Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
HSBC Payment Swift Copy.exe

Overview

General Information

Sample name:HSBC Payment Swift Copy.exe
Analysis ID:1544526
MD5:fa638e5dcb26f16f0c960ed10f387782
SHA1:85fefdf55321e998f93ebb52c63c275863e14e21
SHA256:4aa7d5055d37293efea2b6d715e655f07f3b153f31651278c7576575e7247769
Tags:exeuser-adrian__luca
Infos:

Detection

Remcos
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • HSBC Payment Swift Copy.exe (PID: 7416 cmdline: "C:\Users\user\Desktop\HSBC Payment Swift Copy.exe" MD5: FA638E5DCB26F16F0C960ED10F387782)
    • powershell.exe (PID: 7676 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HSBC Payment Swift Copy.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7696 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yVSkoplfDgy.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 8140 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7760 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVSkoplfDgy" /XML "C:\Users\user\AppData\Local\Temp\tmp5D45.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • HSBC Payment Swift Copy.exe (PID: 7992 cmdline: "C:\Users\user\Desktop\HSBC Payment Swift Copy.exe" MD5: FA638E5DCB26F16F0C960ED10F387782)
  • yVSkoplfDgy.exe (PID: 8048 cmdline: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exe MD5: FA638E5DCB26F16F0C960ED10F387782)
    • schtasks.exe (PID: 6920 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVSkoplfDgy" /XML "C:\Users\user\AppData\Local\Temp\tmp6CC6.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 1528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • yVSkoplfDgy.exe (PID: 4600 cmdline: "C:\Users\user\AppData\Roaming\yVSkoplfDgy.exe" MD5: FA638E5DCB26F16F0C960ED10F387782)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Remcos, RemcosRATRemcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["00.dynamic-dns.net:2195:1"], "Assigned name": "TEEWIRE10/27/24", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Rmc-ISGDIO", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100"}

Yara Signatures

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\ProgramData\remcos\logs.datJoeSecurity_RemcosYara detected Remcos RATJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    0000000A.00000002.3757629945.0000000001567000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_RemcosYara detected Remcos RATJoe Security
      0000000A.00000002.3762660229.000000000328F000.00000004.00000010.00020000.00000000.sdmpJoeSecurity_RemcosYara detected Remcos RATJoe Security
        00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_RemcosYara detected Remcos RATJoe Security
          00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmpWindows_Trojan_Remcos_b296e965unknownunknown
          • 0x691e0:$a1: Remcos restarted by watchdog!
          • 0x69738:$a3: %02i:%02i:%02i:%03i
          • 0x69abd:$a4: * Remcos v
          00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmpREMCOS_RAT_variantsunknownunknown
          • 0x641e4:$str_a1: C:\Windows\System32\cmd.exe
          • 0x64160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
          • 0x64160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
          • 0x63610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
          • 0x63e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
          • 0x6320c:$str_b2: Executing file:
          • 0x64328:$str_b3: GetDirectListeningPort
          • 0x63c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
          • 0x63e30:$str_b7: \update.vbs
          • 0x63234:$str_b9: Downloaded file:
          • 0x63220:$str_b10: Downloading file:
          • 0x632c4:$str_b12: Failed to upload file:
          • 0x642f0:$str_b13: StartForward
          • 0x64310:$str_b14: StopForward
          • 0x63dd8:$str_b15: fso.DeleteFile "
          • 0x63d6c:$str_b16: On Error Resume Next
          • 0x63e08:$str_b17: fso.DeleteFolder "
          • 0x632b4:$str_b18: Uploaded file:
          • 0x63274:$str_b19: Unable to delete:
          • 0x63da0:$str_b20: while fso.FileExists("
          • 0x63749:$str_c0: [Firefox StoredLogins not found]
          Click to see the 15 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          0.2.HSBC Payment Swift Copy.exe.48be830.0.unpackJoeSecurity_RemcosYara detected Remcos RATJoe Security
            0.2.HSBC Payment Swift Copy.exe.48be830.0.unpackWindows_Trojan_Remcos_b296e965unknownunknown
            • 0x661e0:$a1: Remcos restarted by watchdog!
            • 0x66738:$a3: %02i:%02i:%02i:%03i
            • 0x66abd:$a4: * Remcos v
            0.2.HSBC Payment Swift Copy.exe.48be830.0.unpackREMCOS_RAT_variantsunknownunknown
            • 0x611e4:$str_a1: C:\Windows\System32\cmd.exe
            • 0x61160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
            • 0x61160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
            • 0x60610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
            • 0x60e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
            • 0x6020c:$str_b2: Executing file:
            • 0x61328:$str_b3: GetDirectListeningPort
            • 0x60c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
            • 0x60e30:$str_b7: \update.vbs
            • 0x60234:$str_b9: Downloaded file:
            • 0x60220:$str_b10: Downloading file:
            • 0x602c4:$str_b12: Failed to upload file:
            • 0x612f0:$str_b13: StartForward
            • 0x61310:$str_b14: StopForward
            • 0x60dd8:$str_b15: fso.DeleteFile "
            • 0x60d6c:$str_b16: On Error Resume Next
            • 0x60e08:$str_b17: fso.DeleteFolder "
            • 0x602b4:$str_b18: Uploaded file:
            • 0x60274:$str_b19: Unable to delete:
            • 0x60da0:$str_b20: while fso.FileExists("
            • 0x60749:$str_c0: [Firefox StoredLogins not found]
            0.2.HSBC Payment Swift Copy.exe.48be830.0.unpackINDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewerdetects Windows exceutables potentially bypassing UAC using eventvwr.exeditekSHen
            • 0x60100:$s1: \Classes\mscfile\shell\open\command
            • 0x60160:$s1: \Classes\mscfile\shell\open\command
            • 0x60148:$s2: eventvwr.exe
            16.2.yVSkoplfDgy.exe.400000.0.unpackJoeSecurity_RemcosYara detected Remcos RATJoe Security
              Click to see the 30 entries

              Sigma Signatures

              System Summary

              barindex
              Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HSBC Payment Swift Copy.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HSBC Payment Swift Copy.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\HSBC Payment Swift Copy.exe", ParentImage: C:\Users\user\Desktop\HSBC Payment Swift Copy.exe, ParentProcessId: 7416, ParentProcessName: HSBC Payment Swift Copy.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HSBC Payment Swift Copy.exe", ProcessId: 7676, ProcessName: powershell.exe
              Sigma detected: Powershell Defender Exclusion
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HSBC Payment Swift Copy.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HSBC Payment Swift Copy.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\HSBC Payment Swift Copy.exe", ParentImage: C:\Users\user\Desktop\HSBC Payment Swift Copy.exe, ParentProcessId: 7416, ParentProcessName: HSBC Payment Swift Copy.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HSBC Payment Swift Copy.exe", ProcessId: 7676, ProcessName: powershell.exe
              Sigma detected: Suspicious Add Scheduled Task Parent
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVSkoplfDgy" /XML "C:\Users\user\AppData\Local\Temp\tmp6CC6.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVSkoplfDgy" /XML "C:\Users\user\AppData\Local\Temp\tmp6CC6.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exe, ParentImage: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exe, ParentProcessId: 8048, ParentProcessName: yVSkoplfDgy.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVSkoplfDgy" /XML "C:\Users\user\AppData\Local\Temp\tmp6CC6.tmp", ProcessId: 6920, ProcessName: schtasks.exe
              Sigma detected: Suspicious Schtasks From Env Var Folder
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVSkoplfDgy" /XML "C:\Users\user\AppData\Local\Temp\tmp5D45.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVSkoplfDgy" /XML "C:\Users\user\AppData\Local\Temp\tmp5D45.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\HSBC Payment Swift Copy.exe", ParentImage: C:\Users\user\Desktop\HSBC Payment Swift Copy.exe, ParentProcessId: 7416, ParentProcessName: HSBC Payment Swift Copy.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVSkoplfDgy" /XML "C:\Users\user\AppData\Local\Temp\tmp5D45.tmp", ProcessId: 7760, ProcessName: schtasks.exe
              Sigma detected: Non Interactive PowerShell Process Spawned
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HSBC Payment Swift Copy.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HSBC Payment Swift Copy.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\HSBC Payment Swift Copy.exe", ParentImage: C:\Users\user\Desktop\HSBC Payment Swift Copy.exe, ParentProcessId: 7416, ParentProcessName: HSBC Payment Swift Copy.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HSBC Payment Swift Copy.exe", ProcessId: 7676, ProcessName: powershell.exe

              Persistence and Installation Behavior

              barindex
              Sigma detected: Scheduled temp file as task from temp location
              Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVSkoplfDgy" /XML "C:\Users\user\AppData\Local\Temp\tmp5D45.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVSkoplfDgy" /XML "C:\Users\user\AppData\Local\Temp\tmp5D45.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\HSBC Payment Swift Copy.exe", ParentImage: C:\Users\user\Desktop\HSBC Payment Swift Copy.exe, ParentProcessId: 7416, ParentProcessName: HSBC Payment Swift Copy.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVSkoplfDgy" /XML "C:\Users\user\AppData\Local\Temp\tmp5D45.tmp", ProcessId: 7760, ProcessName: schtasks.exe

              Stealing of Sensitive Information

              barindex
              Sigma detected: Remcos
              Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\HSBC Payment Swift Copy.exe, ProcessId: 7992, TargetFilename: C:\ProgramData\remcos\logs.dat

              Suricata Signatures

              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-10-29T14:45:18.505707+010020365941Malware Command and Control Activity Detected192.168.2.749710140.228.29.62195TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-10-29T14:45:20.347427+010028033043Unknown Traffic192.168.2.749722178.237.33.5080TCP

              Joe Sandbox Signatures

              Click to jump to signature section

              Show All Signature Results

              AV Detection

              barindex
              Found malware configuration
              Source: 00000010.00000002.1371326406.0000000001537000.00000004.00000020.00020000.00000000.sdmpMalware Configuration Extractor: Remcos {"Host:Port:Password": ["00.dynamic-dns.net:2195:1"], "Assigned name": "TEEWIRE10/27/24", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Rmc-ISGDIO", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100"}
              Multi AV Scanner detection for dropped file
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeReversingLabs: Detection: 28%
              Multi AV Scanner detection for submitted file
              Source: HSBC Payment Swift Copy.exeReversingLabs: Detection: 28%
              Yara detected Remcos RAT
              Source: Yara matchFile source: 0.2.HSBC Payment Swift Copy.exe.48be830.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 16.2.yVSkoplfDgy.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 11.2.yVSkoplfDgy.exe.3b206a8.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 11.2.yVSkoplfDgy.exe.3aab088.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 16.2.yVSkoplfDgy.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 11.2.yVSkoplfDgy.exe.3b206a8.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 11.2.yVSkoplfDgy.exe.3aab088.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.HSBC Payment Swift Copy.exe.48be830.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.HSBC Payment Swift Copy.exe.4807610.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.HSBC Payment Swift Copy.exe.47503f0.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0000000A.00000002.3757629945.0000000001567000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000A.00000002.3762660229.000000000328F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000002.1371326406.0000000001537000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000A.00000002.3757629945.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000A.00000002.3757629945.000000000157A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000B.00000002.1394489921.0000000003AAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.1355702722.000000000445B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: HSBC Payment Swift Copy.exe PID: 7416, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: HSBC Payment Swift Copy.exe PID: 7992, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: yVSkoplfDgy.exe PID: 8048, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: yVSkoplfDgy.exe PID: 4600, type: MEMORYSTR
              Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED
              AI detected suspicious sample
              Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
              Machine Learning detection for dropped file
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeJoe Sandbox ML: detected
              Machine Learning detection for sample
              Source: HSBC Payment Swift Copy.exeJoe Sandbox ML: detected
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_004315EC CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,16_2_004315EC
              Source: HSBC Payment Swift Copy.exe, 00000000.00000002.1355702722.000000000445B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: -----BEGIN PUBLIC KEY-----memstr_3ab9089d-e
              Source: HSBC Payment Swift Copy.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: HSBC Payment Swift Copy.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: fbmp.pdb source: HSBC Payment Swift Copy.exe, yVSkoplfDgy.exe.0.dr
              Source: Binary string: fbmp.pdbSHA256Vg source: HSBC Payment Swift Copy.exe, yVSkoplfDgy.exe.0.dr
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,16_2_0041A01B
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,16_2_0040B28E
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,16_2_0040838E
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,16_2_004087A0
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,16_2_00407848
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_004068CD FindFirstFileW,FindNextFileW,16_2_004068CD
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_0044BA59 FindFirstFileExA,16_2_0044BA59
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,16_2_0040AA71
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW,16_2_00417AAB
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,16_2_0040AC78
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,16_2_00406D28
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeCode function: 4x nop then jmp 08F819EEh0_2_08F820F4
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 4x nop then jmp 0A190F7Eh11_2_0A19167B

              Networking

              barindex
              Suricata IDS alerts for network traffic
              Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49710 -> 140.228.29.6:2195
              C2 URLs / IPs found in malware configuration
              Source: Malware configuration extractorURLs: 00.dynamic-dns.net
              Source: global trafficTCP traffic: 192.168.2.7:49710 -> 140.228.29.6:2195
              Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
              Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
              Source: Joe Sandbox ViewASN Name: OARNET-ASUS OARNET-ASUS
              Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.7:49722 -> 178.237.33.50:80
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_0041936B InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,16_2_0041936B
              Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
              Source: global trafficDNS traffic detected: DNS query: teebro1800.dynamic-dns.net
              Source: global trafficDNS traffic detected: DNS query: geoplugin.net
              Source: HSBC Payment Swift Copy.exe, 0000000A.00000002.3757629945.000000000157A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/
              Source: HSBC Payment Swift Copy.exe, 0000000A.00000002.3757629945.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, HSBC Payment Swift Copy.exe, 0000000A.00000002.3757629945.000000000157A000.00000004.00000020.00020000.00000000.sdmp, yVSkoplfDgy.exeString found in binary or memory: http://geoplugin.net/json.gp
              Source: HSBC Payment Swift Copy.exe, 00000000.00000002.1355702722.000000000445B000.00000004.00000800.00020000.00000000.sdmp, yVSkoplfDgy.exe, 0000000B.00000002.1394489921.0000000003AAB000.00000004.00000800.00020000.00000000.sdmp, yVSkoplfDgy.exe, 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
              Source: HSBC Payment Swift Copy.exe, 0000000A.00000002.3757629945.000000000157A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpSystem32
              Source: HSBC Payment Swift Copy.exe, 0000000A.00000002.3757629945.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpU
              Source: HSBC Payment Swift Copy.exe, 00000000.00000002.1354847338.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, HSBC Payment Swift Copy.exe, 00000000.00000002.1354847338.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, yVSkoplfDgy.exe, 0000000B.00000002.1392275406.0000000002AB6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: HSBC Payment Swift Copy.exe, yVSkoplfDgy.exe.0.drString found in binary or memory: http://tempuri.org/DataSet1.xsd

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              barindex
              Contains functionality to register a low level keyboard hook
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_00409340 SetWindowsHookExA 0000000D,0040932C,0000000016_2_00409340
              Installs a global keyboard hook
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeWindows user hook set: 0 keyboard low level C:\Users\user\Desktop\HSBC Payment Swift Copy.exeJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard,16_2_0040A65A
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_00414EC1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,16_2_00414EC1
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard,16_2_0040A65A
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_00409468 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,16_2_00409468

              E-Banking Fraud

              barindex
              Yara detected Remcos RAT
              Source: Yara matchFile source: 0.2.HSBC Payment Swift Copy.exe.48be830.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 16.2.yVSkoplfDgy.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 11.2.yVSkoplfDgy.exe.3b206a8.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 11.2.yVSkoplfDgy.exe.3aab088.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 16.2.yVSkoplfDgy.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 11.2.yVSkoplfDgy.exe.3b206a8.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 11.2.yVSkoplfDgy.exe.3aab088.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.HSBC Payment Swift Copy.exe.48be830.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.HSBC Payment Swift Copy.exe.4807610.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.HSBC Payment Swift Copy.exe.47503f0.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0000000A.00000002.3757629945.0000000001567000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000A.00000002.3762660229.000000000328F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000002.1371326406.0000000001537000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000A.00000002.3757629945.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000A.00000002.3757629945.000000000157A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000B.00000002.1394489921.0000000003AAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.1355702722.000000000445B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: HSBC Payment Swift Copy.exe PID: 7416, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: HSBC Payment Swift Copy.exe PID: 7992, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: yVSkoplfDgy.exe PID: 8048, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: yVSkoplfDgy.exe PID: 4600, type: MEMORYSTR
              Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED

              Spam, unwanted Advertisements and Ransom Demands

              barindex
              Contains functionalty to change the wallpaper
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_0041A76C SystemParametersInfoW,16_2_0041A76C

              System Summary

              barindex
              Malicious sample detected (through community Yara rule)
              Source: 0.2.HSBC Payment Swift Copy.exe.48be830.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0.2.HSBC Payment Swift Copy.exe.48be830.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 0.2.HSBC Payment Swift Copy.exe.48be830.0.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
              Source: 16.2.yVSkoplfDgy.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 16.2.yVSkoplfDgy.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 16.2.yVSkoplfDgy.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
              Source: 11.2.yVSkoplfDgy.exe.3b206a8.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 11.2.yVSkoplfDgy.exe.3b206a8.3.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 11.2.yVSkoplfDgy.exe.3b206a8.3.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
              Source: 11.2.yVSkoplfDgy.exe.3aab088.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 11.2.yVSkoplfDgy.exe.3aab088.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 11.2.yVSkoplfDgy.exe.3aab088.1.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
              Source: 16.2.yVSkoplfDgy.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 16.2.yVSkoplfDgy.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 16.2.yVSkoplfDgy.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
              Source: 11.2.yVSkoplfDgy.exe.3b206a8.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 11.2.yVSkoplfDgy.exe.3b206a8.3.raw.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
              Source: 11.2.yVSkoplfDgy.exe.3aab088.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 11.2.yVSkoplfDgy.exe.3aab088.1.raw.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
              Source: 0.2.HSBC Payment Swift Copy.exe.48be830.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0.2.HSBC Payment Swift Copy.exe.48be830.0.raw.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
              Source: 0.2.HSBC Payment Swift Copy.exe.4807610.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0.2.HSBC Payment Swift Copy.exe.4807610.1.raw.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
              Source: 0.2.HSBC Payment Swift Copy.exe.47503f0.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0.2.HSBC Payment Swift Copy.exe.47503f0.2.raw.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
              Source: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
              Source: 0000000B.00000002.1394489921.0000000003AAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000000.00000002.1355702722.000000000445B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: HSBC Payment Swift Copy.exe PID: 7416, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: yVSkoplfDgy.exe PID: 8048, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: yVSkoplfDgy.exe PID: 4600, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Initial sample is a PE file and has a suspicious name
              Source: initial sampleStatic PE information: Filename: HSBC Payment Swift Copy.exe
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess Stats: CPU usage > 49%
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeCode function: 0_2_075C2F70 NtQueryInformationProcess,0_2_075C2F70
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeCode function: 0_2_075C2F68 NtQueryInformationProcess,0_2_075C2F68
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 11_2_07412F70 NtQueryInformationProcess,11_2_07412F70
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 11_2_07412F68 NtQueryInformationProcess,11_2_07412F68
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_00414DB4 ExitWindowsEx,LoadLibraryA,GetProcAddress,16_2_00414DB4
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeCode function: 0_2_029E48590_2_029E4859
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeCode function: 0_2_029E48680_2_029E4868
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeCode function: 0_2_075AEF180_2_075AEF18
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeCode function: 0_2_075A33900_2_075A3390
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeCode function: 0_2_075AEF090_2_075AEF09
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeCode function: 0_2_075C03080_2_075C0308
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeCode function: 0_2_075C4CC00_2_075C4CC0
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeCode function: 0_2_075CB70F0_2_075CB70F
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeCode function: 0_2_075CB7300_2_075CB730
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeCode function: 0_2_075CD7B80_2_075CD7B8
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeCode function: 0_2_075CD7A70_2_075CD7A7
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeCode function: 0_2_075C23800_2_075C2380
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeCode function: 0_2_075C02F90_2_075C02F9
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeCode function: 0_2_075C30F00_2_075C30F0
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeCode function: 0_2_075C1F370_2_075C1F37
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeCode function: 0_2_075C4F300_2_075C4F30
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeCode function: 0_2_075C4F200_2_075C4F20
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeCode function: 0_2_075CCE080_2_075CCE08
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeCode function: 0_2_075C4EDF0_2_075C4EDF
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeCode function: 0_2_075CDCB00_2_075CDCB0
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeCode function: 0_2_075C4CB20_2_075C4CB2
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeCode function: 0_2_075CBB680_2_075CBB68
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeCode function: 0_2_075C28400_2_075C2840
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeCode function: 0_2_08F830A00_2_08F830A0
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 11_2_028D485911_2_028D4859
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 11_2_028D486811_2_028D4868
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 11_2_056C314011_2_056C3140
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 11_2_056C313011_2_056C3130
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 11_2_056CAE5011_2_056CAE50
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 11_2_056C4E0011_2_056C4E00
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 11_2_073FEF1811_2_073FEF18
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 11_2_073FEED811_2_073FEED8
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 11_2_0741030811_2_07410308
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 11_2_0741727911_2_07417279
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 11_2_07414CC011_2_07414CC0
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 11_2_0741B70F11_2_0741B70F
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 11_2_0741B73011_2_0741B730
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 11_2_0741D7A711_2_0741D7A7
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 11_2_0741D7B811_2_0741D7B8
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 11_2_0741238011_2_07412380
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 11_2_074102F911_2_074102F9
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 11_2_074130F011_2_074130F0
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 11_2_07414F2011_2_07414F20
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 11_2_07414F3011_2_07414F30
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 11_2_07411F3711_2_07411F37
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 11_2_0741CE0811_2_0741CE08
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 11_2_07414E9811_2_07414E98
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 11_2_0741DCA011_2_0741DCA0
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 11_2_0741DCB011_2_0741DCB0
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 11_2_07414CB211_2_07414CB2
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 11_2_0741BB6811_2_0741BB68
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 11_2_0741284011_2_07412840
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 11_2_0A19250011_2_0A192500
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_0042515216_2_00425152
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_0043528616_2_00435286
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_004513D416_2_004513D4
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_0045050B16_2_0045050B
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_0043651016_2_00436510
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_004316FB16_2_004316FB
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_0043569E16_2_0043569E
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_0044370016_2_00443700
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_004257FB16_2_004257FB
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_004128E316_2_004128E3
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_0042596416_2_00425964
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_0041B91716_2_0041B917
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_0043D9CC16_2_0043D9CC
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_00435AD316_2_00435AD3
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_00424BC316_2_00424BC3
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_0043DBFB16_2_0043DBFB
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_0044ABA916_2_0044ABA9
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_00433C0B16_2_00433C0B
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_00434D8A16_2_00434D8A
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_0043DE2A16_2_0043DE2A
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_0041CEAF16_2_0041CEAF
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_00435F0816_2_00435F08
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: String function: 00402073 appears 51 times
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: String function: 00432B90 appears 53 times
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: String function: 00432525 appears 41 times
              Source: HSBC Payment Swift Copy.exe, 00000000.00000002.1355702722.000000000445B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs HSBC Payment Swift Copy.exe
              Source: HSBC Payment Swift Copy.exe, 00000000.00000000.1299449943.0000000000802000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamefbmp.exe8 vs HSBC Payment Swift Copy.exe
              Source: HSBC Payment Swift Copy.exe, 00000000.00000002.1353839271.0000000000E8E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs HSBC Payment Swift Copy.exe
              Source: HSBC Payment Swift Copy.exe, 00000000.00000002.1363403628.0000000008D70000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs HSBC Payment Swift Copy.exe
              Source: HSBC Payment Swift Copy.exeBinary or memory string: OriginalFilenamefbmp.exe8 vs HSBC Payment Swift Copy.exe
              Source: HSBC Payment Swift Copy.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: 0.2.HSBC Payment Swift Copy.exe.48be830.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0.2.HSBC Payment Swift Copy.exe.48be830.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0.2.HSBC Payment Swift Copy.exe.48be830.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
              Source: 16.2.yVSkoplfDgy.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 16.2.yVSkoplfDgy.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 16.2.yVSkoplfDgy.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
              Source: 11.2.yVSkoplfDgy.exe.3b206a8.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 11.2.yVSkoplfDgy.exe.3b206a8.3.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 11.2.yVSkoplfDgy.exe.3b206a8.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
              Source: 11.2.yVSkoplfDgy.exe.3aab088.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 11.2.yVSkoplfDgy.exe.3aab088.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 11.2.yVSkoplfDgy.exe.3aab088.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
              Source: 16.2.yVSkoplfDgy.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 16.2.yVSkoplfDgy.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 16.2.yVSkoplfDgy.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
              Source: 11.2.yVSkoplfDgy.exe.3b206a8.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 11.2.yVSkoplfDgy.exe.3b206a8.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
              Source: 11.2.yVSkoplfDgy.exe.3aab088.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 11.2.yVSkoplfDgy.exe.3aab088.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
              Source: 0.2.HSBC Payment Swift Copy.exe.48be830.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0.2.HSBC Payment Swift Copy.exe.48be830.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
              Source: 0.2.HSBC Payment Swift Copy.exe.4807610.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0.2.HSBC Payment Swift Copy.exe.4807610.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
              Source: 0.2.HSBC Payment Swift Copy.exe.47503f0.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0.2.HSBC Payment Swift Copy.exe.47503f0.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
              Source: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
              Source: 0000000B.00000002.1394489921.0000000003AAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000000.00000002.1355702722.000000000445B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: HSBC Payment Swift Copy.exe PID: 7416, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: yVSkoplfDgy.exe PID: 8048, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: yVSkoplfDgy.exe PID: 4600, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: HSBC Payment Swift Copy.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: yVSkoplfDgy.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: 0.2.HSBC Payment Swift Copy.exe.4807610.1.raw.unpack, HahAPHeXkA1dNuR4GJ.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 11.2.yVSkoplfDgy.exe.46c8c38.2.raw.unpack, UMRDH1gWHwBA0dwVfU.csSecurity API names: _0020.SetAccessControl
              Source: 11.2.yVSkoplfDgy.exe.46c8c38.2.raw.unpack, UMRDH1gWHwBA0dwVfU.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 11.2.yVSkoplfDgy.exe.46c8c38.2.raw.unpack, UMRDH1gWHwBA0dwVfU.csSecurity API names: _0020.AddAccessRule
              Source: 0.2.HSBC Payment Swift Copy.exe.47503f0.2.raw.unpack, HahAPHeXkA1dNuR4GJ.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.HSBC Payment Swift Copy.exe.8d70000.4.raw.unpack, UMRDH1gWHwBA0dwVfU.csSecurity API names: _0020.SetAccessControl
              Source: 0.2.HSBC Payment Swift Copy.exe.8d70000.4.raw.unpack, UMRDH1gWHwBA0dwVfU.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.HSBC Payment Swift Copy.exe.8d70000.4.raw.unpack, UMRDH1gWHwBA0dwVfU.csSecurity API names: _0020.AddAccessRule
              Source: 0.2.HSBC Payment Swift Copy.exe.47503f0.2.raw.unpack, UMRDH1gWHwBA0dwVfU.csSecurity API names: _0020.SetAccessControl
              Source: 0.2.HSBC Payment Swift Copy.exe.47503f0.2.raw.unpack, UMRDH1gWHwBA0dwVfU.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.HSBC Payment Swift Copy.exe.47503f0.2.raw.unpack, UMRDH1gWHwBA0dwVfU.csSecurity API names: _0020.AddAccessRule
              Source: 11.2.yVSkoplfDgy.exe.4611a18.0.raw.unpack, HahAPHeXkA1dNuR4GJ.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 11.2.yVSkoplfDgy.exe.4611a18.0.raw.unpack, UMRDH1gWHwBA0dwVfU.csSecurity API names: _0020.SetAccessControl
              Source: 11.2.yVSkoplfDgy.exe.4611a18.0.raw.unpack, UMRDH1gWHwBA0dwVfU.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 11.2.yVSkoplfDgy.exe.4611a18.0.raw.unpack, UMRDH1gWHwBA0dwVfU.csSecurity API names: _0020.AddAccessRule
              Source: 0.2.HSBC Payment Swift Copy.exe.4807610.1.raw.unpack, UMRDH1gWHwBA0dwVfU.csSecurity API names: _0020.SetAccessControl
              Source: 0.2.HSBC Payment Swift Copy.exe.4807610.1.raw.unpack, UMRDH1gWHwBA0dwVfU.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.HSBC Payment Swift Copy.exe.4807610.1.raw.unpack, UMRDH1gWHwBA0dwVfU.csSecurity API names: _0020.AddAccessRule
              Source: 0.2.HSBC Payment Swift Copy.exe.8d70000.4.raw.unpack, HahAPHeXkA1dNuR4GJ.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 11.2.yVSkoplfDgy.exe.46c8c38.2.raw.unpack, HahAPHeXkA1dNuR4GJ.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: classification engineClassification label: mal100.rans.troj.spyw.evad.winEXE@19/17@2/2
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_00415C90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,16_2_00415C90
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_0040E2E7 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,16_2_0040E2E7
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_00419493 FindResourceA,LoadResource,LockResource,SizeofResource,16_2_00419493
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,16_2_00418A00
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeFile created: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeMutant created: NULL
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1528:120:WilError_03
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-ISGDIO
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7684:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7856:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7736:120:WilError_03
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeMutant created: \Sessions\1\BaseNamedObjects\hZSWqQAOebI
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeFile created: C:\Users\user\AppData\Local\Temp\tmp5D45.tmpJump to behavior
              Source: HSBC Payment Swift Copy.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: HSBC Payment Swift Copy.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: HSBC Payment Swift Copy.exeReversingLabs: Detection: 28%
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeFile read: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeJump to behavior
              Source: unknownProcess created: C:\Users\user\Desktop\HSBC Payment Swift Copy.exe "C:\Users\user\Desktop\HSBC Payment Swift Copy.exe"
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HSBC Payment Swift Copy.exe"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yVSkoplfDgy.exe"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVSkoplfDgy" /XML "C:\Users\user\AppData\Local\Temp\tmp5D45.tmp"
              Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess created: C:\Users\user\Desktop\HSBC Payment Swift Copy.exe "C:\Users\user\Desktop\HSBC Payment Swift Copy.exe"
              Source: unknownProcess created: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exe C:\Users\user\AppData\Roaming\yVSkoplfDgy.exe
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVSkoplfDgy" /XML "C:\Users\user\AppData\Local\Temp\tmp6CC6.tmp"
              Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess created: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exe "C:\Users\user\AppData\Roaming\yVSkoplfDgy.exe"
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HSBC Payment Swift Copy.exe"Jump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yVSkoplfDgy.exe"Jump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVSkoplfDgy" /XML "C:\Users\user\AppData\Local\Temp\tmp5D45.tmp"Jump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess created: C:\Users\user\Desktop\HSBC Payment Swift Copy.exe "C:\Users\user\Desktop\HSBC Payment Swift Copy.exe"Jump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVSkoplfDgy" /XML "C:\Users\user\AppData\Local\Temp\tmp6CC6.tmp"Jump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess created: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exe "C:\Users\user\AppData\Roaming\yVSkoplfDgy.exe"Jump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: dwrite.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: windowscodecs.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: textshaping.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: slc.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeSection loaded: dwrite.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeSection loaded: windowscodecs.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeSection loaded: textshaping.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeSection loaded: slc.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeSection loaded: winmm.dll
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeSection loaded: urlmon.dll
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeSection loaded: wininet.dll
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeSection loaded: iertutil.dll
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeSection loaded: srvcli.dll
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeSection loaded: netutils.dll
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeSection loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
              Source: HSBC Payment Swift Copy.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: HSBC Payment Swift Copy.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: HSBC Payment Swift Copy.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: fbmp.pdb source: HSBC Payment Swift Copy.exe, yVSkoplfDgy.exe.0.dr
              Source: Binary string: fbmp.pdbSHA256Vg source: HSBC Payment Swift Copy.exe, yVSkoplfDgy.exe.0.dr

