
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                    • String ID:
                                    • API String ID: 1324828854-0
                                    • Opcode ID: a748b16374f527b7a80cf69ed727348adf3f69da4df0249be72511d103bd3332
                                    • Instruction ID: 74b5e8c6f427b63fe2026e60454d3d85c0c1d9029b0a2cc1a9ecb7a500eaa1fe
                                    • Opcode Fuzzy Hash: a748b16374f527b7a80cf69ed727348adf3f69da4df0249be72511d103bd3332
                                    • Instruction Fuzzy Hash: 32510870E042499FEB10DFA8DC85AEEBBF8EF09300F14416BE951E7291E7749941CB69
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    • API ID: _free
                                    • String ID: $-E$$-E
                                    • API String ID: 269201875-3140958853
                                    • Opcode ID: ee8e1cba0696e1ef76f6de9b16e819625eafbf0b8f389bd133dd680e215230cb
                                    • Instruction ID: 9707d98a659f88f98630b1874925085f47dfd26ea07d7c57405a666b90b138a8
                                    • Opcode Fuzzy Hash: ee8e1cba0696e1ef76f6de9b16e819625eafbf0b8f389bd133dd680e215230cb
                                    • Instruction Fuzzy Hash: 69412C32A041006BDB21AFBA8C4666F3BA5DF453B7F10461FFC18D6293DB3C8E15466A
                                    APIs
                                    • _strftime.LIBCMT ref: 00401D30
                                      • Part of subcall function 00401A4D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9
                                    • waveInUnprepareHeader.WINMM(0046FA78,00000020,00000000,?), ref: 00401DE2
                                    • waveInPrepareHeader.WINMM(0046FA78,00000020), ref: 00401E20
                                    • waveInAddBuffer.WINMM(0046FA78,00000020), ref: 00401E2F
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                    • String ID: %Y-%m-%d %H.%M$.wav
                                    • API String ID: 3809562944-3597965672
                                    • Opcode ID: b10e30c525f246f4611f68b91188478031edfba2b9a6cbdc9954c4cf903c77cf
                                    • Instruction ID: eb6f517cf981021e41f9baa65c06222081641aa24e02a1e4c78245b08a68fc14
                                    • Opcode Fuzzy Hash: b10e30c525f246f4611f68b91188478031edfba2b9a6cbdc9954c4cf903c77cf
                                    • Instruction Fuzzy Hash: 743150315043009BC314EBA1EC56A9E77E8FB54318F50893EF599A21F2EFB49909CB5E
                                    APIs
                                      • Part of subcall function 00411F91: RegOpenKeyExA.ADVAPI32(80000002,00000400,00000000,00020019,?), ref: 00411FB5
                                      • Part of subcall function 00411F91: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00411FD2
                                      • Part of subcall function 00411F91: RegCloseKey.ADVAPI32(?), ref: 00411FDD
                                    • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040AEAC
                                    • PathFileExistsA.SHLWAPI(?), ref: 0040AEB9
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                    • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                    • API String ID: 1133728706-4073444585
                                    • Opcode ID: 2710e71acfe910868fa7bd05cf86435756edf937fb7501142c457778cac90120
                                    • Instruction ID: 9e227284a7a69f00510d3be81dd7cde1580ac9a58a9ca8fbd928e09bf644cbd9
                                    • Opcode Fuzzy Hash: 2710e71acfe910868fa7bd05cf86435756edf937fb7501142c457778cac90120
                                    • Instruction Fuzzy Hash: CF21B170A4020556CB00FBE2CC97DEE7368AF51348F80013FB901772D2EB795A45C6DA
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a9bccf30988101774ee440fa5cc9a08b358316fbf5677ac8bfda6d7ead677197
                                    • Instruction ID: 106e2cecea33a690a52cc41c1271e31c3df1f85e8271d36c5dacef07d135bc52
                                    • Opcode Fuzzy Hash: a9bccf30988101774ee440fa5cc9a08b358316fbf5677ac8bfda6d7ead677197
                                    • Instruction Fuzzy Hash: 2C113232504214BBCB213F769C0596B7B7CDF857A7F11062BFC1583292DA38C9089269
                                    APIs
                                      • Part of subcall function 0044DE21: _free.LIBCMT ref: 0044DE4A
                                    • _free.LIBCMT ref: 0044E128
                                      • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                      • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                    • _free.LIBCMT ref: 0044E133
                                    • _free.LIBCMT ref: 0044E13E
                                    • _free.LIBCMT ref: 0044E192
                                    • _free.LIBCMT ref: 0044E19D
                                    • _free.LIBCMT ref: 0044E1A8
                                    • _free.LIBCMT ref: 0044E1B3
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: d645742a9f031bfd4c53cfe37fe00a001808073c56fe889b6c8b285726f20831
                                    • Instruction ID: b65b67035ea7ffc6fe2c1778d32cb4f6cbb79ca162155871331ff7aa41bb66fd
                                    • Opcode Fuzzy Hash: d645742a9f031bfd4c53cfe37fe00a001808073c56fe889b6c8b285726f20831
                                    • Instruction Fuzzy Hash: 64111571940B08AAE520BFF2CC47FCBB7DC9F14708F50882EB29D6A552DA7DB6044654
                                    APIs
                                      • Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
                                      • Part of subcall function 00411F91: RegOpenKeyExA.ADVAPI32(80000002,00000400,00000000,00020019,?), ref: 00411FB5
                                      • Part of subcall function 00411F91: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00411FD2
                                      • Part of subcall function 00411F91: RegCloseKey.ADVAPI32(?), ref: 00411FDD
                                    • StrToIntA.SHLWAPI(00000000,00469710,00000000,00000000,00000000,00471FFC,00000001,?,?,?,?,?,?,0040D6A0), ref: 00419327
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    • API ID: CloseCurrentOpenProcessQueryValue
                                    • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                    • API String ID: 1866151309-2070987746
                                    • Opcode ID: 905e145e97e877e89bffcd847be86f3e5d4b8ef02cc69856730a9e086f165d02
                                    • Instruction ID: a9b62d1d1389f8d2b696bc63f2982e792167bed2dd8bed00043a633dd184e9c5
                                    • Opcode Fuzzy Hash: 905e145e97e877e89bffcd847be86f3e5d4b8ef02cc69856730a9e086f165d02
                                    • Instruction Fuzzy Hash: E411E371A002456AC704B765CC67AAF761D8B54309F64053FF905A71E2FABC4D8282AA
                                    APIs
                                    • GetLastError.KERNEL32(?,?,004380F1,0043705E), ref: 00438108
                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00438116
                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043812F
                                    • SetLastError.KERNEL32(00000000,?,004380F1,0043705E), ref: 00438181
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    • API ID: ErrorLastValue___vcrt_
                                    • String ID:
                                    • API String ID: 3852720340-0
                                    • Opcode ID: 8fa3eba41d5dfcfa025b4cdbc1becdc984892f6557d94f52d480fd9577c81c63
                                    • Instruction ID: 5a832d73688d02476ca7511e273f3515cfb573674d76dbd3fe9934521fa1a72b
                                    • Opcode Fuzzy Hash: 8fa3eba41d5dfcfa025b4cdbc1becdc984892f6557d94f52d480fd9577c81c63
                                    • Instruction Fuzzy Hash: F101283210C3326EAA102F767C85A1BAA94EB09779F31633FF214951E1FFA99C02550C
                                    APIs
                                    • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040AA1E
                                    • GetLastError.KERNEL32 ref: 0040AA28
                                    Strings
                                    • UserProfile, xrefs: 0040A9EE
                                    • [Chrome Cookies found, cleared!], xrefs: 0040AA4E
                                    • [Chrome Cookies not found], xrefs: 0040AA42
                                    • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040A9E9
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    • API ID: DeleteErrorFileLast
                                    • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                    • API String ID: 2018770650-304995407
                                    • Opcode ID: b4927beb3b7d8682d6e8687247d88e98b96e581d4f5d1102126ce03b4be6211c
                                    • Instruction ID: 1f34f6daae66b163f55af04f15e1d0b60933b3567ae099988c08ef58cbd90c9e
                                    • Opcode Fuzzy Hash: b4927beb3b7d8682d6e8687247d88e98b96e581d4f5d1102126ce03b4be6211c
                                    • Instruction Fuzzy Hash: 0E01F731B4020467C6047A75DD278AE77249951304B50057FF402773D2FD798915CA9F
                                    APIs
                                    • __allrem.LIBCMT ref: 00438A09
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A25
                                    • __allrem.LIBCMT ref: 00438A3C
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A5A
                                    • __allrem.LIBCMT ref: 00438A71
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A8F
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                    • String ID:
                                    • API String ID: 1992179935-0
                                    • Opcode ID: e54fcd2a271a95563de48233a52a921a5b89548056e17f80f76cd68e5be4f8c8
                                    • Instruction ID: 1db505a437643d25cad1e1ab06004ebe691486694b679651004c0d70fbe8f9c1
                                    • Opcode Fuzzy Hash: e54fcd2a271a95563de48233a52a921a5b89548056e17f80f76cd68e5be4f8c8
                                    • Instruction Fuzzy Hash: CD815972A007069BE724BA29CC41B6BF3E8AF49328F14512FF511D6382EF78D900875D
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    • API ID: __cftoe
                                    • String ID:
                                    • API String ID: 4189289331-0
                                    • Opcode ID: 0fae115f831cac106012114eb4540e124d695819a26846d31b7a5b9ad28ad3e8
                                    • Instruction ID: 4563a9c63fae0d6d7f7aa9a83d474a3ec136fb2d14012502de5dff0b8c27d610
                                    • Opcode Fuzzy Hash: 0fae115f831cac106012114eb4540e124d695819a26846d31b7a5b9ad28ad3e8
                                    • Instruction Fuzzy Hash: CB510C32500205ABFB209F598E45EAF77B8EF48334FE0421FF415D6282EB79D941966C
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    • API ID: __freea$__alloca_probe_16_free
                                    • String ID: a/p$am/pm
                                    • API String ID: 2936374016-3206640213
                                    • Opcode ID: 5bf20948ecfdcfc47f5d03c18463ec118060d09d36ce90c1cff5387842e26ce9
                                    • Instruction ID: 5910b70c00eb86a61931efff1dda8232d7c1eee9eff2524394b85f82b3a3e216
                                    • Opcode Fuzzy Hash: 5bf20948ecfdcfc47f5d03c18463ec118060d09d36ce90c1cff5387842e26ce9
                                    • Instruction Fuzzy Hash: 05D1E171900206CAFB289F68C895BBBB7B1FF85300F29415BE905AB391D73D9D81CB59
                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0040F8C4
                                    • int.LIBCPMT ref: 0040F8D7
                                      • Part of subcall function 0040CAE9: std::_Lockit::_Lockit.LIBCPMT ref: 0040CAFA
                                      • Part of subcall function 0040CAE9: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CB14
                                    • std::_Facet_Register.LIBCPMT ref: 0040F917
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0040F920
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040F93E
                                    • __Init_thread_footer.LIBCMT ref: 0040F97F
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                    • String ID:
                                    • API String ID: 3815856325-0
                                    • Opcode ID: 296aa1fc45bd8a97e11338d30c2ad026eda8063a32206ad78c4166fd1b77079b
                                    • Instruction ID: 3bb9722abb9e04fd13c8d4025e7ce1c878c76566b3017ce531706a3e1b7c3414
                                    • Opcode Fuzzy Hash: 296aa1fc45bd8a97e11338d30c2ad026eda8063a32206ad78c4166fd1b77079b
                                    • Instruction Fuzzy Hash: 90212232900104EBCB24EBA9E94699E7378AB08324F20017FF844B72D1DB389F458BD9
                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C3E
                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,00418344,00000000), ref: 00418C52
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418C5F
                                    • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C94
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418CA6
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418CA9
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                    • String ID:
                                    • API String ID: 493672254-0
                                    • Opcode ID: 6b3aada76383092df42fd9d8378ae16ca6440a91692c2fe76f90724c69c65514
                                    • Instruction ID: 151ede47f5a01f66990efdacd58a0b59027112db6305451f0336687f4909308b
                                    • Opcode Fuzzy Hash: 6b3aada76383092df42fd9d8378ae16ca6440a91692c2fe76f90724c69c65514
                                    • Instruction Fuzzy Hash: A20149711862183AE6108B389C4EEBB3A6CDB42771F14032FF925A32D1EE68CD4185F9
                                    APIs
                                    • GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                    • _free.LIBCMT ref: 0044575C
                                    • _free.LIBCMT ref: 00445784
                                    • SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                                    • SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                    • _abort.LIBCMT ref: 004457A3
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    • API ID: ErrorLast$_free$_abort
                                    • String ID:
                                    • API String ID: 3160817290-0
                                    • Opcode ID: 2164e89f114e7cf86b97a0d05c6cee2e89ce7be6ffa074a4cf04242e0fee9013
                                    • Instruction ID: 2afc6a99b93033dbed13f8def56e2284daf42193b39b630cfab03248b002a5f8
                                    • Opcode Fuzzy Hash: 2164e89f114e7cf86b97a0d05c6cee2e89ce7be6ffa074a4cf04242e0fee9013
                                    • Instruction Fuzzy Hash: 6EF0FE35100F0067FA117B367C8AB2F1A695FC2B2AF21013BF419D6293EE3DC902452D
                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,004185D9,00000000), ref: 00418A6B
                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,004185D9,00000000), ref: 00418A7F
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418A8C
                                    • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004185D9,00000000), ref: 00418A9B
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418AAD
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418AB0
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    • API ID: Service$CloseHandle$Open$ControlManager
                                    • String ID:
                                    • API String ID: 221034970-0
                                    • Opcode ID: f9d93c7612eed7e1ddf8c3953865d04e5265de3587757247bbfd6a1c47877660
                                    • Instruction ID: 4afe7732e2fa81f36ccf108e41ed7890102f29a09d0e479adccf976045b68e04
                                    • Opcode Fuzzy Hash: f9d93c7612eed7e1ddf8c3953865d04e5265de3587757247bbfd6a1c47877660
                                    • Instruction Fuzzy Hash: A4F0C2315013186BD210EBA5DC89EBF3BACDF45B96B41002BFD0993192DF38CD4689E9
                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,00418559,00000000), ref: 00418B6F
                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00418559,00000000), ref: 00418B83
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418B90
                                    • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00418559,00000000), ref: 00418B9F
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418BB1
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418BB4
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    • API ID: Service$CloseHandle$Open$ControlManager
                                    • API String ID: 221034970-0
                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,004184D9,00000000), ref: 00418BD6
                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,004184D9,00000000), ref: 00418BEA
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418BF7
                                    • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,004184D9,00000000), ref: 00418C06
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418C18
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418C1B
                                    • API ID: Service$CloseHandle$Open$ControlManager
                                    • API String ID: 221034970-0
                                    APIs
                                    • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409745), ref: 004096A3
                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409745), ref: 004096B2
                                    • Sleep.KERNEL32(00002710,?,?,?,00409745), ref: 004096DF
                                    • CloseHandle.KERNEL32(00000000,?,?,?,00409745), ref: 004096E6
                                    • API ID: File$CloseCreateHandleSizeSleep
                                    • String ID: h G
                                    • API String ID: 1958988193-3300504347
                                    APIs
                                    • RegisterClassExA.USER32(00000030), ref: 0041B310
                                    • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041B32B
                                    • GetLastError.KERNEL32 ref: 0041B335
                                    • API ID: ClassCreateErrorLastRegisterWindow
                                    • String ID: 0$MsgWindowClass
                                    • API String ID: 2877667751-2410386613
                                    APIs
                                    • ___BuildCatchObject.LIBVCRUNTIME ref: 0043761A
                                      • Part of subcall function 00437C52: ___AdjustPointer.LIBCMT ref: 00437C9C
                                    • _UnwindNestedFrames.LIBCMT ref: 00437631
                                    • ___FrameUnwindToState.LIBVCRUNTIME ref: 00437643
                                    • CallCatchBlock.LIBVCRUNTIME ref: 00437667
                                    • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                    • String ID: /zC
                                    • API String ID: 2633735394-4132788633
                                    APIs
                                    • GetSystemMetrics.USER32(0000004C), ref: 004173AA
                                    • GetSystemMetrics.USER32(0000004D), ref: 004173B0
                                    • GetSystemMetrics.USER32(0000004E), ref: 004173B6
                                    • GetSystemMetrics.USER32(0000004F), ref: 004173BC
                                    • API ID: MetricsSystem
                                    • String ID: ]tA
                                    • API String ID: 4116985748-3517819141
                                    APIs
                                    • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?,00000000,00471FFC), ref: 0040E547
                                    • CloseHandle.KERNEL32(?,?,?,?,?,00000000,00471FFC), ref: 0040E556
                                    • CloseHandle.KERNEL32(?,?,?,?,?,00000000,00471FFC), ref: 0040E55B
                                    Strings
                                    • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 0040E53D
                                    • C:\Windows\System32\cmd.exe, xrefs: 0040E542
                                    • API ID: CloseHandle$CreateProcess
                                    • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                    • API String ID: 2922976086-4183131282
                                    APIs
                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004407EB,00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002), ref: 0044085A
                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044086D
                                    • FreeLibrary.KERNEL32(00000000,?,?,?,004407EB,00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002), ref: 00440890
                                    • API ID: AddressFreeHandleLibraryModuleProc
                                    • String ID: CorExitProcess$mscoree.dll
                                    • API String ID: 4061214504-1276376045
                                    APIs
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00471E90,00404E5A,00000001,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405100
                                    • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 0040510C
                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405117
                                    • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405120
                                      • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                    Strings
                                    • Connection KeepAlive | Disabled, xrefs: 004050D9
                                    • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                    • String ID: Connection KeepAlive | Disabled
                                    • API String ID: 2993684571-3818284553
                                    APIs
                                      • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                    • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00418DA8
                                    • PlaySoundW.WINMM(00000000,00000000), ref: 00418DB6
                                    • Sleep.KERNEL32(00002710), ref: 00418DBD
                                    • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00418DC6
                                    • API ID: PlaySound$HandleLocalModuleSleepTime
                                    • String ID: Alarm triggered
                                    • API String ID: 614609389-2816303416
                                    APIs
                                    • Sleep.KERNEL32(00000000,?), ref: 004044A4
                                      • Part of subcall function 004045E7: __EH_prolog.LIBCMT ref: 004045EC
                                    • API ID: H_prologSleep
                                    • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
                                    • API String ID: 3469354165-3547787478
                                    APIs
                                      • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                                    • _free.LIBCMT ref: 00442318
                                    • _free.LIBCMT ref: 0044232F
                                    • _free.LIBCMT ref: 0044234E
                                    • _free.LIBCMT ref: 00442369
                                    • _free.LIBCMT ref: 00442380
                                    • API ID: _free$AllocateHeap
                                    • API String ID: 3033488037-0
                                    APIs
                                    • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045C1E4), ref: 004468FE
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F754,000000FF,00000000,0000003F,00000000,?,?), ref: 00446976
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F7A8,000000FF,?,0000003F,00000000,?), ref: 004469A3
                                    • _free.LIBCMT ref: 004468EC
                                      • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                      • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                    • _free.LIBCMT ref: 00446AB8
                                    • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                    • API String ID: 1286116820-0
                                    • API ID: _free
                                    • API String ID: 269201875-0
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00439ED1,?,00000000,?,00000001,?,?,00000001,00439ED1,?), ref: 0044E359
                                    • __alloca_probe_16.LIBCMT ref: 0044E391
                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044E3E2
                                    • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00438C3F,?), ref: 0044E3F4
                                    • __freea.LIBCMT ref: 0044E3FD
                                      • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                                    • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                    • API String ID: 313313983-0
                                    APIs
                                    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BD9
                                    • waveInOpen.WINMM(0046FAB0,000000FF,0046FA98,Function_00001CEB,00000000,00000000,00000024), ref: 00401C6F
                                    • waveInPrepareHeader.WINMM(0046FA78,00000020), ref: 00401CC3
                                    • waveInAddBuffer.WINMM(0046FA78,00000020), ref: 00401CD2
                                    • waveInStart.WINMM ref: 00401CDE
                                    • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                    • API String ID: 1356121797-0
                                    APIs
                                    • GetEnvironmentStringsW.KERNEL32 ref: 0044C543
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044C566
                                      • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044C58C
                                    • _free.LIBCMT ref: 0044C59F
                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044C5AE
                                    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                    • API String ID: 336800556-0
                                    APIs
                                    • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1D7
                                    • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1E3
                                    • WriteFile.KERNEL32(00000000,00000000,00000000,0040649B,00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1F4
                                    • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A201
                                    • API ID: File$CloseHandle$CreatePointerWrite
                                    • API String ID: 1852769593-0
                                    • Opcode ID: 900e91da6aef5ae1ef2d64e2906a14ebfc53969b27a9c650ee74425d8e4f4bd5
                                    • Instruction ID: 9d85e8900f1be3931a26f88ae5ac80d5e45035a8363d546858a313564ae31bc3
                                    • Opcode Fuzzy Hash: 900e91da6aef5ae1ef2d64e2906a14ebfc53969b27a9c650ee74425d8e4f4bd5
                                    • Instruction Fuzzy Hash: 0911C4712062147FE6105A249C88EFB779CEB46375F10076AF556C32D1C6698C95863B
                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0040FBD5
                                    • int.LIBCPMT ref: 0040FBE8
                                      • Part of subcall function 0040CAE9: std::_Lockit::_Lockit.LIBCPMT ref: 0040CAFA
                                      • Part of subcall function 0040CAE9: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CB14
                                    • std::_Facet_Register.LIBCPMT ref: 0040FC28
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC31
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC4F
                                    Similarity
                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                    • String ID:
                                    • API String ID: 2536120697-0
                                    • Opcode ID: e42b24a72f1c346ef2fbe1d3cf240902612692734d8aa84a6b4d17056c7d6fbb
                                    • Instruction ID: 5713401f36b8bb0c26d90e6cd89a0375aabf3697ea4116ccadb9116029d1f595
                                    • Opcode Fuzzy Hash: e42b24a72f1c346ef2fbe1d3cf240902612692734d8aa84a6b4d17056c7d6fbb
                                    • Instruction Fuzzy Hash: 9811C172904118A7CB24EFA5D80289FB778EF44325F10417FFD44B7291DA389E4A87D8
                                    APIs
                                    • GetLastError.KERNEL32(?,00000000,?,00439A11,00000000,?,?,00439A95,00000000,00000000,00000000,00000000,00000000,?,?), ref: 004457AE
                                    • _free.LIBCMT ref: 004457E3
                                    • _free.LIBCMT ref: 0044580A
                                    • SetLastError.KERNEL32(00000000), ref: 00445817
                                    • SetLastError.KERNEL32(00000000), ref: 00445820
                                    Similarity
                                    • API ID: ErrorLast$_free
                                    • String ID:
                                    • API String ID: 3170660625-0
                                    • Opcode ID: d4e383c12478905910161cad80a238fc5d6e44a6254b0909f9091c4c9b8107c1
                                    • Instruction ID: 04032910ca93e9be015006ee1c204adc37b37130fda50a8933af11b0a5b4c0b1
                                    • Opcode Fuzzy Hash: d4e383c12478905910161cad80a238fc5d6e44a6254b0909f9091c4c9b8107c1
                                    • Instruction Fuzzy Hash: 4101FE36100F0077FB127B366CC992B15699FC2B7AB21413BF40592293EE7DCC01462D
                                    APIs
                                    • _free.LIBCMT ref: 0044DBB4
                                      • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                      • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                    • _free.LIBCMT ref: 0044DBC6
                                    • _free.LIBCMT ref: 0044DBD8
                                    • _free.LIBCMT ref: 0044DBEA
                                    • _free.LIBCMT ref: 0044DBFC
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: 4ff6445dbd1c139c6c118283ff3a35b6f69cd7d79671e775af14f987f4430014
                                    • Instruction ID: 294e589d6328203d0d12509a579114aacc3179ef351d8ef0a61016021d4f39e6
                                    • Opcode Fuzzy Hash: 4ff6445dbd1c139c6c118283ff3a35b6f69cd7d79671e775af14f987f4430014
                                    • Instruction Fuzzy Hash: DDF04F339002146BA620EF6AE9C6C5773D9EE01B15355880AF085E7600EA78FC80965C
                                    APIs
                                    • _free.LIBCMT ref: 00441566
                                      • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                      • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                    • _free.LIBCMT ref: 00441578
                                    • _free.LIBCMT ref: 0044158B
                                    • _free.LIBCMT ref: 0044159C
                                    • _free.LIBCMT ref: 004415AD
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: dc25ad9d7c881d5a7498954b547f4469e613371529959f9048218c6a37a16c45
                                    • Instruction ID: 534a9c52bd02544fd4565401bb604a6095318b382a753ef56e7f6fd0a1c42297
                                    • Opcode Fuzzy Hash: dc25ad9d7c881d5a7498954b547f4469e613371529959f9048218c6a37a16c45
                                    • Instruction Fuzzy Hash: 00F030B78052209BD7016F55BC864053BA0BB04B29305853BF8ADE6670FBB90A458F8E
                                    APIs
                                    • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 004124AD
                                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 004124DC
                                    • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 0041257C
                                    Strings
                                    Similarity
                                    • API ID: Enum$InfoQueryValue
                                    • String ID: [regsplt]
                                    • API String ID: 3554306468-4262303796
                                    • Opcode ID: 5841badb2ff9825d46e36e26999fd6152bd29a2a307a84bebb93b53298b167be
                                    • Instruction ID: d2130986b24ed572c5287744f6969716810a156cba9fb87d3bcc7fef363a21f2
                                    • Opcode Fuzzy Hash: 5841badb2ff9825d46e36e26999fd6152bd29a2a307a84bebb93b53298b167be
                                    • Instruction Fuzzy Hash: A6513C71900219AADB10EBA1DD81EEFB7BDEF04304F10016AF505F2191EF786B49CBA8
                                    APIs
                                    • _strpbrk.LIBCMT ref: 0044B918
                                    • _free.LIBCMT ref: 0044BA35
                                      • Part of subcall function 00439AA3: IsProcessorFeaturePresent.KERNEL32(00000017,00439A75,?,?,?,?,?,00000000,?,?,00439A95,00000000,00000000,00000000,00000000,00000000), ref: 00439AA5
                                      • Part of subcall function 00439AA3: GetCurrentProcess.KERNEL32(C0000417), ref: 00439AC7
                                      • Part of subcall function 00439AA3: TerminateProcess.KERNEL32(00000000), ref: 00439ACE
                                    Strings
                                    Similarity
                                    • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                    • String ID: *?$.
                                    • API String ID: 2812119850-3972193922
                                    • Opcode ID: 5dfc5c04e88bff774400eef92f9a188e96d7e5ade9dca766e11bbcc0c0b71fd5
                                    • Instruction ID: d7c010aeaec7a8a897f36992f2f7f2874d2ac4fe7d304ea8792e53e8e447d7e7
                                    • Opcode Fuzzy Hash: 5dfc5c04e88bff774400eef92f9a188e96d7e5ade9dca766e11bbcc0c0b71fd5
                                    • Instruction Fuzzy Hash: 9C51C371E002099FEF14DFA9C881AAEB7B5EF48314F24816EE954E7301E779DE018B94
                                    APIs
                                    Strings
                                    Similarity
                                    • API ID: __alloca_probe_16__freea
                                    • String ID: H"G$H"GH"G
                                    • API String ID: 1635606685-3036711414
                                    • Opcode ID: 80076ff913fd6fdf96b59eec9a2e877d4b1c448352c335ccfb263d7e6081886f
                                    • Instruction ID: 3c870ea2fb57449e7c992ce38f4d69c2eab2d9a05dd359c3c94aeedaa7d51697
                                    • Opcode Fuzzy Hash: 80076ff913fd6fdf96b59eec9a2e877d4b1c448352c335ccfb263d7e6081886f
                                    • Instruction Fuzzy Hash: F0411931A00212ABEB219F65CD82A5FB7A1EF45714F54056FF804DB291EBBCDD40879E
                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 0040189E
                                    • ExitThread.KERNEL32 ref: 004018D6
                                    • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00471E78,00000000), ref: 004019E4
                                      • Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B
                                    Strings
                                    Similarity
                                    • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                    • String ID: 8:G
                                    • API String ID: 1649129571-405301104
                                    • Opcode ID: d11932d744bb97d4d23e75232cb79a590d4ec77f01a60ef524a2726dec1169f8
                                    • Instruction ID: 6b8457e9d7ea4966c0dd8dde8758560e0d74fde28bba72e74fe0511dc6260a90
                                    • Opcode Fuzzy Hash: d11932d744bb97d4d23e75232cb79a590d4ec77f01a60ef524a2726dec1169f8
                                    • Instruction Fuzzy Hash: 7941E7325042005BC324FB65DD86EAFB3A9AB84318F40453FF589621F2DF78994ADB5E
                                    APIs
                                    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\HODoCxSdp.exe,00000104), ref: 00440975
                                    • _free.LIBCMT ref: 00440A40
                                    • _free.LIBCMT ref: 00440A4A
                                    Strings
                                    Similarity
                                    • API ID: _free$FileModuleName
                                    • String ID: C:\Users\user\AppData\Roaming\HODoCxSdp.exe
                                    • API String ID: 2506810119-238436932
                                    • Opcode ID: 85438adf96173c680659750e247b8861d1a9ea07739a925f85de7b4b5d9254a8
                                    • Instruction ID: d1e15b597fe779666310b40bee8bd10d15f5dfa451d6ac01ff045fbeec250af7
                                    • Opcode Fuzzy Hash: 85438adf96173c680659750e247b8861d1a9ea07739a925f85de7b4b5d9254a8
                                    • Instruction Fuzzy Hash: CA31C4B1A00318AFEB21DF99D88199EBBF8EF84314F10406BF544A7311E6B48E55CB59
                                    APIs
                                      • Part of subcall function 00412006: RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,00472248,00471FFC), ref: 00412030
                                      • Part of subcall function 00412006: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 0041204B
                                      • Part of subcall function 00412006: RegCloseKey.ADVAPI32(00000000), ref: 00412054
                                      • Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
                                    • _wcslen.LIBCMT ref: 00419744
                                    Strings
                                    Similarity
                                    • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                    • String ID: .exe$program files (x86)\$program files\
                                    • API String ID: 37874593-1203593143
                                    • Opcode ID: 546b0d98d04e059566fa11c86a24e7130a7516f31b9ccb35c8e0da8d0391a80d
                                    • Instruction ID: a7f24a5d9d5c0dc772ada330bc3383911e5a1e9af4e42701afe0c0cb79e45fb3
                                    • Opcode Fuzzy Hash: 546b0d98d04e059566fa11c86a24e7130a7516f31b9ccb35c8e0da8d0391a80d
                                    • Instruction Fuzzy Hash: CB21B872A001046BDF14BAB6DD968FE37AD9E4831CB04057FF405B32D2ED7D8D5942A9
                                    APIs
                                    • CreateThread.KERNEL32(00000000,00000000,00409305,00472008,00000000,00000000), ref: 0040928B
                                    • CreateThread.KERNEL32(00000000,00000000,004092EF,00472008,00000000,00000000), ref: 0040929B
                                    • CreateThread.KERNEL32(00000000,00000000,00409311,00472008,00000000,00000000), ref: 004092A7
                                      • Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                                      • Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F
                                    Strings
                                    Similarity
                                    • API ID: CreateThread$LocalTimewsprintf
                                    • String ID: Offline Keylogger Started
                                    • API String ID: 465354869-4114347211
                                    • Opcode ID: fcb156bf474100ecd8714675bcdacda6a6d505e445d23128ee173ce543fa6834
                                    • Instruction ID: c8e77f7b3f84bd49b91c3d3ae4e8ac846fef78eef7351f53fb2416b9cb49ddb0
                                    • Opcode Fuzzy Hash: fcb156bf474100ecd8714675bcdacda6a6d505e445d23128ee173ce543fa6834
                                    • Instruction Fuzzy Hash: 3211A7A15003083ED210BB669DD6CBB7A5CDA8139CB40057FF845221C3EAB85D19C6FF
                                    APIs
                                      • Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                                      • Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F
                                      • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                    • CreateThread.KERNEL32(00000000,00000000,004092EF,?,00000000,00000000), ref: 00409EB7
                                    • CreateThread.KERNEL32(00000000,00000000,00409311,?,00000000,00000000), ref: 00409EC3
                                    • CreateThread.KERNEL32(00000000,00000000,0040931D,?,00000000,00000000), ref: 00409ECF
                                    Strings
                                    Similarity
                                    • API ID: CreateThread$LocalTime$wsprintf
                                    • String ID: Online Keylogger Started
                                    • API String ID: 112202259-1258561607
                                    • Opcode ID: 3095bb4c8629fd0e670b035ea9b5ccaf12231fc020c32c5bedba700ceaefce21
                                    • Instruction ID: 28bbfba120e67fe9302c314101e9d6be38f8a9d2e5fa49f3fb55d6307d966583
                                    • Opcode Fuzzy Hash: 3095bb4c8629fd0e670b035ea9b5ccaf12231fc020c32c5bedba700ceaefce21
                                    • Instruction Fuzzy Hash: 7F01C4A0A042083AE62076768CD6DBF7A6CCA92398B40047FFA45221C3D9B85C5586FE
                                    APIs
                                    • GetLocalTime.KERNEL32(?), ref: 00404F61
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FAD
                                    • CreateThread.KERNEL32(00000000,00000000,00405130,?,00000000,00000000), ref: 00404FC0
                                    Strings
                                    • Connection KeepAlive | Enabled | Timeout: , xrefs: 00404F74
                                    Similarity
                                    • API ID: Create$EventLocalThreadTime
                                    • String ID: Connection KeepAlive | Enabled | Timeout:
                                    • API String ID: 2532271599-507513762
                                    • Opcode ID: ecde6dd8490a4419ba9d8f450afdef6f270760df43025f419a01a865904151c8
                                    • Instruction ID: 3880ceca910d84d0b9b3d3001f949c19a9d90d4f91ad2e0c59d2668d569340f7
                                    • Opcode Fuzzy Hash: ecde6dd8490a4419ba9d8f450afdef6f270760df43025f419a01a865904151c8
                                    • Instruction Fuzzy Hash: 4F1127719002806AC720BB769C0DE9B7FA89BD2714F44056FF44123281D6B89445CBBA
                                    APIs
                                    • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData,?,00000000,00406039,?), ref: 00406090
                                    • GetProcAddress.KERNEL32(00000000), ref: 00406097
                                    Strings
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: CryptUnprotectData$crypt32
                                    • API String ID: 2574300362-2380590389
                                    • Opcode ID: f0fa7d81e448b8e45dda707d186e5b4dbadcbde3f04206e46648964c8c5bf07c
                                    • Instruction ID: 6e7317174224a8efb10ab03f2076fe60a9434866ae70ffeafd7cb5b8c28562e1
                                    • Opcode Fuzzy Hash: f0fa7d81e448b8e45dda707d186e5b4dbadcbde3f04206e46648964c8c5bf07c
                                    • Instruction Fuzzy Hash: C801F535A04205ABCF18CFA9D8049ABBBB8AB54300F00427FE956E3380D635D904C794
                                    APIs
                                    • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405139), ref: 00405153
                                    • CloseHandle.KERNEL32(?), ref: 004051AA
                                    • SetEvent.KERNEL32(?), ref: 004051B9
                                    Strings
                                    Similarity
                                    • API ID: CloseEventHandleObjectSingleWait
                                    • String ID: Connection Timeout
                                    • API String ID: 2055531096-499159329
                                    • Opcode ID: 69bf4708d5eac36444cb13c7d4d8205934b4ecb8f60f6f16827c1b7745a6238b
                                    • Instruction ID: 59ae86e236e2a5bc5991cc3fd82f69d26eb1b9a4ba12329ef82c58e56ff8d0a2
                                    • Opcode Fuzzy Hash: 69bf4708d5eac36444cb13c7d4d8205934b4ecb8f60f6f16827c1b7745a6238b
                                    • Instruction Fuzzy Hash: F901F531A40F40AFE711BB368C4551B7BD4FF01302704097FE19356AA1D6B89800CF49
                                    APIs
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040D25E
                                    Strings
                                    Similarity
                                    • API ID: Exception@8Throw
                                    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                    • API String ID: 2005118841-1866435925
                                    • Opcode ID: 07dcd5cdd291a6416836d0c86817599069bcc3367b78dc6d1ec70403740c8f80
                                    • Instruction ID: 5123bbd1fc4d669f1c4d6c1cc045f4f856aea5ad0ec182f95f4946492138bf11
                                    • Opcode Fuzzy Hash: 07dcd5cdd291a6416836d0c86817599069bcc3367b78dc6d1ec70403740c8f80
                                    • Instruction Fuzzy Hash: 0401A261E44208BAD714EAD1C853FBA73689B64705F10806FB911751C2EA7DAA4E862F
                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
                                    • RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00412128
                                    Strings
                                    Similarity
                                    • API ID: CloseOpenQueryValue
                                    • String ID: origmsc
                                    • API String ID: 3677997916-68016026
                                    • Opcode ID: d40fef656c83bcaf339f4d5c80b35c3f5e3dd6ef5f24df27a21155112b999244
                                    • Instruction ID: 61f3e32b1c93232b19bf4a4cc48abe95026028d342b1827e6ec6edb2467bbf34
                                    • Opcode Fuzzy Hash: d40fef656c83bcaf339f4d5c80b35c3f5e3dd6ef5f24df27a21155112b999244
                                    • Instruction Fuzzy Hash: 4C014B31800229BBCF219F91DC49DEB7F29EF05761F0141A5BE08A2161D63589BADBA4
                                    APIs
                                    • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041487B
                                    Strings
                                    Similarity
                                    • API ID: ExecuteShell
                                    • String ID: /C $cmd.exe$open
                                    • API String ID: 587946157-3896048727
                                    • Opcode ID: e8ae4e63c9dc0d6232b12cfcea10d76e3d0f37ee2c59ec5f687c9fc8ea61ff61
                                    • Instruction ID: 0094db9d050c86e8b7efcb7c1e993d1de0046a6f7675c6b5aa1ef49a358ded74
                                    • Opcode Fuzzy Hash: e8ae4e63c9dc0d6232b12cfcea10d76e3d0f37ee2c59ec5f687c9fc8ea61ff61
                                    • Instruction Fuzzy Hash: 8FF017712083049BC304FBB5DC91DEFB39CAB90348F50493FB556921E2EE789949C65A
                                    APIs
                                    • RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,00472248,00471FFC), ref: 00412030
                                    • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 0041204B
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00412054
                                    Strings
                                    • http\shell\open\command, xrefs: 00412026
                                    Similarity
                                    • API ID: CloseOpenQueryValue
                                    • String ID: http\shell\open\command
                                    APIs
                                    • RegCreateKeyW.ADVAPI32(80000001,Software\Classes\mscfile\shell\open\command,0046FB08), ref: 0041220F
                                    • RegSetValueExW.ADVAPI32(0046FB08,00469654,00000000,00000000,00000000,00000000,00469654,?,80000001,?,0040674F,00469654,0046FB08), ref: 0041223E
                                    • RegCloseKey.ADVAPI32(0046FB08,?,80000001,?,0040674F,00469654,0046FB08), ref: 00412249
                                    Strings
                                    • Software\Classes\mscfile\shell\open\command, xrefs: 0041220D
                                    Similarity
                                    • API ID: CloseCreateValue
                                    • String ID: Software\Classes\mscfile\shell\open\command
                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0040C9D9
                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CA18
                                      • Part of subcall function 004333ED: _Yarn.LIBCPMT ref: 0043340C
                                      • Part of subcall function 004333ED: _Yarn.LIBCPMT ref: 00433430
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CA3E
                                    Similarity
                                    • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                    • String ID: bad locale name
                                    APIs
                                    • RegCreateKeyA.ADVAPI32(80000001,00000000,P0F), ref: 00412276
                                    • RegSetValueExA.ADVAPI32(P0F,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 00412291
                                    • RegCloseKey.ADVAPI32(?,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 0041229C
                                    Similarity
                                    • API ID: CloseCreateValue
                                    • String ID: P0F
                                    APIs
                                    • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 004013FC
                                    • GetProcAddress.KERNEL32(00000000), ref: 00401403
                                    Similarity
                                    • API ID: AddressHandleModuleProc
                                    • String ID: GetCursorInfo$User32.dll
                                    APIs
                                    • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014A1
                                    • GetProcAddress.KERNEL32(00000000), ref: 004014A8
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: GetLastInputInfo$User32.dll
                                    Similarity
                                    • API ID: __alldvrm$_strrchr
                                    APIs
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00471EE8), ref: 00404D93
                                    • CreateThread.KERNEL32(00000000,00000000,?,00471E90,00000000,00000000), ref: 00404DA7
                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 00404DB2
                                    • CloseHandle.KERNEL32(?,?,00000000), ref: 00404DBB
                                    • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                    Strings
                                    • [Cleared browsers logins and cookies.], xrefs: 0040B025
                                    • Cleared browsers logins and cookies., xrefs: 0040B036
                                    • API ID: Sleep
                                    • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                    APIs
                                      • Part of subcall function 004120E8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
                                      • Part of subcall function 004120E8: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
                                      • Part of subcall function 004120E8: RegCloseKey.ADVAPI32(00000000), ref: 00412128
                                    • Sleep.KERNEL32(00000BB8), ref: 004111DF
                                    • API ID: CloseOpenQuerySleepValue
                                    • String ID: H"G$exepath$!G
                                    APIs
                                      • Part of subcall function 0041A2DB: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A2EB
                                      • Part of subcall function 0041A2DB: GetWindowTextLengthW.USER32(00000000), ref: 0041A2F4
                                      • Part of subcall function 0041A2DB: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041A31E
                                    • Sleep.KERNEL32(000001F4), ref: 0040955A
                                    • Sleep.KERNEL32(00000064), ref: 004095F5
                                    • API ID: Window$SleepText$ForegroundLength
                                    • String ID: [ $ ]
                                    APIs
                                    • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                                    • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A23C
                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A261
                                    • CloseHandle.KERNEL32(00000000,?,00000000,0040410F,00462E24), ref: 0041A26F
                                    • API ID: File$CloseCreateHandleReadSize
                                    APIs
                                    • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00436CD1
                                    • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00436CD6
                                    • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00436CDB
                                      • Part of subcall function 004381DA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004381EB
                                    • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00436CF0
                                    • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                    APIs
                                    • __startOneArgErrorHandling.LIBCMT ref: 004401ED
                                    • API ID: ErrorHandling__start
                                    • String ID: pow
                                    APIs
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404046
                                      • Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980
                                      • Part of subcall function 004168A6: CloseHandle.KERNEL32(004040D5,?,?,004040D5,00462E24), ref: 004168BC
                                      • Part of subcall function 004168A6: CloseHandle.KERNEL32($.F,?,?,004040D5,00462E24), ref: 004168C5
                                      • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                                    • Sleep.KERNEL32(000000FA,00462E24), ref: 00404118
                                    Strings
                                    • /sort "Visit Time" /stext ", xrefs: 00404092
                                    • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                    • String ID: /sort "Visit Time" /stext "
                                    APIs
                                      • Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B
                                    • __Init_thread_footer.LIBCMT ref: 0040A6E3
                                    • API ID: Init_thread_footer__onexit
                                    • String ID: [End of clipboard]$[Text copied to clipboard]
                                    APIs
                                    • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0044EF72,?,00000050,?,?,?,?,?), ref: 0044EDF2
                                    • String ID: ACP$OCP
                                    APIs
                                    • GetWindowTextW.USER32(?,?,0000012C), ref: 00415B2E
                                    • IsWindowVisible.USER32(?), ref: 00415B37
                                    • API ID: Window$TextVisible
                                    • String ID: (%G
                                    APIs
                                    • GetLocalTime.KERNEL32(?,004724A8,?,00000000,?,?,?,?,?,?,004146C2,?,00000001,0000004C,00000000), ref: 00405010
                                      • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                    • GetLocalTime.KERNEL32(?,004724A8,?,00000000,?,?,?,?,?,?,004146C2,?,00000001,0000004C,00000000), ref: 00405067
                                    Strings
                                    • Connection KeepAlive | Enabled | Timeout: , xrefs: 00404FFF
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: LocalTime
                                    • String ID: Connection KeepAlive | Enabled | Timeout:
                                    • API String ID: 481472006-507513762
                                    • Opcode ID: db71296423f5ae0c940390bca2fe76bdaa24d7f5692d89ec5d6dad89ab0214d4
                                    • Instruction ID: 0beb7a88d254a358a963561f9d97893b624dd36ca90e96b80d49a5b3b1f878f3
                                    • Opcode Fuzzy Hash: db71296423f5ae0c940390bca2fe76bdaa24d7f5692d89ec5d6dad89ab0214d4
                                    • Instruction Fuzzy Hash: 092137719042406BD304B7219D2976F7794A745308F04047EF845132E2DBBD5988CB9F
                                    APIs
                                    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00432D8F
                                    • ___raise_securityfailure.LIBCMT ref: 00432E76
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: FeaturePresentProcessor___raise_securityfailure
                                    • String ID: (F
                                    • API String ID: 3761405300-3109638091
                                    • Opcode ID: 8d70a3cd03553c2d68efa77227729d50617932ca87f7888c32547dfbcc783ade
                                    • Instruction ID: 494dc9d0fce29d31cb3ef34e393fed80e8221b4646dfbf54f91bf1ae82b1ca01
                                    • Opcode Fuzzy Hash: 8d70a3cd03553c2d68efa77227729d50617932ca87f7888c32547dfbcc783ade
                                    • Instruction Fuzzy Hash: 8C21F0BD500205DEE700DF16E9856403BE4BB49314F20943AE9088B3A1F3F669918F9F
                                    APIs
                                    • GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: LocalTime
                                    • String ID: | $%02i:%02i:%02i:%03i
                                    • API String ID: 481472006-2430845779
                                    • Opcode ID: 3ac86647c9e14ca6f93bd036f528b1de7b867f3a903355216a00816ff0bb3ae2
                                    • Instruction ID: bce8772fa89f7f7ff9e68bb522557632f538b64cb503c22793e2f51f4d03e72f
                                    • Opcode Fuzzy Hash: 3ac86647c9e14ca6f93bd036f528b1de7b867f3a903355216a00816ff0bb3ae2
                                    • Instruction Fuzzy Hash: 68117F315042015AC304FBA5D8518EBB3E8AB94308F500A3FF895A21E2FF3CDA49C65A
                                    APIs
                                    • PathFileExistsW.SHLWAPI(00000000,00000000,?,?,?,?,?,00415594,00000000), ref: 00418CF2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExistsFilePath
                                    • String ID: alarm.wav$x(G
                                    • API String ID: 1174141254-2413638199
                                    • Opcode ID: 26c40b3e06d19070c32931467931773a754d599fffa5f8131170b201d030b6b4
                                    • Instruction ID: fe962266bcbe9b481af3baecc2186877703bd5259ecc619923a55b1e0e4c82aa
                                    • Opcode Fuzzy Hash: 26c40b3e06d19070c32931467931773a754d599fffa5f8131170b201d030b6b4
                                    • Instruction Fuzzy Hash: 40019270B0430056C604F7A6E9566EE37958BA1358F00857FA849672E2EEBD4D45C6CF
                                    APIs
                                      • Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                                      • Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F
                                      • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                    • CloseHandle.KERNEL32(?), ref: 00409FFD
                                    • UnhookWindowsHookEx.USER32 ref: 0040A010
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                    • String ID: Online Keylogger Stopped
                                    • API String ID: 1623830855-1496645233
                                    • Opcode ID: 844159523aa59948fae8112936e3b7164414e1ec4be296e67346653cf839bcc0
                                    • Instruction ID: de94d33b988dbd75262e40483fa5bc1fa77a380ea8b62c1163629748a83ca489
                                    • Opcode Fuzzy Hash: 844159523aa59948fae8112936e3b7164414e1ec4be296e67346653cf839bcc0
                                    • Instruction Fuzzy Hash: 2601F530A003045BD7257F24C81BBBE7BB59B82304F40056FE541225D2EAB91866E7DF
                                    APIs
                                    • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000,?,?,?,?,?,?,0040B5A1), ref: 0040B49A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExistsFilePath
                                    • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                    • API String ID: 1174141254-2800177040
                                    • Opcode ID: e6d86c904460ed95f93b6480c1b29343ffc8ef0317c86cf59c19c4bf9a903d1b
                                    • Instruction ID: 5821409638838460856efc798fa08f59aead72c028a5ec3eaf808f19191aee33
                                    • Opcode Fuzzy Hash: e6d86c904460ed95f93b6480c1b29343ffc8ef0317c86cf59c19c4bf9a903d1b
                                    • Instruction Fuzzy Hash: CBF0547090021996CA04FBA6CC57DFF7B6CDA10715B40057FBA01721D3EEBC9E5586D9
                                    APIs
                                    • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000,?,?,?,?,?,?,0040B53E), ref: 0040B437
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExistsFilePath
                                    • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                    • API String ID: 1174141254-4188645398
                                    • Opcode ID: 3eb312a051bd7b3e881279eab24470592b62138a753e29912da0ff6a2ccc73a2
                                    • Instruction ID: 3f8b084fd7c06795b4d0fa8893062b22b44e731770192fac0e06baefb29df0f7
                                    • Opcode Fuzzy Hash: 3eb312a051bd7b3e881279eab24470592b62138a753e29912da0ff6a2ccc73a2
                                    • Instruction Fuzzy Hash: 3DF08970A0021996CA04FBA6DC479FF7B6CDA10715B40007F7A01721D3EEBC9E498ADD
                                    APIs
                                    • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000,?,?,?,?,?,?,0040B604), ref: 0040B4FD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExistsFilePath
                                    • String ID: AppData$\Opera Software\Opera Stable\
                                    • API String ID: 1174141254-1629609700
                                    • Opcode ID: 642841fccc908c774798103d59d1a545af8806a5893841e3456303e80930f048
                                    • Instruction ID: 52471f63f703214977655dbdffc05bc1b666495b4e4508f2cd1aa44db4b955b6
                                    • Opcode Fuzzy Hash: 642841fccc908c774798103d59d1a545af8806a5893841e3456303e80930f048
                                    • Instruction Fuzzy Hash: 2AF05430900219A6C604FBA6CC479EF7B6C9A50709B40047FB901722D3EEB99A4586DD
                                    APIs
                                    • GetKeyState.USER32(00000011), ref: 0040A597
                                      • Part of subcall function 00409468: GetForegroundWindow.USER32 ref: 0040949C
                                      • Part of subcall function 00409468: GetWindowThreadProcessId.USER32(00000000,?), ref: 004094A7
                                      • Part of subcall function 00409468: GetKeyboardLayout.USER32(00000000), ref: 004094AE
                                      • Part of subcall function 00409468: GetKeyState.USER32(00000010), ref: 004094B8
                                      • Part of subcall function 00409468: GetKeyboardState.USER32(?), ref: 004094C5
                                      • Part of subcall function 00409468: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 004094E1
                                      • Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: State$KeyboardWindow$EventForegroundLayoutProcessThreadUnicode
                                    • String ID: [AltL]$[AltR]
                                    • API String ID: 3195419117-2658077756
                                    • Opcode ID: 93bc4c82374cea9adc1be0e1e00b15a6865a0a166cb0b06a72cbb1eb968038fe
                                    • Instruction ID: 29e442ca109236f59d068076b5b59df2bd5c1a98fb0e5871b2f0b43888bf59e1
                                    • Opcode Fuzzy Hash: 93bc4c82374cea9adc1be0e1e00b15a6865a0a166cb0b06a72cbb1eb968038fe
                                    • Instruction Fuzzy Hash: E0E0E52170432026C828363E2D2B6AE39109741761B80006FF8436B2C6EC7E8D1043CF
                                    APIs
                                    • GetKeyState.USER32(00000012), ref: 0040A5F1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: State
                                    • String ID: [CtrlL]$[CtrlR]
                                    • API String ID: 1649606143-2446555240
                                    • Opcode ID: 32d4ed10a71edebd33ac4b48b63deb44ff05106530e36cbcea7ee1510555eeab
                                    • Instruction ID: c9b4056729f6320a31326482d9effdd17bd0eb8d0dea22e3f8a852eb4ad5c27f
                                    • Opcode Fuzzy Hash: 32d4ed10a71edebd33ac4b48b63deb44ff05106530e36cbcea7ee1510555eeab
                                    • Instruction Fuzzy Hash: 53E02672B043112AC414397E551EA2A286087917A9F46042FECC3672C3D87F8D2203CF
                                    APIs
                                    • RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,00000002,00000000,80000001,6h@,004123E9,00000000,00000000,6h@,origmsc,00000000), ref: 00412422
                                    • RegDeleteValueW.ADVAPI32(?,?), ref: 00412436
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: DeleteOpenValue
                                    • String ID: 6h@
                                    • API String ID: 2654517830-73392143
                                    • Opcode ID: 45be350e15fffb6ae5252e7309d7a4a092feaea6bf63e3a5136c94c60f555a57
                                    • Instruction ID: b623b948bfdfa0337ccefb4abe002260ff2e01b184ebd3416e4b53d264740477
                                    • Opcode Fuzzy Hash: 45be350e15fffb6ae5252e7309d7a4a092feaea6bf63e3a5136c94c60f555a57
                                    • Instruction Fuzzy Hash: 9BE0C231244208BBDF108F71DE07FFA372CDB01F01F5042A5BD0592091C666CE149664
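The blocks above are what a triager would pull out of this report by hand: PathFileExistsW against "\AppData\Local\Google\Chrome\", "\AppData\Local\Microsoft\Edge\" and "\Opera Software\Opera Stable\" (the browser-profile probing behind the "steal Chrome passwords or cookies" signature), GetKeyState/GetKeyboardState/ToUnicodeEx with the "[AltL]", "[CtrlL]" and "Online Keylogger Stopped" strings (the keylogger), and RegOpenKeyExW on HKEY_CURRENT_USER (0x80000001) with KEY_SET_VALUE (0x2) followed by RegDeleteValueW (removal of a value under HKCU). As an added example that is not part of this Joe Sandbox report or of the sample's own code, the script below parses function-analysis blocks in exactly the text format shown on this page and tags them with such rules, so the same pass can be run over the full dump instead of reading it block by block. SAMPLE is a trimmed copy of four blocks from this page; the rule sets, the thresholds and the tag names are my own choices.

```python
"""Triage Joe Sandbox 'Function Analysis' blocks by capability.

Added example, not part of this report or of the sample: it parses blocks in
the format shown above (each starts with an 'APIs' line) and tags them with
hand-written capability rules.  SAMPLE is a trimmed copy of four blocks from
this page; the rules, thresholds and tag names are my own choices.
"""
import re
from dataclasses import dataclass, field

SAMPLE = r"""
APIs
  • Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
• CloseHandle.KERNEL32(?), ref: 00409FFD
• UnhookWindowsHookEx.USER32 ref: 0040A010
Strings
Similarity
• String ID: Online Keylogger Stopped
• Opcode ID: 844159523aa59948fae8112936e3b7164414e1ec4be296e67346653cf839bcc0
APIs
• PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000,?,?,?,?,?,?,0040B53E), ref: 0040B437
Similarity
• String ID: UserProfile$\AppData\Local\Google\Chrome\
• Opcode ID: 3eb312a051bd7b3e881279eab24470592b62138a753e29912da0ff6a2ccc73a2
APIs
• GetKeyState.USER32(00000012), ref: 0040A5F1
Similarity
• String ID: [CtrlL]$[CtrlR]
• Opcode ID: 32d4ed10a71edebd33ac4b48b63deb44ff05106530e36cbcea7ee1510555eeab
APIs
• RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,00000002,00000000,80000001,6h@,004123E9,00000000,00000000,6h@,origmsc,00000000), ref: 00412422
• RegDeleteValueW.ADVAPI32(?,?), ref: 00412436
Similarity
• String ID: 6h@
• Opcode ID: 45be350e15fffb6ae5252e7309d7a4a092feaea6bf63e3a5136c94c60f555a57
"""

SECTION_HEADERS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
                   "Yara matches", "Similarity"}
# '• Name.MODULE(...)' or '• Part of subcall function XXXXXXXX: Name.MODULE ...'
API_RE = re.compile(r"•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?(\w+)\.([A-Z0-9]+)")
KEYLOG_APIS = {"GetKeyState", "GetKeyboardState", "GetKeyboardLayout", "ToUnicodeEx",
               "SetWindowsHookExW", "UnhookWindowsHookEx"}
KEYLOG_STR_RE = re.compile(r"Keylogger|\[(?:Ctrl|Alt|Shift)[LR]\]")
BROWSER_MARKERS = ("Chrome", "Edge", "Opera", "Mozilla", "Firefox")

@dataclass
class FuncBlock:
    apis: set = field(default_factory=set)       # called directly by the function
    sub_apis: set = field(default_factory=set)   # reached through 'Part of subcall function'
    strings: list = field(default_factory=list)  # the '$'-separated 'String ID' entries
    opcode_id: str = ""

def parse_blocks(text):
    """Split the dump into FuncBlock records, one per 'APIs' header."""
    blocks, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur, section = FuncBlock(), "APIs"
            blocks.append(cur)
        elif cur is None:
            continue
        elif line in SECTION_HEADERS:
            section = line
        elif section == "APIs":
            m = API_RE.search(line)
            if m:
                (cur.sub_apis if "Part of subcall" in line else cur.apis).add(m.group(1))
        elif line.startswith("• String ID:"):
            cur.strings = [s for s in line.split(":", 1)[1].strip().split("$") if s]
        elif line.startswith("• Opcode ID:"):
            cur.opcode_id = line.split(":", 1)[1].strip()
    return blocks

def classify(block):
    """Return capability tags for one function; the rules are deliberately simple."""
    tags, apis = [], block.apis | block.sub_apis
    if len(apis & KEYLOG_APIS) >= 2 or any(KEYLOG_STR_RE.search(s) for s in block.strings):
        tags.append("keylogger")
    if "PathFileExistsW" in apis and any(m in s for s in block.strings for m in BROWSER_MARKERS):
        tags.append("browser-profile-probe")
    if {"RegOpenKeyExW", "RegDeleteValueW"} <= apis:
        tags.append("registry-value-delete")
    return tags

def triage(text):
    """Map truncated Opcode IDs to tags, keeping only functions that hit a rule."""
    hits = {}
    for block in parse_blocks(text):
        tags = classify(block)
        if tags:
            hits[block.opcode_id[:12]] = tags
    return hits

if __name__ == "__main__":
    for opcode_id, tags in triage(SAMPLE).items():
        print(opcode_id, ", ".join(tags))
```

The Opcode ID is used as the key because it is the only stable per-function identifier in these blocks; the "ref:" addresses belong to this unpacked image at 0x400000 and shift between dumps. Subcall APIs are kept separate from direct ones so a rule can insist on a direct call when that matters.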
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D35), ref: 0043B4DB
                                    • GetLastError.KERNEL32 ref: 0043B4E9
                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043B544
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharMultiWide$ErrorLast
                                    • String ID:
                                    • API String ID: 1717984340-0
                                    • Opcode ID: b03ae9dac27993159e2f076845c08d8301cee77c5f079c52009939e8645c9409
                                    • Instruction ID: 0ecaebee41cb6558e50c6262f5020644a21471e748dd5a13caac6b8f2b864e38
                                    • Opcode Fuzzy Hash: b03ae9dac27993159e2f076845c08d8301cee77c5f079c52009939e8645c9409
                                    • Instruction Fuzzy Hash: AD411630600205BFDB229F65D844B6B7BB4EF09328F14516EFA59AB3A1DB38CD01C799
                                    APIs
                                    • IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00410955), ref: 004105F1
                                    • IsBadReadPtr.KERNEL32(?,00000014,00410955), ref: 004106BD
                                    • SetLastError.KERNEL32(0000007F), ref: 004106DF
                                    • SetLastError.KERNEL32(0000007E,00410955), ref: 004106F6
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.2196279495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_14_2_400000_HODoCxSdp.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLastRead
                                    • String ID:
                                    • API String ID: 4100373531-0
                                    • Opcode ID: 9879e5f97f9034714067de51e7f9b75c8f83f84791738768acf52853c1cf03dd
                                    • Instruction ID: 0e21605053d2ba8273329305491efaf700724209343246308e891da9604144dc
                                    • Opcode Fuzzy Hash: 9879e5f97f9034714067de51e7f9b75c8f83f84791738768acf52853c1cf03dd
                                    • Instruction Fuzzy Hash: 73417C71644305DFE7208F18DC84BA7B7E4FF88714F00442EE54687691EBB5E8A5CB19
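The last block is worth a second look: IsBadReadPtr is called with a size of 0x14, which is sizeof(IMAGE_IMPORT_DESCRIPTOR), and the two SetLastError values are 0x7E (ERROR_MOD_NOT_FOUND) and 0x7F (ERROR_PROC_NOT_FOUND). That combination is the shape of a hand-rolled import resolver, the kind an in-memory PE loader uses instead of letting the Windows loader fix up imports. The report does not name the function, so this is an inference to confirm in the disassembly, not something the listing states. As an added example that is not the sample's code, the walker below models such a resolver over a constructed 32-bit import table; the RVAs, the export map with its addresses and the bounds check standing in for IsBadReadPtr are assumptions made for the example.

```python
"""Model of a manual PE import resolver (added example, not the sample's code).

The function above checks 0x14-byte records with IsBadReadPtr and sets
ERROR_MOD_NOT_FOUND (0x7E) / ERROR_PROC_NOT_FOUND (0x7F); that is the shape
of code that walks IMAGE_IMPORT_DESCRIPTOR entries itself.  This walker does
the same over a constructed 32-bit import table.  Layout RVAs, the export
map and the 'readable' check are assumptions made for the example.
"""
import struct

# IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
IMPORT_DESCRIPTOR = struct.Struct("<IIIII")
assert IMPORT_DESCRIPTOR.size == 0x14          # the size passed to IsBadReadPtr above
ERROR_MOD_NOT_FOUND = 0x7E
ERROR_PROC_NOT_FOUND = 0x7F
IMAGE_ORDINAL_FLAG32 = 0x80000000

# Stand-in for the loaded modules' export tables (hypothetical addresses).
EXPORTS = {
    "kernel32.dll": {"GetLocalTime": 0x7FF00010},
    "user32.dll": {"GetKeyState": 0x7FF10020},
}

def readable(image, rva, size):
    """Bounds check standing in for IsBadReadPtr(ptr, size) on a mapped image."""
    return 0 <= rva and rva + size <= len(image)

def cstr(image, rva):
    """Read a NUL-terminated ASCII string at rva."""
    return image[rva:image.index(b"\0", rva)].decode("ascii")

def resolve_imports(image, import_dir_rva, exports):
    """Walk the import table; return (resolved {(dll, func): addr}, last_error)."""
    resolved, rva = {}, import_dir_rva
    while True:
        if not readable(image, rva, IMPORT_DESCRIPTOR.size):
            raise ValueError("import descriptor outside image")  # my choice for an unreadable record
        oft, _ts, _fwd, name_rva, ft = IMPORT_DESCRIPTOR.unpack_from(image, rva)
        if name_rva == 0 and ft == 0:              # all-zero descriptor terminates the table
            return resolved, 0
        dll = cstr(image, name_rva)
        module = exports.get(dll.lower())
        if module is None:
            return resolved, ERROR_MOD_NOT_FOUND   # the SetLastError(0x7E) path
        thunk = oft or ft                          # prefer the import name table
        while True:
            entry, = struct.unpack_from("<I", image, thunk)
            if entry == 0:
                break
            # Ordinal import: low 16 bits; name import: RVA of IMAGE_IMPORT_BY_NAME (u16 Hint + name)
            key = entry & 0xFFFF if entry & IMAGE_ORDINAL_FLAG32 else cstr(image, entry + 2)
            if key not in module:
                return resolved, ERROR_PROC_NOT_FOUND  # the SetLastError(0x7F) path
            resolved[(dll, key)] = module[key]
            thunk += 4
        rva += IMPORT_DESCRIPTOR.size

def build_sample_image():
    """Constructed 32-bit import table: KERNEL32!GetLocalTime and USER32!GetKeyState."""
    img = bytearray(0x200)
    desc, names, thunks, hints = 0x100, 0x140, 0x160, 0x180   # arbitrary RVAs
    img[names:names + 13] = b"KERNEL32.dll\0"
    img[names + 0x10:names + 0x1B] = b"USER32.dll\0"
    img[hints:hints + 15] = b"\0\0GetLocalTime\0"             # Hint=0, then the name
    img[hints + 0x10:hints + 0x1E] = b"\0\0GetKeyState\0"
    struct.pack_into("<II", img, thunks, hints, 0)             # name table + terminator
    struct.pack_into("<II", img, thunks + 0x10, hints + 0x10, 0)
    IMPORT_DESCRIPTOR.pack_into(img, desc, thunks, 0, 0, names, thunks)
    IMPORT_DESCRIPTOR.pack_into(img, desc + 0x14, thunks + 0x10, 0, 0, names + 0x10, thunks + 0x10)
    return bytes(img), desc                                    # third descriptor stays all-zero

if __name__ == "__main__":
    image, import_dir = build_sample_image()
    print(resolve_imports(image, import_dir, EXPORTS))
```

The two error paths are what make this pattern recognisable in a listing: a loader that cannot find a module sets 0x7E and one that finds the module but not the export sets 0x7F, in the same order the sample does. If the disassembly confirms it, the function is part of the sample's own loader rather than CRT code, and the data it resolves (which DLLs and which names) tells you what the next stage needs.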