              Data Obfuscation

              barindex
              .NET source code contains potential unpacker
              Source: 0.2.HSBC Payment Swift Copy.exe.4807610.1.raw.unpack, UMRDH1gWHwBA0dwVfU.cs.Net Code: cUaYubeLxX System.Reflection.Assembly.Load(byte[])
              Source: 0.2.HSBC Payment Swift Copy.exe.7500000.3.raw.unpack, Uo.cs.Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
              Source: 0.2.HSBC Payment Swift Copy.exe.8d70000.4.raw.unpack, UMRDH1gWHwBA0dwVfU.cs.Net Code: cUaYubeLxX System.Reflection.Assembly.Load(byte[])
              Source: 0.2.HSBC Payment Swift Copy.exe.47503f0.2.raw.unpack, UMRDH1gWHwBA0dwVfU.cs.Net Code: cUaYubeLxX System.Reflection.Assembly.Load(byte[])
              Source: 11.2.yVSkoplfDgy.exe.46c8c38.2.raw.unpack, UMRDH1gWHwBA0dwVfU.cs.Net Code: cUaYubeLxX System.Reflection.Assembly.Load(byte[])
              Source: 11.2.yVSkoplfDgy.exe.4611a18.0.raw.unpack, UMRDH1gWHwBA0dwVfU.cs.Net Code: cUaYubeLxX System.Reflection.Assembly.Load(byte[])
              Source: HSBC Payment Swift Copy.exeStatic PE information: 0xDDC53ABB [Wed Nov 26 13:06:03 2087 UTC]
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,16_2_0041A8DA
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeCode function: 0_2_075A0D2A push eax; ret 0_2_075A0D33
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 11_2_073F0D00 push eax; ret 11_2_073F0D33
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_004000D8 push es; iretd 16_2_004000D9
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_0040008C push es; iretd 16_2_0040008D
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_004542E6 push ecx; ret 16_2_004542F9
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_0045B4FD push esi; ret 16_2_0045B506
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_00432BD6 push ecx; ret 16_2_00432BE9
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_00454C08 push eax; ret 16_2_00454C26
              Source: HSBC Payment Swift Copy.exeStatic PE information: section name: .text entropy: 7.800028536529113
              Source: yVSkoplfDgy.exe.0.drStatic PE information: section name: .text entropy: 7.800028536529113
              Source: 0.2.HSBC Payment Swift Copy.exe.4807610.1.raw.unpack, jsGVHo3VrO7nIDP5IF.csHigh entropy of concatenated method names: 'LWPychysJn', 'hAJyMZ5mae', 'wWTybGUnEc', 'Mrnyl75iQE', 'sjZygTejMF', 'KPabWYDsD1', 'MUJbh9xqvL', 'WRNbTMmyJe', 'qBpb601C4o', 'ehabLkFlmo'
              Source: 0.2.HSBC Payment Swift Copy.exe.4807610.1.raw.unpack, pj4GOALE1qxs1GI0N4.csHigh entropy of concatenated method names: 'BKno3TyVdX', 'LuboENZy60', 'LXro4lHsMf', 'm4NoIFaUwB', 'T08oF0Sia4', 'WD5oGsX0NX', 'Next', 'Next', 'Next', 'NextBytes'
              Source: 0.2.HSBC Payment Swift Copy.exe.4807610.1.raw.unpack, A3gbyBHOJnnH9cUkAsk.csHigh entropy of concatenated method names: 'WAkAsVbp2Z', 'TXiArU5QGh', 'Of7AuAWXij', 'dyrAmmDHPb', 'kHMAVibiN9', 'cQUAjxscc8', 'T1wAQNtNRk', 'MjgAeLy2Yr', 'XntAUNGO2E', 'rVFAp1a32N'
              Source: 0.2.HSBC Payment Swift Copy.exe.4807610.1.raw.unpack, NKaJP9z0sWiDBOX1bP.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YBfAfrilAC', 'cxSAwWk2Yj', 'Y4GAZjAeTJ', 'zVcABoU5dO', 'Y4CAopBtF3', 'jr5AAQ11vV', 'nIbAR7nJEI'
              Source: 0.2.HSBC Payment Swift Copy.exe.4807610.1.raw.unpack, zvfabWpX0E0St3LcA3.csHigh entropy of concatenated method names: 'Jp3bVhVHhX', 'YNYbQU2WBn', 'dPZ94swqg7', 'lK09IN7wJZ', 'zQZ9GbXkjF', 'lOl902gPRk', 'GaZ9DXRMx3', 'yHX9aWWdvT', 'mWH9drh7hm', 'Wiy9NrrHb6'
              Source: 0.2.HSBC Payment Swift Copy.exe.4807610.1.raw.unpack, YfCo8Eh2Qp5YuLr6yM.csHigh entropy of concatenated method names: 'ElcB66Jnr9', 'Xl2BSkP00H', 'SmOoOvkxND', 'tOeoHVoUYo', 'AqXBqFrTHS', 'GsoB7mR3Va', 'sQrBJCLIhU', 'xOeBFcuvd0', 'Q70BCdldS9', 'Ns5BXE9Vf4'
              Source: 0.2.HSBC Payment Swift Copy.exe.4807610.1.raw.unpack, uCnVMCMm3s35KTSK7U.csHigh entropy of concatenated method names: 'Dispose', 'FtIHLMVeWw', 'Viv2EZF0Ve', 'eBlyyLHnx5', 'c8oHSx50uo', 'yeXHzKC7AQ', 'ProcessDialogKey', 'hhZ2Oj4GOA', 'H1q2Hxs1GI', 'KN422HHHaE'
              Source: 0.2.HSBC Payment Swift Copy.exe.4807610.1.raw.unpack, bJ9NKd2DHc7Nb1FbcF.csHigh entropy of concatenated method names: 'zZEu6LiXw', 'sDgmO1McF', 'fq0jCbc0Z', 'ReXQ8Ykt6', 'icQUqngsU', 'NF0pG2fIR', 'LcHIEEBq4U3Ktmruu9', 'sIPaXsenWMWBhehPjb', 'rwdoYVdtF', 'wPPRQqFfK'
              Source: 0.2.HSBC Payment Swift Copy.exe.4807610.1.raw.unpack, JMxSgMHxtd33BgujFAy.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'eRuRFWcgv3', 'uv5RCV2TGK', 'tZ6RXMsy9K', 'GptRkUf6GS', 'ULcRWRiwyW', 'rAXRhn3mVp', 'yvrRTMVrho'
              Source: 0.2.HSBC Payment Swift Copy.exe.4807610.1.raw.unpack, HahAPHeXkA1dNuR4GJ.csHigh entropy of concatenated method names: 'QdnMFAtFB7', 'f9VMCQgQ0M', 'PB9MXvrrWB', 'dd1MkZIgq0', 'sBEMWWtbHZ', 'uXLMhXHEbr', 'xTeMT2klbL', 'np4M6O8wde', 'nFHMLPuVjt', 'kg0MSxhPe5'
              Source: 0.2.HSBC Payment Swift Copy.exe.4807610.1.raw.unpack, oqO2yGFGOnqYqV2uSi.csHigh entropy of concatenated method names: 'CxhwNVK5Q8', 'ztsw7OPNqK', 'xXUwF44uMI', 'G9kwCNK1ea', 'CedwEedNdq', 'TLnw4JJj39', 'wsOwIiSpRR', 'SBdwGt4EZU', 'HGZw0ZAMXY', 'P4UwDg7dK0'
              Source: 0.2.HSBC Payment Swift Copy.exe.4807610.1.raw.unpack, nGeEpeH2mO1eRdSOHV9.csHigh entropy of concatenated method names: 'LjCRsrXINx', 'BnFRrtAsFJ', 'Gf6Ruts0dN', 'Giftfbk07EOxiYMUcKf', 'cpw8HJkfwgLwFg5B1cW', 'Meb9yBkhxhY8H5vC2DF', 'mrKCWJk3viMSK4yWeUl', 'LHMKAUklsjIDRRcGqZt'
              Source: 0.2.HSBC Payment Swift Copy.exe.4807610.1.raw.unpack, yC6lR7krJjH8ts2hvJ.csHigh entropy of concatenated method names: 'lBcB8BPEmg', 'UnTBiRAFLS', 'ToString', 'jhVBt7FyO9', 'nL1BMQ4tu9', 'fy5B9THaED', 'lgqBbrO2QP', 'kVJBy11eUO', 'I7DBl6t2bF', 'NsYBgw7atX'
              Source: 0.2.HSBC Payment Swift Copy.exe.4807610.1.raw.unpack, vGrleP9avAfjIoUO6i.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'WX42LTYCCp', 'd7r2Si8tHh', 'jEV2zJA1Ns', 'Fb9xO4WFyG', 'sukxHaq3ul', 'qMBx2U2m38', 'ixgxxtYvwG', 'Meurtd2opUuUok1XNG9'
              Source: 0.2.HSBC Payment Swift Copy.exe.4807610.1.raw.unpack, UMRDH1gWHwBA0dwVfU.csHigh entropy of concatenated method names: 'BofxcJTxxC', 'xxcxtowmam', 'dYZxMerCoX', 'a9Kx9wYkHv', 'M34xbmFTdk', 'B9WxymKsij', 'BPQxlWY6rG', 'WZKxgZyCHv', 'Y8exPkCwqi', 'Jyax8pVFdK'
              Source: 0.2.HSBC Payment Swift Copy.exe.4807610.1.raw.unpack, mox50u6oseXKC7AQ9h.csHigh entropy of concatenated method names: 'PvXotj9kpS', 'OQEoMd53co', 'UC3o9txCsN', 'k0kobmq5mA', 'WnxoyGbcfb', 'A1aolNr1Qf', 'v2kogF7Ms8', 'P9foPx6T8k', 'FG1o8ASVQH', 'fHBoipdRqS'
              Source: 0.2.HSBC Payment Swift Copy.exe.4807610.1.raw.unpack, jaX6ECYgOfnGjyjRgn.csHigh entropy of concatenated method names: 'Ie4HlahAPH', 'SkAHg1dNuR', 'zUeH8Eh8NE', 's0wHiUuvfa', 'GLcHwA3lsG', 'BHoHZVrO7n', 'eYvuC8lN8Te8phFyn5', 'l0drlSKsBEy5aXKxEm', 'aW5HH3euXV', 'rOiHxRVf0h'
              Source: 0.2.HSBC Payment Swift Copy.exe.4807610.1.raw.unpack, WCwsuCDMaq6BOoYbLG.csHigh entropy of concatenated method names: 'u4DltqeLgJ', 'Feul9PKpVG', 'pVelyd1Hp6', 'glIySEtxP1', 'EGcyzQD6Jl', 'huglO3uxan', 'bCWlHqRK7W', 'aCSl22gyxB', 'CKclxqQv4p', 'nG3lY18MoK'
              Source: 0.2.HSBC Payment Swift Copy.exe.4807610.1.raw.unpack, vZFnsuUUeEh8NEA0wU.csHigh entropy of concatenated method names: 'omh9mXg2mo', 'E6Q9jhMkyA', 'O0L9eiyN4Y', 'Ism9UMfeMh', 'DdC9wXZiPs', 'PsO9ZqQ9AI', 'agE9B0JAVL', 'Bq79oS7jbY', 'nkU9ANiRwG', 'C0V9R7PmII'
              Source: 0.2.HSBC Payment Swift Copy.exe.4807610.1.raw.unpack, aHHaEsSu3xvFZEeV0Q.csHigh entropy of concatenated method names: 'aKEAHLWZ1L', 'Q0lAxnLEO4', 'RPFAY2lJf8', 'uTuAt1E75G', 'k9mAM9nVh2', 'Ko2AbcSo3F', 'ShuAyUa9wl', 'Ck5oTjgbNy', 'MEGo6FRZdS', 'Wd8oLcu60o'
              Source: 0.2.HSBC Payment Swift Copy.exe.4807610.1.raw.unpack, dYAaZxJTfwcVsHoZfm.csHigh entropy of concatenated method names: 'gA2fefPgpm', 'SoGfUsMV7B', 'Gflf3XT966', 'aIjfEJB2il', 'RJ2fI5unCa', 'afBfG6iML5', 'JyhfDTxpLG', 'KqKfa6eqa0', 'GnCfNx2vjQ', 'BfEfqVnFAR'
              Source: 0.2.HSBC Payment Swift Copy.exe.4807610.1.raw.unpack, PN5OFAXQDjdn15EqRJ.csHigh entropy of concatenated method names: 'ToString', 'bh0ZqJxVSV', 'n3WZE9RJgU', 'dwDZ4n8T6P', 'beTZIRTf98', 'NR1ZGKMacY', 'V68Z0h51AN', 'zNMZDf1Wwy', 'zNgZaPYcog', 'uDSZd4KeCi'
              Source: 0.2.HSBC Payment Swift Copy.exe.4807610.1.raw.unpack, pus0yvdtSq7eZL1AO4.csHigh entropy of concatenated method names: 'GXWlsjYrXr', 'hr5lrniP3r', 'AoAluNVZNG', 'EGmlmGfTwZ', 'rr9lVdGgKO', 'UTNlj4CXnv', 'jIZlQrGCqd', 'zgGleAJbJk', 'ucelUXXUvg', 'r6GlpLRomi'
              Source: 0.2.HSBC Payment Swift Copy.exe.8d70000.4.raw.unpack, jsGVHo3VrO7nIDP5IF.csHigh entropy of concatenated method names: 'LWPychysJn', 'hAJyMZ5mae', 'wWTybGUnEc', 'Mrnyl75iQE', 'sjZygTejMF', 'KPabWYDsD1', 'MUJbh9xqvL', 'WRNbTMmyJe', 'qBpb601C4o', 'ehabLkFlmo'
              Source: 0.2.HSBC Payment Swift Copy.exe.8d70000.4.raw.unpack, pj4GOALE1qxs1GI0N4.csHigh entropy of concatenated method names: 'BKno3TyVdX', 'LuboENZy60', 'LXro4lHsMf', 'm4NoIFaUwB', 'T08oF0Sia4', 'WD5oGsX0NX', 'Next', 'Next', 'Next', 'NextBytes'
              Source: 0.2.HSBC Payment Swift Copy.exe.8d70000.4.raw.unpack, A3gbyBHOJnnH9cUkAsk.csHigh entropy of concatenated method names: 'WAkAsVbp2Z', 'TXiArU5QGh', 'Of7AuAWXij', 'dyrAmmDHPb', 'kHMAVibiN9', 'cQUAjxscc8', 'T1wAQNtNRk', 'MjgAeLy2Yr', 'XntAUNGO2E', 'rVFAp1a32N'
              Source: 0.2.HSBC Payment Swift Copy.exe.8d70000.4.raw.unpack, NKaJP9z0sWiDBOX1bP.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YBfAfrilAC', 'cxSAwWk2Yj', 'Y4GAZjAeTJ', 'zVcABoU5dO', 'Y4CAopBtF3', 'jr5AAQ11vV', 'nIbAR7nJEI'
              Source: 0.2.HSBC Payment Swift Copy.exe.8d70000.4.raw.unpack, zvfabWpX0E0St3LcA3.csHigh entropy of concatenated method names: 'Jp3bVhVHhX', 'YNYbQU2WBn', 'dPZ94swqg7', 'lK09IN7wJZ', 'zQZ9GbXkjF', 'lOl902gPRk', 'GaZ9DXRMx3', 'yHX9aWWdvT', 'mWH9drh7hm', 'Wiy9NrrHb6'
              Source: 0.2.HSBC Payment Swift Copy.exe.8d70000.4.raw.unpack, YfCo8Eh2Qp5YuLr6yM.csHigh entropy of concatenated method names: 'ElcB66Jnr9', 'Xl2BSkP00H', 'SmOoOvkxND', 'tOeoHVoUYo', 'AqXBqFrTHS', 'GsoB7mR3Va', 'sQrBJCLIhU', 'xOeBFcuvd0', 'Q70BCdldS9', 'Ns5BXE9Vf4'
              Source: 0.2.HSBC Payment Swift Copy.exe.8d70000.4.raw.unpack, uCnVMCMm3s35KTSK7U.csHigh entropy of concatenated method names: 'Dispose', 'FtIHLMVeWw', 'Viv2EZF0Ve', 'eBlyyLHnx5', 'c8oHSx50uo', 'yeXHzKC7AQ', 'ProcessDialogKey', 'hhZ2Oj4GOA', 'H1q2Hxs1GI', 'KN422HHHaE'
              Source: 0.2.HSBC Payment Swift Copy.exe.8d70000.4.raw.unpack, bJ9NKd2DHc7Nb1FbcF.csHigh entropy of concatenated method names: 'zZEu6LiXw', 'sDgmO1McF', 'fq0jCbc0Z', 'ReXQ8Ykt6', 'icQUqngsU', 'NF0pG2fIR', 'LcHIEEBq4U3Ktmruu9', 'sIPaXsenWMWBhehPjb', 'rwdoYVdtF', 'wPPRQqFfK'
              Source: 0.2.HSBC Payment Swift Copy.exe.8d70000.4.raw.unpack, JMxSgMHxtd33BgujFAy.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'eRuRFWcgv3', 'uv5RCV2TGK', 'tZ6RXMsy9K', 'GptRkUf6GS', 'ULcRWRiwyW', 'rAXRhn3mVp', 'yvrRTMVrho'
              Source: 0.2.HSBC Payment Swift Copy.exe.8d70000.4.raw.unpack, HahAPHeXkA1dNuR4GJ.csHigh entropy of concatenated method names: 'QdnMFAtFB7', 'f9VMCQgQ0M', 'PB9MXvrrWB', 'dd1MkZIgq0', 'sBEMWWtbHZ', 'uXLMhXHEbr', 'xTeMT2klbL', 'np4M6O8wde', 'nFHMLPuVjt', 'kg0MSxhPe5'
              Source: 0.2.HSBC Payment Swift Copy.exe.8d70000.4.raw.unpack, oqO2yGFGOnqYqV2uSi.csHigh entropy of concatenated method names: 'CxhwNVK5Q8', 'ztsw7OPNqK', 'xXUwF44uMI', 'G9kwCNK1ea', 'CedwEedNdq', 'TLnw4JJj39', 'wsOwIiSpRR', 'SBdwGt4EZU', 'HGZw0ZAMXY', 'P4UwDg7dK0'
              Source: 0.2.HSBC Payment Swift Copy.exe.8d70000.4.raw.unpack, nGeEpeH2mO1eRdSOHV9.csHigh entropy of concatenated method names: 'LjCRsrXINx', 'BnFRrtAsFJ', 'Gf6Ruts0dN', 'Giftfbk07EOxiYMUcKf', 'cpw8HJkfwgLwFg5B1cW', 'Meb9yBkhxhY8H5vC2DF', 'mrKCWJk3viMSK4yWeUl', 'LHMKAUklsjIDRRcGqZt'
              Source: 0.2.HSBC Payment Swift Copy.exe.8d70000.4.raw.unpack, yC6lR7krJjH8ts2hvJ.csHigh entropy of concatenated method names: 'lBcB8BPEmg', 'UnTBiRAFLS', 'ToString', 'jhVBt7FyO9', 'nL1BMQ4tu9', 'fy5B9THaED', 'lgqBbrO2QP', 'kVJBy11eUO', 'I7DBl6t2bF', 'NsYBgw7atX'
              Source: 0.2.HSBC Payment Swift Copy.exe.8d70000.4.raw.unpack, vGrleP9avAfjIoUO6i.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'WX42LTYCCp', 'd7r2Si8tHh', 'jEV2zJA1Ns', 'Fb9xO4WFyG', 'sukxHaq3ul', 'qMBx2U2m38', 'ixgxxtYvwG', 'Meurtd2opUuUok1XNG9'
              Source: 0.2.HSBC Payment Swift Copy.exe.8d70000.4.raw.unpack, UMRDH1gWHwBA0dwVfU.csHigh entropy of concatenated method names: 'BofxcJTxxC', 'xxcxtowmam', 'dYZxMerCoX', 'a9Kx9wYkHv', 'M34xbmFTdk', 'B9WxymKsij', 'BPQxlWY6rG', 'WZKxgZyCHv', 'Y8exPkCwqi', 'Jyax8pVFdK'
              Source: 0.2.HSBC Payment Swift Copy.exe.8d70000.4.raw.unpack, mox50u6oseXKC7AQ9h.csHigh entropy of concatenated method names: 'PvXotj9kpS', 'OQEoMd53co', 'UC3o9txCsN', 'k0kobmq5mA', 'WnxoyGbcfb', 'A1aolNr1Qf', 'v2kogF7Ms8', 'P9foPx6T8k', 'FG1o8ASVQH', 'fHBoipdRqS'
              Source: 0.2.HSBC Payment Swift Copy.exe.8d70000.4.raw.unpack, jaX6ECYgOfnGjyjRgn.csHigh entropy of concatenated method names: 'Ie4HlahAPH', 'SkAHg1dNuR', 'zUeH8Eh8NE', 's0wHiUuvfa', 'GLcHwA3lsG', 'BHoHZVrO7n', 'eYvuC8lN8Te8phFyn5', 'l0drlSKsBEy5aXKxEm', 'aW5HH3euXV', 'rOiHxRVf0h'
              Source: 0.2.HSBC Payment Swift Copy.exe.8d70000.4.raw.unpack, WCwsuCDMaq6BOoYbLG.csHigh entropy of concatenated method names: 'u4DltqeLgJ', 'Feul9PKpVG', 'pVelyd1Hp6', 'glIySEtxP1', 'EGcyzQD6Jl', 'huglO3uxan', 'bCWlHqRK7W', 'aCSl22gyxB', 'CKclxqQv4p', 'nG3lY18MoK'
              Source: 0.2.HSBC Payment Swift Copy.exe.8d70000.4.raw.unpack, vZFnsuUUeEh8NEA0wU.csHigh entropy of concatenated method names: 'omh9mXg2mo', 'E6Q9jhMkyA', 'O0L9eiyN4Y', 'Ism9UMfeMh', 'DdC9wXZiPs', 'PsO9ZqQ9AI', 'agE9B0JAVL', 'Bq79oS7jbY', 'nkU9ANiRwG', 'C0V9R7PmII'
              Source: 0.2.HSBC Payment Swift Copy.exe.8d70000.4.raw.unpack, aHHaEsSu3xvFZEeV0Q.csHigh entropy of concatenated method names: 'aKEAHLWZ1L', 'Q0lAxnLEO4', 'RPFAY2lJf8', 'uTuAt1E75G', 'k9mAM9nVh2', 'Ko2AbcSo3F', 'ShuAyUa9wl', 'Ck5oTjgbNy', 'MEGo6FRZdS', 'Wd8oLcu60o'
              Source: 0.2.HSBC Payment Swift Copy.exe.8d70000.4.raw.unpack, dYAaZxJTfwcVsHoZfm.csHigh entropy of concatenated method names: 'gA2fefPgpm', 'SoGfUsMV7B', 'Gflf3XT966', 'aIjfEJB2il', 'RJ2fI5unCa', 'afBfG6iML5', 'JyhfDTxpLG', 'KqKfa6eqa0', 'GnCfNx2vjQ', 'BfEfqVnFAR'
              Source: 0.2.HSBC Payment Swift Copy.exe.8d70000.4.raw.unpack, PN5OFAXQDjdn15EqRJ.csHigh entropy of concatenated method names: 'ToString', 'bh0ZqJxVSV', 'n3WZE9RJgU', 'dwDZ4n8T6P', 'beTZIRTf98', 'NR1ZGKMacY', 'V68Z0h51AN', 'zNMZDf1Wwy', 'zNgZaPYcog', 'uDSZd4KeCi'
              Source: 0.2.HSBC Payment Swift Copy.exe.8d70000.4.raw.unpack, pus0yvdtSq7eZL1AO4.csHigh entropy of concatenated method names: 'GXWlsjYrXr', 'hr5lrniP3r', 'AoAluNVZNG', 'EGmlmGfTwZ', 'rr9lVdGgKO', 'UTNlj4CXnv', 'jIZlQrGCqd', 'zgGleAJbJk', 'ucelUXXUvg', 'r6GlpLRomi'
              Source: 0.2.HSBC Payment Swift Copy.exe.47503f0.2.raw.unpack, jsGVHo3VrO7nIDP5IF.csHigh entropy of concatenated method names: 'LWPychysJn', 'hAJyMZ5mae', 'wWTybGUnEc', 'Mrnyl75iQE', 'sjZygTejMF', 'KPabWYDsD1', 'MUJbh9xqvL', 'WRNbTMmyJe', 'qBpb601C4o', 'ehabLkFlmo'
              Source: 0.2.HSBC Payment Swift Copy.exe.47503f0.2.raw.unpack, pj4GOALE1qxs1GI0N4.csHigh entropy of concatenated method names: 'BKno3TyVdX', 'LuboENZy60', 'LXro4lHsMf', 'm4NoIFaUwB', 'T08oF0Sia4', 'WD5oGsX0NX', 'Next', 'Next', 'Next', 'NextBytes'
              Source: 0.2.HSBC Payment Swift Copy.exe.47503f0.2.raw.unpack, A3gbyBHOJnnH9cUkAsk.csHigh entropy of concatenated method names: 'WAkAsVbp2Z', 'TXiArU5QGh', 'Of7AuAWXij', 'dyrAmmDHPb', 'kHMAVibiN9', 'cQUAjxscc8', 'T1wAQNtNRk', 'MjgAeLy2Yr', 'XntAUNGO2E', 'rVFAp1a32N'
              Source: 0.2.HSBC Payment Swift Copy.exe.47503f0.2.raw.unpack, NKaJP9z0sWiDBOX1bP.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YBfAfrilAC', 'cxSAwWk2Yj', 'Y4GAZjAeTJ', 'zVcABoU5dO', 'Y4CAopBtF3', 'jr5AAQ11vV', 'nIbAR7nJEI'
              Source: 0.2.HSBC Payment Swift Copy.exe.47503f0.2.raw.unpack, zvfabWpX0E0St3LcA3.csHigh entropy of concatenated method names: 'Jp3bVhVHhX', 'YNYbQU2WBn', 'dPZ94swqg7', 'lK09IN7wJZ', 'zQZ9GbXkjF', 'lOl902gPRk', 'GaZ9DXRMx3', 'yHX9aWWdvT', 'mWH9drh7hm', 'Wiy9NrrHb6'
              Source: 0.2.HSBC Payment Swift Copy.exe.47503f0.2.raw.unpack, YfCo8Eh2Qp5YuLr6yM.csHigh entropy of concatenated method names: 'ElcB66Jnr9', 'Xl2BSkP00H', 'SmOoOvkxND', 'tOeoHVoUYo', 'AqXBqFrTHS', 'GsoB7mR3Va', 'sQrBJCLIhU', 'xOeBFcuvd0', 'Q70BCdldS9', 'Ns5BXE9Vf4'
              Source: 0.2.HSBC Payment Swift Copy.exe.47503f0.2.raw.unpack, uCnVMCMm3s35KTSK7U.csHigh entropy of concatenated method names: 'Dispose', 'FtIHLMVeWw', 'Viv2EZF0Ve', 'eBlyyLHnx5', 'c8oHSx50uo', 'yeXHzKC7AQ', 'ProcessDialogKey', 'hhZ2Oj4GOA', 'H1q2Hxs1GI', 'KN422HHHaE'
              Source: 0.2.HSBC Payment Swift Copy.exe.47503f0.2.raw.unpack, bJ9NKd2DHc7Nb1FbcF.csHigh entropy of concatenated method names: 'zZEu6LiXw', 'sDgmO1McF', 'fq0jCbc0Z', 'ReXQ8Ykt6', 'icQUqngsU', 'NF0pG2fIR', 'LcHIEEBq4U3Ktmruu9', 'sIPaXsenWMWBhehPjb', 'rwdoYVdtF', 'wPPRQqFfK'
              Source: 0.2.HSBC Payment Swift Copy.exe.47503f0.2.raw.unpack, JMxSgMHxtd33BgujFAy.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'eRuRFWcgv3', 'uv5RCV2TGK', 'tZ6RXMsy9K', 'GptRkUf6GS', 'ULcRWRiwyW', 'rAXRhn3mVp', 'yvrRTMVrho'
              Source: 0.2.HSBC Payment Swift Copy.exe.47503f0.2.raw.unpack, HahAPHeXkA1dNuR4GJ.csHigh entropy of concatenated method names: 'QdnMFAtFB7', 'f9VMCQgQ0M', 'PB9MXvrrWB', 'dd1MkZIgq0', 'sBEMWWtbHZ', 'uXLMhXHEbr', 'xTeMT2klbL', 'np4M6O8wde', 'nFHMLPuVjt', 'kg0MSxhPe5'
              Source: 0.2.HSBC Payment Swift Copy.exe.47503f0.2.raw.unpack, oqO2yGFGOnqYqV2uSi.csHigh entropy of concatenated method names: 'CxhwNVK5Q8', 'ztsw7OPNqK', 'xXUwF44uMI', 'G9kwCNK1ea', 'CedwEedNdq', 'TLnw4JJj39', 'wsOwIiSpRR', 'SBdwGt4EZU', 'HGZw0ZAMXY', 'P4UwDg7dK0'
              Source: 0.2.HSBC Payment Swift Copy.exe.47503f0.2.raw.unpack, nGeEpeH2mO1eRdSOHV9.csHigh entropy of concatenated method names: 'LjCRsrXINx', 'BnFRrtAsFJ', 'Gf6Ruts0dN', 'Giftfbk07EOxiYMUcKf', 'cpw8HJkfwgLwFg5B1cW', 'Meb9yBkhxhY8H5vC2DF', 'mrKCWJk3viMSK4yWeUl', 'LHMKAUklsjIDRRcGqZt'
              Source: 0.2.HSBC Payment Swift Copy.exe.47503f0.2.raw.unpack, yC6lR7krJjH8ts2hvJ.csHigh entropy of concatenated method names: 'lBcB8BPEmg', 'UnTBiRAFLS', 'ToString', 'jhVBt7FyO9', 'nL1BMQ4tu9', 'fy5B9THaED', 'lgqBbrO2QP', 'kVJBy11eUO', 'I7DBl6t2bF', 'NsYBgw7atX'
              Source: 0.2.HSBC Payment Swift Copy.exe.47503f0.2.raw.unpack, vGrleP9avAfjIoUO6i.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'WX42LTYCCp', 'd7r2Si8tHh', 'jEV2zJA1Ns', 'Fb9xO4WFyG', 'sukxHaq3ul', 'qMBx2U2m38', 'ixgxxtYvwG', 'Meurtd2opUuUok1XNG9'
              Source: 0.2.HSBC Payment Swift Copy.exe.47503f0.2.raw.unpack, UMRDH1gWHwBA0dwVfU.csHigh entropy of concatenated method names: 'BofxcJTxxC', 'xxcxtowmam', 'dYZxMerCoX', 'a9Kx9wYkHv', 'M34xbmFTdk', 'B9WxymKsij', 'BPQxlWY6rG', 'WZKxgZyCHv', 'Y8exPkCwqi', 'Jyax8pVFdK'
              Source: 0.2.HSBC Payment Swift Copy.exe.47503f0.2.raw.unpack, mox50u6oseXKC7AQ9h.csHigh entropy of concatenated method names: 'PvXotj9kpS', 'OQEoMd53co', 'UC3o9txCsN', 'k0kobmq5mA', 'WnxoyGbcfb', 'A1aolNr1Qf', 'v2kogF7Ms8', 'P9foPx6T8k', 'FG1o8ASVQH', 'fHBoipdRqS'
              Source: 0.2.HSBC Payment Swift Copy.exe.47503f0.2.raw.unpack, jaX6ECYgOfnGjyjRgn.csHigh entropy of concatenated method names: 'Ie4HlahAPH', 'SkAHg1dNuR', 'zUeH8Eh8NE', 's0wHiUuvfa', 'GLcHwA3lsG', 'BHoHZVrO7n', 'eYvuC8lN8Te8phFyn5', 'l0drlSKsBEy5aXKxEm', 'aW5HH3euXV', 'rOiHxRVf0h'
              Source: 0.2.HSBC Payment Swift Copy.exe.47503f0.2.raw.unpack, WCwsuCDMaq6BOoYbLG.csHigh entropy of concatenated method names: 'u4DltqeLgJ', 'Feul9PKpVG', 'pVelyd1Hp6', 'glIySEtxP1', 'EGcyzQD6Jl', 'huglO3uxan', 'bCWlHqRK7W', 'aCSl22gyxB', 'CKclxqQv4p', 'nG3lY18MoK'
              Source: 0.2.HSBC Payment Swift Copy.exe.47503f0.2.raw.unpack, vZFnsuUUeEh8NEA0wU.csHigh entropy of concatenated method names: 'omh9mXg2mo', 'E6Q9jhMkyA', 'O0L9eiyN4Y', 'Ism9UMfeMh', 'DdC9wXZiPs', 'PsO9ZqQ9AI', 'agE9B0JAVL', 'Bq79oS7jbY', 'nkU9ANiRwG', 'C0V9R7PmII'
              Source: 0.2.HSBC Payment Swift Copy.exe.47503f0.2.raw.unpack, aHHaEsSu3xvFZEeV0Q.csHigh entropy of concatenated method names: 'aKEAHLWZ1L', 'Q0lAxnLEO4', 'RPFAY2lJf8', 'uTuAt1E75G', 'k9mAM9nVh2', 'Ko2AbcSo3F', 'ShuAyUa9wl', 'Ck5oTjgbNy', 'MEGo6FRZdS', 'Wd8oLcu60o'
              Source: 0.2.HSBC Payment Swift Copy.exe.47503f0.2.raw.unpack, dYAaZxJTfwcVsHoZfm.csHigh entropy of concatenated method names: 'gA2fefPgpm', 'SoGfUsMV7B', 'Gflf3XT966', 'aIjfEJB2il', 'RJ2fI5unCa', 'afBfG6iML5', 'JyhfDTxpLG', 'KqKfa6eqa0', 'GnCfNx2vjQ', 'BfEfqVnFAR'
              Source: 0.2.HSBC Payment Swift Copy.exe.47503f0.2.raw.unpack, PN5OFAXQDjdn15EqRJ.csHigh entropy of concatenated method names: 'ToString', 'bh0ZqJxVSV', 'n3WZE9RJgU', 'dwDZ4n8T6P', 'beTZIRTf98', 'NR1ZGKMacY', 'V68Z0h51AN', 'zNMZDf1Wwy', 'zNgZaPYcog', 'uDSZd4KeCi'
              Source: 0.2.HSBC Payment Swift Copy.exe.47503f0.2.raw.unpack, pus0yvdtSq7eZL1AO4.csHigh entropy of concatenated method names: 'GXWlsjYrXr', 'hr5lrniP3r', 'AoAluNVZNG', 'EGmlmGfTwZ', 'rr9lVdGgKO', 'UTNlj4CXnv', 'jIZlQrGCqd', 'zgGleAJbJk', 'ucelUXXUvg', 'r6GlpLRomi'
              Source: 11.2.yVSkoplfDgy.exe.46c8c38.2.raw.unpack, jsGVHo3VrO7nIDP5IF.csHigh entropy of concatenated method names: 'LWPychysJn', 'hAJyMZ5mae', 'wWTybGUnEc', 'Mrnyl75iQE', 'sjZygTejMF', 'KPabWYDsD1', 'MUJbh9xqvL', 'WRNbTMmyJe', 'qBpb601C4o', 'ehabLkFlmo'
              Source: 11.2.yVSkoplfDgy.exe.46c8c38.2.raw.unpack, pj4GOALE1qxs1GI0N4.csHigh entropy of concatenated method names: 'BKno3TyVdX', 'LuboENZy60', 'LXro4lHsMf', 'm4NoIFaUwB', 'T08oF0Sia4', 'WD5oGsX0NX', 'Next', 'Next', 'Next', 'NextBytes'
              Source: 11.2.yVSkoplfDgy.exe.46c8c38.2.raw.unpack, A3gbyBHOJnnH9cUkAsk.csHigh entropy of concatenated method names: 'WAkAsVbp2Z', 'TXiArU5QGh', 'Of7AuAWXij', 'dyrAmmDHPb', 'kHMAVibiN9', 'cQUAjxscc8', 'T1wAQNtNRk', 'MjgAeLy2Yr', 'XntAUNGO2E', 'rVFAp1a32N'
              Source: 11.2.yVSkoplfDgy.exe.46c8c38.2.raw.unpack, NKaJP9z0sWiDBOX1bP.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YBfAfrilAC', 'cxSAwWk2Yj', 'Y4GAZjAeTJ', 'zVcABoU5dO', 'Y4CAopBtF3', 'jr5AAQ11vV', 'nIbAR7nJEI'
              Source: 11.2.yVSkoplfDgy.exe.46c8c38.2.raw.unpack, zvfabWpX0E0St3LcA3.csHigh entropy of concatenated method names: 'Jp3bVhVHhX', 'YNYbQU2WBn', 'dPZ94swqg7', 'lK09IN7wJZ', 'zQZ9GbXkjF', 'lOl902gPRk', 'GaZ9DXRMx3', 'yHX9aWWdvT', 'mWH9drh7hm', 'Wiy9NrrHb6'
              Source: 11.2.yVSkoplfDgy.exe.46c8c38.2.raw.unpack, YfCo8Eh2Qp5YuLr6yM.csHigh entropy of concatenated method names: 'ElcB66Jnr9', 'Xl2BSkP00H', 'SmOoOvkxND', 'tOeoHVoUYo', 'AqXBqFrTHS', 'GsoB7mR3Va', 'sQrBJCLIhU', 'xOeBFcuvd0', 'Q70BCdldS9', 'Ns5BXE9Vf4'
              Source: 11.2.yVSkoplfDgy.exe.46c8c38.2.raw.unpack, uCnVMCMm3s35KTSK7U.csHigh entropy of concatenated method names: 'Dispose', 'FtIHLMVeWw', 'Viv2EZF0Ve', 'eBlyyLHnx5', 'c8oHSx50uo', 'yeXHzKC7AQ', 'ProcessDialogKey', 'hhZ2Oj4GOA', 'H1q2Hxs1GI', 'KN422HHHaE'
              Source: 11.2.yVSkoplfDgy.exe.46c8c38.2.raw.unpack, bJ9NKd2DHc7Nb1FbcF.csHigh entropy of concatenated method names: 'zZEu6LiXw', 'sDgmO1McF', 'fq0jCbc0Z', 'ReXQ8Ykt6', 'icQUqngsU', 'NF0pG2fIR', 'LcHIEEBq4U3Ktmruu9', 'sIPaXsenWMWBhehPjb', 'rwdoYVdtF', 'wPPRQqFfK'
              Source: 11.2.yVSkoplfDgy.exe.46c8c38.2.raw.unpack, JMxSgMHxtd33BgujFAy.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'eRuRFWcgv3', 'uv5RCV2TGK', 'tZ6RXMsy9K', 'GptRkUf6GS', 'ULcRWRiwyW', 'rAXRhn3mVp', 'yvrRTMVrho'
              Source: 11.2.yVSkoplfDgy.exe.46c8c38.2.raw.unpack, HahAPHeXkA1dNuR4GJ.csHigh entropy of concatenated method names: 'QdnMFAtFB7', 'f9VMCQgQ0M', 'PB9MXvrrWB', 'dd1MkZIgq0', 'sBEMWWtbHZ', 'uXLMhXHEbr', 'xTeMT2klbL', 'np4M6O8wde', 'nFHMLPuVjt', 'kg0MSxhPe5'
              Source: 11.2.yVSkoplfDgy.exe.46c8c38.2.raw.unpack, oqO2yGFGOnqYqV2uSi.csHigh entropy of concatenated method names: 'CxhwNVK5Q8', 'ztsw7OPNqK', 'xXUwF44uMI', 'G9kwCNK1ea', 'CedwEedNdq', 'TLnw4JJj39', 'wsOwIiSpRR', 'SBdwGt4EZU', 'HGZw0ZAMXY', 'P4UwDg7dK0'
              Source: 11.2.yVSkoplfDgy.exe.46c8c38.2.raw.unpack, nGeEpeH2mO1eRdSOHV9.csHigh entropy of concatenated method names: 'LjCRsrXINx', 'BnFRrtAsFJ', 'Gf6Ruts0dN', 'Giftfbk07EOxiYMUcKf', 'cpw8HJkfwgLwFg5B1cW', 'Meb9yBkhxhY8H5vC2DF', 'mrKCWJk3viMSK4yWeUl', 'LHMKAUklsjIDRRcGqZt'
              Source: 11.2.yVSkoplfDgy.exe.46c8c38.2.raw.unpack, yC6lR7krJjH8ts2hvJ.csHigh entropy of concatenated method names: 'lBcB8BPEmg', 'UnTBiRAFLS', 'ToString', 'jhVBt7FyO9', 'nL1BMQ4tu9', 'fy5B9THaED', 'lgqBbrO2QP', 'kVJBy11eUO', 'I7DBl6t2bF', 'NsYBgw7atX'
              Source: 11.2.yVSkoplfDgy.exe.46c8c38.2.raw.unpack, vGrleP9avAfjIoUO6i.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'WX42LTYCCp', 'd7r2Si8tHh', 'jEV2zJA1Ns', 'Fb9xO4WFyG', 'sukxHaq3ul', 'qMBx2U2m38', 'ixgxxtYvwG', 'Meurtd2opUuUok1XNG9'
              Source: 11.2.yVSkoplfDgy.exe.46c8c38.2.raw.unpack, UMRDH1gWHwBA0dwVfU.csHigh entropy of concatenated method names: 'BofxcJTxxC', 'xxcxtowmam', 'dYZxMerCoX', 'a9Kx9wYkHv', 'M34xbmFTdk', 'B9WxymKsij', 'BPQxlWY6rG', 'WZKxgZyCHv', 'Y8exPkCwqi', 'Jyax8pVFdK'
              Source: 11.2.yVSkoplfDgy.exe.46c8c38.2.raw.unpack, mox50u6oseXKC7AQ9h.csHigh entropy of concatenated method names: 'PvXotj9kpS', 'OQEoMd53co', 'UC3o9txCsN', 'k0kobmq5mA', 'WnxoyGbcfb', 'A1aolNr1Qf', 'v2kogF7Ms8', 'P9foPx6T8k', 'FG1o8ASVQH', 'fHBoipdRqS'
              Source: 11.2.yVSkoplfDgy.exe.46c8c38.2.raw.unpack, jaX6ECYgOfnGjyjRgn.csHigh entropy of concatenated method names: 'Ie4HlahAPH', 'SkAHg1dNuR', 'zUeH8Eh8NE', 's0wHiUuvfa', 'GLcHwA3lsG', 'BHoHZVrO7n', 'eYvuC8lN8Te8phFyn5', 'l0drlSKsBEy5aXKxEm', 'aW5HH3euXV', 'rOiHxRVf0h'
              Source: 11.2.yVSkoplfDgy.exe.46c8c38.2.raw.unpack, WCwsuCDMaq6BOoYbLG.csHigh entropy of concatenated method names: 'u4DltqeLgJ', 'Feul9PKpVG', 'pVelyd1Hp6', 'glIySEtxP1', 'EGcyzQD6Jl', 'huglO3uxan', 'bCWlHqRK7W', 'aCSl22gyxB', 'CKclxqQv4p', 'nG3lY18MoK'
              Source: 11.2.yVSkoplfDgy.exe.46c8c38.2.raw.unpack, vZFnsuUUeEh8NEA0wU.csHigh entropy of concatenated method names: 'omh9mXg2mo', 'E6Q9jhMkyA', 'O0L9eiyN4Y', 'Ism9UMfeMh', 'DdC9wXZiPs', 'PsO9ZqQ9AI', 'agE9B0JAVL', 'Bq79oS7jbY', 'nkU9ANiRwG', 'C0V9R7PmII'
              Source: 11.2.yVSkoplfDgy.exe.46c8c38.2.raw.unpack, aHHaEsSu3xvFZEeV0Q.csHigh entropy of concatenated method names: 'aKEAHLWZ1L', 'Q0lAxnLEO4', 'RPFAY2lJf8', 'uTuAt1E75G', 'k9mAM9nVh2', 'Ko2AbcSo3F', 'ShuAyUa9wl', 'Ck5oTjgbNy', 'MEGo6FRZdS', 'Wd8oLcu60o'
              Source: 11.2.yVSkoplfDgy.exe.46c8c38.2.raw.unpack, dYAaZxJTfwcVsHoZfm.csHigh entropy of concatenated method names: 'gA2fefPgpm', 'SoGfUsMV7B', 'Gflf3XT966', 'aIjfEJB2il', 'RJ2fI5unCa', 'afBfG6iML5', 'JyhfDTxpLG', 'KqKfa6eqa0', 'GnCfNx2vjQ', 'BfEfqVnFAR'
              Source: 11.2.yVSkoplfDgy.exe.46c8c38.2.raw.unpack, PN5OFAXQDjdn15EqRJ.csHigh entropy of concatenated method names: 'ToString', 'bh0ZqJxVSV', 'n3WZE9RJgU', 'dwDZ4n8T6P', 'beTZIRTf98', 'NR1ZGKMacY', 'V68Z0h51AN', 'zNMZDf1Wwy', 'zNgZaPYcog', 'uDSZd4KeCi'
              Source: 11.2.yVSkoplfDgy.exe.46c8c38.2.raw.unpack, pus0yvdtSq7eZL1AO4.csHigh entropy of concatenated method names: 'GXWlsjYrXr', 'hr5lrniP3r', 'AoAluNVZNG', 'EGmlmGfTwZ', 'rr9lVdGgKO', 'UTNlj4CXnv', 'jIZlQrGCqd', 'zgGleAJbJk', 'ucelUXXUvg', 'r6GlpLRomi'
              Source: 11.2.yVSkoplfDgy.exe.4611a18.0.raw.unpack, jsGVHo3VrO7nIDP5IF.csHigh entropy of concatenated method names: 'LWPychysJn', 'hAJyMZ5mae', 'wWTybGUnEc', 'Mrnyl75iQE', 'sjZygTejMF', 'KPabWYDsD1', 'MUJbh9xqvL', 'WRNbTMmyJe', 'qBpb601C4o', 'ehabLkFlmo'
              Source: 11.2.yVSkoplfDgy.exe.4611a18.0.raw.unpack, pj4GOALE1qxs1GI0N4.csHigh entropy of concatenated method names: 'BKno3TyVdX', 'LuboENZy60', 'LXro4lHsMf', 'm4NoIFaUwB', 'T08oF0Sia4', 'WD5oGsX0NX', 'Next', 'Next', 'Next', 'NextBytes'
              Source: 11.2.yVSkoplfDgy.exe.4611a18.0.raw.unpack, A3gbyBHOJnnH9cUkAsk.csHigh entropy of concatenated method names: 'WAkAsVbp2Z', 'TXiArU5QGh', 'Of7AuAWXij', 'dyrAmmDHPb', 'kHMAVibiN9', 'cQUAjxscc8', 'T1wAQNtNRk', 'MjgAeLy2Yr', 'XntAUNGO2E', 'rVFAp1a32N'
              Source: 11.2.yVSkoplfDgy.exe.4611a18.0.raw.unpack, NKaJP9z0sWiDBOX1bP.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YBfAfrilAC', 'cxSAwWk2Yj', 'Y4GAZjAeTJ', 'zVcABoU5dO', 'Y4CAopBtF3', 'jr5AAQ11vV', 'nIbAR7nJEI'
              Source: 11.2.yVSkoplfDgy.exe.4611a18.0.raw.unpack, zvfabWpX0E0St3LcA3.csHigh entropy of concatenated method names: 'Jp3bVhVHhX', 'YNYbQU2WBn', 'dPZ94swqg7', 'lK09IN7wJZ', 'zQZ9GbXkjF', 'lOl902gPRk', 'GaZ9DXRMx3', 'yHX9aWWdvT', 'mWH9drh7hm', 'Wiy9NrrHb6'
              Source: 11.2.yVSkoplfDgy.exe.4611a18.0.raw.unpack, YfCo8Eh2Qp5YuLr6yM.csHigh entropy of concatenated method names: 'ElcB66Jnr9', 'Xl2BSkP00H', 'SmOoOvkxND', 'tOeoHVoUYo', 'AqXBqFrTHS', 'GsoB7mR3Va', 'sQrBJCLIhU', 'xOeBFcuvd0', 'Q70BCdldS9', 'Ns5BXE9Vf4'
              Source: 11.2.yVSkoplfDgy.exe.4611a18.0.raw.unpack, uCnVMCMm3s35KTSK7U.csHigh entropy of concatenated method names: 'Dispose', 'FtIHLMVeWw', 'Viv2EZF0Ve', 'eBlyyLHnx5', 'c8oHSx50uo', 'yeXHzKC7AQ', 'ProcessDialogKey', 'hhZ2Oj4GOA', 'H1q2Hxs1GI', 'KN422HHHaE'
              Source: 11.2.yVSkoplfDgy.exe.4611a18.0.raw.unpack, bJ9NKd2DHc7Nb1FbcF.csHigh entropy of concatenated method names: 'zZEu6LiXw', 'sDgmO1McF', 'fq0jCbc0Z', 'ReXQ8Ykt6', 'icQUqngsU', 'NF0pG2fIR', 'LcHIEEBq4U3Ktmruu9', 'sIPaXsenWMWBhehPjb', 'rwdoYVdtF', 'wPPRQqFfK'
              Source: 11.2.yVSkoplfDgy.exe.4611a18.0.raw.unpack, JMxSgMHxtd33BgujFAy.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'eRuRFWcgv3', 'uv5RCV2TGK', 'tZ6RXMsy9K', 'GptRkUf6GS', 'ULcRWRiwyW', 'rAXRhn3mVp', 'yvrRTMVrho'
              Source: 11.2.yVSkoplfDgy.exe.4611a18.0.raw.unpack, HahAPHeXkA1dNuR4GJ.csHigh entropy of concatenated method names: 'QdnMFAtFB7', 'f9VMCQgQ0M', 'PB9MXvrrWB', 'dd1MkZIgq0', 'sBEMWWtbHZ', 'uXLMhXHEbr', 'xTeMT2klbL', 'np4M6O8wde', 'nFHMLPuVjt', 'kg0MSxhPe5'
              Source: 11.2.yVSkoplfDgy.exe.4611a18.0.raw.unpack, oqO2yGFGOnqYqV2uSi.csHigh entropy of concatenated method names: 'CxhwNVK5Q8', 'ztsw7OPNqK', 'xXUwF44uMI', 'G9kwCNK1ea', 'CedwEedNdq', 'TLnw4JJj39', 'wsOwIiSpRR', 'SBdwGt4EZU', 'HGZw0ZAMXY', 'P4UwDg7dK0'
              Source: 11.2.yVSkoplfDgy.exe.4611a18.0.raw.unpack, nGeEpeH2mO1eRdSOHV9.csHigh entropy of concatenated method names: 'LjCRsrXINx', 'BnFRrtAsFJ', 'Gf6Ruts0dN', 'Giftfbk07EOxiYMUcKf', 'cpw8HJkfwgLwFg5B1cW', 'Meb9yBkhxhY8H5vC2DF', 'mrKCWJk3viMSK4yWeUl', 'LHMKAUklsjIDRRcGqZt'
              Source: 11.2.yVSkoplfDgy.exe.4611a18.0.raw.unpack, yC6lR7krJjH8ts2hvJ.csHigh entropy of concatenated method names: 'lBcB8BPEmg', 'UnTBiRAFLS', 'ToString', 'jhVBt7FyO9', 'nL1BMQ4tu9', 'fy5B9THaED', 'lgqBbrO2QP', 'kVJBy11eUO', 'I7DBl6t2bF', 'NsYBgw7atX'
              Source: 11.2.yVSkoplfDgy.exe.4611a18.0.raw.unpack, vGrleP9avAfjIoUO6i.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'WX42LTYCCp', 'd7r2Si8tHh', 'jEV2zJA1Ns', 'Fb9xO4WFyG', 'sukxHaq3ul', 'qMBx2U2m38', 'ixgxxtYvwG', 'Meurtd2opUuUok1XNG9'
              Source: 11.2.yVSkoplfDgy.exe.4611a18.0.raw.unpack, UMRDH1gWHwBA0dwVfU.csHigh entropy of concatenated method names: 'BofxcJTxxC', 'xxcxtowmam', 'dYZxMerCoX', 'a9Kx9wYkHv', 'M34xbmFTdk', 'B9WxymKsij', 'BPQxlWY6rG', 'WZKxgZyCHv', 'Y8exPkCwqi', 'Jyax8pVFdK'
              Source: 11.2.yVSkoplfDgy.exe.4611a18.0.raw.unpack, mox50u6oseXKC7AQ9h.csHigh entropy of concatenated method names: 'PvXotj9kpS', 'OQEoMd53co', 'UC3o9txCsN', 'k0kobmq5mA', 'WnxoyGbcfb', 'A1aolNr1Qf', 'v2kogF7Ms8', 'P9foPx6T8k', 'FG1o8ASVQH', 'fHBoipdRqS'
              Source: 11.2.yVSkoplfDgy.exe.4611a18.0.raw.unpack, jaX6ECYgOfnGjyjRgn.csHigh entropy of concatenated method names: 'Ie4HlahAPH', 'SkAHg1dNuR', 'zUeH8Eh8NE', 's0wHiUuvfa', 'GLcHwA3lsG', 'BHoHZVrO7n', 'eYvuC8lN8Te8phFyn5', 'l0drlSKsBEy5aXKxEm', 'aW5HH3euXV', 'rOiHxRVf0h'
              Source: 11.2.yVSkoplfDgy.exe.4611a18.0.raw.unpack, WCwsuCDMaq6BOoYbLG.csHigh entropy of concatenated method names: 'u4DltqeLgJ', 'Feul9PKpVG', 'pVelyd1Hp6', 'glIySEtxP1', 'EGcyzQD6Jl', 'huglO3uxan', 'bCWlHqRK7W', 'aCSl22gyxB', 'CKclxqQv4p', 'nG3lY18MoK'
              Source: 11.2.yVSkoplfDgy.exe.4611a18.0.raw.unpack, vZFnsuUUeEh8NEA0wU.csHigh entropy of concatenated method names: 'omh9mXg2mo', 'E6Q9jhMkyA', 'O0L9eiyN4Y', 'Ism9UMfeMh', 'DdC9wXZiPs', 'PsO9ZqQ9AI', 'agE9B0JAVL', 'Bq79oS7jbY', 'nkU9ANiRwG', 'C0V9R7PmII'
              Source: 11.2.yVSkoplfDgy.exe.4611a18.0.raw.unpack, aHHaEsSu3xvFZEeV0Q.csHigh entropy of concatenated method names: 'aKEAHLWZ1L', 'Q0lAxnLEO4', 'RPFAY2lJf8', 'uTuAt1E75G', 'k9mAM9nVh2', 'Ko2AbcSo3F', 'ShuAyUa9wl', 'Ck5oTjgbNy', 'MEGo6FRZdS', 'Wd8oLcu60o'
              Source: 11.2.yVSkoplfDgy.exe.4611a18.0.raw.unpack, dYAaZxJTfwcVsHoZfm.csHigh entropy of concatenated method names: 'gA2fefPgpm', 'SoGfUsMV7B', 'Gflf3XT966', 'aIjfEJB2il', 'RJ2fI5unCa', 'afBfG6iML5', 'JyhfDTxpLG', 'KqKfa6eqa0', 'GnCfNx2vjQ', 'BfEfqVnFAR'
              Source: 11.2.yVSkoplfDgy.exe.4611a18.0.raw.unpack, PN5OFAXQDjdn15EqRJ.csHigh entropy of concatenated method names: 'ToString', 'bh0ZqJxVSV', 'n3WZE9RJgU', 'dwDZ4n8T6P', 'beTZIRTf98', 'NR1ZGKMacY', 'V68Z0h51AN', 'zNMZDf1Wwy', 'zNgZaPYcog', 'uDSZd4KeCi'
              Source: 11.2.yVSkoplfDgy.exe.4611a18.0.raw.unpack, pus0yvdtSq7eZL1AO4.csHigh entropy of concatenated method names: 'GXWlsjYrXr', 'hr5lrniP3r', 'AoAluNVZNG', 'EGmlmGfTwZ', 'rr9lVdGgKO', 'UTNlj4CXnv', 'jIZlQrGCqd', 'zgGleAJbJk', 'ucelUXXUvg', 'r6GlpLRomi'
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_004063C6 ShellExecuteW,URLDownloadToFileW,16_2_004063C6
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeFile created: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeJump to dropped file

              Boot Survival

              barindex
              Uses schtasks.exe or at.exe to add and modify task schedules
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVSkoplfDgy" /XML "C:\Users\user\AppData\Local\Temp\tmp5D45.tmp"
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,16_2_00418A00

              Hooking and other Techniques for Hiding and Protection

              barindex
              Loading BitLocker PowerShell Module
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,16_2_0041A8DA
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion

              barindex
              Delayed program exit found
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_0040E18D Sleep,ExitProcess,16_2_0040E18D
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeMemory allocated: 29D0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeMemory allocated: 2BC0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeMemory allocated: 4BC0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeMemory allocated: 9370000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeMemory allocated: A370000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeMemory allocated: A590000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeMemory allocated: B590000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeMemory allocated: C080000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeMemory allocated: D080000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeMemory allocated: E080000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeMemory allocated: 28D0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeMemory allocated: 2A80000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeMemory allocated: 4A80000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeMemory allocated: 8DE0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeMemory allocated: 9DE0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeMemory allocated: 9FF0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeMemory allocated: AFF0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeMemory allocated: BB70000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeMemory allocated: 89C0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,16_2_004186FE
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7681Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 592Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8620Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 723Jump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeWindow / User API: threadDelayed 1911Jump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeWindow / User API: threadDelayed 7620Jump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeWindow / User API: foregroundWindowGot 1768Jump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeAPI coverage: 5.0 %
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exe TID: 7436Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7792Thread sleep count: 7681 > 30Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7792Thread sleep count: 592 > 30Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7988Thread sleep time: -4611686018427385s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7840Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8032Thread sleep time: -7378697629483816s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7976Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exe TID: 8020Thread sleep count: 231 > 30Jump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exe TID: 8020Thread sleep time: -115500s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exe TID: 8024Thread sleep count: 1911 > 30Jump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exe TID: 8024Thread sleep time: -5733000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exe TID: 8024Thread sleep count: 7620 > 30Jump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exe TID: 8024Thread sleep time: -22860000s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exe TID: 8100Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,16_2_0041A01B
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,16_2_0040B28E
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,16_2_0040838E
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,16_2_004087A0
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,16_2_00407848
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_004068CD FindFirstFileW,FindNextFileW,16_2_004068CD
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_0044BA59 FindFirstFileExA,16_2_0044BA59
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,16_2_0040AA71
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW,16_2_00417AAB
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,16_2_0040AC78
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,16_2_00406D28
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: HSBC Payment Swift Copy.exe, 0000000A.00000002.3759622785.00000000015EE000.00000004.00000020.00020000.00000000.sdmp, HSBC Payment Swift Copy.exe, 0000000A.00000002.3757629945.000000000157A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: HSBC Payment Swift Copy.exe, 00000000.00000002.1363403628.0000000008D70000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: vMCiavHd7i
              Source: HSBC Payment Swift Copy.exe, 0000000A.00000002.3759622785.00000000015EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW^
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_004327AE
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,16_2_0041A8DA
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_004407B5 mov eax, dword ptr fs:[00000030h]16_2_004407B5
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_00410763 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError,16_2_00410763
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_004327AE
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_004328FC SetUnhandledExceptionFilter,16_2_004328FC
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_004398AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_004398AC
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_00432D5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,16_2_00432D5C
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeMemory allocated: page read and write | page guardJump to behavior

              HIPS / PFW / Operating System Protection Evasion

              barindex
              Adds a directory exclusion to Windows Defender
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HSBC Payment Swift Copy.exe"
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yVSkoplfDgy.exe"
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HSBC Payment Swift Copy.exe"Jump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yVSkoplfDgy.exe"Jump to behavior
              Injects a PE file into a foreign processes
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeMemory written: C:\Users\user\Desktop\HSBC Payment Swift Copy.exe base: 400000 value starts with: 4D5AJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeMemory written: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exe base: 400000 value starts with: 4D5AJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe16_2_00410B5C
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_004175E1 mouse_event,16_2_004175E1
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HSBC Payment Swift Copy.exe"Jump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yVSkoplfDgy.exe"Jump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVSkoplfDgy" /XML "C:\Users\user\AppData\Local\Temp\tmp5D45.tmp"Jump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeProcess created: C:\Users\user\Desktop\HSBC Payment Swift Copy.exe "C:\Users\user\Desktop\HSBC Payment Swift Copy.exe"Jump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVSkoplfDgy" /XML "C:\Users\user\AppData\Local\Temp\tmp6CC6.tmp"Jump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeProcess created: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exe "C:\Users\user\AppData\Roaming\yVSkoplfDgy.exe"Jump to behavior
              Source: HSBC Payment Swift Copy.exe, 0000000A.00000002.3757629945.000000000157A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
              Source: HSBC Payment Swift Copy.exe, 0000000A.00000002.3757629945.00000000015D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerIO\
              Source: HSBC Payment Swift Copy.exe, 0000000A.00000002.3757629945.00000000015D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerIO\59
              Source: HSBC Payment Swift Copy.exe, 0000000A.00000002.3757629945.00000000015D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerIO\69
              Source: HSBC Payment Swift Copy.exe, 0000000A.00000002.3757629945.00000000015A8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerv
              Source: HSBC Payment Swift Copy.exe, 0000000A.00000002.3757629945.00000000015D3000.00000004.00000020.00020000.00000000.sdmp, HSBC Payment Swift Copy.exe, 0000000A.00000002.3757629945.00000000015A8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |Program Manager|
              Source: HSBC Payment Swift Copy.exe, 0000000A.00000002.3757629945.00000000015D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager]
              Source: HSBC Payment Swift Copy.exe, 0000000A.00000002.3757629945.00000000015A8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager=
              Source: HSBC Payment Swift Copy.exe, 0000000A.00000002.3757629945.000000000157A000.00000004.00000020.00020000.00000000.sdmp, logs.dat.10.drBinary or memory string: [Program Manager]
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_004329DA cpuid 16_2_004329DA
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: EnumSystemLocalesW,16_2_0044F17B
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: EnumSystemLocalesW,16_2_0044F130
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: EnumSystemLocalesW,16_2_0044F216
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,16_2_0044F2A3
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: GetLocaleInfoA,16_2_0040E2BB
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: GetLocaleInfoW,16_2_0044F4F3
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,16_2_0044F61C
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: GetLocaleInfoW,16_2_0044F723
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,16_2_0044F7F0
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: EnumSystemLocalesW,16_2_00445914
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: GetLocaleInfoW,16_2_00445E1C
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,16_2_0044EEB8
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeQueries volume information: C:\Users\user\Desktop\HSBC Payment Swift Copy.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeQueries volume information: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exe VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_0040A0B0 GetLocalTime,wsprintfW,16_2_0040A0B0
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_004195F8 GetUserNameW,16_2_004195F8
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: 16_2_004466BF _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,16_2_004466BF
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Stealing of Sensitive Information

              barindex
              Yara detected Remcos RAT
              Source: Yara matchFile source: 0.2.HSBC Payment Swift Copy.exe.48be830.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 16.2.yVSkoplfDgy.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 11.2.yVSkoplfDgy.exe.3b206a8.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 11.2.yVSkoplfDgy.exe.3aab088.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 16.2.yVSkoplfDgy.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 11.2.yVSkoplfDgy.exe.3b206a8.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 11.2.yVSkoplfDgy.exe.3aab088.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.HSBC Payment Swift Copy.exe.48be830.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.HSBC Payment Swift Copy.exe.4807610.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.HSBC Payment Swift Copy.exe.47503f0.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0000000A.00000002.3757629945.0000000001567000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000A.00000002.3762660229.000000000328F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000002.1371326406.0000000001537000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000A.00000002.3757629945.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000A.00000002.3757629945.000000000157A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000B.00000002.1394489921.0000000003AAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.1355702722.000000000445B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: HSBC Payment Swift Copy.exe PID: 7416, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: HSBC Payment Swift Copy.exe PID: 7992, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: yVSkoplfDgy.exe PID: 8048, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: yVSkoplfDgy.exe PID: 4600, type: MEMORYSTR
              Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED
              Contains functionality to steal Chrome passwords or cookies
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: \AppData\Local\Google\Chrome\User Data\Default\Login Data16_2_0040A953
              Contains functionality to steal Firefox passwords or cookies
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: \AppData\Roaming\Mozilla\Firefox\Profiles\16_2_0040AA71
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: \key3.db16_2_0040AA71

              Remote Access Functionality

              barindex
              Detected Remcos RAT
              Source: C:\Users\user\Desktop\HSBC Payment Swift Copy.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-ISGDIOJump to behavior
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-ISGDIO
              Yara detected Remcos RAT
              Source: Yara matchFile source: 0.2.HSBC Payment Swift Copy.exe.48be830.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 16.2.yVSkoplfDgy.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 11.2.yVSkoplfDgy.exe.3b206a8.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 11.2.yVSkoplfDgy.exe.3aab088.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 16.2.yVSkoplfDgy.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 11.2.yVSkoplfDgy.exe.3b206a8.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 11.2.yVSkoplfDgy.exe.3aab088.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.HSBC Payment Swift Copy.exe.48be830.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.HSBC Payment Swift Copy.exe.4807610.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.HSBC Payment Swift Copy.exe.47503f0.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0000000A.00000002.3757629945.0000000001567000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000A.00000002.3762660229.000000000328F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000002.1371326406.0000000001537000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000A.00000002.3757629945.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000A.00000002.3757629945.000000000157A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000B.00000002.1394489921.0000000003AAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.1355702722.000000000445B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: HSBC Payment Swift Copy.exe PID: 7416, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: HSBC Payment Swift Copy.exe PID: 7992, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: yVSkoplfDgy.exe PID: 8048, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: yVSkoplfDgy.exe PID: 4600, type: MEMORYSTR
              Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED
              Source: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exeCode function: cmd.exe16_2_0040567A

              Mitre Att&ck Matrix

              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
              Native API              		1
              DLL Side-Loading              		1
              DLL Side-Loading              		11
              Disable or Modify Tools              		1
              OS Credential Dumping              		2
              System Time Discovery              		Remote Services11
              Archive Collected Data              		12
              Ingress Tool Transfer              		Exfiltration Over Other Network Medium1
              System Shutdown/Reboot
              CredentialsDomainsDefault Accounts1
              Command and Scripting Interpreter              		1
              Windows Service              		1
              Access Token Manipulation              		1
              Deobfuscate/Decode Files or Information              		211
              Input Capture              		1
              Account Discovery              		Remote Desktop Protocol211
              Input Capture              		2
              Encrypted Channel              		Exfiltration Over Bluetooth1
              Defacement
              Email AddressesDNS ServerDomain Accounts1
              Scheduled Task/Job              		1
              Scheduled Task/Job              		1
              Windows Service              		4
              Obfuscated Files or Information              		2
              Credentials In Files              		1
              System Service Discovery              		SMB/Windows Admin Shares3
              Clipboard Data              		1
              Non-Standard Port              		Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal Accounts2
              Service Execution              		Login Hook122
              Process Injection              		12
              Software Packing              		NTDS3
              File and Directory Discovery              		Distributed Component Object ModelInput Capture1
              Remote Access Software              		Traffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script1
              Scheduled Task/Job              		1
              Timestomp              		LSA Secrets33
              System Information Discovery              		SSHKeylogging2
              Non-Application Layer Protocol              		Scheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
              DLL Side-Loading              		Cached Domain Credentials121
              Security Software Discovery              		VNCGUI Input Capture12
              Application Layer Protocol              		Data Transfer Size LimitsService Stop
              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
              Masquerading              		DCSync31
              Virtualization/Sandbox Evasion              		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
              Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job31
              Virtualization/Sandbox Evasion              		Proc Filesystem3
              Process Discovery              		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
              Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
              Access Token Manipulation              		/etc/passwd and /etc/shadow1
              Application Window Discovery              		Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
              IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron122
              Process Injection              		Network Sniffing1
              System Owner/User Discovery              		Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1544526 Sample: HSBC Payment Swift Copy.exe Startdate: 29/10/2024 Architecture: WINDOWS Score: 100 49 teebro1800.dynamic-dns.net 2->49 51 geoplugin.net 2->51 63 Suricata IDS alerts for network traffic 2->63 65 Found malware configuration 2->65 67 Malicious sample detected (through community Yara rule) 2->67 69 12 other signatures 2->69 8 HSBC Payment Swift Copy.exe 7 2->8         started        12 yVSkoplfDgy.exe 5 2->12         started        signatures3 process4 file5 39 C:\Users\user\AppData\...\yVSkoplfDgy.exe, PE32 8->39 dropped 41 C:\Users\...\yVSkoplfDgy.exe:Zone.Identifier, ASCII 8->41 dropped 43 C:\Users\user\AppData\Local\...\tmp5D45.tmp, XML 8->43 dropped 45 C:\Users\...\HSBC Payment Swift Copy.exe.log, ASCII 8->45 dropped 71 Adds a directory exclusion to Windows Defender 8->71 73 Injects a PE file into a foreign processes 8->73 14 HSBC Payment Swift Copy.exe 2 15 8->14         started        19 powershell.exe 23 8->19         started        21 powershell.exe 23 8->21         started        23 schtasks.exe 1 8->23         started        75 Multi AV Scanner detection for dropped file 12->75 77 Contains functionalty to change the wallpaper 12->77 79 Machine Learning detection for dropped file 12->79 81 4 other signatures 12->81 25 yVSkoplfDgy.exe 12->25         started        27 schtasks.exe 12->27         started        signatures6 process7 dnsIp8 53 teebro1800.dynamic-dns.net 140.228.29.6, 2195, 49710 OARNET-ASUS United States 14->53 55 geoplugin.net 178.237.33.50, 49722, 80 ATOM86-ASATOM86NL Netherlands 14->55 47 C:\ProgramData\remcos\logs.dat, data 14->47 dropped 57 Detected Remcos RAT 14->57 59 Installs a global keyboard hook 14->59 61 Loading BitLocker PowerShell Module 19->61 29 WmiPrvSE.exe 19->29         started        31 conhost.exe 19->31         started        33 conhost.exe 21->33         started        35 conhost.exe 23->35         started        37 conhost.exe 27->37         started        file9 signatures10 process11

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


              windows-stand

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              SourceDetectionScannerLabelLink
              HSBC Payment Swift Copy.exe29%ReversingLabsWin32.Trojan.Generic
              HSBC Payment Swift Copy.exe100%Joe Sandbox ML

              Dropped Files

              SourceDetectionScannerLabelLink
              C:\Users\user\AppData\Roaming\yVSkoplfDgy.exe100%Joe Sandbox ML
              C:\Users\user\AppData\Roaming\yVSkoplfDgy.exe29%ReversingLabsWin32.Trojan.Generic

              Unpacked PE Files

              No Antivirus matches

              Domains

              No Antivirus matches

              URLs

              SourceDetectionScannerLabelLink
              http://geoplugin.net/json.gp0%URL Reputationsafe
              http://geoplugin.net/json.gp/C0%URL Reputationsafe
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe

              Domains and IPs

              Contacted Domains

              NameIPActiveMaliciousAntivirus DetectionReputation
              teebro1800.dynamic-dns.net
              		140.228.29.6
              		truetrue
                		unknown
                geoplugin.net
                		178.237.33.50
                		truefalse
                  		unknown

                  Contacted URLs

                  NameMaliciousAntivirus DetectionReputation
                  http://geoplugin.net/json.gpfalse
                  • URL Reputation: safe
                  		unknown
                  00.dynamic-dns.nettrue
                    		unknown

                    URLs from Memory and Binaries

                    NameSourceMaliciousAntivirus DetectionReputation
                    http://geoplugin.net/HSBC Payment Swift Copy.exe, 0000000A.00000002.3757629945.000000000157A000.00000004.00000020.00020000.00000000.sdmpfalse
                      		unknown
                      http://geoplugin.net/json.gpUHSBC Payment Swift Copy.exe, 0000000A.00000002.3757629945.00000000015A8000.00000004.00000020.00020000.00000000.sdmpfalse
                        		unknown
                        http://geoplugin.net/json.gp/CHSBC Payment Swift Copy.exe, 00000000.00000002.1355702722.000000000445B000.00000004.00000800.00020000.00000000.sdmp, yVSkoplfDgy.exe, 0000000B.00000002.1394489921.0000000003AAB000.00000004.00000800.00020000.00000000.sdmp, yVSkoplfDgy.exe, 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameHSBC Payment Swift Copy.exe, 00000000.00000002.1354847338.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, HSBC Payment Swift Copy.exe, 00000000.00000002.1354847338.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, yVSkoplfDgy.exe, 0000000B.00000002.1392275406.0000000002AB6000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://geoplugin.net/json.gpSystem32HSBC Payment Swift Copy.exe, 0000000A.00000002.3757629945.000000000157A000.00000004.00000020.00020000.00000000.sdmpfalse
                          		unknown
                          http://tempuri.org/DataSet1.xsdHSBC Payment Swift Copy.exe, yVSkoplfDgy.exe.0.drfalse
                            		unknown

                            World Map of Contacted IPs

                            • No. of IPs < 25%
                            • 25% < No. of IPs < 50%
                            • 50% < No. of IPs < 75%
                            • 75% < No. of IPs

                            Public IPs

                            IPDomainCountryFlagASNASN NameMalicious
                            140.228.29.6
                            		teebro1800.dynamic-dns.netUnited States
                            		600OARNET-ASUStrue
                            178.237.33.50
                            		geoplugin.netNetherlands
                            		8455ATOM86-ASATOM86NLfalse

                            General Information

                            Joe Sandbox version:41.0.0 Charoite
                            Analysis ID:1544526
                            Start date and time:2024-10-29 14:44:11 +01:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 9m 36s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                            Number of analysed new started processes analysed:23
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:HSBC Payment Swift Copy.exe
                            Detection:MAL
                            Classification:mal100.rans.troj.spyw.evad.winEXE@19/17@2/2
                            EGA Information:
                            • Successful, ratio: 75%
                            HCA Information:
                            • Successful, ratio: 100%
                            • Number of executed functions: 118
                            • Number of non-executed functions: 203
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Override analysis time to 240000 for current running targets taking high CPU consumption

                            Warnings

                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                            • Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                            • Execution Graph export aborted for target HSBC Payment Swift Copy.exe, PID 7992 because there are no executed function
                            • Not all processes where analyzed, report is missing behavior information
                            • Report size exceeded maximum capacity and may have missing behavior information.
                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                            • Report size getting too big, too many NtCreateKey calls found.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • VT rate limit hit for: HSBC Payment Swift Copy.exe

                            Simulations

                            Behavior and APIs

                            TimeTypeDescription
                            09:45:13API Interceptor6790503x Sleep call for process: HSBC Payment Swift Copy.exe modified
                            09:45:16API Interceptor28x Sleep call for process: powershell.exe modified
                            09:45:18API Interceptor2x Sleep call for process: yVSkoplfDgy.exe modified
                            14:45:17Task SchedulerRun new task: yVSkoplfDgy path: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exe

                            Joe Sandbox View / Context

                            IPs

                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                            178.237.33.50ingswhic.docGet hashmaliciousRemcosBrowse
                            • geoplugin.net/json.gp
                            swithnew.docGet hashmaliciousRemcosBrowse
                            • geoplugin.net/json.gp
                            1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeGet hashmaliciousRemcosBrowse
                            • geoplugin.net/json.gp
                            1730205125e17c77fd100fac247e845e0d35eb80fd3ed2b798c588796b720ffad142a2b233827.dat-decoded.exeGet hashmaliciousRemcosBrowse
                            • geoplugin.net/json.gp
                            SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeGet hashmaliciousRemcosBrowse
                            • geoplugin.net/json.gp
                            Lista produkt#U00f3w POL56583753Sarchmentdoc.batGet hashmaliciousRemcos, GuLoaderBrowse
                            • geoplugin.net/json.gp
                            odthings.docGet hashmaliciousRemcosBrowse
                            • geoplugin.net/json.gp
                            sheisverynicegirlwithgreatworkingskillwithgereatniceworkign.htaGet hashmaliciousCobalt Strike, RemcosBrowse
                            • geoplugin.net/json.gp
                            withbest.docGet hashmaliciousRemcosBrowse
                            • geoplugin.net/json.gp
                            1730032807b4b05f98bfde8f6276448daba1a23755e9c274c194747a0e2092fa87b9491fd0424.dat-decoded.exeGet hashmaliciousRemcosBrowse
                            • geoplugin.net/json.gp

                            Domains

                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                            geoplugin.netingswhic.docGet hashmaliciousRemcosBrowse
                            • 178.237.33.50
                            swithnew.docGet hashmaliciousRemcosBrowse
                            • 178.237.33.50
                            1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeGet hashmaliciousRemcosBrowse
                            • 178.237.33.50
                            1730205125e17c77fd100fac247e845e0d35eb80fd3ed2b798c588796b720ffad142a2b233827.dat-decoded.exeGet hashmaliciousRemcosBrowse
                            • 178.237.33.50
                            SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeGet hashmaliciousRemcosBrowse
                            • 178.237.33.50
                            Lista produkt#U00f3w POL56583753Sarchmentdoc.batGet hashmaliciousRemcos, GuLoaderBrowse
                            • 178.237.33.50
                            odthings.docGet hashmaliciousRemcosBrowse
                            • 178.237.33.50
                            sheisverynicegirlwithgreatworkingskillwithgereatniceworkign.htaGet hashmaliciousCobalt Strike, RemcosBrowse
                            • 178.237.33.50
                            withbest.docGet hashmaliciousRemcosBrowse
                            • 178.237.33.50
                            1730032807b4b05f98bfde8f6276448daba1a23755e9c274c194747a0e2092fa87b9491fd0424.dat-decoded.exeGet hashmaliciousRemcosBrowse
                            • 178.237.33.50

                            ASNs

                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                            OARNET-ASUSarm5.elfGet hashmaliciousUnknownBrowse
                            • 138.31.133.204
                            la.bot.arm5.elfGet hashmaliciousUnknownBrowse
                            • 138.30.137.163
                            nabspc.elfGet hashmaliciousUnknownBrowse
                            • 163.11.242.222
                            jklarm5.elfGet hashmaliciousUnknownBrowse
                            • 205.133.201.9
                            mpsl.elfGet hashmaliciousMirai, MoobotBrowse
                            • 157.134.238.62
                            splmpsl.elfGet hashmaliciousUnknownBrowse
                            • 136.227.230.51
                            arm7.elfGet hashmaliciousMiraiBrowse
                            • 157.135.242.119
                            kkkarm.elfGet hashmaliciousUnknownBrowse
                            • 163.11.124.20
                            kkkx86.elfGet hashmaliciousUnknownBrowse
                            • 192.153.62.184
                            la.bot.arm.elfGet hashmaliciousUnknownBrowse
                            • 138.28.129.71
                            ATOM86-ASATOM86NLingswhic.docGet hashmaliciousRemcosBrowse
                            • 178.237.33.50
                            swithnew.docGet hashmaliciousRemcosBrowse
                            • 178.237.33.50
                            1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exeGet hashmaliciousRemcosBrowse
                            • 178.237.33.50
                            1730205125e17c77fd100fac247e845e0d35eb80fd3ed2b798c588796b720ffad142a2b233827.dat-decoded.exeGet hashmaliciousRemcosBrowse
                            • 178.237.33.50
                            SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.16672.23413.exeGet hashmaliciousRemcosBrowse
                            • 178.237.33.50
                            Lista produkt#U00f3w POL56583753Sarchmentdoc.batGet hashmaliciousRemcos, GuLoaderBrowse
                            • 178.237.33.50
                            odthings.docGet hashmaliciousRemcosBrowse
                            • 178.237.33.50
                            sheisverynicegirlwithgreatworkingskillwithgereatniceworkign.htaGet hashmaliciousCobalt Strike, RemcosBrowse
                            • 178.237.33.50
                            withbest.docGet hashmaliciousRemcosBrowse
                            • 178.237.33.50
                            1730032807b4b05f98bfde8f6276448daba1a23755e9c274c194747a0e2092fa87b9491fd0424.dat-decoded.exeGet hashmaliciousRemcosBrowse
                            • 178.237.33.50

                            JA3 Fingerprints

                            No context

                            Dropped Files

                            No context

                            Created / dropped Files

                            C:\ProgramData\remcos\logs.dat

                            Download File
                            Process:C:\Users\user\Desktop\HSBC Payment Swift Copy.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):144
                            Entropy (8bit):3.38816599775145
                            Encrypted:false
                            SSDEEP:3:rhlKlM+XlcPlcOKTNql55JWRal2Jl+7R0DAlBG45klovDl6v:6ljkcbql55YcIeeDAlOWAv
                            MD5:77DB26759D81067A23B5569C4B55EC47
                            SHA1:852576B28BDB63BCE0060CF031C770C504217D95
                            SHA-256:C24C2DBE8F2BE1723D56F82BBAB968A8726248D650E251A344A49B2C16135B6C
                            SHA-512:5217F5B96E6E2BEA2C6D9DD6A5575C59CBC4B7C164EC2BB3010A02912338EBF57E057EEC1B970719E456EF726828B90DC6554610C5D2FC53EA65306DBB8DB041
                            Malicious:true
                            Yara Hits:
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                            Reputation:low
                            Preview:....[.2.0.2.4./.1.0./.2.9. .0.9.:.4.5.:.1.6. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....

                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HSBC Payment Swift Copy.exe.log

                            Download File
                            Process:C:\Users\user\Desktop\HSBC Payment Swift Copy.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1216
                            Entropy (8bit):5.34331486778365
                            Encrypted:false
                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                            Malicious:true
                            Reputation:high, very likely benign file
                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\yVSkoplfDgy.exe.log

                            Download File
                            Process:C:\Users\user\AppData\Roaming\yVSkoplfDgy.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1216
                            Entropy (8bit):5.34331486778365
                            Encrypted:false
                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                            Malicious:false
                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\json[1].json

                            Download File
                            Process:C:\Users\user\Desktop\HSBC Payment Swift Copy.exe
                            File Type:JSON data
                            Category:dropped
                            Size (bytes):957
                            Entropy (8bit):5.006273389567236
                            Encrypted:false
                            SSDEEP:24:qIdbauKyGX85jHf3SvXhNlT3/7YvfbYro:100GX85mvhjTkvfEro
                            MD5:805052D675F0EFB012C32D7E2584D86E
                            SHA1:49811A8882FF254FBDC90F74CCDF05ED0EF4EC10
                            SHA-256:9A39D417552C1ACBB2A5E48C55890D5519937C793674C9622C5069003E934111
                            SHA-512:DA90E16A774927B04CE33CDDCC32FE7A9925B6E05E3450B7AD0F2D96D3AD2A19206738A81598E14BEB88CA5C3DEF91280DE15D647CDCD6C7D733FA851EE8FEE2
                            Malicious:false
                            Preview:{. "geoplugin_request":"173.254.250.72",. "geoplugin_status":200,. "geoplugin_delay":"0ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Killeen",. "geoplugin_region":"Texas",. "geoplugin_regionCode":"TX",. "geoplugin_regionName":"Texas",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"625",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"31.0065",. "geoplugin_longitude":"-97.8406",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/Chicago",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

                            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                            Download File
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):2232
                            Entropy (8bit):5.379552885213346
                            Encrypted:false
                            SSDEEP:48:fWSU4xympjgs4Rc9tEoUl8NPZHUl7u1iMuge//ZM0Uyut:fLHxvCsIcnSKRHmOugr1t
                            MD5:8094D8624FEBA18AC74B23D27AC1399F
                            SHA1:2F2CD479E6ED5B23102FEC5340F1C31119959687
                            SHA-256:513E26B826E32CB65C89674138B63E13B5157398D3F1F27AF136E92DC5E80B06
                            SHA-512:D62C12DC90B63BD3C6B3336ADE2BF92982CD0DA663DFA447B692D44B61A7CDA214124FD01894936755562EBF12687B8687D6B8775A1411ECB05AE2CA9E24FFBA
                            Malicious:false
                            Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<...............V.}...@...i...........System.Transactions.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1iqfbv33.vj1.psm1

                            Download File
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bmo4my3f.k3q.psm1

                            Download File
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_euurwlsf.ayb.ps1

                            Download File
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fikker0z.y5o.psm1

                            Download File
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jn2utas4.vwj.ps1

                            Download File
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r1onkxo5.44l.ps1

                            Download File
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rg23blu5.icz.psm1

                            Download File
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yqtzommu.wu3.ps1

                            Download File
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                            C:\Users\user\AppData\Local\Temp\tmp5D45.tmp

                            Download File
                            Process:C:\Users\user\Desktop\HSBC Payment Swift Copy.exe
                            File Type:XML 1.0 document, ASCII text
                            Category:dropped
                            Size (bytes):1605
                            Entropy (8bit):5.121978680439302
                            Encrypted:false
                            SSDEEP:24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt3xvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTBv
                            MD5:74D8751134AA5CBFB927E5F3A40EAC21
                            SHA1:1F28CC4795646619F99DDB3927FE5BD41DA4CD29
                            SHA-256:2EA5D06B21929F65E57CDCC72D40FCFF9E78E374822A3CD22FA603B6180F72B4
                            SHA-512:DCF664A44351DFAA69B9BA27E7DA35129EFADD09856265314EEBC94BB1850D1DD80587BDC77D467C679C6D90759F02C632407202218524959E81D46F301AD691
                            Malicious:true
                            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

                            C:\Users\user\AppData\Local\Temp\tmp6CC6.tmp

                            Download File
                            Process:C:\Users\user\AppData\Roaming\yVSkoplfDgy.exe
                            File Type:XML 1.0 document, ASCII text
                            Category:dropped
                            Size (bytes):1605
                            Entropy (8bit):5.121978680439302
                            Encrypted:false
                            SSDEEP:24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt3xvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTBv
                            MD5:74D8751134AA5CBFB927E5F3A40EAC21
                            SHA1:1F28CC4795646619F99DDB3927FE5BD41DA4CD29
                            SHA-256:2EA5D06B21929F65E57CDCC72D40FCFF9E78E374822A3CD22FA603B6180F72B4
                            SHA-512:DCF664A44351DFAA69B9BA27E7DA35129EFADD09856265314EEBC94BB1850D1DD80587BDC77D467C679C6D90759F02C632407202218524959E81D46F301AD691
                            Malicious:false
                            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

                            C:\Users\user\AppData\Roaming\yVSkoplfDgy.exe

                            Download File
                            Process:C:\Users\user\Desktop\HSBC Payment Swift Copy.exe
                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Category:dropped
                            Size (bytes):999424
                            Entropy (8bit):7.795675962708916
                            Encrypted:false
                            SSDEEP:24576:KVLOy/gpKgVD/MXQPlv2aOxwyi85CDRmueO0kF:K9ObpKkMgPlv2aOyyP5CxX
                            MD5:FA638E5DCB26F16F0C960ED10F387782
                            SHA1:85FEFDF55321E998F93EBB52C63C275863E14E21
                            SHA-256:4AA7D5055D37293EFEA2B6D715E655F07F3B153F31651278C7576575E7247769
                            SHA-512:F1CCBD0AF2A2BB0935DF69F4471260C1056C5CCA587294154DC0794F4642B381BBF87DE5A757AFA711434D17787CFA94E652C60F5A55AC51522626581F790BAE
                            Malicious:true
                            Antivirus:
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            • Antivirus: ReversingLabs, Detection: 29%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....:................0..6..........>T... ...`....@.. ....................................@..................................S..O....`...............................1..p............................................ ............... ..H............text...D4... ...6.................. ..`.rsrc........`.......8..............@..@.reloc...............>..............@..B................ T......H........u...i......^...<....Q...........................................0...........(........(....}.......&....*....................0............{.....+..*.0..%..........{.....o....(.......&.r...ps....z.*....................0..)...........(......,...(....}......{.......&....*..........."#.......0..E..........{......o .......{....(......,...(....}.....{........{.......&....*...........>?.......0...........s!......b...%..,...(....rO..p~....("...s#....+|..o$......o%.......(...+

                            C:\Users\user\AppData\Roaming\yVSkoplfDgy.exe:Zone.Identifier

                            Download File
                            Process:C:\Users\user\Desktop\HSBC Payment Swift Copy.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):26
                            Entropy (8bit):3.95006375643621
                            Encrypted:false
                            SSDEEP:3:ggPYV:rPYV
                            MD5:187F488E27DB4AF347237FE461A079AD
                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                            Malicious:true
                            Preview:[ZoneTransfer]....ZoneId=0

                            Static File Info

                            General

                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Entropy (8bit):7.795675962708916
                            TrID:
                            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                            • Win32 Executable (generic) a (10002005/4) 49.75%
                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                            • Windows Screen Saver (13104/52) 0.07%
                            • Generic Win/DOS Executable (2004/3) 0.01%
                            File name:HSBC Payment Swift Copy.exe
                            File size:999'424 bytes
                            MD5:fa638e5dcb26f16f0c960ed10f387782
                            SHA1:85fefdf55321e998f93ebb52c63c275863e14e21
                            SHA256:4aa7d5055d37293efea2b6d715e655f07f3b153f31651278c7576575e7247769
                            SHA512:f1ccbd0af2a2bb0935df69f4471260c1056c5cca587294154dc0794f4642b381bbf87de5a757afa711434d17787cfa94e652c60f5a55ac51522626581f790bae
                            SSDEEP:24576:KVLOy/gpKgVD/MXQPlv2aOxwyi85CDRmueO0kF:K9ObpKkMgPlv2aOyyP5CxX
                            TLSH:2E25E0D03B36B719EE69AA748119DDB583F12969B014FAF25ADC3B83319D211DE1CF02
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....:................0..6..........>T... ...`....@.. ....................................@................................

                            File Icon

                            Icon Hash:00928e8e8686b000

                            Static PE Info

                            General

                            Entrypoint:0x4f543e
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Time Stamp:0xDDC53ABB [Wed Nov 26 13:06:03 2087 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                            Entrypoint Preview

                            Instruction
                            jmp dword ptr [00402000h]
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al

                            Data Directories

                            NameVirtual AddressVirtual Size Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                            IMAGE_DIRECTORY_ENTRY_IMPORT0xf53ec0x4f.text
                            IMAGE_DIRECTORY_ENTRY_RESOURCE0xf60000x5a4.rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                            IMAGE_DIRECTORY_ENTRY_BASERELOC0xf80000xc.reloc
                            IMAGE_DIRECTORY_ENTRY_DEBUG0xf31140x70.text
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                            IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                            Sections

                            NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                            .text0x20000xf34440xf3600d1d204810c1af63a13e5c70db8f08788False0.8998479230868002data7.800028536529113IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .rsrc0xf60000x5a40x600a746a0c91c56b7466d46cff4b74403e6False0.419921875data4.071560426062592IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .reloc0xf80000xc0x20044b14d9a8150ecd015c77ca7666f6c47False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                            Resources

                            NameRVASizeTypeLanguageCountryZLIB Complexity
                            RT_VERSION0xf60900x314data0.434010152284264
                            RT_MANIFEST0xf63b40x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                            Imports

                            DLLImport
                            mscoree.dll_CorExeMain

                            Network Behavior

                            Suricata IDS Alerts

                            TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                            2024-10-29T14:45:18.505707+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.749710140.228.29.62195TCP
                            2024-10-29T14:45:20.347427+01002803304ETPRO MALWARE Common Downloader Header Pattern HCa3192.168.2.749722178.237.33.5080TCP

                            Network Port Distribution

                            TCP Packets

                            TimestampSource PortDest PortSource IPDest IP
                            Oct 29, 2024 14:45:17.894695044 CET497102195192.168.2.7140.228.29.6
                            Oct 29, 2024 14:45:17.900491953 CET219549710140.228.29.6192.168.2.7
                            Oct 29, 2024 14:45:17.900628090 CET497102195192.168.2.7140.228.29.6
                            Oct 29, 2024 14:45:17.906666994 CET497102195192.168.2.7140.228.29.6
                            Oct 29, 2024 14:45:17.912072897 CET219549710140.228.29.6192.168.2.7
                            Oct 29, 2024 14:45:18.495860100 CET219549710140.228.29.6192.168.2.7
                            Oct 29, 2024 14:45:18.505570889 CET219549710140.228.29.6192.168.2.7
                            Oct 29, 2024 14:45:18.505707026 CET497102195192.168.2.7140.228.29.6
                            Oct 29, 2024 14:45:18.506582975 CET219549710140.228.29.6192.168.2.7
                            Oct 29, 2024 14:45:18.516006947 CET219549710140.228.29.6192.168.2.7
                            Oct 29, 2024 14:45:18.517736912 CET497102195192.168.2.7140.228.29.6
                            Oct 29, 2024 14:45:18.518817902 CET219549710140.228.29.6192.168.2.7
                            Oct 29, 2024 14:45:18.533183098 CET497102195192.168.2.7140.228.29.6
                            Oct 29, 2024 14:45:18.538584948 CET219549710140.228.29.6192.168.2.7
                            Oct 29, 2024 14:45:18.538665056 CET497102195192.168.2.7140.228.29.6
                            Oct 29, 2024 14:45:18.544050932 CET219549710140.228.29.6192.168.2.7
                            Oct 29, 2024 14:45:18.547878981 CET497102195192.168.2.7140.228.29.6
                            Oct 29, 2024 14:45:18.553284883 CET219549710140.228.29.6192.168.2.7
                            Oct 29, 2024 14:45:18.797597885 CET219549710140.228.29.6192.168.2.7
                            Oct 29, 2024 14:45:18.800075054 CET497102195192.168.2.7140.228.29.6
                            Oct 29, 2024 14:45:18.805529118 CET219549710140.228.29.6192.168.2.7
                            Oct 29, 2024 14:45:18.806401968 CET219549710140.228.29.6192.168.2.7
                            Oct 29, 2024 14:45:18.846090078 CET497102195192.168.2.7140.228.29.6
                            Oct 29, 2024 14:45:19.486181974 CET4972280192.168.2.7178.237.33.50
                            Oct 29, 2024 14:45:19.491668940 CET8049722178.237.33.50192.168.2.7
                            Oct 29, 2024 14:45:19.491805077 CET4972280192.168.2.7178.237.33.50
                            Oct 29, 2024 14:45:19.492021084 CET4972280192.168.2.7178.237.33.50
                            Oct 29, 2024 14:45:19.497315884 CET8049722178.237.33.50192.168.2.7
                            Oct 29, 2024 14:45:20.346848965 CET8049722178.237.33.50192.168.2.7
                            Oct 29, 2024 14:45:20.347426891 CET4972280192.168.2.7178.237.33.50
                            Oct 29, 2024 14:45:20.359416008 CET497102195192.168.2.7140.228.29.6
                            Oct 29, 2024 14:45:20.407593012 CET219549710140.228.29.6192.168.2.7
                            Oct 29, 2024 14:45:21.469782114 CET8049722178.237.33.50192.168.2.7
                            Oct 29, 2024 14:45:21.469831944 CET4972280192.168.2.7178.237.33.50
                            Oct 29, 2024 14:45:49.027574062 CET219549710140.228.29.6192.168.2.7
                            Oct 29, 2024 14:45:49.028903008 CET497102195192.168.2.7140.228.29.6
                            Oct 29, 2024 14:45:49.034347057 CET219549710140.228.29.6192.168.2.7
                            Oct 29, 2024 14:46:19.304290056 CET219549710140.228.29.6192.168.2.7
                            Oct 29, 2024 14:46:19.305583954 CET497102195192.168.2.7140.228.29.6
                            Oct 29, 2024 14:46:19.311072111 CET219549710140.228.29.6192.168.2.7
                            Oct 29, 2024 14:46:49.503299952 CET219549710140.228.29.6192.168.2.7
                            Oct 29, 2024 14:46:49.504590034 CET497102195192.168.2.7140.228.29.6
                            Oct 29, 2024 14:46:49.509989977 CET219549710140.228.29.6192.168.2.7
                            Oct 29, 2024 14:47:09.456020117 CET4972280192.168.2.7178.237.33.50
                            Oct 29, 2024 14:47:09.783999920 CET4972280192.168.2.7178.237.33.50
                            Oct 29, 2024 14:47:10.580930948 CET4972280192.168.2.7178.237.33.50
                            Oct 29, 2024 14:47:11.879900932 CET4972280192.168.2.7178.237.33.50
                            Oct 29, 2024 14:47:14.284895897 CET4972280192.168.2.7178.237.33.50
                            Oct 29, 2024 14:47:19.284043074 CET4972280192.168.2.7178.237.33.50
                            Oct 29, 2024 14:47:19.947185040 CET219549710140.228.29.6192.168.2.7
                            Oct 29, 2024 14:47:19.948286057 CET497102195192.168.2.7140.228.29.6
                            Oct 29, 2024 14:47:19.955123901 CET219549710140.228.29.6192.168.2.7
                            Oct 29, 2024 14:47:28.971709967 CET4972280192.168.2.7178.237.33.50
                            Oct 29, 2024 14:47:50.063083887 CET219549710140.228.29.6192.168.2.7
                            Oct 29, 2024 14:47:50.074076891 CET497102195192.168.2.7140.228.29.6
                            Oct 29, 2024 14:47:50.086522102 CET219549710140.228.29.6192.168.2.7
                            Oct 29, 2024 14:48:20.352320910 CET219549710140.228.29.6192.168.2.7
                            Oct 29, 2024 14:48:20.353822947 CET497102195192.168.2.7140.228.29.6
                            Oct 29, 2024 14:48:20.369756937 CET219549710140.228.29.6192.168.2.7
                            Oct 29, 2024 14:48:50.586702108 CET219549710140.228.29.6192.168.2.7
                            Oct 29, 2024 14:48:50.588447094 CET497102195192.168.2.7140.228.29.6
                            Oct 29, 2024 14:48:50.598083973 CET219549710140.228.29.6192.168.2.7
                            Oct 29, 2024 14:49:20.857175112 CET219549710140.228.29.6192.168.2.7
                            Oct 29, 2024 14:49:20.857954025 CET497102195192.168.2.7140.228.29.6
                            Oct 29, 2024 14:49:20.863276005 CET219549710140.228.29.6192.168.2.7

                            UDP Packets

                            TimestampSource PortDest PortSource IPDest IP
                            Oct 29, 2024 14:45:17.704330921 CET6040353192.168.2.71.1.1.1
                            Oct 29, 2024 14:45:17.809168100 CET53604031.1.1.1192.168.2.7
                            Oct 29, 2024 14:45:19.466636896 CET5358353192.168.2.71.1.1.1
                            Oct 29, 2024 14:45:19.475636959 CET53535831.1.1.1192.168.2.7

                            DNS Queries

                            TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                            Oct 29, 2024 14:45:17.704330921 CET192.168.2.71.1.1.10x43fbStandard query (0)teebro1800.dynamic-dns.netA (IP address)IN (0x0001)false
                            Oct 29, 2024 14:45:19.466636896 CET192.168.2.71.1.1.10x8efbStandard query (0)geoplugin.netA (IP address)IN (0x0001)false

                            DNS Answers

                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                            Oct 29, 2024 14:45:17.809168100 CET1.1.1.1192.168.2.70x43fbNo error (0)teebro1800.dynamic-dns.net140.228.29.6A (IP address)IN (0x0001)false
                            Oct 29, 2024 14:45:19.475636959 CET1.1.1.1192.168.2.70x8efbNo error (0)geoplugin.net178.237.33.50A (IP address)IN (0x0001)false

                            HTTP Request Dependency Graph

                            • geoplugin.net

                            HTTP Packets

                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                            0192.168.2.749722178.237.33.50807992C:\Users\user\Desktop\HSBC Payment Swift Copy.exe
                            TimestampBytes transferredDirectionData
                            Oct 29, 2024 14:45:19.492021084 CET71OUTGET /json.gp HTTP/1.1
                            Host: geoplugin.net
                            Cache-Control: no-cache
                            Oct 29, 2024 14:45:20.346848965 CET1165INHTTP/1.1 200 OK
                            date: Tue, 29 Oct 2024 13:45:20 GMT
                            server: Apache
                            content-length: 957
                            content-type: application/json; charset=utf-8
                            cache-control: public, max-age=300
                            access-control-allow-origin: *
                            Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 30 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4b 69 6c 6c 65 65 6e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 54 65 78 61 73 22 2c 0a 20 20 22 67 65 6f 70 [TRUNCATED]
                            Data Ascii: { "geoplugin_request":"173.254.250.72", "geoplugin_status":200, "geoplugin_delay":"0ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Killeen", "geoplugin_region":"Texas", "geoplugin_regionCode":"TX", "geoplugin_regionName":"Texas", "geoplugin_areaCode":"", "geoplugin_dmaCode":"625", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"31.0065", "geoplugin_longitude":"-97.8406", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/Chicago", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


                            Statistics

                            CPU Usage

                            Click to jump to process

                            Memory Usage

                            Click to jump to process

                            High Level Behavior Distribution

                            Click to dive into process behavior distribution

                            Behavior

                            Click to jump to process

                            System Behavior

                            General

                            Target ID:0
                            Start time:09:45:12
                            Start date:29/10/2024
                            Path:C:\Users\user\Desktop\HSBC Payment Swift Copy.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\HSBC Payment Swift Copy.exe"
                            Imagebase:0x800000
                            File size:999'424 bytes
                            MD5 hash:FA638E5DCB26F16F0C960ED10F387782
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1355702722.000000000445B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1355702722.000000000445B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                            Reputation:low
                            Has exited:true

                            General

                            Target ID:4
                            Start time:09:45:15
                            Start date:29/10/2024
                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HSBC Payment Swift Copy.exe"
                            Imagebase:0xca0000
                            File size:433'152 bytes
                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            General

                            Target ID:5
                            Start time:09:45:15
                            Start date:29/10/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff75da10000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            General

                            Target ID:6
                            Start time:09:45:15
                            Start date:29/10/2024
                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yVSkoplfDgy.exe"
                            Imagebase:0xca0000
                            File size:433'152 bytes
                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            General

                            Target ID:7
                            Start time:09:45:15
                            Start date:29/10/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff75da10000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            General

                            Target ID:8
                            Start time:09:45:15
                            Start date:29/10/2024
                            Path:C:\Windows\SysWOW64\schtasks.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVSkoplfDgy" /XML "C:\Users\user\AppData\Local\Temp\tmp5D45.tmp"
                            Imagebase:0xdd0000
                            File size:187'904 bytes
                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            General

                            Target ID:9
                            Start time:09:45:15
                            Start date:29/10/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff75da10000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            General

                            Target ID:10
                            Start time:09:45:16
                            Start date:29/10/2024
                            Path:C:\Users\user\Desktop\HSBC Payment Swift Copy.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\HSBC Payment Swift Copy.exe"
                            Imagebase:0xf80000
                            File size:999'424 bytes
                            MD5 hash:FA638E5DCB26F16F0C960ED10F387782
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.3757629945.0000000001567000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.3762660229.000000000328F000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.3757629945.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.3757629945.000000000157A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:false

                            General

                            Target ID:11
                            Start time:09:45:17
                            Start date:29/10/2024
                            Path:C:\Users\user\AppData\Roaming\yVSkoplfDgy.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Users\user\AppData\Roaming\yVSkoplfDgy.exe
                            Imagebase:0x700000
                            File size:999'424 bytes
                            MD5 hash:FA638E5DCB26F16F0C960ED10F387782
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.1394489921.0000000003AAB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000B.00000002.1394489921.0000000003AAB000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                            Antivirus matches:
                            • Detection: 100%, Joe Sandbox ML
                            • Detection: 29%, ReversingLabs
                            Reputation:low
                            Has exited:true

                            General

                            Target ID:13
                            Start time:09:45:17
                            Start date:29/10/2024
                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                            Imagebase:0x7ff7fb730000
                            File size:496'640 bytes
                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                            Has elevated privileges:true
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            General

                            Target ID:14
                            Start time:09:45:19
                            Start date:29/10/2024
                            Path:C:\Windows\SysWOW64\schtasks.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVSkoplfDgy" /XML "C:\Users\user\AppData\Local\Temp\tmp6CC6.tmp"
                            Imagebase:0xb50000
                            File size:187'904 bytes
                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            General

                            Target ID:15
                            Start time:09:45:19
                            Start date:29/10/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff75da10000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            General

                            Target ID:16
                            Start time:09:45:19
                            Start date:29/10/2024
                            Path:C:\Users\user\AppData\Roaming\yVSkoplfDgy.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\AppData\Roaming\yVSkoplfDgy.exe"
                            Imagebase:0xeb0000
                            File size:999'424 bytes
                            MD5 hash:FA638E5DCB26F16F0C960ED10F387782
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                            • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                            • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows exceutables potentially bypassing UAC using eventvwr.exe, Source: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000010.00000002.1371326406.0000000001537000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true

                            Disassembly

                            Reset < >

                              Execution Graph

                              Execution Coverage:12.6%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:2%
                              Total number of Nodes:293
                              Total number of Limit Nodes:15
                              execution_graph 35707 75ce9fc 35708 75cea09 35707->35708 35709 75ce98d 35708->35709 35714 8f81550 35708->35714 35730 8f815fe 35708->35730 35747 8f814c9 35708->35747 35763 8f81540 35708->35763 35715 8f81551 35714->35715 35720 8f81572 35715->35720 35779 8f81ff9 35715->35779 35789 8f82267 35715->35789 35794 8f81b46 35715->35794 35799 8f81de6 35715->35799 35806 8f81ee5 35715->35806 35811 8f81a05 35715->35811 35821 8f81b03 35715->35821 35825 8f81d83 35715->35825 35829 8f819a8 35715->35829 35839 8f81a77 35715->35839 35849 8f819be 35715->35849 35859 8f81f9c 35715->35859 35866 8f81b59 35715->35866 35720->35708 35731 8f8158c 35730->35731 35732 8f81601 35730->35732 35733 8f81ff9 6 API calls 35731->35733 35734 8f81b59 2 API calls 35731->35734 35735 8f81f9c 4 API calls 35731->35735 35736 8f819be 6 API calls 35731->35736 35737 8f81572 35731->35737 35738 8f81a77 6 API calls 35731->35738 35739 8f819a8 6 API calls 35731->35739 35740 8f81d83 2 API calls 35731->35740 35741 8f81b03 2 API calls 35731->35741 35742 8f81a05 6 API calls 35731->35742 35743 8f81ee5 2 API calls 35731->35743 35744 8f81de6 4 API calls 35731->35744 35745 8f81b46 2 API calls 35731->35745 35746 8f82267 2 API calls 35731->35746 35732->35708 35733->35737 35734->35737 35735->35737 35736->35737 35737->35708 35738->35737 35739->35737 35740->35737 35741->35737 35742->35737 35743->35737 35744->35737 35745->35737 35746->35737 35748 8f814cc 35747->35748 35749 8f814e7 35748->35749 35750 8f81ff9 6 API calls 35748->35750 35751 8f81b59 2 API calls 35748->35751 35752 8f81f9c 4 API calls 35748->35752 35753 8f819be 6 API calls 35748->35753 35754 8f81a77 6 API calls 35748->35754 35755 8f819a8 6 API calls 35748->35755 35756 8f81d83 2 API calls 35748->35756 35757 8f81b03 2 API calls 35748->35757 35758 8f81a05 6 API calls 35748->35758 35759 8f81ee5 2 API calls 35748->35759 35760 8f81de6 4 API calls 35748->35760 35761 8f81b46 2 API calls 35748->35761 35762 8f82267 2 API calls 35748->35762 35749->35708 35750->35749 35751->35749 35752->35749 35753->35749 35754->35749 35755->35749 35756->35749 35757->35749 35758->35749 35759->35749 35760->35749 35761->35749 35762->35749 35764 8f81544 35763->35764 35765 8f81572 35764->35765 35766 8f81ff9 6 API calls 35764->35766 35767 8f81b59 2 API calls 35764->35767 35768 8f81f9c 4 API calls 35764->35768 35769 8f819be 6 API calls 35764->35769 35770 8f81a77 6 API calls 35764->35770 35771 8f819a8 6 API calls 35764->35771 35772 8f81d83 2 API calls 35764->35772 35773 8f81b03 2 API calls 35764->35773 35774 8f81a05 6 API calls 35764->35774 35775 8f81ee5 2 API calls 35764->35775 35776 8f81de6 4 API calls 35764->35776 35777 8f81b46 2 API calls 35764->35777 35778 8f82267 2 API calls 35764->35778 35765->35708 35766->35765 35767->35765 35768->35765 35769->35765 35770->35765 35771->35765 35772->35765 35773->35765 35774->35765 35775->35765 35776->35765 35777->35765 35778->35765 35780 8f81fff 35779->35780 35782 8f81ded 35780->35782 35879 75cdbf0 35780->35879 35883 75cdbe8 35780->35883 35781 8f81e9c 35781->35720 35782->35781 35871 75cd628 35782->35871 35875 75cd630 35782->35875 35887 75cd6e0 35782->35887 35891 75cd6d8 35782->35891 35790 8f82282 35789->35790 35895 75ce0e8 35790->35895 35899 75ce0e1 35790->35899 35791 8f822a3 35796 8f81b53 35794->35796 35795 8f822a3 35797 75ce0e8 WriteProcessMemory 35796->35797 35798 75ce0e1 WriteProcessMemory 35796->35798 35797->35795 35798->35795 35801 8f81dec 35799->35801 35800 8f81e9c 35800->35720 35801->35800 35802 75cd628 ResumeThread 35801->35802 35803 75cd630 ResumeThread 35801->35803 35804 75cd6d8 Wow64SetThreadContext 35801->35804 35805 75cd6e0 Wow64SetThreadContext 35801->35805 35802->35801 35803->35801 35804->35801 35805->35801 35807 8f82205 35806->35807 35809 75cd6d8 Wow64SetThreadContext 35807->35809 35810 75cd6e0 Wow64SetThreadContext 35807->35810 35808 8f82220 35809->35808 35810->35808 35812 8f81a10 35811->35812 35903 75ce364 35812->35903 35907 75ce370 35812->35907 35823 75ce0e8 WriteProcessMemory 35821->35823 35824 75ce0e1 WriteProcessMemory 35821->35824 35822 8f81b27 35822->35720 35823->35822 35824->35822 35911 75ce1d8 35825->35911 35915 75ce1d0 35825->35915 35826 8f81da5 35830 8f819ac 35829->35830 35837 75ce364 CreateProcessA 35830->35837 35838 75ce370 CreateProcessA 35830->35838 35831 8f81afd 35831->35720 35832 8f81ac0 35832->35831 35833 75cd628 ResumeThread 35832->35833 35834 75cd630 ResumeThread 35832->35834 35835 75cd6d8 Wow64SetThreadContext 35832->35835 35836 75cd6e0 Wow64SetThreadContext 35832->35836 35833->35832 35834->35832 35835->35832 35836->35832 35837->35832 35838->35832 35840 8f81a7d 35839->35840 35842 8f81ac0 35840->35842 35847 75ce364 CreateProcessA 35840->35847 35848 75ce370 CreateProcessA 35840->35848 35841 8f81afd 35841->35720 35842->35841 35843 75cd628 ResumeThread 35842->35843 35844 75cd630 ResumeThread 35842->35844 35845 75cd6d8 Wow64SetThreadContext 35842->35845 35846 75cd6e0 Wow64SetThreadContext 35842->35846 35843->35842 35844->35842 35845->35842 35846->35842 35847->35842 35848->35842 35850 8f819ac 35849->35850 35855 75ce364 CreateProcessA 35850->35855 35856 75ce370 CreateProcessA 35850->35856 35851 8f81ac0 35852 8f81afd 35851->35852 35853 75cd6d8 Wow64SetThreadContext 35851->35853 35854 75cd6e0 Wow64SetThreadContext 35851->35854 35857 75cd628 ResumeThread 35851->35857 35858 75cd630 ResumeThread 35851->35858 35852->35720 35853->35851 35854->35851 35855->35851 35856->35851 35857->35851 35858->35851 35861 8f81ded 35859->35861 35860 8f81e9c 35860->35720 35861->35860 35862 75cd6d8 Wow64SetThreadContext 35861->35862 35863 75cd6e0 Wow64SetThreadContext 35861->35863 35864 75cd628 ResumeThread 35861->35864 35865 75cd630 ResumeThread 35861->35865 35862->35861 35863->35861 35864->35861 35865->35861 35867 8f81b7c 35866->35867 35868 8f81d58 35867->35868 35869 75ce0e8 WriteProcessMemory 35867->35869 35870 75ce0e1 WriteProcessMemory 35867->35870 35868->35720 35869->35867 35870->35867 35872 75cd62c ResumeThread 35871->35872 35874 75cd6a1 35872->35874 35874->35782 35876 75cd634 ResumeThread 35875->35876 35878 75cd6a1 35876->35878 35878->35782 35880 75cdc30 VirtualAllocEx 35879->35880 35882 75cdc6d 35880->35882 35882->35782 35884 75cdbf0 VirtualAllocEx 35883->35884 35886 75cdc6d 35884->35886 35886->35782 35888 75cd6e4 Wow64SetThreadContext 35887->35888 35890 75cd76d 35888->35890 35890->35782 35892 75cd6dc Wow64SetThreadContext 35891->35892 35894 75cd76d 35892->35894 35894->35782 35896 75ce130 WriteProcessMemory 35895->35896 35898 75ce187 35896->35898 35898->35791 35900 75ce0e8 WriteProcessMemory 35899->35900 35902 75ce187 35900->35902 35902->35791 35904 75ce36c CreateProcessA 35903->35904 35906 75ce5bb 35904->35906 35906->35906 35908 75ce374 CreateProcessA 35907->35908 35910 75ce5bb 35908->35910 35912 75ce223 ReadProcessMemory 35911->35912 35914 75ce267 35912->35914 35914->35826 35916 75ce1d8 ReadProcessMemory 35915->35916 35918 75ce267 35916->35918 35918->35826 35668 75aadc8 35670 75aae16 DrawTextExW 35668->35670 35671 75aae6e 35670->35671 35937 75aeee8 35939 75aeef4 35937->35939 35938 75aef05 35942 75c1dc8 35939->35942 35947 75c1db8 35939->35947 35943 75c1de4 35942->35943 35952 75c2d00 35943->35952 35957 75c2cf0 35943->35957 35944 75c1e8e 35944->35938 35948 75c1de4 35947->35948 35950 75c2d00 2 API calls 35948->35950 35951 75c2cf0 2 API calls 35948->35951 35949 75c1e8e 35949->35938 35950->35949 35951->35949 35953 75c2d12 35952->35953 35962 75c2d40 35953->35962 35967 75c2d31 35953->35967 35954 75c2d26 35954->35944 35958 75c2d12 35957->35958 35960 75c2d40 2 API calls 35958->35960 35961 75c2d31 2 API calls 35958->35961 35959 75c2d26 35959->35944 35960->35959 35961->35959 35963 75c2d5a 35962->35963 35972 75c2e10 35963->35972 35977 75c2e00 35963->35977 35964 75c2d7d 35964->35954 35968 75c2d5a 35967->35968 35970 75c2e10 2 API calls 35968->35970 35971 75c2e00 2 API calls 35968->35971 35969 75c2d7d 35969->35954 35970->35969 35971->35969 35973 75c2e34 35972->35973 35982 75c2f68 35973->35982 35985 75c2f70 35973->35985 35974 75c2ebb 35974->35964 35978 75c2e34 35977->35978 35980 75c2f68 NtQueryInformationProcess 35978->35980 35981 75c2f70 NtQueryInformationProcess 35978->35981 35979 75c2ebb 35979->35964 35980->35979 35981->35979 35983 75c2fbb NtQueryInformationProcess 35982->35983 35984 75c2ffe 35983->35984 35984->35974 35986 75c2fbb NtQueryInformationProcess 35985->35986 35987 75c2ffe 35986->35987 35987->35974 35919 29ee6b8 35920 29ee6fe 35919->35920 35923 29ee898 35920->35923 35926 29eca10 35923->35926 35927 29ee900 DuplicateHandle 35926->35927 35928 29ee7eb 35927->35928 35988 29e4668 35989 29e4682 35988->35989 35992 29e3e30 35989->35992 35991 29e46d1 35993 29e3e3b 35992->35993 35996 29e6784 35993->35996 35995 29e7e31 35995->35991 35997 29e678f 35996->35997 36000 29e6814 35997->36000 35999 29e8295 35999->35995 36001 29e681f 36000->36001 36004 29e6844 36001->36004 36003 29e837a 36003->35999 36005 29e684f 36004->36005 36008 29e6874 36005->36008 36007 29e846d 36007->36003 36009 29e687f 36008->36009 36011 29e987b 36009->36011 36014 29ebf18 36009->36014 36010 29e98b9 36010->36007 36011->36010 36018 29edff0 36011->36018 36022 29ebf50 36014->36022 36025 29ebf40 36014->36025 36015 29ebf2e 36015->36011 36019 29ee011 36018->36019 36020 29ee035 36019->36020 36033 29ee1a0 36019->36033 36020->36010 36028 29ec038 36022->36028 36023 29ebf5f 36023->36015 36026 29ebf5f 36025->36026 36027 29ec038 GetModuleHandleW 36025->36027 36026->36015 36027->36026 36029 29ec07c 36028->36029 36030 29ec059 36028->36030 36029->36023 36030->36029 36031 29ec280 GetModuleHandleW 36030->36031 36032 29ec2ad 36031->36032 36032->36023 36034 29ee1ad 36033->36034 36036 29ee1e7 36034->36036 36037 29eca00 36034->36037 36036->36020 36038 29eca0b 36037->36038 36039 29eeef8 36038->36039 36041 29ee304 36038->36041 36042 29ee30f 36041->36042 36043 29e6874 GetModuleHandleW 36042->36043 36044 29eef67 36043->36044 36044->36039 35672 8f828a0 35675 8f828a4 35672->35675 35673 8f82a2b 35675->35673 35676 8f80ca0 35675->35676 35677 8f82b20 PostMessageW 35676->35677 35678 8f82b8c 35677->35678 35678->35675 35679 75c3900 35680 75c3924 35679->35680 35682 75c3ef7 OutputDebugStringW 35680->35682 35686 75c3f78 35680->35686 35690 75c3f80 35680->35690 35694 75c402a 35680->35694 35697 75c4030 35680->35697 35682->35680 35687 75c3f80 OutputDebugStringW 35686->35687 35689 75c3fff 35687->35689 35689->35680 35691 75c3fc6 OutputDebugStringW 35690->35691 35693 75c3fff 35691->35693 35693->35680 35695 75c4071 CloseHandle 35694->35695 35696 75c409e 35695->35696 35696->35680 35698 75c4071 CloseHandle 35697->35698 35699 75c409e 35698->35699 35699->35680 35700 75c3a82 35701 75c39bc 35700->35701 35702 75c402a CloseHandle 35701->35702 35703 75c4030 CloseHandle 35701->35703 35704 75c3ef7 OutputDebugStringW 35701->35704 35705 75c3f78 OutputDebugStringW 35701->35705 35706 75c3f80 OutputDebugStringW 35701->35706 35702->35701 35703->35701 35704->35701 35705->35701 35706->35701 35929 29e55f0 35931 29e5617 35929->35931 35930 29e56f4 35931->35930 35933 29e4598 35931->35933 35934 29e6a80 CreateActCtxA 35933->35934 35936 29e6b43 35934->35936

                              Executed Functions

                              Function 075C2F68 Relevance: 1.6, APIs: 1, Instructions: 57nativeCOMMON
                              Download Yara Rule
                              APIs
                              • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 075C2FEF
                              Memory Dump Source
                              • Source File: 00000000.00000002.1362722937.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_75c0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID: InformationProcessQuery
                              • String ID:
                              • API String ID: 1778838933-0
                              • Opcode ID: f3d7e42d1c2785c609ccdd7f5e494df79242f9d67392b104a2577500a91e5fcc
                              • Instruction ID: 71ba71a58072874980f0243c74cdc5a1b99fdc8259603f988f59d08be47ab6c5
                              • Opcode Fuzzy Hash: f3d7e42d1c2785c609ccdd7f5e494df79242f9d67392b104a2577500a91e5fcc
                              • Instruction Fuzzy Hash: FD21EAB59012899FCB20CF9AD885BDEBBF5BB48310F10852AE918A7250C335A900CFA1
                              Function 075C2F70 Relevance: 1.6, APIs: 1, Instructions: 55nativeCOMMON
                              Download Yara Rule
                              APIs
                              • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 075C2FEF
                              Memory Dump Source
                              • Source File: 00000000.00000002.1362722937.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_75c0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID: InformationProcessQuery
                              • String ID:
                              • API String ID: 1778838933-0
                              • Opcode ID: 8980321898b8efd5263419370dd8bc50b9a3dfcae39bc2616f09b2ddf0d1c135
                              • Instruction ID: af304e3d00be3057c8986959160f1d92ce1cd706f2caa036e09d88ccb077cfca
                              • Opcode Fuzzy Hash: 8980321898b8efd5263419370dd8bc50b9a3dfcae39bc2616f09b2ddf0d1c135
                              • Instruction Fuzzy Hash: C021EFB5D003499FCB20CF9AD885ACEBBF4FB48310F10842AE918A7250D375A940CFA5
                              Function 075A3390 Relevance: 1.5, Strings: 1, Instructions: 255COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1362329616.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_75a0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID:
                              • String ID: Hq
                              • API String ID: 0-1594803414
                              • Opcode ID: 1fea9dacab3c3632ecc80dc6e25fda85cee24793122d15705372cfdf5a1bb147
                              • Instruction ID: 2f8a02543582e99833d292ce414a4bc95488e48fc588941c8e0bbbe77852748f
                              • Opcode Fuzzy Hash: 1fea9dacab3c3632ecc80dc6e25fda85cee24793122d15705372cfdf5a1bb147
                              • Instruction Fuzzy Hash: 13A14070E04309AFDB54EFB8D8547AE7BB6BF88300F508429E445EB394CA38AD42DB55
                              Function 08F830A0 Relevance: .6, Instructions: 586COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000002.1364245254.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8f80000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e03914cc01a255faac2439c5a0d64a109cabcced4fa13a725a9d045dfeaae4ba
                              • Instruction ID: e9cae40dada47286a31eba470ec97262da5a20712f63258cfcfa95b4b4517080
                              • Opcode Fuzzy Hash: e03914cc01a255faac2439c5a0d64a109cabcced4fa13a725a9d045dfeaae4ba
                              • Instruction Fuzzy Hash: 6F229CB1B01204CFDB1AEB79D560BAEB7F6AF89B01F14446DE5069B3A1DB34E801CB51
                              Function 075C0308 Relevance: .5, Instructions: 506COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000002.1362722937.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_75c0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fdd2aacf56e320fcb415193bc73aed0043299d22589f3ca8376220c7589b1d66
                              • Instruction ID: e3262a38ea9305279117b3a8c6a234b5662ffc08b0805a67db32ee981cce5589
                              • Opcode Fuzzy Hash: fdd2aacf56e320fcb415193bc73aed0043299d22589f3ca8376220c7589b1d66
                              • Instruction Fuzzy Hash: 80428074E11219CFDB14CFA9C984B9DBBB6BF48300F1491A9E809A7395DB30AE81CF50
                              Function 075AEF18 Relevance: .5, Instructions: 482COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000002.1362329616.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_75a0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a1cefa4dd5dbd2cddd70fcc0b52fa6e981916eefc4e55b7362c3450e7916d719
                              • Instruction ID: 83cebce0f8dd5bd67d622c44339d3254565318d1ae7f563b664eb87923846ad7
                              • Opcode Fuzzy Hash: a1cefa4dd5dbd2cddd70fcc0b52fa6e981916eefc4e55b7362c3450e7916d719
                              • Instruction Fuzzy Hash: CE32B0B4900219DFEB50DF69C680A8EFBB6BF49315F55C1AAC448AB251CB30DD85CFA4
                              Function 075C02F9 Relevance: .2, Instructions: 156COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000002.1362722937.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_75c0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bd5764ba46b37f456b42729b835f2b3a203407a721e35c795e510a51a4b15f38
                              • Instruction ID: 2f57b394bb4c1a859131c3d8ee3e142f9c7a49e373f6aabefac12141ff1731b5
                              • Opcode Fuzzy Hash: bd5764ba46b37f456b42729b835f2b3a203407a721e35c795e510a51a4b15f38
                              • Instruction Fuzzy Hash: D861A675E05218DFEB14CFA6D984BDDBBB6FF88300F1491A9E409A7294DB319941CF60
                              Function 075C4CC0 Relevance: .1, Instructions: 140COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000002.1362722937.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_75c0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8295086ce98b28f93d539897fb74027c6317ece91f1e5988a2956f09c8320546
                              • Instruction ID: 0843265ab471492453426f934cf816e0ee97198f2e513a48a1e9d18cfa839178
                              • Opcode Fuzzy Hash: 8295086ce98b28f93d539897fb74027c6317ece91f1e5988a2956f09c8320546
                              • Instruction Fuzzy Hash: C85180B5E006199FDB04DFEAC944AEEBBB2FF89300F14902AD419AB254DB745946CF50
                              Function 075AEF09 Relevance: .1, Instructions: 109COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000002.1362329616.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_75a0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c8bdded21c75a19750b47f36dfaaa40fbda849430492a3cca7f494478dfc8a7c
                              • Instruction ID: 7bab4822599c80e139d3d3755366b82dff0f85c1af48e31f2e37d6d90fa93192
                              • Opcode Fuzzy Hash: c8bdded21c75a19750b47f36dfaaa40fbda849430492a3cca7f494478dfc8a7c
                              • Instruction Fuzzy Hash: F541C7B1E006199FEB58DF6A88417DEBBB3BFC9200F14C0BAD459A7255DA304A86CF51
                              Function 075C4CB2 Relevance: .1, Instructions: 103COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000002.1362722937.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_75c0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fae5f593ec3e65559c49e0a5203a14c4d1289a1ed0f0b10e8e8d57644de31015
                              • Instruction ID: 4e89dd1266b1ca1e95bdbb74ca0e632bf83db636f41bd9b67954a02bc65f2b8a
                              • Opcode Fuzzy Hash: fae5f593ec3e65559c49e0a5203a14c4d1289a1ed0f0b10e8e8d57644de31015
                              • Instruction Fuzzy Hash: 4941BFB5E006189FDB08CFEAC8846EEBBF2BF88310F14C12AD419AB254DB305946CF40
                              Function 08F820F4 Relevance: .0, Instructions: 8COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000002.1364245254.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8f80000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6119f0439a125d507459e156a9ebaa1660ee47134c015edd2b27eaf11fd67e3a
                              • Instruction ID: 829078651292f023c3ba9e1ca9851fd92ef5bee4295ae4646edf29c53605335d
                              • Opcode Fuzzy Hash: 6119f0439a125d507459e156a9ebaa1660ee47134c015edd2b27eaf11fd67e3a
                              • Instruction Fuzzy Hash: 36A00253D8E405C4C2017DB4C0455F5F13E264F012E603105C40A774530494D192006D
                              Function 075CE364 Relevance: 1.7, APIs: 1, Instructions: 247processCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 550 75ce364-75ce36a 551 75ce36c-75ce373 550->551 552 75ce374-75ce405 550->552 551->552 554 75ce43e-75ce45e 552->554 555 75ce407-75ce411 552->555 560 75ce497-75ce4c6 554->560 561 75ce460-75ce46a 554->561 555->554 556 75ce413-75ce415 555->556 558 75ce438-75ce43b 556->558 559 75ce417-75ce421 556->559 558->554 562 75ce425-75ce434 559->562 563 75ce423 559->563 571 75ce4ff-75ce5b9 CreateProcessA 560->571 572 75ce4c8-75ce4d2 560->572 561->560 564 75ce46c-75ce46e 561->564 562->562 565 75ce436 562->565 563->562 566 75ce470-75ce47a 564->566 567 75ce491-75ce494 564->567 565->558 569 75ce47c 566->569 570 75ce47e-75ce48d 566->570 567->560 569->570 570->570 573 75ce48f 570->573 583 75ce5bb-75ce5c1 571->583 584 75ce5c2-75ce648 571->584 572->571 574 75ce4d4-75ce4d6 572->574 573->567 576 75ce4d8-75ce4e2 574->576 577 75ce4f9-75ce4fc 574->577 578 75ce4e4 576->578 579 75ce4e6-75ce4f5 576->579 577->571 578->579 579->579 580 75ce4f7 579->580 580->577 583->584 594 75ce658-75ce65c 584->594 595 75ce64a-75ce64e 584->595 596 75ce66c-75ce670 594->596 597 75ce65e-75ce662 594->597 595->594 598 75ce650 595->598 600 75ce680-75ce684 596->600 601 75ce672-75ce676 596->601 597->596 599 75ce664 597->599 598->594 599->596 603 75ce696-75ce69d 600->603 604 75ce686-75ce68c 600->604 601->600 602 75ce678 601->602 602->600 605 75ce69f-75ce6ae 603->605 606 75ce6b4 603->606 604->603 605->606 607 75ce6b5 606->607 607->607
                              APIs
                              • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 075CE5A6
                              Memory Dump Source
                              • Source File: 00000000.00000002.1362722937.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_75c0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID: CreateProcess
                              • String ID:
                              • API String ID: 963392458-0
                              • Opcode ID: 72992ca4401fb87d82745fb06a1e5e9048b3b9d9b1de8a300ae80b53388d5e96
                              • Instruction ID: b4e8ecb7224034bf479b372a5bc72518cc2b01938331fb6867c80058de01c683
                              • Opcode Fuzzy Hash: 72992ca4401fb87d82745fb06a1e5e9048b3b9d9b1de8a300ae80b53388d5e96
                              • Instruction Fuzzy Hash: 66A15FB1D10759CFEB24CFA8C882BEDBBB2BF44310F14856AD845A7280DB759985CF91
                              Function 075CE370 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 609 75ce370-75ce405 612 75ce43e-75ce45e 609->612 613 75ce407-75ce411 609->613 618 75ce497-75ce4c6 612->618 619 75ce460-75ce46a 612->619 613->612 614 75ce413-75ce415 613->614 616 75ce438-75ce43b 614->616 617 75ce417-75ce421 614->617 616->612 620 75ce425-75ce434 617->620 621 75ce423 617->621 629 75ce4ff-75ce5b9 CreateProcessA 618->629 630 75ce4c8-75ce4d2 618->630 619->618 622 75ce46c-75ce46e 619->622 620->620 623 75ce436 620->623 621->620 624 75ce470-75ce47a 622->624 625 75ce491-75ce494 622->625 623->616 627 75ce47c 624->627 628 75ce47e-75ce48d 624->628 625->618 627->628 628->628 631 75ce48f 628->631 641 75ce5bb-75ce5c1 629->641 642 75ce5c2-75ce648 629->642 630->629 632 75ce4d4-75ce4d6 630->632 631->625 634 75ce4d8-75ce4e2 632->634 635 75ce4f9-75ce4fc 632->635 636 75ce4e4 634->636 637 75ce4e6-75ce4f5 634->637 635->629 636->637 637->637 638 75ce4f7 637->638 638->635 641->642 652 75ce658-75ce65c 642->652 653 75ce64a-75ce64e 642->653 654 75ce66c-75ce670 652->654 655 75ce65e-75ce662 652->655 653->652 656 75ce650 653->656 658 75ce680-75ce684 654->658 659 75ce672-75ce676 654->659 655->654 657 75ce664 655->657 656->652 657->654 661 75ce696-75ce69d 658->661 662 75ce686-75ce68c 658->662 659->658 660 75ce678 659->660 660->658 663 75ce69f-75ce6ae 661->663 664 75ce6b4 661->664 662->661 663->664 665 75ce6b5 664->665 665->665
                              APIs
                              • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 075CE5A6
                              Memory Dump Source
                              • Source File: 00000000.00000002.1362722937.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_75c0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID: CreateProcess
                              • String ID:
                              • API String ID: 963392458-0
                              • Opcode ID: a89dea6d7bf82a547a14f08e70f0b91504c60941c4852f6278c9dec336f06621
                              • Instruction ID: 02196fb1192e988bd091d9004e470dac98e71b0669b22c1289052a24e7d75aa5
                              • Opcode Fuzzy Hash: a89dea6d7bf82a547a14f08e70f0b91504c60941c4852f6278c9dec336f06621
                              • Instruction Fuzzy Hash: EE915FB1D01759CFEB24CFA8C881BEDBBB2BF44310F14856AD849A7280DB759985CF91
                              Function 029EC038 Relevance: 1.7, APIs: 1, Instructions: 202COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 667 29ec038-29ec057 668 29ec059-29ec066 call 29ea674 667->668 669 29ec083-29ec087 667->669 676 29ec07c 668->676 677 29ec068 668->677 671 29ec09b-29ec0dc 669->671 672 29ec089-29ec093 669->672 678 29ec0de-29ec0e6 671->678 679 29ec0e9-29ec0f7 671->679 672->671 676->669 722 29ec06e call 29ec2d0 677->722 723 29ec06e call 29ec2e0 677->723 678->679 680 29ec11b-29ec11d 679->680 681 29ec0f9-29ec0fe 679->681 686 29ec120-29ec127 680->686 683 29ec109 681->683 684 29ec100-29ec107 call 29eb3b0 681->684 682 29ec074-29ec076 682->676 685 29ec1b8-29ec278 682->685 688 29ec10b-29ec119 683->688 684->688 717 29ec27a-29ec27d 685->717 718 29ec280-29ec2ab GetModuleHandleW 685->718 689 29ec129-29ec131 686->689 690 29ec134-29ec13b 686->690 688->686 689->690 691 29ec13d-29ec145 690->691 692 29ec148-29ec151 call 29eb3c0 690->692 691->692 698 29ec15e-29ec163 692->698 699 29ec153-29ec15b 692->699 700 29ec165-29ec16c 698->700 701 29ec181-29ec18e 698->701 699->698 700->701 703 29ec16e-29ec17e call 29eb3d0 call 29eb3e0 700->703 707 29ec190-29ec1ae 701->707 708 29ec1b1-29ec1b7 701->708 703->701 707->708 717->718 719 29ec2ad-29ec2b3 718->719 720 29ec2b4-29ec2c8 718->720 719->720 722->682 723->682
                              APIs
                              • GetModuleHandleW.KERNEL32(00000000), ref: 029EC29E
                              Memory Dump Source
                              • Source File: 00000000.00000002.1354649133.00000000029E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029E0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_29e0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: 57e3b18c10f17ab659af849248f22f0c357a85be9971ddaa190440ddbaa5718d
                              • Instruction ID: 879cd2a4cb3ee9695629ce7373072e2a3113b055ddac5a2f5a39f273cc49f845
                              • Opcode Fuzzy Hash: 57e3b18c10f17ab659af849248f22f0c357a85be9971ddaa190440ddbaa5718d
                              • Instruction Fuzzy Hash: FE814370A00B059FDB25DF69D55579ABBF5BF88304F008A2EE48ADBA40DB35E905CF90
                              Function 029E6A75 Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 724 29e6a75-29e6b41 CreateActCtxA 726 29e6b4a-29e6ba4 724->726 727 29e6b43-29e6b49 724->727 734 29e6ba6-29e6ba9 726->734 735 29e6bb3-29e6bb7 726->735 727->726 734->735 736 29e6bc8 735->736 737 29e6bb9-29e6bc5 735->737 739 29e6bc9 736->739 737->736 739->739
                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 029E6B31
                              Memory Dump Source
                              • Source File: 00000000.00000002.1354649133.00000000029E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029E0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_29e0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0
                              • Opcode ID: 3eaa4c92cec690af6ceb086feb12caa014dc5626145951f6f9dba8fb1ffaae90
                              • Instruction ID: 5ced440f2662b04721a8deab927c9cbb4dfde53737aac58399104546b2b00583
                              • Opcode Fuzzy Hash: 3eaa4c92cec690af6ceb086feb12caa014dc5626145951f6f9dba8fb1ffaae90
                              • Instruction Fuzzy Hash: 7C41F0B1C00719CFEB24DFA9C944B9EBBF5BF48304F24816AD409AB251DB756946CF90
                              Function 029E4598 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 740 29e4598-29e6b41 CreateActCtxA 743 29e6b4a-29e6ba4 740->743 744 29e6b43-29e6b49 740->744 751 29e6ba6-29e6ba9 743->751 752 29e6bb3-29e6bb7 743->752 744->743 751->752 753 29e6bc8 752->753 754 29e6bb9-29e6bc5 752->754 756 29e6bc9 753->756 754->753 756->756
                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 029E6B31
                              Memory Dump Source
                              • Source File: 00000000.00000002.1354649133.00000000029E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029E0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_29e0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0
                              • Opcode ID: 5ee86d47c6df3a2e9a891707905843718e80cdab8f9187c449e91278611e5c89
                              • Instruction ID: 6f1cd54a3974edead893ff818c0d8c571bf3e5fa6876dad1b6e93a82a0178d8a
                              • Opcode Fuzzy Hash: 5ee86d47c6df3a2e9a891707905843718e80cdab8f9187c449e91278611e5c89
                              • Instruction Fuzzy Hash: 1141FEB1C0071DCBEB24DFA9C844B9EBBF9BF48304F20816AD509AB251DB756946CF90
                              Function 075C3EF7 Relevance: 1.6, APIs: 1, Instructions: 80COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 757 75c3ef7-75c3f00 758 75c3f6f-75c3fca 757->758 759 75c3f02-75c3f18 757->759 765 75c3fcc-75c3fcf 758->765 766 75c3fd2-75c3ffd OutputDebugStringW 758->766 760 75c3f1f-75c3f22 759->760 761 75c3f1a 759->761 763 75c3f29-75c3f32 760->763 761->760 765->766 767 75c3fff-75c4005 766->767 768 75c4006-75c401a 766->768 767->768
                              APIs
                              • OutputDebugStringW.KERNEL32(00000000), ref: 075C3FF0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1362722937.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_75c0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID: DebugOutputString
                              • String ID:
                              • API String ID: 1166629820-0
                              • Opcode ID: a7db3555717b1e5d2042074783251ed27806734bbd84cec692b0347eb5d83c49
                              • Instruction ID: df3ab910fbde290da61236aee84a1f914a18ee0090d297179320417c9609e347
                              • Opcode Fuzzy Hash: a7db3555717b1e5d2042074783251ed27806734bbd84cec692b0347eb5d83c49
                              • Instruction Fuzzy Hash: 503156B5C093899FCB11DFA9D8417DDFBB4BB09210F1081AAD808A7251D7395945CFA2
                              Function 075CE0E1 Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 779 75ce0e1-75ce136 782 75ce138-75ce144 779->782 783 75ce146-75ce185 WriteProcessMemory 779->783 782->783 785 75ce18e-75ce1be 783->785 786 75ce187-75ce18d 783->786 786->785
                              APIs
                              • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 075CE178
                              Memory Dump Source
                              • Source File: 00000000.00000002.1362722937.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_75c0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID: MemoryProcessWrite
                              • String ID:
                              • API String ID: 3559483778-0
                              • Opcode ID: 2fc57b80d7afe8b42418d586b8fc98046361a04ae2322da4c14bcf5cf02fd349
                              • Instruction ID: 0e71ecb5830d26acd65bc4640c2a49dc1ceb6c756033f427eadb961e8e58b151
                              • Opcode Fuzzy Hash: 2fc57b80d7afe8b42418d586b8fc98046361a04ae2322da4c14bcf5cf02fd349
                              • Instruction Fuzzy Hash: 9B2157B5D003499FDB10CFA9C881BDEBBF5FF48310F10842AE918A7240C7799951CBA5
                              Function 075AADC0 Relevance: 1.6, APIs: 1, Instructions: 72COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 770 75aadc0-75aae14 771 75aae1f-75aae2e 770->771 772 75aae16-75aae1c 770->772 773 75aae33-75aae6c DrawTextExW 771->773 774 75aae30 771->774 772->771 775 75aae6e-75aae74 773->775 776 75aae75-75aae92 773->776 774->773 775->776
                              APIs
                              • DrawTextExW.USER32(?,?,?,?,?,?), ref: 075AAE5F
                              Memory Dump Source
                              • Source File: 00000000.00000002.1362329616.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_75a0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID: DrawText
                              • String ID:
                              • API String ID: 2175133113-0
                              • Opcode ID: ad9a33fa9552e45ba552e1be9045b206fca62bd9aeb65db8eff989f4a0142bcd
                              • Instruction ID: abf5cdd073662a6880a0854df8a3e1376bf6db24e154f759fdb1567922b55ead
                              • Opcode Fuzzy Hash: ad9a33fa9552e45ba552e1be9045b206fca62bd9aeb65db8eff989f4a0142bcd
                              • Instruction Fuzzy Hash: 693102B5D00349AFDB10CF9AD880ADEBBF5FB58320F14842EE918A7210D775A940CFA0
                              Function 075CE0E8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                              Download Yara Rule
                              APIs
                              • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 075CE178
                              Memory Dump Source
                              • Source File: 00000000.00000002.1362722937.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_75c0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID: MemoryProcessWrite
                              • String ID:
                              • API String ID: 3559483778-0
                              • Opcode ID: 7d4f91a74e2da37631c85c3364ffe4e28802402ffbb94e432a44004c2274e6c9
                              • Instruction ID: f20bc51978712654284e9e5841d5ae0d3f784d3b8075ada9a24e6ff227bf8687
                              • Opcode Fuzzy Hash: 7d4f91a74e2da37631c85c3364ffe4e28802402ffbb94e432a44004c2274e6c9
                              • Instruction Fuzzy Hash: F22123B1D003499FDB10DFAAC881BEEBBF5FF48310F50842AE918A7240C7799951CBA4
                              Function 075AADC8 Relevance: 1.6, APIs: 1, Instructions: 69COMMON
                              Download Yara Rule
                              APIs
                              • DrawTextExW.USER32(?,?,?,?,?,?), ref: 075AAE5F
                              Memory Dump Source
                              • Source File: 00000000.00000002.1362329616.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_75a0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID: DrawText
                              • String ID:
                              • API String ID: 2175133113-0
                              • Opcode ID: 43261b9fd98de538f12b27ec8150425983735bb6e7032adcfa4776a86f010762
                              • Instruction ID: fbac9ee6852a74aca4725ca4b756b2dba9b9fdd61a6dfc219e396f7520c9e951
                              • Opcode Fuzzy Hash: 43261b9fd98de538f12b27ec8150425983735bb6e7032adcfa4776a86f010762
                              • Instruction Fuzzy Hash: E621E2B5D00309AFDB10CF9AD880ADEBBF5BB58310F14842EE919A7210D775A940CFA0
                              Function 075CD6D8 Relevance: 1.6, APIs: 1, Instructions: 68threadCOMMON
                              Download Yara Rule
                              APIs
                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 075CD75E
                              Memory Dump Source
                              • Source File: 00000000.00000002.1362722937.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_75c0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID: ContextThreadWow64
                              • String ID:
                              • API String ID: 983334009-0
                              • Opcode ID: 7ef248b2b16b1d8c26f29e1422debe1e2cc0bd5c93837d2d8c31de7f123eb4b7
                              • Instruction ID: caf3283bf2b3a17bbbd61f08686063404c37cd169b5c040395271285337ab43d
                              • Opcode Fuzzy Hash: 7ef248b2b16b1d8c26f29e1422debe1e2cc0bd5c93837d2d8c31de7f123eb4b7
                              • Instruction Fuzzy Hash: 2B2148B5D003098FDB10DFAAC4857EEBBF4FB48214F50842ED519A7240CB799945CBA4
                              Function 075CE1D0 Relevance: 1.6, APIs: 1, Instructions: 67COMMON
                              Download Yara Rule
                              APIs
                              • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 075CE258
                              Memory Dump Source
                              • Source File: 00000000.00000002.1362722937.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_75c0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID: MemoryProcessRead
                              • String ID:
                              • API String ID: 1726664587-0
                              • Opcode ID: 3857aed484fee330f4e2c2031e787ed57e9acdfbdc451342fffd3171884624e7
                              • Instruction ID: 68d6d726e8fade679b626ac6707ac0f6a1ca85b983c3abe7877af91d5f023796
                              • Opcode Fuzzy Hash: 3857aed484fee330f4e2c2031e787ed57e9acdfbdc451342fffd3171884624e7
                              • Instruction Fuzzy Hash: D621F4B5C013499FDB10DFAAC945BEEBBF5FF48310F50842AE958A7240C7399941DBA4
                              Function 029ECA10 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                              Download Yara Rule
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,029EE8C6,?,?,?,?,?), ref: 029EE987
                              Memory Dump Source
                              • Source File: 00000000.00000002.1354649133.00000000029E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029E0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_29e0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: 13d3a3cc277d64017ecc6b10ce2b12d902d3cd1c2d1df0b0a52bc3afd2006d10
                              • Instruction ID: 74608cec4c9e442475249979973949586dfa6ec9fa72b1730759e4a207073b68
                              • Opcode Fuzzy Hash: 13d3a3cc277d64017ecc6b10ce2b12d902d3cd1c2d1df0b0a52bc3afd2006d10
                              • Instruction Fuzzy Hash: 772103B5D00348EFDB10CF9AD985ADEBBF9EB48320F10841AE958A3350C375A940CFA4
                              Function 075CD6E0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                              Download Yara Rule
                              APIs
                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 075CD75E
                              Memory Dump Source
                              • Source File: 00000000.00000002.1362722937.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_75c0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID: ContextThreadWow64
                              • String ID:
                              • API String ID: 983334009-0
                              • Opcode ID: aa20309f4cbb37334f9521d50daf53f962a358fbc2c5525f3ce657dcd7c5ae5e
                              • Instruction ID: 4525c921fd42271da564ee4f7c53510a20eb7ed8f89df0a15e43f902a910d206
                              • Opcode Fuzzy Hash: aa20309f4cbb37334f9521d50daf53f962a358fbc2c5525f3ce657dcd7c5ae5e
                              • Instruction Fuzzy Hash: AA2154B1D003098FDB10DFAAC485BEEBBF4FB48220F50842ED819A7240CB799945CFA4
                              Function 075CE1D8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                              Download Yara Rule
                              APIs
                              • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 075CE258
                              Memory Dump Source
                              • Source File: 00000000.00000002.1362722937.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_75c0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID: MemoryProcessRead
                              • String ID:
                              • API String ID: 1726664587-0
                              • Opcode ID: a233e04945d27520c76a01ed614813eba2ee5241f63ebdf7232b24bcb9a4eaed
                              • Instruction ID: 8e1dd29d0a8674c8354b7844af46af3b857bdfec6bc8a0e3fa34701d97a651d7
                              • Opcode Fuzzy Hash: a233e04945d27520c76a01ed614813eba2ee5241f63ebdf7232b24bcb9a4eaed
                              • Instruction Fuzzy Hash: C021F2B1C003499FDB10DFAAC881BEEBBF5FB48310F50842AE918A7240C7399901CBA4
                              Function 075CDBE8 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON
                              Download Yara Rule
                              APIs
                              • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 075CDC5E
                              Memory Dump Source
                              • Source File: 00000000.00000002.1362722937.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_75c0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID: AllocVirtual
                              • String ID:
                              • API String ID: 4275171209-0
                              • Opcode ID: e07abc7bb0a79e822110a9c6b9634a8d923bc9e3c30008bcbbdf532dac22a712
                              • Instruction ID: 2edf5328d4ce07d2824ce42d0ea6e965c146cc9341a6912ddc2618d2057248ba
                              • Opcode Fuzzy Hash: e07abc7bb0a79e822110a9c6b9634a8d923bc9e3c30008bcbbdf532dac22a712
                              • Instruction Fuzzy Hash: 451147719003499FDB20DFAAC845BDEBBF5FB48320F108419E519A7250CB769941CBA4
                              Function 075C3F78 Relevance: 1.6, APIs: 1, Instructions: 55COMMON
                              Download Yara Rule
                              APIs
                              • OutputDebugStringW.KERNEL32(00000000), ref: 075C3FF0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1362722937.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_75c0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID: DebugOutputString
                              • String ID:
                              • API String ID: 1166629820-0
                              • Opcode ID: b60ca3f00efe59dabb4f03242cf585b3a04fb3730034c980b919189a00e01b56
                              • Instruction ID: bedc16cbe11c2e07ab1cd7b027a3c6e0cf5cd96e17c307436a6e672d8bb7fd42
                              • Opcode Fuzzy Hash: b60ca3f00efe59dabb4f03242cf585b3a04fb3730034c980b919189a00e01b56
                              • Instruction Fuzzy Hash: BE1126B5C0065A9FCB14CF9AD545BDEFBF8FB48320F10851AD818A7240D739A541CFA5
                              Function 075CDBF0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                              Download Yara Rule
                              APIs
                              • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 075CDC5E
                              Memory Dump Source
                              • Source File: 00000000.00000002.1362722937.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_75c0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID: AllocVirtual
                              • String ID:
                              • API String ID: 4275171209-0
                              • Opcode ID: 31997766032432570a83b5e62b78029031a21981cd0d2f348d4e0fc70e78f8af
                              • Instruction ID: 72a0796b44a1d47db5e3f022b5fb4efdef27b8a3cf3b259f23003a2e0fad485d
                              • Opcode Fuzzy Hash: 31997766032432570a83b5e62b78029031a21981cd0d2f348d4e0fc70e78f8af
                              • Instruction Fuzzy Hash: 581126B1D003499FDB20DFAAC845BDEBBF5FB48320F148419E515A7250CB769941CFA4
                              Function 075CD628 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1362722937.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_75c0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID: ResumeThread
                              • String ID:
                              • API String ID: 947044025-0
                              • Opcode ID: 26b08865fb0600f3a14c1231331074556d5e4063dfc5a153155ba04fd297e551
                              • Instruction ID: 08d8ab3c3af48483dea29396c44ed76689862403da5686fd59c452e4f2c867be
                              • Opcode Fuzzy Hash: 26b08865fb0600f3a14c1231331074556d5e4063dfc5a153155ba04fd297e551
                              • Instruction Fuzzy Hash: 911149B1D007498FDB20DFAAC4457EEFBF5AB88310F24842DD559A7240C6799941CB94
                              Function 075C3F80 Relevance: 1.6, APIs: 1, Instructions: 50COMMON
                              Download Yara Rule
                              APIs
                              • OutputDebugStringW.KERNEL32(00000000), ref: 075C3FF0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1362722937.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_75c0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID: DebugOutputString
                              • String ID:
                              • API String ID: 1166629820-0
                              • Opcode ID: 516b8baa092581269c9df4d2889a4791c4151dbecfff3809737199df45609183
                              • Instruction ID: 526f1c7b8bad7629747872b8ce44bad8a00f11671f8f80a508c579ca79f58498
                              • Opcode Fuzzy Hash: 516b8baa092581269c9df4d2889a4791c4151dbecfff3809737199df45609183
                              • Instruction Fuzzy Hash: 381134B5C0065A9FCB10CF9AD445BDEFBF8FB48320F10851AD818A3240C739A901CFA5
                              Function 075CD630 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1362722937.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_75c0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID: ResumeThread
                              • String ID:
                              • API String ID: 947044025-0
                              • Opcode ID: 887f3fcd603b3c0ecb78820f1791d0c5932991773bdc488d62532818b30281a5
                              • Instruction ID: 1c8dd8c732af2422067f23f9f61e4015fabe17ce6c5f8842eadf51aa4eb09474
                              • Opcode Fuzzy Hash: 887f3fcd603b3c0ecb78820f1791d0c5932991773bdc488d62532818b30281a5
                              • Instruction Fuzzy Hash: F01128B1D003498FDB20DFAAC4457DEFBF5AB48220F24842DD559A7240CB79A941CB94
                              Function 08F80CA0 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                              Download Yara Rule
                              APIs
                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 08F82B7D
                              Memory Dump Source
                              • Source File: 00000000.00000002.1364245254.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8f80000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID: MessagePost
                              • String ID:
                              • API String ID: 410705778-0
                              • Opcode ID: 65d57000ab03793b5b56caa49ec6d777e4b8915ba89fd28f16ecf1dd002163dd
                              • Instruction ID: a3b775b8fad70823dab35862114ab0680fd577eeed6d782ac722e46db74855d3
                              • Opcode Fuzzy Hash: 65d57000ab03793b5b56caa49ec6d777e4b8915ba89fd28f16ecf1dd002163dd
                              • Instruction Fuzzy Hash: B71103B5800349DFDB20DF9AD885BDEBBF8EB48320F108419E918A7650C375A944CFA5
                              Function 08F82B18 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                              Download Yara Rule
                              APIs
                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 08F82B7D
                              Memory Dump Source
                              • Source File: 00000000.00000002.1364245254.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8f80000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID: MessagePost
                              • String ID:
                              • API String ID: 410705778-0
                              • Opcode ID: af9dd8431997880de7f3d55b97c6ac85788243821ff9dd7f632dfb92d98fcdeb
                              • Instruction ID: 8e35e4d51b3068733202fc61fe74fbe20cfcec4bd54bce6d8082892d4ff2e7b5
                              • Opcode Fuzzy Hash: af9dd8431997880de7f3d55b97c6ac85788243821ff9dd7f632dfb92d98fcdeb
                              • Instruction Fuzzy Hash: FF11C2B5800349DFDB20DF9AD985BDEFBF8EB48320F10841AE958A7650C375A944CFA5
                              Function 029EC238 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                              Download Yara Rule
                              APIs
                              • GetModuleHandleW.KERNEL32(00000000), ref: 029EC29E
                              Memory Dump Source
                              • Source File: 00000000.00000002.1354649133.00000000029E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029E0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_29e0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: 756a5cfaf57c1db659f55868fafdb7831a05207c5db3f820968e5ad85e5e9f42
                              • Instruction ID: 4be626ca205a68078e6ee5204a3292edc442ba608ef43e4af7f637dfb39b19f4
                              • Opcode Fuzzy Hash: 756a5cfaf57c1db659f55868fafdb7831a05207c5db3f820968e5ad85e5e9f42
                              • Instruction Fuzzy Hash: D61102B6C003498FCB10CF9AC444B9EFBF8AB88314F10841AD869A7200C375A545CFA5
                              Function 075C402A Relevance: 1.3, APIs: 1, Instructions: 49COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1362722937.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_75c0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID: CloseHandle
                              • String ID:
                              • API String ID: 2962429428-0
                              • Opcode ID: 83636906821c5595d14bcf0683587ec73b5295dbda5358d3d1f69b8dd2cc127a
                              • Instruction ID: 64479b30c5ff4788077756411138e2546ce2b711be7d8d027528dda3e1d687e9
                              • Opcode Fuzzy Hash: 83636906821c5595d14bcf0683587ec73b5295dbda5358d3d1f69b8dd2cc127a
                              • Instruction Fuzzy Hash: 7A1119B19012498FDB20DF9AC445BDEBBF4FB48324F20841AD554A7240C7359545CFA5
                              Function 075C4030 Relevance: 1.3, APIs: 1, Instructions: 47COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1362722937.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_75c0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID: CloseHandle
                              • String ID:
                              • API String ID: 2962429428-0
                              • Opcode ID: 0b0f024941ce576018074c2cf8d29c3a93d5b84b364ae8703a928b751acb4147
                              • Instruction ID: 2e954af974e0ff2936f7f592c51bc641b08f80668b6ef2a6c5afd31907a59c85
                              • Opcode Fuzzy Hash: 0b0f024941ce576018074c2cf8d29c3a93d5b84b364ae8703a928b751acb4147
                              • Instruction Fuzzy Hash: AB1136B18003498FDB20DF9AC445BDEFBF8FB48320F10842AD558A7241D779A944CFA5
                              Function 010CD630 Relevance: .1, Instructions: 75COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000002.1354302743.00000000010CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CD000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_10cd000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 221754f1b997a9884d76438d3c447c0ee122bd7ff7713b9ab622dba0937505e2
                              • Instruction ID: 3a4647b0e5122a356d51c7c4c97383a0d1dfb773c23328f393daf537f1dfb6a9
                              • Opcode Fuzzy Hash: 221754f1b997a9884d76438d3c447c0ee122bd7ff7713b9ab622dba0937505e2
                              • Instruction Fuzzy Hash: A82121B5604240DFDB15DF54D9C0B1ABFA5FB88724F2082BDE8890A246C336D446CBE2
                              Function 010DD01C Relevance: .1, Instructions: 72COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000002.1354374528.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_10dd000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2ce4c80e203d0f99a1417fa8f5216ef7fa2c653f9d720360efaf0c93c3fe8bbd
                              • Instruction ID: 45eb5833b42a50b1d2feb6d2d57b6f58071423c3e072e22bb02f1183aef4f319
                              • Opcode Fuzzy Hash: 2ce4c80e203d0f99a1417fa8f5216ef7fa2c653f9d720360efaf0c93c3fe8bbd
                              • Instruction Fuzzy Hash: AD21D075604300DFDB25DF64D984B16BFA5EBC8314F24C5ADE98A4B286C336D847CB62
                              Function 010DD1D4 Relevance: .1, Instructions: 72COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000002.1354374528.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_10dd000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4602255d36978e5d3df1b95ce1fa0ee5d1718d15bb755c5825237b843312d33b
                              • Instruction ID: 65d16aedfec2da3b396f80e8ce137c4a97898350444bf9c5ae9cc802dd5d4c20
                              • Opcode Fuzzy Hash: 4602255d36978e5d3df1b95ce1fa0ee5d1718d15bb755c5825237b843312d33b
                              • Instruction Fuzzy Hash: FD210475A04300EFDB15DF94D9C0B26BBA5FB94324F20C6ADE8894F292C336D846CB61
                              Function 010DD006 Relevance: .1, Instructions: 60COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000002.1354374528.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_10dd000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 70e1c55ea2d12505c2f58f0750827d822034ccf1cea6a652c25d54b9a0222ea3
                              • Instruction ID: b126655bfce8713523873fbf075707c5008d4d69f2ee8d854660a5f9a0c9dc8b
                              • Opcode Fuzzy Hash: 70e1c55ea2d12505c2f58f0750827d822034ccf1cea6a652c25d54b9a0222ea3
                              • Instruction Fuzzy Hash: 0021C6755093808FCB17CF64D590715BFB1EB85314F28C5DAD8898B697C33AD40ACB62
                              Function 010CD62B Relevance: .1, Instructions: 56COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000002.1354302743.00000000010CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CD000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_10cd000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                              • Instruction ID: 8cf1f7253bed38ea10fa0d038fae0f67d82409afc4014bf146a5b2756cbf0efa
                              • Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                              • Instruction Fuzzy Hash: 8411AF76504284CFCB16CF54D5C4B1ABFA2FB88724F2486ADD8490B657C336D456CFA1
                              Function 010DD1CF Relevance: .1, Instructions: 53COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000002.1354374528.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_10dd000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                              • Instruction ID: c643cc89fdd66afe4f7ad4481f826b908e24f0211fecf644e3e7fba04842429a
                              • Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                              • Instruction Fuzzy Hash: F811BB75504280DFCB06CF54C5C0B25BBB2FB84324F24C6ADD8894B696C33AD40ACB61
                              Function 010CD745 Relevance: .0, Instructions: 45COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000002.1354302743.00000000010CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CD000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_10cd000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a9f0b9711e13fd7659a66d3753d5a29ba1413614e01be92efaf43dd22ad28571
                              • Instruction ID: 164fe514f45ac057fac66847e427efab309cfdcac45c52bcd16cbd23d211ce7c
                              • Opcode Fuzzy Hash: a9f0b9711e13fd7659a66d3753d5a29ba1413614e01be92efaf43dd22ad28571
                              • Instruction Fuzzy Hash: A201F7310043809AE7205B55CDC4B2EBFDCEF41A25F04C67EED980A282E2799841CFF6
                              Function 010CD744 Relevance: .0, Instructions: 36COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000002.1354302743.00000000010CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CD000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_10cd000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: aef98d274d10750aeac6c7225895a7b169a7fa183fcce162c0fecbd459fcf4dd
                              • Instruction ID: 4002ce87152bdc9f43e2517525df934289e31e09d70477eb157f28b83d465229
                              • Opcode Fuzzy Hash: aef98d274d10750aeac6c7225895a7b169a7fa183fcce162c0fecbd459fcf4dd
                              • Instruction Fuzzy Hash: F7F0C231004380AEE7108F19C988B6AFFDCEB81634F18C1AEED480A287D2799840CFB1

                              Non-executed Functions

                              Function 075C1F37 Relevance: .3, Instructions: 321COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000002.1362722937.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_75c0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4c9e7e9b572eeb9244d7547527b08d833f9cc3d4e5923462521eb8dd5af88ff7
                              • Instruction ID: fc042adab1d13a7fdf5dcf6f0cc4c2c8002f43e708afd90930d724e946f57428
                              • Opcode Fuzzy Hash: 4c9e7e9b572eeb9244d7547527b08d833f9cc3d4e5923462521eb8dd5af88ff7
                              • Instruction Fuzzy Hash: ABE1FBB4E102198FDB14DFA9C580AAEFBB2FF89304F24816AD454AB355DB35AD41CF60
                              Function 029E4868 Relevance: .3, Instructions: 318COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000002.1354649133.00000000029E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029E0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_29e0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ea09a65764d85e0b54c6d01884cc6ce25728f6490740bd8eef7b85bb9cb0d71f
                              • Instruction ID: 65c7024f6df54fc312db1d2b7f84a0ac7dd88aebfa06bee2b49a35d739a5d524
                              • Opcode Fuzzy Hash: ea09a65764d85e0b54c6d01884cc6ce25728f6490740bd8eef7b85bb9cb0d71f
                              • Instruction Fuzzy Hash: 261294F0CC17458AD732CF69EA4C9893BB1BB45398FD04A09D2612F2E5DBB415AACF44
                              Function 075CB730 Relevance: .3, Instructions: 312COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000002.1362722937.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_75c0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 69a7b00c482515ed325bf9018896a461bd47f3cb39ea732455c7a29c66c08d75
                              • Instruction ID: b6dffda457481afeba26d6366b404c8f3d3c2453fb6d1f2f4969bd659beb872e
                              • Opcode Fuzzy Hash: 69a7b00c482515ed325bf9018896a461bd47f3cb39ea732455c7a29c66c08d75
                              • Instruction Fuzzy Hash: 4AE1E6B4E002198FDB14DFA9C581AAEFBF2BF89304F248169D455AB355DB30AD41CFA1
                              Function 075CD7B8 Relevance: .3, Instructions: 312COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000002.1362722937.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_75c0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a79939775d19cfe58d363bb378bc55526dbaed4786659744560a295e5b28a504
                              • Instruction ID: 6aa8682d1c91815e4181751f0e5bbde35f6b6d00470e8229d3e39e87cfba3de9
                              • Opcode Fuzzy Hash: a79939775d19cfe58d363bb378bc55526dbaed4786659744560a295e5b28a504
                              • Instruction Fuzzy Hash: EDE1D6B4E002198FDB14DFA9C580AAEFBF2BF89304F248169D455AB355DB35AD41CFA0
                              Function 075C2380 Relevance: .3, Instructions: 312COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000002.1362722937.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_75c0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 23c8d0eb62083fc364cc8d0dbce98ff243522cddd90cf86e8c6b9376403f3a38
                              • Instruction ID: 7a2004e3037176ca2ad094801e0dd91e662ad3c6fe92d5924ac95bd6a161178b
                              • Opcode Fuzzy Hash: 23c8d0eb62083fc364cc8d0dbce98ff243522cddd90cf86e8c6b9376403f3a38
                              • Instruction Fuzzy Hash: 11E1D9B4E102198FDB14DFA9C581AAEBBF2FF89304F24816AD415AB355DB30AD41CF60
                              Function 075C30F0 Relevance: .3, Instructions: 312COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000002.1362722937.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_75c0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f597fffc2a6da834b010df39fcfb28c4a071ef1e20ebebc4bdcacf8fd1baf5c4
                              • Instruction ID: 521b5567a861bb0a316dcc1f968a4434bfbac8a98e921712dd4e602ac75ac66a
                              • Opcode Fuzzy Hash: f597fffc2a6da834b010df39fcfb28c4a071ef1e20ebebc4bdcacf8fd1baf5c4
                              • Instruction Fuzzy Hash: 2BE1D7B4E102198FDB14DFA9C580AAEBBB2FF89304F24C16AD414AB355DB35AD41CF61
                              Function 075CCE08 Relevance: .3, Instructions: 312COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000002.1362722937.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_75c0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: dc47358981319c4ae4e1f1438cb9ebef194b12e7cfbac5580b836f648cf557d7
                              • Instruction ID: 1656f22c385952165659b4fe6fb8d19d1b07ddaecd570dcb9c15cbe8a00b61ae
                              • Opcode Fuzzy Hash: dc47358981319c4ae4e1f1438cb9ebef194b12e7cfbac5580b836f648cf557d7
                              • Instruction Fuzzy Hash: 52E1FAB4E102198FDB14DFA9C580AAEFBF2BF89304F248169D515AB355D731AD42CFA0
                              Function 075CDCB0 Relevance: .3, Instructions: 312COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000002.1362722937.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_75c0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fdc57aa310ade27a90c4c11e89d7b874904d4ee08d675ef432c404a4f581de74
                              • Instruction ID: ea0b088cbd9c1470b4ec0dfe26ebcb7d213b8d7dd2a1dbbba2f0492b88955b71
                              • Opcode Fuzzy Hash: fdc57aa310ade27a90c4c11e89d7b874904d4ee08d675ef432c404a4f581de74
                              • Instruction Fuzzy Hash: 88E1E9B4E102198FDB14DFA9C580AAEFBF2BF89304F248169D415AB355DB319D42CFA1
                              Function 075CBB68 Relevance: .3, Instructions: 312COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000002.1362722937.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_75c0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0175fde8e8e31fbbfcdcbebdaf2b8e744b3532bd0ec62330ba30476abb4ecf55
                              • Instruction ID: a5ae593f1e23f99c828f58164f550e395f4ae443e9131dc2d4ec63b38d5e99f4
                              • Opcode Fuzzy Hash: 0175fde8e8e31fbbfcdcbebdaf2b8e744b3532bd0ec62330ba30476abb4ecf55
                              • Instruction Fuzzy Hash: 17E109B4E102198FDB14DFA9C581AAEFBF2BF89304F248169D515AB359DB309D41CFA0
                              Function 075C2840 Relevance: .3, Instructions: 312COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000002.1362722937.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_75c0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0b32f60960ff3198992b31e2305f0b7991ff556182400a7c8a7c7756d772f19c
                              • Instruction ID: f505e59ab10bdc17a06cf5478e8c8080805060d16190ff5859002e1c141dcf93
                              • Opcode Fuzzy Hash: 0b32f60960ff3198992b31e2305f0b7991ff556182400a7c8a7c7756d772f19c
                              • Instruction Fuzzy Hash: 5BE1E9B4E102198FDB14DFA9C580AAEFBB2FF89304F24816AD454AB355DB34AD41CF60
                              Function 029E4859 Relevance: .2, Instructions: 227COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000002.1354649133.00000000029E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029E0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_29e0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2447ae9e1114efe052ca2542d5fe97b5b59a1e1c6f227258886cf608b10c0c8d
                              • Instruction ID: cad606e2d63aac07975a6d8ecbd1d7e9adb158983ef7e4a11077dc9c158ce0a8
                              • Opcode Fuzzy Hash: 2447ae9e1114efe052ca2542d5fe97b5b59a1e1c6f227258886cf608b10c0c8d
                              • Instruction Fuzzy Hash: 13C12AB1CD17058BD722CF29EA486893BB1BF853A4F904B09D1612F2D5DBB4156ACF44
                              Function 075C4F30 Relevance: .2, Instructions: 169COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000002.1362722937.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_75c0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 13e44bee30cf7a55fd42453dbb2541f3079f2469d91b109fc50ff0c518cd86d8
                              • Instruction ID: a6f1268bf61ad47a78b47b67a62148f8859aa76b60ceb8f020b1ecd950989b1e
                              • Opcode Fuzzy Hash: 13e44bee30cf7a55fd42453dbb2541f3079f2469d91b109fc50ff0c518cd86d8
                              • Instruction Fuzzy Hash: C57160B5E012199FDB04DFEAC584ADEFBF2BF89300F14C16AD419AB255DB34A942CB50
                              Function 075CB70F Relevance: .1, Instructions: 142COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000002.1362722937.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_75c0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ec3229e4d9b9caf5db6cb1759d6704d2b914f5146d5de285eedabc930a1d1cbb
                              • Instruction ID: edeaf338d5958d30ae5ceaf9baca0a01b38126464111dc502129ad82f75dbee7
                              • Opcode Fuzzy Hash: ec3229e4d9b9caf5db6cb1759d6704d2b914f5146d5de285eedabc930a1d1cbb
                              • Instruction Fuzzy Hash: 9A5109B4E002198FDB14DFA9C5816AEBBF2FF89304F24816AD419A7255D6309942CFA1
                              Function 075C4F20 Relevance: .1, Instructions: 137COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000002.1362722937.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_75c0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b440fec8153fd3c28bfefe57b809934c01411621caa28e81f2bf9c867740cdfd
                              • Instruction ID: f03748aad83dee7d3c24df0b80a006e494491507b2dc106852e66394a1423e6f
                              • Opcode Fuzzy Hash: b440fec8153fd3c28bfefe57b809934c01411621caa28e81f2bf9c867740cdfd
                              • Instruction Fuzzy Hash: 96519FB5E046588FDB09CFEAC9846DEFBF2BF89300F18C06AD418AB255DB345946CB50
                              Function 075CD7A7 Relevance: .1, Instructions: 134COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000002.1362722937.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_75c0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6a0084a4aaf40f36a98a449326a83c34f0176a8a0594e18596c7e66f87474356
                              • Instruction ID: ba54f04fe3d010eff73c846a05012423b3eb5f8816bfabcd2f907989e9692a28
                              • Opcode Fuzzy Hash: 6a0084a4aaf40f36a98a449326a83c34f0176a8a0594e18596c7e66f87474356
                              • Instruction Fuzzy Hash: 0E51F8B4E002198FDB14DFA9C5806AEFBF2BF89304F24816AD418AB355D7359D42CFA1
                              Function 075C4EDF Relevance: .1, Instructions: 128COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000002.1362722937.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_75c0000_HSBC Payment Swift Copy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bc8edfedd85c4e685675fe4cc848b7a11689dda04210ade28ec68c530b4ab741
                              • Instruction ID: 7843ab5f9b725576b4267da80e72778037822016be3cf78eea91b33404f5dbee
                              • Opcode Fuzzy Hash: bc8edfedd85c4e685675fe4cc848b7a11689dda04210ade28ec68c530b4ab741
                              • Instruction Fuzzy Hash: 57516FB5E046599FDB08DFEAC98469EFBF2BF89300F14C16AD418AB254DB3499428F50

                              Execution Graph

                              Execution Coverage:10.3%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:0%
                              Total number of Nodes:323
                              Total number of Limit Nodes:14
                              execution_graph 48327 7413640 48328 7413664 48327->48328 48331 7413ef7 OutputDebugStringW 48328->48331 48334 7413f80 48328->48334 48338 7413f78 48328->48338 48342 7414030 48328->48342 48345 741402a 48328->48345 48331->48328 48335 7413fc6 OutputDebugStringW 48334->48335 48337 7413fff 48335->48337 48337->48328 48339 7413f80 OutputDebugStringW 48338->48339 48341 7413fff 48339->48341 48341->48328 48343 7414071 CloseHandle 48342->48343 48344 741409e 48343->48344 48344->48328 48346 7414071 CloseHandle 48345->48346 48347 741409e 48346->48347 48347->48328 48348 74137c2 48349 74136fc 48348->48349 48350 7413f80 OutputDebugStringW 48349->48350 48351 7413f78 OutputDebugStringW 48349->48351 48352 7414030 CloseHandle 48349->48352 48353 741402a CloseHandle 48349->48353 48354 7413ef7 OutputDebugStringW 48349->48354 48350->48349 48351->48349 48352->48349 48353->48349 48354->48349 48413 28d4668 48414 28d4682 48413->48414 48417 28d3e30 48414->48417 48416 28d46d1 48418 28d3e3b 48417->48418 48421 28d6784 48418->48421 48420 28d7e31 48420->48416 48422 28d678f 48421->48422 48425 28d6814 48422->48425 48424 28d8295 48424->48420 48426 28d681f 48425->48426 48428 28d837a 48426->48428 48429 28d6844 48426->48429 48428->48424 48430 28d6849 48429->48430 48433 28d6874 48430->48433 48432 28d846d 48432->48428 48434 28d687f 48433->48434 48436 28d987b 48434->48436 48439 28dbf18 48434->48439 48435 28d98b9 48435->48432 48436->48435 48443 28ddfe0 48436->48443 48448 28dbf40 48439->48448 48452 28dbf50 48439->48452 48440 28dbf2e 48440->48436 48444 28de011 48443->48444 48445 28de035 48444->48445 48460 28de18f 48444->48460 48464 28de1a0 48444->48464 48445->48435 48449 28dbf50 48448->48449 48455 28dc038 48449->48455 48450 28dbf5f 48450->48440 48454 28dc038 GetModuleHandleW 48452->48454 48453 28dbf5f 48453->48440 48454->48453 48456 28dc07c 48455->48456 48457 28dc059 48455->48457 48456->48450 48457->48456 48458 28dc280 GetModuleHandleW 48457->48458 48459 28dc2ad 48458->48459 48459->48450 48462 28de1a0 48460->48462 48461 28de1e7 48461->48445 48462->48461 48468 28dca00 48462->48468 48465 28de1ad 48464->48465 48466 28dca00 GetModuleHandleW 48465->48466 48467 28de1e7 48465->48467 48466->48467 48467->48445 48469 28dca0b 48468->48469 48471 28deef8 48469->48471 48472 28de304 48469->48472 48471->48471 48473 28de30f 48472->48473 48474 28d6874 GetModuleHandleW 48473->48474 48475 28def67 48474->48475 48475->48471 48476 28de6b8 48477 28de6fe 48476->48477 48481 28de88a 48477->48481 48484 28de898 48477->48484 48478 28de7eb 48487 28dca10 48481->48487 48485 28de8c6 48484->48485 48486 28dca10 DuplicateHandle 48484->48486 48485->48478 48486->48485 48488 28de900 DuplicateHandle 48487->48488 48489 28de8c6 48488->48489 48489->48478 48355 73feee8 48359 73feef4 48355->48359 48356 73fef05 48360 7411dc8 48359->48360 48365 7411db8 48359->48365 48361 7411de4 48360->48361 48370 7412d00 48361->48370 48375 7412cf0 48361->48375 48362 7411e8e 48362->48356 48366 7411de4 48365->48366 48368 7412d00 2 API calls 48366->48368 48369 7412cf0 2 API calls 48366->48369 48367 7411e8e 48367->48356 48368->48367 48369->48367 48371 7412d12 48370->48371 48380 7412d31 48371->48380 48385 7412d40 48371->48385 48372 7412d26 48372->48362 48376 7412d12 48375->48376 48378 7412d31 2 API calls 48376->48378 48379 7412d40 2 API calls 48376->48379 48377 7412d26 48377->48362 48378->48377 48379->48377 48381 7412d5a 48380->48381 48390 7412e10 48381->48390 48395 7412e00 48381->48395 48382 7412d7d 48382->48372 48386 7412d5a 48385->48386 48388 7412e00 2 API calls 48386->48388 48389 7412e10 2 API calls 48386->48389 48387 7412d7d 48387->48372 48388->48387 48389->48387 48391 7412e34 48390->48391 48400 7412f70 48391->48400 48403 7412f68 48391->48403 48392 7412ebb 48392->48382 48396 7412e34 48395->48396 48398 7412f70 NtQueryInformationProcess 48396->48398 48399 7412f68 NtQueryInformationProcess 48396->48399 48397 7412ebb 48397->48382 48398->48397 48399->48397 48401 7412fbb NtQueryInformationProcess 48400->48401 48402 7412ffe 48401->48402 48402->48392 48404 7412fbb NtQueryInformationProcess 48403->48404 48405 7412ffe 48404->48405 48405->48392 48490 73fadc8 48491 73fae16 DrawTextExW 48490->48491 48493 73fae6e 48491->48493 48406 a191d00 48407 a191e8b 48406->48407 48409 a191d26 48406->48409 48409->48407 48410 a19005c 48409->48410 48411 a191f80 PostMessageW 48410->48411 48412 a191fec 48411->48412 48412->48409 48494 741e9fc 48496 741ea09 48494->48496 48495 741e98d 48496->48495 48500 a190b8e 48496->48500 48519 a190ae0 48496->48519 48537 a190ad0 48496->48537 48501 a190b1c 48500->48501 48502 a190b91 48500->48502 48504 a190b02 48501->48504 48555 a191589 48501->48555 48564 a1910d6 48501->48564 48569 a191376 48501->48569 48575 a1917f7 48501->48575 48580 a191475 48501->48580 48585 a190f95 48501->48585 48595 a191093 48501->48595 48599 a191313 48501->48599 48603 a190f38 48501->48603 48613 a191007 48501->48613 48623 a1915e5 48501->48623 48629 a191525 48501->48629 48635 a190f4e 48501->48635 48645 a1911cf 48501->48645 48652 a1910e9 48501->48652 48502->48496 48504->48496 48520 a190afa 48519->48520 48521 a190b02 48520->48521 48522 a190f38 6 API calls 48520->48522 48523 a191313 2 API calls 48520->48523 48524 a191093 2 API calls 48520->48524 48525 a190f95 6 API calls 48520->48525 48526 a191475 2 API calls 48520->48526 48527 a1917f7 2 API calls 48520->48527 48528 a191376 4 API calls 48520->48528 48529 a1910d6 2 API calls 48520->48529 48530 a191589 6 API calls 48520->48530 48531 a1910e9 2 API calls 48520->48531 48532 a1911cf 4 API calls 48520->48532 48533 a190f4e 6 API calls 48520->48533 48534 a191525 4 API calls 48520->48534 48535 a1915e5 4 API calls 48520->48535 48536 a191007 6 API calls 48520->48536 48521->48496 48522->48521 48523->48521 48524->48521 48525->48521 48526->48521 48527->48521 48528->48521 48529->48521 48530->48521 48531->48521 48532->48521 48533->48521 48534->48521 48535->48521 48536->48521 48538 a190afa 48537->48538 48539 a190b02 48538->48539 48540 a190f38 6 API calls 48538->48540 48541 a191313 2 API calls 48538->48541 48542 a191093 2 API calls 48538->48542 48543 a190f95 6 API calls 48538->48543 48544 a191475 2 API calls 48538->48544 48545 a1917f7 2 API calls 48538->48545 48546 a191376 4 API calls 48538->48546 48547 a1910d6 2 API calls 48538->48547 48548 a191589 6 API calls 48538->48548 48549 a1910e9 2 API calls 48538->48549 48550 a1911cf 4 API calls 48538->48550 48551 a190f4e 6 API calls 48538->48551 48552 a191525 4 API calls 48538->48552 48553 a1915e5 4 API calls 48538->48553 48554 a191007 6 API calls 48538->48554 48539->48496 48540->48539 48541->48539 48542->48539 48543->48539 48544->48539 48545->48539 48546->48539 48547->48539 48548->48539 48549->48539 48550->48539 48551->48539 48552->48539 48553->48539 48554->48539 48556 a19158f 48555->48556 48557 a19137d 48556->48557 48665 741dbe8 48556->48665 48669 741dbf0 48556->48669 48657 741d630 48557->48657 48661 741d628 48557->48661 48673 741d6d8 48557->48673 48677 741d6e0 48557->48677 48565 a1910e3 48564->48565 48681 741e0e1 48565->48681 48685 741e0e8 48565->48685 48566 a191833 48570 a19137c 48569->48570 48571 741d630 ResumeThread 48570->48571 48572 741d628 ResumeThread 48570->48572 48573 741d6e0 Wow64SetThreadContext 48570->48573 48574 741d6d8 Wow64SetThreadContext 48570->48574 48571->48570 48572->48570 48573->48570 48574->48570 48576 a191812 48575->48576 48578 741e0e1 WriteProcessMemory 48576->48578 48579 741e0e8 WriteProcessMemory 48576->48579 48577 a191833 48578->48577 48579->48577 48581 a191795 48580->48581 48583 741d6e0 Wow64SetThreadContext 48581->48583 48584 741d6d8 Wow64SetThreadContext 48581->48584 48582 a1917b0 48583->48582 48584->48582 48586 a190fa0 48585->48586 48689 741e364 48586->48689 48693 741e370 48586->48693 48597 741e0e1 WriteProcessMemory 48595->48597 48598 741e0e8 WriteProcessMemory 48595->48598 48596 a1910b7 48596->48504 48597->48596 48598->48596 48697 741e1d0 48599->48697 48701 741e1d8 48599->48701 48600 a191335 48604 a190f3c 48603->48604 48609 741e370 CreateProcessA 48604->48609 48610 741e364 CreateProcessA 48604->48610 48605 a19108d 48605->48504 48606 a191050 48606->48605 48607 741d6e0 Wow64SetThreadContext 48606->48607 48608 741d6d8 Wow64SetThreadContext 48606->48608 48611 741d630 ResumeThread 48606->48611 48612 741d628 ResumeThread 48606->48612 48607->48606 48608->48606 48609->48606 48610->48606 48611->48606 48612->48606 48614 a19100d 48613->48614 48616 a191050 48614->48616 48619 741e370 CreateProcessA 48614->48619 48620 741e364 CreateProcessA 48614->48620 48615 a19108d 48615->48504 48616->48615 48617 741d6e0 Wow64SetThreadContext 48616->48617 48618 741d6d8 Wow64SetThreadContext 48616->48618 48621 741d630 ResumeThread 48616->48621 48622 741d628 ResumeThread 48616->48622 48617->48616 48618->48616 48619->48616 48620->48616 48621->48616 48622->48616 48624 a19137d 48623->48624 48625 741d6e0 Wow64SetThreadContext 48624->48625 48626 741d6d8 Wow64SetThreadContext 48624->48626 48627 741d630 ResumeThread 48624->48627 48628 741d628 ResumeThread 48624->48628 48625->48624 48626->48624 48627->48624 48628->48624 48630 a19137d 48629->48630 48631 741d630 ResumeThread 48630->48631 48632 741d628 ResumeThread 48630->48632 48633 741d6e0 Wow64SetThreadContext 48630->48633 48634 741d6d8 Wow64SetThreadContext 48630->48634 48631->48630 48632->48630 48633->48630 48634->48630 48636 a190f3c 48635->48636 48639 741e370 CreateProcessA 48636->48639 48640 741e364 CreateProcessA 48636->48640 48637 a191050 48638 a19108d 48637->48638 48641 741d630 ResumeThread 48637->48641 48642 741d628 ResumeThread 48637->48642 48643 741d6e0 Wow64SetThreadContext 48637->48643 48644 741d6d8 Wow64SetThreadContext 48637->48644 48638->48504 48639->48637 48640->48637 48641->48637 48642->48637 48643->48637 48644->48637 48647 a19107b 48645->48647 48646 a19108d 48646->48504 48647->48646 48648 741d630 ResumeThread 48647->48648 48649 741d628 ResumeThread 48647->48649 48650 741d6e0 Wow64SetThreadContext 48647->48650 48651 741d6d8 Wow64SetThreadContext 48647->48651 48648->48647 48649->48647 48650->48647 48651->48647 48653 a19110c 48652->48653 48654 a1912e8 48653->48654 48655 741e0e1 WriteProcessMemory 48653->48655 48656 741e0e8 WriteProcessMemory 48653->48656 48654->48504 48655->48653 48656->48653 48658 741d670 ResumeThread 48657->48658 48660 741d6a1 48658->48660 48660->48557 48662 741d630 ResumeThread 48661->48662 48664 741d6a1 48662->48664 48664->48557 48666 741dc30 VirtualAllocEx 48665->48666 48668 741dc6d 48666->48668 48668->48557 48670 741dc30 VirtualAllocEx 48669->48670 48672 741dc6d 48670->48672 48672->48557 48674 741d725 Wow64SetThreadContext 48673->48674 48676 741d76d 48674->48676 48676->48557 48678 741d725 Wow64SetThreadContext 48677->48678 48680 741d76d 48678->48680 48680->48557 48682 741e0e8 WriteProcessMemory 48681->48682 48684 741e187 48682->48684 48684->48566 48686 741e130 WriteProcessMemory 48685->48686 48688 741e187 48686->48688 48688->48566 48690 741e370 CreateProcessA 48689->48690 48692 741e5bb 48690->48692 48694 741e3f9 CreateProcessA 48693->48694 48696 741e5bb 48694->48696 48698 741e223 ReadProcessMemory 48697->48698 48700 741e267 48698->48700 48700->48600 48702 741e223 ReadProcessMemory 48701->48702 48704 741e267 48702->48704 48704->48600 48705 28d55f0 48707 28d5617 48705->48707 48706 28d56f4 48707->48706 48712 28d5820 48707->48712 48717 28d5830 48707->48717 48708 28d567a 48708->48706 48722 28d4598 48708->48722 48713 28d5844 48712->48713 48726 28d5869 48713->48726 48730 28d5878 48713->48730 48714 28d5862 48714->48708 48718 28d5844 48717->48718 48720 28d5869 GetModuleHandleW 48718->48720 48721 28d5878 GetModuleHandleW 48718->48721 48719 28d5862 48719->48708 48720->48719 48721->48719 48723 28d6a80 CreateActCtxA 48722->48723 48725 28d6b43 48723->48725 48734 28d68d1 48726->48734 48738 28d68e0 48726->48738 48727 28d5884 48727->48714 48731 28d5884 48730->48731 48732 28d68d1 GetModuleHandleW 48730->48732 48733 28d68e0 GetModuleHandleW 48730->48733 48731->48714 48732->48731 48733->48731 48737 28d6903 48734->48737 48735 28d6874 GetModuleHandleW 48736 28d846d 48735->48736 48736->48727 48737->48727 48737->48735 48739 28d6903 48738->48739 48739->48727 48740 28d6874 GetModuleHandleW 48739->48740 48741 28d846d 48740->48741 48741->48727

                              Executed Functions

                              Function 07412F68 Relevance: 1.6, APIs: 1, Instructions: 57nativeCOMMON
                              Download Yara Rule
                              APIs
                              • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 07412FEF
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1401516622.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_7410000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID: InformationProcessQuery
                              • String ID:
                              • API String ID: 1778838933-0
                              • Opcode ID: 83f832a2ff1e2e49ffbf8849ed86b05f87a03c71d1d08b20295660619527bb25
                              • Instruction ID: 7d818934ae089c0b00e966f0c38c9c7b2e169edf0d6fa8be2da41b3aaa7dd14c
                              • Opcode Fuzzy Hash: 83f832a2ff1e2e49ffbf8849ed86b05f87a03c71d1d08b20295660619527bb25
                              • Instruction Fuzzy Hash: AC21EFB6901249DFCB20CF9AD884ADEBFF4BB48310F10852AE958A7210C335A540CFA1
                              Function 07412F70 Relevance: 1.6, APIs: 1, Instructions: 55nativeCOMMON
                              Download Yara Rule
                              APIs
                              • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 07412FEF
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1401516622.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_7410000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID: InformationProcessQuery
                              • String ID:
                              • API String ID: 1778838933-0
                              • Opcode ID: 759b723b81f66811a6e472e07c5e31251cff1df198be33642a66224489742e4d
                              • Instruction ID: 11bb76f379641dc798408618d9aa8e69a78792ff9bc500f4d03fe6a1115a2707
                              • Opcode Fuzzy Hash: 759b723b81f66811a6e472e07c5e31251cff1df198be33642a66224489742e4d
                              • Instruction Fuzzy Hash: B421BDB5D01359DFCB20DF9AD884ADEBBF4FB48310F10852AE918A7250D375A944CFA5
                              Function 0741E364 Relevance: 1.7, APIs: 1, Instructions: 249processCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 550 741e364-741e405 553 741e407-741e411 550->553 554 741e43e-741e45e 550->554 553->554 555 741e413-741e415 553->555 559 741e460-741e46a 554->559 560 741e497-741e4c6 554->560 557 741e417-741e421 555->557 558 741e438-741e43b 555->558 561 741e423 557->561 562 741e425-741e434 557->562 558->554 559->560 564 741e46c-741e46e 559->564 568 741e4c8-741e4d2 560->568 569 741e4ff-741e5b9 CreateProcessA 560->569 561->562 562->562 563 741e436 562->563 563->558 565 741e491-741e494 564->565 566 741e470-741e47a 564->566 565->560 570 741e47c 566->570 571 741e47e-741e48d 566->571 568->569 572 741e4d4-741e4d6 568->572 582 741e5c2-741e648 569->582 583 741e5bb-741e5c1 569->583 570->571 571->571 573 741e48f 571->573 574 741e4f9-741e4fc 572->574 575 741e4d8-741e4e2 572->575 573->565 574->569 577 741e4e4 575->577 578 741e4e6-741e4f5 575->578 577->578 578->578 579 741e4f7 578->579 579->574 593 741e658-741e65c 582->593 594 741e64a-741e64e 582->594 583->582 596 741e66c-741e670 593->596 597 741e65e-741e662 593->597 594->593 595 741e650 594->595 595->593 599 741e680-741e684 596->599 600 741e672-741e676 596->600 597->596 598 741e664 597->598 598->596 601 741e696-741e69d 599->601 602 741e686-741e68c 599->602 600->599 603 741e678 600->603 604 741e6b4 601->604 605 741e69f-741e6ae 601->605 602->601 603->599 607 741e6b5 604->607 605->604 607->607
                              APIs
                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0741E5A6
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1401516622.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_7410000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID: CreateProcess
                              • String ID:
                              • API String ID: 963392458-0
                              • Opcode ID: fb9992e4cd20ecfa0b5dedfeb6291a2b20fe4035327c49438bb0a453c529764a
                              • Instruction ID: a4d130f8b70bebddc0d8a2d88a099e4fd1d000e9f85b9b6f2d1a4865fd49a7f9
                              • Opcode Fuzzy Hash: fb9992e4cd20ecfa0b5dedfeb6291a2b20fe4035327c49438bb0a453c529764a
                              • Instruction Fuzzy Hash: 08A170B5D00729CFEB24DF68C8407DEBBB2BF48311F14856AE848A7240DB749985CF91
                              Function 0741E370 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 608 741e370-741e405 610 741e407-741e411 608->610 611 741e43e-741e45e 608->611 610->611 612 741e413-741e415 610->612 616 741e460-741e46a 611->616 617 741e497-741e4c6 611->617 614 741e417-741e421 612->614 615 741e438-741e43b 612->615 618 741e423 614->618 619 741e425-741e434 614->619 615->611 616->617 621 741e46c-741e46e 616->621 625 741e4c8-741e4d2 617->625 626 741e4ff-741e5b9 CreateProcessA 617->626 618->619 619->619 620 741e436 619->620 620->615 622 741e491-741e494 621->622 623 741e470-741e47a 621->623 622->617 627 741e47c 623->627 628 741e47e-741e48d 623->628 625->626 629 741e4d4-741e4d6 625->629 639 741e5c2-741e648 626->639 640 741e5bb-741e5c1 626->640 627->628 628->628 630 741e48f 628->630 631 741e4f9-741e4fc 629->631 632 741e4d8-741e4e2 629->632 630->622 631->626 634 741e4e4 632->634 635 741e4e6-741e4f5 632->635 634->635 635->635 636 741e4f7 635->636 636->631 650 741e658-741e65c 639->650 651 741e64a-741e64e 639->651 640->639 653 741e66c-741e670 650->653 654 741e65e-741e662 650->654 651->650 652 741e650 651->652 652->650 656 741e680-741e684 653->656 657 741e672-741e676 653->657 654->653 655 741e664 654->655 655->653 658 741e696-741e69d 656->658 659 741e686-741e68c 656->659 657->656 660 741e678 657->660 661 741e6b4 658->661 662 741e69f-741e6ae 658->662 659->658 660->656 664 741e6b5 661->664 662->661 664->664
                              APIs
                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0741E5A6
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1401516622.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_7410000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID: CreateProcess
                              • String ID:
                              • API String ID: 963392458-0
                              • Opcode ID: d18628bb5709b7e0125360d45867802e95ecd7b761dff5e1b225f555db637faf
                              • Instruction ID: 19dbbb1d1f0e41b57f54856d35115899524f4e47af72159f605db36ca82695b1
                              • Opcode Fuzzy Hash: d18628bb5709b7e0125360d45867802e95ecd7b761dff5e1b225f555db637faf
                              • Instruction Fuzzy Hash: AE915EB5D00729CFEB24DF68C840BDEBBB2BF48311F14856AE848A7240DB749985CF91
                              Function 028DC038 Relevance: 1.7, APIs: 1, Instructions: 205COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 665 28dc038-28dc057 666 28dc059-28dc066 call 28da674 665->666 667 28dc083-28dc087 665->667 673 28dc07c 666->673 674 28dc068 666->674 669 28dc089-28dc093 667->669 670 28dc09b-28dc0dc 667->670 669->670 676 28dc0de-28dc0e6 670->676 677 28dc0e9-28dc0f7 670->677 673->667 721 28dc06e call 28dc2d0 674->721 722 28dc06e call 28dc2e0 674->722 676->677 678 28dc0f9-28dc0fe 677->678 679 28dc11b-28dc11d 677->679 681 28dc109 678->681 682 28dc100-28dc107 call 28db3b0 678->682 684 28dc120-28dc127 679->684 680 28dc074-28dc076 680->673 683 28dc1b8-28dc278 680->683 686 28dc10b-28dc119 681->686 682->686 716 28dc27a-28dc27d 683->716 717 28dc280-28dc2ab GetModuleHandleW 683->717 687 28dc129-28dc131 684->687 688 28dc134-28dc13b 684->688 686->684 687->688 691 28dc13d-28dc145 688->691 692 28dc148-28dc151 call 28db3c0 688->692 691->692 696 28dc15e-28dc163 692->696 697 28dc153-28dc15b 692->697 698 28dc165-28dc16c 696->698 699 28dc181-28dc18e 696->699 697->696 698->699 701 28dc16e-28dc17e call 28db3d0 call 28db3e0 698->701 706 28dc1b1-28dc1b7 699->706 707 28dc190-28dc1ae 699->707 701->699 707->706 716->717 718 28dc2ad-28dc2b3 717->718 719 28dc2b4-28dc2c8 717->719 718->719 721->680 722->680
                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 028DC29E
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1391877316.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_28d0000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: c47150dfadc4a14cac346d07e2d3109a8997067ba54ce3309972757d1374b986
                              • Instruction ID: 895d065933f5160b9e600bef55742b588f238324c6891a372c6b37f6c8c1f5bb
                              • Opcode Fuzzy Hash: c47150dfadc4a14cac346d07e2d3109a8997067ba54ce3309972757d1374b986
                              • Instruction Fuzzy Hash: 04813778A007058FDB24DF6AD45479ABBF1FF88214F048A2ED48AC7A50D775E84ACB91
                              Function 028DCA7B Relevance: 1.6, APIs: 1, Instructions: 130COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 723 28dca7b-28dca7d 724 28dca7f-28dca87 723->724 725 28dca0a 723->725 728 28dca8d-28dca9a 724->728 729 28dcb18-28dcb1e 724->729 726 28dca0c-28dca17 725->726 727 28dc9f5-28dc9f8 725->727 730 28de900-28de994 DuplicateHandle 726->730 727->725 731 28dcb0c-28dcb15 728->731 732 28dca9c-28dcaa9 728->732 729->730 734 28de99d-28de9ba 730->734 735 28de996-28de99c 730->735 732->731 736 28dcaab 732->736 735->734 737 28dcac9-28dcad2 736->737 738 28dcaf7-28dcb00 736->738 739 28dcae0-28dcae9 736->739 740 28dcab2-28dcabb 736->740 737->729 741 28dcad4-28dcade 737->741 738->729 743 28dcb02-28dcb09 738->743 739->729 742 28dcaeb-28dcaf5 739->742 740->729 746 28dcabd-28dcac7 740->746 741->731 742->731 743->731 746->731
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,028DE8C6,?,?,?,?,?), ref: 028DE987
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1391877316.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_28d0000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: c48131e9b2cd9f6c3253187a50865fd1bf61de0946a3a615eadb2c4791c5dba3
                              • Instruction ID: a58276c9e8425dd23922e525a526c53a5adbeea04739edca6b23258560387f75
                              • Opcode Fuzzy Hash: c48131e9b2cd9f6c3253187a50865fd1bf61de0946a3a615eadb2c4791c5dba3
                              • Instruction Fuzzy Hash: 0A516979900609CFCB10CF89C580EAABBF1FB89310F16899AE559AB251D334F959CF90
                              Function 028D6A75 Relevance: 1.6, APIs: 1, Instructions: 98COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 747 28d6a75-28d6b41 CreateActCtxA 749 28d6b4a-28d6ba4 747->749 750 28d6b43-28d6b49 747->750 757 28d6ba6-28d6ba9 749->757 758 28d6bb3-28d6bb7 749->758 750->749 757->758 759 28d6bb9-28d6bc5 758->759 760 28d6bc8 758->760 759->760 762 28d6bc9 760->762 762->762
                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 028D6B31
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1391877316.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_28d0000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0
                              • Opcode ID: 77684a1426c0aef2bca88257d0cf4d4f40ee60415d54bad6f139b5e29ae403f8
                              • Instruction ID: 855b4a8daf38abcf13c67b5305b2cf8f58ff66ae94ba2d77d2b8fdfb7e4d6ecd
                              • Opcode Fuzzy Hash: 77684a1426c0aef2bca88257d0cf4d4f40ee60415d54bad6f139b5e29ae403f8
                              • Instruction Fuzzy Hash: C141C175C0072DCBEB24DFAAC844B9DBBF5BF49314F20816AD408AB251DB75694ACF90
                              Function 028D4598 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 763 28d4598-28d6b41 CreateActCtxA 766 28d6b4a-28d6ba4 763->766 767 28d6b43-28d6b49 763->767 774 28d6ba6-28d6ba9 766->774 775 28d6bb3-28d6bb7 766->775 767->766 774->775 776 28d6bb9-28d6bc5 775->776 777 28d6bc8 775->777 776->777 779 28d6bc9 777->779 779->779
                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 028D6B31
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1391877316.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_28d0000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0
                              • Opcode ID: dec9f4c82e272c12efcdcee04d15069ddbd755a89ad66880277e6f1c512cb0d6
                              • Instruction ID: 91270b3e1413762723bfdefaf4b5bae0a6ffc144cad21d96af6ab4d4cc7067dc
                              • Opcode Fuzzy Hash: dec9f4c82e272c12efcdcee04d15069ddbd755a89ad66880277e6f1c512cb0d6
                              • Instruction Fuzzy Hash: 9041D575C0072DCBEB24DFAAC844B9DBBF5BF48304F20816AD408AB251DB75694ACF90
                              Function 07413EF7 Relevance: 1.6, APIs: 1, Instructions: 80COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 780 7413ef7-7413f00 781 7413f02-7413f18 780->781 782 7413f6f-7413fca 780->782 783 7413f1a 781->783 784 7413f1f-7413f22 781->784 788 7413fd2-7413ffd OutputDebugStringW 782->788 789 7413fcc-7413fcf 782->789 783->784 787 7413f29-7413f32 784->787 790 7414006-741401a 788->790 791 7413fff-7414005 788->791 789->788 791->790
                              APIs
                              • OutputDebugStringW.KERNELBASE(00000000), ref: 07413FF0
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1401516622.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_7410000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID: DebugOutputString
                              • String ID:
                              • API String ID: 1166629820-0
                              • Opcode ID: 1c4b4107c74ee15e4e165d5558f0ca319b7ae0bca769be07da05571565ab497c
                              • Instruction ID: e98b59ae6d07d1fd2273786817071c02479104209406b1d76f6a6353a07b21c5
                              • Opcode Fuzzy Hash: 1c4b4107c74ee15e4e165d5558f0ca319b7ae0bca769be07da05571565ab497c
                              • Instruction Fuzzy Hash: 2C3158B5C083899FCB11DFA9D8456DEBFB4EB09310F10819AD858A7351C7345945CFA2
                              Function 073FADC0 Relevance: 1.6, APIs: 1, Instructions: 72COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 793 73fadc0-73fae14 794 73fae1f-73fae2e 793->794 795 73fae16-73fae1c 793->795 796 73fae33-73fae6c DrawTextExW 794->796 797 73fae30 794->797 795->794 798 73fae6e-73fae74 796->798 799 73fae75-73fae92 796->799 797->796 798->799
                              APIs
                              • DrawTextExW.USER32(?,?,?,?,?,?), ref: 073FAE5F
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1401382367.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_73f0000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID: DrawText
                              • String ID:
                              • API String ID: 2175133113-0
                              • Opcode ID: c08ff089dd4894a435da61e3a9abdbf10d9770840035ba69acf3c14958dcdbdd
                              • Instruction ID: 10f073d638cd2ab6d548d5787e388352dd0b201a1baeb415d3c0f92b34b06fc3
                              • Opcode Fuzzy Hash: c08ff089dd4894a435da61e3a9abdbf10d9770840035ba69acf3c14958dcdbdd
                              • Instruction Fuzzy Hash: 4831FFB5D0030A9FDB10CF9AD884ADEBBF4FB58320F14842AE919A7210D775A941CFA0
                              Function 0741E0E1 Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 802 741e0e1-741e136 805 741e146-741e185 WriteProcessMemory 802->805 806 741e138-741e144 802->806 808 741e187-741e18d 805->808 809 741e18e-741e1be 805->809 806->805 808->809
                              APIs
                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0741E178
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1401516622.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_7410000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID: MemoryProcessWrite
                              • String ID:
                              • API String ID: 3559483778-0
                              • Opcode ID: 1c8d91ea73b58ac027a94eaddc418f054a563b526d1e7ba3ab08d6614f34fada
                              • Instruction ID: 7e1d0603f29c131a6c63c9a534cb97d2362a603635d34e51bc96c9a302330be2
                              • Opcode Fuzzy Hash: 1c8d91ea73b58ac027a94eaddc418f054a563b526d1e7ba3ab08d6614f34fada
                              • Instruction Fuzzy Hash: 602148B5D003199FDB10DFAAC881BDEBBF5FF48310F10842AE958A7240C7789941CBA0
                              Function 073FADC8 Relevance: 1.6, APIs: 1, Instructions: 69COMMON
                              Download Yara Rule
                              APIs
                              • DrawTextExW.USER32(?,?,?,?,?,?), ref: 073FAE5F
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1401382367.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_73f0000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID: DrawText
                              • String ID:
                              • API String ID: 2175133113-0
                              • Opcode ID: 87fb12b332b3f69651d62f94ad1bfbe1334283dfa58b5a351c2e1356a6b07116
                              • Instruction ID: c147914a86195f01a07908ce7d0048b8a63d85cabd9211f5addc2a09b94c9a99
                              • Opcode Fuzzy Hash: 87fb12b332b3f69651d62f94ad1bfbe1334283dfa58b5a351c2e1356a6b07116
                              • Instruction Fuzzy Hash: 6321CEB5D0030A9FDB10CF9AD884A9EFBF5FF58320F14842AE919A7210D775A945CFA0
                              Function 0741E0E8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                              Download Yara Rule
                              APIs
                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0741E178
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1401516622.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_7410000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID: MemoryProcessWrite
                              • String ID:
                              • API String ID: 3559483778-0
                              • Opcode ID: ef47b9d38df0f4e9693a50f4e75aeddd3490c6061b8e18e1637bb8148775f729
                              • Instruction ID: f781a38baf00e81dc74d573fff226eb61a2c86862ca643f57854417d42831c84
                              • Opcode Fuzzy Hash: ef47b9d38df0f4e9693a50f4e75aeddd3490c6061b8e18e1637bb8148775f729
                              • Instruction Fuzzy Hash: F02144B5D003199FDB10DFAAC881BDEBBF5FF48310F10842AE918A7240C7789941CBA0
                              Function 028DE8F8 Relevance: 1.6, APIs: 1, Instructions: 67COMMON
                              Download Yara Rule
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,028DE8C6,?,?,?,?,?), ref: 028DE987
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1391877316.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_28d0000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: 3e3791e20837bce3db16c7324dea124b6c3f23be6717dcc762983c2834833d65
                              • Instruction ID: 5236bb8e377d94749b2f391124dd2cfae0b67fdafde7ed7956cd6f1390f1e36c
                              • Opcode Fuzzy Hash: 3e3791e20837bce3db16c7324dea124b6c3f23be6717dcc762983c2834833d65
                              • Instruction Fuzzy Hash: 8B21F6B5D00248AFDB10CF9AD984ADEBFF5EF48320F14801AE958A7350D375A945CFA1
                              Function 0741D6D8 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON
                              Download Yara Rule
                              APIs
                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0741D75E
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1401516622.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_7410000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID: ContextThreadWow64
                              • String ID:
                              • API String ID: 983334009-0
                              • Opcode ID: 64971d17b9fbd2444df97732dc4d74c716e4329a76d5d448bb41a53a3adc1459
                              • Instruction ID: b4f91345406c6949b6df69961686989d68c595ab51b912294128273ce8ed2384
                              • Opcode Fuzzy Hash: 64971d17b9fbd2444df97732dc4d74c716e4329a76d5d448bb41a53a3adc1459
                              • Instruction Fuzzy Hash: 772168B1D003098FDB10DFAAC485BEEBBF1EF48310F54842AD469A7240CB789945CFA0
                              Function 0741E1D0 Relevance: 1.6, APIs: 1, Instructions: 66COMMON
                              Download Yara Rule
                              APIs
                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0741E258
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1401516622.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_7410000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID: MemoryProcessRead
                              • String ID:
                              • API String ID: 1726664587-0
                              • Opcode ID: 65af31951745be38d58cc03dc202c4bc5338b5b3c9322d287fc1e050c527d9dd
                              • Instruction ID: 9198fb45730f6ab8c0f1b81da0cb990308449af9ab3754c402d5bc4e2f34bbb0
                              • Opcode Fuzzy Hash: 65af31951745be38d58cc03dc202c4bc5338b5b3c9322d287fc1e050c527d9dd
                              • Instruction Fuzzy Hash: 5D2139B5C003599FDB10DFAAC941BEEBBF1FF48310F50842AE958A7240C7349541CBA0
                              Function 028DCA10 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                              Download Yara Rule
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,028DE8C6,?,?,?,?,?), ref: 028DE987
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1391877316.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_28d0000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: e05d1a24b362654a899289e7debdcc2f2aa875f7732997c4eb0f4d1c85f93083
                              • Instruction ID: fd0bb199e4a09dc654cd351285ca94f240b19e86e6563682dfdaa514dd9b9ece
                              • Opcode Fuzzy Hash: e05d1a24b362654a899289e7debdcc2f2aa875f7732997c4eb0f4d1c85f93083
                              • Instruction Fuzzy Hash: 1F21F4B5D01308AFDB10CFAAD984ADEBBF4EB48310F10841AE958A7310D374A944CFA4
                              Function 0741D6E0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                              Download Yara Rule
                              APIs
                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0741D75E
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1401516622.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_7410000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID: ContextThreadWow64
                              • String ID:
                              • API String ID: 983334009-0
                              • Opcode ID: f6c956ad3b50f2ba2417e704722ccb72a508f8fccdab298167f391408347719a
                              • Instruction ID: b6c5d3aa1c49e6e2b32b401b6d7dc4ec5d5cdc08e57a294b6d608d5a584a0309
                              • Opcode Fuzzy Hash: f6c956ad3b50f2ba2417e704722ccb72a508f8fccdab298167f391408347719a
                              • Instruction Fuzzy Hash: 5F2135B1D003098FDB10DFAAC485BEEBBF4EF48324F54842AD469A7240DB789945CFA4
                              Function 0741E1D8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                              Download Yara Rule
                              APIs
                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0741E258
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1401516622.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_7410000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID: MemoryProcessRead
                              • String ID:
                              • API String ID: 1726664587-0
                              • Opcode ID: 2af2241b66e83ed62882f6792f503cd48208c549004d566f55f9ccadca9f3a6f
                              • Instruction ID: 30fe5f92378ef42c272e9f9d3f7d4c7d589692370c0f7c51638e9244263da16d
                              • Opcode Fuzzy Hash: 2af2241b66e83ed62882f6792f503cd48208c549004d566f55f9ccadca9f3a6f
                              • Instruction Fuzzy Hash: 542116B1C003599FDB10DFAAC881BDEBBF5FF48310F50852AE959A7240C7399941CBA4
                              Function 07413F78 Relevance: 1.6, APIs: 1, Instructions: 55COMMON
                              Download Yara Rule
                              APIs
                              • OutputDebugStringW.KERNELBASE(00000000), ref: 07413FF0
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1401516622.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_7410000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID: DebugOutputString
                              • String ID:
                              • API String ID: 1166629820-0
                              • Opcode ID: 3ef25013e2e8212f77375d4c118f7076ba00d7c10fd17f66c02ebece2a4220dc
                              • Instruction ID: acf6693f0968d61f088352ee10c92ebe89a2c9c79c42060af0797960b163d438
                              • Opcode Fuzzy Hash: 3ef25013e2e8212f77375d4c118f7076ba00d7c10fd17f66c02ebece2a4220dc
                              • Instruction Fuzzy Hash: 6D1112B5C0065A9BCB24DF9AD845BDEFBB4FB48320F10821AE819A3340C734A941CFA5
                              Function 0741DBE8 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON
                              Download Yara Rule
                              APIs
                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0741DC5E
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1401516622.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_7410000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID: AllocVirtual
                              • String ID:
                              • API String ID: 4275171209-0
                              • Opcode ID: a2a6f1ce9fbe220001285c25e61524ba02a32aa2565bcd8e2d99cd72c53e8374
                              • Instruction ID: 7a4779b5e5deab9605f999c619ca9c49336833997bd157bb2a87599a44160c70
                              • Opcode Fuzzy Hash: a2a6f1ce9fbe220001285c25e61524ba02a32aa2565bcd8e2d99cd72c53e8374
                              • Instruction Fuzzy Hash: 2E1159B6D003499FDB20DFAAC844BDEBBF5EF48320F14881AE519A7250C7759941CFA0
                              Function 0741D628 Relevance: 1.6, APIs: 1, Instructions: 54threadCOMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1401516622.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_7410000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID: ResumeThread
                              • String ID:
                              • API String ID: 947044025-0
                              • Opcode ID: 4a399997bd1447fc479a4f72656257b0b0d685df35fe4898530baf03652f0f40
                              • Instruction ID: 77d70f23a73f19c0ab575253f546a97125cf183f3b28b6dd1493d0dbfb193dad
                              • Opcode Fuzzy Hash: 4a399997bd1447fc479a4f72656257b0b0d685df35fe4898530baf03652f0f40
                              • Instruction Fuzzy Hash: 9D1149B1D013498FDB20DFAAC4457DEBBF4AF88220F14841AD459A7240CA75A545CFA5
                              Function 0741DBF0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                              Download Yara Rule
                              APIs
                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0741DC5E
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1401516622.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_7410000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID: AllocVirtual
                              • String ID:
                              • API String ID: 4275171209-0
                              • Opcode ID: 47cb021a312c3ed17d3df8509bef3750dc2e58294ff500e48d7e0f8f6e56bbf7
                              • Instruction ID: e09a45c444d61a89b948929874964899dbcf82d0da4a31d88aa140b2cc01d443
                              • Opcode Fuzzy Hash: 47cb021a312c3ed17d3df8509bef3750dc2e58294ff500e48d7e0f8f6e56bbf7
                              • Instruction Fuzzy Hash: 231126B1D003499FDB20DFAAC845BDEBBF5EF48320F14881AE555A7250CB759941CFA0
                              Function 07413F80 Relevance: 1.6, APIs: 1, Instructions: 50COMMON
                              Download Yara Rule
                              APIs
                              • OutputDebugStringW.KERNELBASE(00000000), ref: 07413FF0
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1401516622.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_7410000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID: DebugOutputString
                              • String ID:
                              • API String ID: 1166629820-0
                              • Opcode ID: ce1e7b068a38261a2aff1e26e718fa6d33ef23b7ecbe69afba08b5cd54ceb845
                              • Instruction ID: c9d294122d515acaeff19fe461d9291961bda17f5f8f17de804445b15c1dcadd
                              • Opcode Fuzzy Hash: ce1e7b068a38261a2aff1e26e718fa6d33ef23b7ecbe69afba08b5cd54ceb845
                              • Instruction Fuzzy Hash: 0E1104B5C0065A9BCB14DF9AD845BDEFBF4FB48320F10821AE819A3340D774A944CFA5
                              Function 0741D630 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1401516622.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_7410000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID: ResumeThread
                              • String ID:
                              • API String ID: 947044025-0
                              • Opcode ID: f62f190d2cec527d0aa8e7b66dde884e3831d0c53de4a17c9f6a2c3ad3bf3869
                              • Instruction ID: 62096466bd8d16fbb9e57df449b71f97c216bd9aaea67403cb502f92c7b3b39c
                              • Opcode Fuzzy Hash: f62f190d2cec527d0aa8e7b66dde884e3831d0c53de4a17c9f6a2c3ad3bf3869
                              • Instruction Fuzzy Hash: EE1128B1D007498FDB24DFAAC4457DEFBF5AF48220F14841AD559A7240CB796941CF94
                              Function 0A191F79 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON
                              Download Yara Rule
                              APIs
                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 0A191FDD
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1402260046.000000000A190000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A190000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_a190000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID: MessagePost
                              • String ID:
                              • API String ID: 410705778-0
                              • Opcode ID: d4c14dc7bfed00ddc1b1657bfea2504be7d78fd349f3c39ef77afd7d88d5a84c
                              • Instruction ID: 02bd3443ce29656ae74e9fb8fe88bedac627e2ede8185b8d0d63fa1f327199e3
                              • Opcode Fuzzy Hash: d4c14dc7bfed00ddc1b1657bfea2504be7d78fd349f3c39ef77afd7d88d5a84c
                              • Instruction Fuzzy Hash: 4811F5B58003499FDB10DF9AC485BDEFFF8EB48310F14855AE558A7640C775A984CFA1
                              Function 028DC238 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                              Download Yara Rule
                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 028DC29E
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1391877316.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_28d0000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: 909f02f69f3e0eae22e42c8bd609e37ad47e0bb82ab9cbea2e190ea9f544b714
                              • Instruction ID: db4af173a125280f47da60c1264100a619aa1a7237cd00dc946659c6e54f2abd
                              • Opcode Fuzzy Hash: 909f02f69f3e0eae22e42c8bd609e37ad47e0bb82ab9cbea2e190ea9f544b714
                              • Instruction Fuzzy Hash: 7811D2B9C007498FDB10DF9AC444B9EFBF5AF88724F10851AD459A7210D375A545CFA1
                              Function 0A19005C Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                              Download Yara Rule
                              APIs
                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 0A191FDD
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1402260046.000000000A190000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A190000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_a190000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID: MessagePost
                              • String ID:
                              • API String ID: 410705778-0
                              • Opcode ID: 922fd80c6207e4e31182c0c81f5dbcf6eccd39384993ea82c389f584223b2add
                              • Instruction ID: a6380156335df19ecbb370ec565de3041df2ef6a9c774b3255094b4a0d075342
                              • Opcode Fuzzy Hash: 922fd80c6207e4e31182c0c81f5dbcf6eccd39384993ea82c389f584223b2add
                              • Instruction Fuzzy Hash: 3411E3B580434D9FDB20DF9AC845BDEBBF8EB48310F108559E555A7200C375A984CFA5
                              Function 056CDC90 Relevance: 1.4, Strings: 1, Instructions: 114COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1400407052.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_56c0000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID:
                              • String ID: (q
                              • API String ID: 0-2414175341
                              • Opcode ID: 314f3504574d56c6954fb0c9d80af4246f565a52ad760ae5ca0722e80422495d
                              • Instruction ID: e0587da2e2acbaa92754a8834cebf21b1d6b3f7b25c633841ff9811e63208246
                              • Opcode Fuzzy Hash: 314f3504574d56c6954fb0c9d80af4246f565a52ad760ae5ca0722e80422495d
                              • Instruction Fuzzy Hash: B941C139E04645CFCB15EB68D8546AEBBF2FF85300B5485ADD006EB384CB35AC46CB92
                              Function 0741402A Relevance: 1.3, APIs: 1, Instructions: 49COMMON
                              Download Yara Rule
                              APIs
                              • CloseHandle.KERNELBASE(?), ref: 0741408F
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1401516622.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_7410000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID: CloseHandle
                              • String ID:
                              • API String ID: 2962429428-0
                              • Opcode ID: 14460ba93388752536c3ae60664e5894f66d56b22c8de72fc2eeae5f78adfbf6
                              • Instruction ID: ebba8486f515eaad544dd015963856ba35bddc54ab22b58a4969a58cdbb415d6
                              • Opcode Fuzzy Hash: 14460ba93388752536c3ae60664e5894f66d56b22c8de72fc2eeae5f78adfbf6
                              • Instruction Fuzzy Hash: F01128B1900259CFDB20DF9AC4457EEBBF4EB48320F20842AD558A7250D739A945CFA5
                              Function 07414030 Relevance: 1.3, APIs: 1, Instructions: 47COMMON
                              Download Yara Rule
                              APIs
                              • CloseHandle.KERNELBASE(?), ref: 0741408F
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1401516622.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_7410000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID: CloseHandle
                              • String ID:
                              • API String ID: 2962429428-0
                              • Opcode ID: da2f6b2562a89bec34bb7067d49cf2f2d620f907fc50131195d32a741172e192
                              • Instruction ID: a2ce33b21afdc211df61dbf294d647faf448755a33c78d1302cae054691e657f
                              • Opcode Fuzzy Hash: da2f6b2562a89bec34bb7067d49cf2f2d620f907fc50131195d32a741172e192
                              • Instruction Fuzzy Hash: E61106B1800359CFDB20DF9AC445BDEFBF4EB48320F20842AD558A3251D779A945CFA5
                              Function 056CCC70 Relevance: .2, Instructions: 208COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1400407052.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_56c0000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 185d7bae306595bd96a02e05df5044e1bed7df3f93b13d78fd0f3a545aad9c8a
                              • Instruction ID: 3489d45a281f457f830d1d7b0a86e006a3aed8b3470d4924d64770388c835219
                              • Opcode Fuzzy Hash: 185d7bae306595bd96a02e05df5044e1bed7df3f93b13d78fd0f3a545aad9c8a
                              • Instruction Fuzzy Hash: 54910C35D00609CFDB14DFA8C854AEDFBB2FF49300F108599D949AB261EB30AA85CF90
                              Function 056CC0BF Relevance: .2, Instructions: 155COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1400407052.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_56c0000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 42d4e45491ac25676957e0e1466259ddb37187ab8d2a42a34232017322444882
                              • Instruction ID: 61d64199f47d8fa8c966bed3a12c826a9054c252c1634c7a8c643d9bd6afed71
                              • Opcode Fuzzy Hash: 42d4e45491ac25676957e0e1466259ddb37187ab8d2a42a34232017322444882
                              • Instruction Fuzzy Hash: 6D515C35E00249CFDB14DFA9D494AEDBBB2FF89310F1481A9D81AAB350DB34AC45CB51
                              Function 056CC0D0 Relevance: .2, Instructions: 152COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1400407052.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_56c0000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 133c34e05c6f2a63227fe921a414718db8b263d460e4c8712361191ef10bf13a
                              • Instruction ID: 22ca0b02a1076af367a0bc7fa63fad322eaeac043a7fa1e0abd2c33ba3f39257
                              • Opcode Fuzzy Hash: 133c34e05c6f2a63227fe921a414718db8b263d460e4c8712361191ef10bf13a
                              • Instruction Fuzzy Hash: 9C514C35E00209CFDB24DFA9D494AADBBB2FF89310F1481A9D81AAB350DB34AC41CB51
                              Function 056CE079 Relevance: .1, Instructions: 128COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1400407052.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_56c0000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: db8073b27acd2f3a987e158ba36a30a6f57c99f68d6c6908055e5e7702970616
                              • Instruction ID: 4e0da1bbd4980c10a6c43f35abec546a83dd32d613134869676b7313edbace73
                              • Opcode Fuzzy Hash: db8073b27acd2f3a987e158ba36a30a6f57c99f68d6c6908055e5e7702970616
                              • Instruction Fuzzy Hash: AC418E31B002008FE725DB69D440A7EBBF6FF89610B14859DE416DFB64DA75EC82CB91
                              Function 056CCAE0 Relevance: .1, Instructions: 128COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1400407052.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_56c0000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8720821b905b09a745ab4c077338250954f90ef4fad5f445a911f9bb1f323b6a
                              • Instruction ID: 3d7e3826835e95646bb121369095da1688b3c67705abb5d0e002d1892b951029
                              • Opcode Fuzzy Hash: 8720821b905b09a745ab4c077338250954f90ef4fad5f445a911f9bb1f323b6a
                              • Instruction Fuzzy Hash: 59418C30B102058FE724DF69C484A7EBBF6FF89600B1084ADE406DBB64DA75EC42CB91
                              Function 056CFA10 Relevance: .1, Instructions: 119COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1400407052.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_56c0000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fb4972452551598b8deddf1cb95cad0c9a9063c3afaee1270a0b2e931e2879fa
                              • Instruction ID: 3e064b6afb16c7677fe1e26dba5e9af04489e1a6526914e5a67c2819c4277fb4
                              • Opcode Fuzzy Hash: fb4972452551598b8deddf1cb95cad0c9a9063c3afaee1270a0b2e931e2879fa
                              • Instruction Fuzzy Hash: C8410C75A002098FCB14DF69D4849AABBF6FF88310B14C6A9D809DB355DB34E945CFA1
                              Function 056CF088 Relevance: .1, Instructions: 109COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1400407052.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_56c0000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2625440a651671ff6b2c2b6b5cd2a53c885be82f6af811b0d9ce516a50483c31
                              • Instruction ID: 16dcefcca7a9a5f3abb8383d8b95e59148e2bbc42064a553a7c99d8a933b8249
                              • Opcode Fuzzy Hash: 2625440a651671ff6b2c2b6b5cd2a53c885be82f6af811b0d9ce516a50483c31
                              • Instruction Fuzzy Hash: 7A414F31900219CFCB14DF68D8446E9FBB6FF89300F14829AD959AB751EB70AE45CF90
                              Function 056CDC81 Relevance: .1, Instructions: 104COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1400407052.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_56c0000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 637248914c3e0b429935fd4144a0c9e644c1909ac8dbaf797cb725da8a8027fa
                              • Instruction ID: bebfe9f0cc41f510fcb8b172f9569768512ba388fcc4196c2b167087a3dd3ef3
                              • Opcode Fuzzy Hash: 637248914c3e0b429935fd4144a0c9e644c1909ac8dbaf797cb725da8a8027fa
                              • Instruction Fuzzy Hash: 4E418D78A00605DFD724DB68E584BAEBBB2FF44301F14896DD006AB744CB71BC49CB91
                              Function 056CE2D0 Relevance: .1, Instructions: 82COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1400407052.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_56c0000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c251839723977f07c190d68dbcce214dea5a5187897adaf3751f5ce7692a2b80
                              • Instruction ID: a9a1d74cf0b15ffd6854317eedf33523a849b4e2b0be198a7ad0f696659f31ee
                              • Opcode Fuzzy Hash: c251839723977f07c190d68dbcce214dea5a5187897adaf3751f5ce7692a2b80
                              • Instruction Fuzzy Hash: DA3127357006009FC729EB79E494A2ABBF6FF8961075445ADD00ECB7A1DB32EC02CB91
                              Function 056CE2C1 Relevance: .1, Instructions: 78COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1400407052.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_56c0000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 630a0350cdd0057410ffd8a97a84109a5a671899fd2415fe83c48f6b986c36f0
                              • Instruction ID: 2b1bfaedf20b54506720f6e4e916d2d63e4ee418ebbec763ddee7fbb248b7a25
                              • Opcode Fuzzy Hash: 630a0350cdd0057410ffd8a97a84109a5a671899fd2415fe83c48f6b986c36f0
                              • Instruction Fuzzy Hash: 022151357046009FC7199B79E494A6ABBF6FF8961075542EDD00ECB7A1DB32EC02CB91
                              Function 056CDC60 Relevance: .1, Instructions: 75COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1400407052.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_56c0000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 36f713814bf5a5e29800cc7cb06abd7a6def46c78a78b0eccd6e40937ac629c9
                              • Instruction ID: 11f917c69d231814e8c2133194bcebe43fc79f29065c5de9e8dff3a8d37aaee9
                              • Opcode Fuzzy Hash: 36f713814bf5a5e29800cc7cb06abd7a6def46c78a78b0eccd6e40937ac629c9
                              • Instruction Fuzzy Hash: 46314738A00249DFCB11DF68D584AADBBB2FF45304F1485ADE009AB355CB71AC46CF91
                              Function 0288D01C Relevance: .1, Instructions: 72COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1391687136.000000000288D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0288D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_288d000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7d1054af43e48ea2a7d464b43edde38e42254bdd41840703230376a423a944af
                              • Instruction ID: 0f3d422f654a7619a2af5f29d9d63bde7d76c4ee2839b2dce0ee6549adca95f8
                              • Opcode Fuzzy Hash: 7d1054af43e48ea2a7d464b43edde38e42254bdd41840703230376a423a944af
                              • Instruction Fuzzy Hash: A021F27D604304DFDB14EF24D9C4B16BB65EB84328F20C56DD84A8B386C33AD847CA62
                              Function 0288D1D4 Relevance: .1, Instructions: 72COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1391687136.000000000288D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0288D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_288d000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2ff48bf4543c3d18e016efdafbac8a7b39bbe16a444c447a915d0abf7ef0dfd6
                              • Instruction ID: aa9dda466bc3dcd34e26ee0ded9fdb9ea2be2c8b49016730e6c466c69fcf9c25
                              • Opcode Fuzzy Hash: 2ff48bf4543c3d18e016efdafbac8a7b39bbe16a444c447a915d0abf7ef0dfd6
                              • Instruction Fuzzy Hash: AF21F57D604204DFDB15EF24D9C0B25BB65FB84318F20C66DD8498B292C336E846CA62
                              Function 056CFA00 Relevance: .1, Instructions: 66COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1400407052.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_56c0000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 064ac658a31c0ff6cbbfca8ec4ebfb9a36e487d2dc628ff13d302ff55ca501c4
                              • Instruction ID: 541d8d7c7c4cdecb7a04870a244e3b874a82520a51391513cf712133d9588d9e
                              • Opcode Fuzzy Hash: 064ac658a31c0ff6cbbfca8ec4ebfb9a36e487d2dc628ff13d302ff55ca501c4
                              • Instruction Fuzzy Hash: 3321C3719002459FCB10DF28D8448AAFFB5FF85320B14C69AD849DF256EB30E949CBE0
                              Function 056CE588 Relevance: .1, Instructions: 63COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1400407052.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_56c0000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9accbf0575f96ab3b60e85fe34f919bfbc81a8689050f7e024b347867b8cba37
                              • Instruction ID: 0a57dfe8438b5287c7ec627a3634f89f9ef3472f97c471eed861d47c86a8ef0b
                              • Opcode Fuzzy Hash: 9accbf0575f96ab3b60e85fe34f919bfbc81a8689050f7e024b347867b8cba37
                              • Instruction Fuzzy Hash: 0D11ED393005104BCF1AB77AA01862EB7EBEFC871471144BED60ACB390DE369D02CB99
                              Function 056CF3C1 Relevance: .1, Instructions: 63COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1400407052.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_56c0000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6bc8829b0d6c716b2662a24c04f64d7861a7d2274c670472fe06fcf74cac4fca
                              • Instruction ID: e362a3862e027633ae09323976b0c6dd5cd54e3b398659a0639473bbf5b43264
                              • Opcode Fuzzy Hash: 6bc8829b0d6c716b2662a24c04f64d7861a7d2274c670472fe06fcf74cac4fca
                              • Instruction Fuzzy Hash: FE215EB9E002199FCB40DFA8D4116EEBBB5EF49310F10819AE949EB345D6349E14CBE2
                              Function 0288D007 Relevance: .1, Instructions: 61COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1391687136.000000000288D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0288D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_288d000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 71983e0fc855712e27f204d27bea19294618ae30dfaadb0bf99f979b6ad84811
                              • Instruction ID: 5ef342072af799991ae6e513b1e67b22177243891ec3ab96bf07a39ede0c5ff7
                              • Opcode Fuzzy Hash: 71983e0fc855712e27f204d27bea19294618ae30dfaadb0bf99f979b6ad84811
                              • Instruction Fuzzy Hash: F32192795093C08FCB02DF24D590715BF71EB46214F28C5DAD8898F2A7C33A980ACB62
                              Function 056CE448 Relevance: .1, Instructions: 58COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1400407052.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_56c0000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 004d230f4f781f116f93977abb63a730b9f8e1dcfc38ca2183a2af62efc025d8
                              • Instruction ID: 650ff5c09b9e03bd48c43e895d89880c2335d0375498f6b02e042ce1a8863c11
                              • Opcode Fuzzy Hash: 004d230f4f781f116f93977abb63a730b9f8e1dcfc38ca2183a2af62efc025d8
                              • Instruction Fuzzy Hash: 6B119E347006048FDB26DB78D454ABE7BB6FB89200F2085EED045CB7A6DA35AC46CB81
                              Function 056CE579 Relevance: .1, Instructions: 55COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1400407052.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_56c0000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fbecba8c5c1d3490a502d41660ee84943287740ab4c5375120fcc2949a6d29bc
                              • Instruction ID: d57e168836a69244f81f4a333c6debb92d912168fd22c6ce7bad4574096e37f5
                              • Opcode Fuzzy Hash: fbecba8c5c1d3490a502d41660ee84943287740ab4c5375120fcc2949a6d29bc
                              • Instruction Fuzzy Hash: 2A01F1353045604FCB06B739A45867EBBEAEFC961030544AED505CB390CE359D02CB55
                              Function 0288D1CF Relevance: .1, Instructions: 53COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1391687136.000000000288D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0288D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_288d000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                              • Instruction ID: b5656ca5535e55675e9180556e1fe3c51bab19ee5a052a4d791874bd002f6b73
                              • Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                              • Instruction Fuzzy Hash: 2C118E79504244DFCB15DF24D6C4B15BB62FB84314F24C6ADD8498B696C33AE44ACB52
                              Function 056CE458 Relevance: .1, Instructions: 51COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1400407052.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_56c0000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 436beeb1387f7812063e262fa46cdaef5531c9a55bd39b62ebde586824b5eb94
                              • Instruction ID: 3bc9913a758d076fcb0a434f7aa65da1020dd38a70b2f4256c94cc0edb0cb003
                              • Opcode Fuzzy Hash: 436beeb1387f7812063e262fa46cdaef5531c9a55bd39b62ebde586824b5eb94
                              • Instruction Fuzzy Hash: 83115B347006148FDB25EB69C444A7ABBFAFF85201F2085ADD006C7B65DB35EC46CB81
                              Function 056CDE19 Relevance: .1, Instructions: 51COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1400407052.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_56c0000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5369f22e2e26e90ad76be5732130044ee0d52b562a582f9aeb50147b80a3c24e
                              • Instruction ID: d83d5039dd147e3f2f01c5da36f2b374b89c7aeb8f919bcf8dba24fac0cf2ebb
                              • Opcode Fuzzy Hash: 5369f22e2e26e90ad76be5732130044ee0d52b562a582f9aeb50147b80a3c24e
                              • Instruction Fuzzy Hash: B20192357052108FC315DB28E4989BA7BF6EF8921171884AEE40ACB761CF31EC0ACB51
                              Function 056CDFF7 Relevance: .0, Instructions: 50COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1400407052.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_56c0000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1635efeffc499baa6e85a2e233b1b41612bbfb2ae3a07b245a78e640721424d7
                              • Instruction ID: 45f4056adcb2764038c5b31a90a8a373981cee8530ce257c0108a3d463761ca5
                              • Opcode Fuzzy Hash: 1635efeffc499baa6e85a2e233b1b41612bbfb2ae3a07b245a78e640721424d7
                              • Instruction Fuzzy Hash: 9001D4353006208FC7169738D01867D7BA5BF88610B0405EED80ACBB61DF65CD52C7D0
                              Function 056CEFFF Relevance: .0, Instructions: 46COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1400407052.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_56c0000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 66b9faafb250065ef931a64eafb211aaac5d36fa2029144029181a22e777d9da
                              • Instruction ID: 0a89183ee20f7629bd5c89c05d3766f165677d97ec237b24eba5a72a471a1407
                              • Opcode Fuzzy Hash: 66b9faafb250065ef931a64eafb211aaac5d36fa2029144029181a22e777d9da
                              • Instruction Fuzzy Hash: B011C975D00259AFCF01EFA8D9454EEBFF4EF49210F10869AE858E7211E7709B51CBA2
                              Function 0287D745 Relevance: .0, Instructions: 45COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1391611224.000000000287D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0287D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_287d000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f2dfe454c2ab3a5f9a58d7fbb5c68d4b5296158ce8a378f5212580ce353397e8
                              • Instruction ID: bff491c82b0f7f6768e56e158a422030c3fcaddd13025d095bdcc9d504786bdc
                              • Opcode Fuzzy Hash: f2dfe454c2ab3a5f9a58d7fbb5c68d4b5296158ce8a378f5212580ce353397e8
                              • Instruction Fuzzy Hash: 50012B3D0043449EE7205E15CDC4B26BF98DF412B9F08C51AED488F282D739D841CAB2
                              Function 056CDE28 Relevance: .0, Instructions: 45COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1400407052.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_56c0000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f742f7c5b2e03eb0954453468451bbcbcb104f6f56536c16d8a93e0151fdc1de
                              • Instruction ID: 3da187b7b7a2144a9abd3ff460b43831f2e1c3225a5c338b7d47167fe67b2780
                              • Opcode Fuzzy Hash: f742f7c5b2e03eb0954453468451bbcbcb104f6f56536c16d8a93e0151fdc1de
                              • Instruction Fuzzy Hash: 85017C357012108FC718DB29D48896ABBE6FF89614B1488AEE40ACB761CF71EC06CB50
                              Function 056CE008 Relevance: .0, Instructions: 42COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1400407052.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_56c0000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 98441878370fdfd33743ade04f543b4edfd23a1c7b233dfe4cb7c67298d7a50e
                              • Instruction ID: 192cc6fbe27a18c4d46972cfa70ad9c65bda350f775bf152ad78f3d5fa86f656
                              • Opcode Fuzzy Hash: 98441878370fdfd33743ade04f543b4edfd23a1c7b233dfe4cb7c67298d7a50e
                              • Instruction Fuzzy Hash: 35F08C303006209FC71AA739C008A3E7BA9FF88A50B0441ADE81ACB361DF62DD42C7D4
                              Function 056CF010 Relevance: .0, Instructions: 39COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1400407052.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_56c0000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bcf6b3f8dc57094b0ba9424e55a4c104a8b9e9506820041d3a35bfe3169d2bdf
                              • Instruction ID: b13840a94f05af3a41df7b4ee3080b04cd2d97c6417fe195d06f0e68e3062626
                              • Opcode Fuzzy Hash: bcf6b3f8dc57094b0ba9424e55a4c104a8b9e9506820041d3a35bfe3169d2bdf
                              • Instruction Fuzzy Hash: 5B019775D0061DAFCF41EFA8C5459EEBBF4FF48200F10855AE858A7310E7709A50CBA1
                              Function 0287D744 Relevance: .0, Instructions: 36COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1391611224.000000000287D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0287D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_287d000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: daf64a2c4b47967907474bb7180f3965e165661c1507f6569a4a23417128f078
                              • Instruction ID: 57c2b63e844f4a0fb010a2fdcc53ebe1eb89cc3f3799df3fcaa8285566db226e
                              • Opcode Fuzzy Hash: daf64a2c4b47967907474bb7180f3965e165661c1507f6569a4a23417128f078
                              • Instruction Fuzzy Hash: ADF0F6360043409EE7108E16CC88B62FFD8EF81374F18C15AED4C4B286C3799840CBB1
                              Function 056CD408 Relevance: .0, Instructions: 29COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1400407052.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_56c0000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 35e21b23ba3f55dcbf52b13bc4b4237b060acf690948d00c41b25428ebd487f9
                              • Instruction ID: 215377b0da11f12fca81a932b0c12447b29341ade3ebf013a13c642a7e247ae7
                              • Opcode Fuzzy Hash: 35e21b23ba3f55dcbf52b13bc4b4237b060acf690948d00c41b25428ebd487f9
                              • Instruction Fuzzy Hash: 7EE09279B007240B570CEB6FA44086AF7EBAFC8A1035CC1BED50DCB724ED30A8018A82
                              Function 056CD3F9 Relevance: .0, Instructions: 24COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1400407052.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_56c0000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 349932e75e7c9161ab6d083ad5cf62a35d9ef0eff7f5ff264ba744787e8e8a2f
                              • Instruction ID: 9165d47cd8b01d15c126089bb6757effc80ce575b26cb4a14ffa49c552a3ab30
                              • Opcode Fuzzy Hash: 349932e75e7c9161ab6d083ad5cf62a35d9ef0eff7f5ff264ba744787e8e8a2f
                              • Instruction Fuzzy Hash: A4E0D8756083604F9309962A6840466BBABEEC6610308C2FED409CF146E56059098BD1
                              Function 056CFF3C Relevance: .0, Instructions: 15COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1400407052.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_56c0000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 364a51208c750dca60c143898af7f35c78ff97f183d9239a8aa518dc3730b5d1
                              • Instruction ID: 56114c81ceae6c461b65e6663c5f9bfa3b9cc86e7039237df14a5334a21c67fb
                              • Opcode Fuzzy Hash: 364a51208c750dca60c143898af7f35c78ff97f183d9239a8aa518dc3730b5d1
                              • Instruction Fuzzy Hash: C9D0223B0444081BCB808FD0EC488CABFAAEFA2280345C0DAF9188E330D3228029DA58

                              Non-executed Functions

                              Function 056CAE50 Relevance: 5.4, Strings: 4, Instructions: 413COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1400407052.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_56c0000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID:
                              • String ID: (q$(q$Hq$Teq
                              • API String ID: 0-4184104852
                              • Opcode ID: 90cc0c66871784c8ca2ea0f952f93c0ea6588f16e3fc8b5fbf1225729b88fad3
                              • Instruction ID: 34c1830e549bef3de77913bca9b2559866a188e4b6c6e8cf68b358e642f43d0d
                              • Opcode Fuzzy Hash: 90cc0c66871784c8ca2ea0f952f93c0ea6588f16e3fc8b5fbf1225729b88fad3
                              • Instruction Fuzzy Hash: 1BE18E75A002088FDB18DFA9D4547AEBBF6EF88310F24856DD10AEB3A1DF749846CB51
                              Function 056CD1F8 Relevance: 16.4, Strings: 13, Instructions: 138COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1400407052.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_56c0000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID:
                              • String ID: 4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q
                              • API String ID: 0-2605170906
                              • Opcode ID: b414de6879967505b978391dff008ca14d3b6dab6d1348eb24a990c8a5f4f90b
                              • Instruction ID: 9a8a358935357711a9a391b683cab21e96f08a6baea5a0ec1ae2e17473f30adb
                              • Opcode Fuzzy Hash: b414de6879967505b978391dff008ca14d3b6dab6d1348eb24a990c8a5f4f90b
                              • Instruction Fuzzy Hash: 7E513474F0020A9FCB09EBE9F8516DE7BB2FF85300B5055A9D005AF259DB346D0ACB92
                              Function 056CD208 Relevance: 16.4, Strings: 13, Instructions: 118COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1400407052.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_56c0000_yVSkoplfDgy.jbxd
                              Similarity
                              • API ID:
                              • String ID: 4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q
                              • API String ID: 0-2605170906
                              • Opcode ID: 0b623d5c28428be5bb554af50ad11de85e138d8fda8e5e9b8c75cead0383f09f
                              • Instruction ID: bcd95e64eb12c4b5ee4af536068c05a27b8af9bb48f31d38bd7fd4634b493748
                              • Opcode Fuzzy Hash: 0b623d5c28428be5bb554af50ad11de85e138d8fda8e5e9b8c75cead0383f09f
                              • Instruction Fuzzy Hash: 4F51AD74E0121B9FCB09EBA9F8519DE7BB2FF44300B505698D005AF259DB346D0ACF96

                              Execution Graph

                              Execution Coverage:1.8%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:3.6%
                              Total number of Nodes:643
                              Total number of Limit Nodes:13
                              execution_graph 45803 404e06 WaitForSingleObject 45804 404e20 SetEvent CloseHandle 45803->45804 45805 404e37 closesocket 45803->45805 45806 404eb8 45804->45806 45807 404e44 45805->45807 45808 404e5a 45807->45808 45816 4050c4 83 API calls 45807->45816 45809 404e6c WaitForSingleObject 45808->45809 45810 404eae SetEvent CloseHandle 45808->45810 45817 41c4c6 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 45809->45817 45810->45806 45813 404e7b SetEvent WaitForSingleObject 45818 41c4c6 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 45813->45818 45815 404e93 SetEvent CloseHandle CloseHandle 45815->45810 45816->45808 45817->45813 45818->45815 45819 40163e 45820 401646 45819->45820 45821 401649 45819->45821 45822 401688 45821->45822 45825 401676 45821->45825 45827 43229f 45822->45827 45824 40167c 45826 43229f new 22 API calls 45825->45826 45826->45824 45831 4322a4 45827->45831 45829 4322d0 45829->45824 45831->45829 45834 439adb 45831->45834 45841 440480 7 API calls 2 library calls 45831->45841 45842 4329bd RaiseException Concurrency::cancel_current_task __CxxThrowException@8 45831->45842 45843 43301b RaiseException Concurrency::cancel_current_task __CxxThrowException@8 45831->45843 45839 443649 ___crtLCMapStringA 45834->45839 45835 443687 45845 43ad91 20 API calls __dosmaperr 45835->45845 45836 443672 RtlAllocateHeap 45838 443685 45836->45838 45836->45839 45838->45831 45839->45835 45839->45836 45844 440480 7 API calls 2 library calls 45839->45844 45841->45831 45844->45839 45845->45838 45846 43263c 45847 432648 CallCatchBlock 45846->45847 45872 43234b 45847->45872 45849 43264f 45851 432678 45849->45851 46136 4327ae IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 45849->46136 45858 4326b7 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 45851->45858 46137 441763 5 API calls __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 45851->46137 45853 432691 45855 432697 CallCatchBlock 45853->45855 46138 441707 5 API calls __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 45853->46138 45856 432717 45883 4328c9 45856->45883 45858->45856 46139 4408e7 35 API calls 6 library calls 45858->46139 45867 432743 45869 43274c 45867->45869 46140 4408c2 28 API calls _Atexit 45867->46140 46141 4324c2 13 API calls 2 library calls 45869->46141 45873 432354 45872->45873 46142 4329da IsProcessorFeaturePresent 45873->46142 45875 432360 46143 436cd1 10 API calls 4 library calls 45875->46143 45877 432365 45882 432369 45877->45882 46144 4415bf 45877->46144 45879 432380 45879->45849 45882->45849 46210 434c30 45883->46210 45886 43271d 45887 4416b4 45886->45887 46212 44c239 45887->46212 45889 4416bd 45890 432726 45889->45890 46216 443d25 35 API calls 45889->46216 45892 40d3f0 45890->45892 46218 41a8da LoadLibraryA GetProcAddress 45892->46218 45894 40d40c 46225 40dd83 45894->46225 45896 40d415 46240 4020d6 45896->46240 45899 4020d6 28 API calls 45900 40d433 45899->45900 46246 419d87 45900->46246 45904 40d445 46272 401e6d 45904->46272 45906 40d44e 45907 40d461 45906->45907 45908 40d4b8 45906->45908 46278 40e609 45907->46278 45909 401e45 22 API calls 45908->45909 45911 40d4c6 45909->45911 45915 401e45 22 API calls 45911->45915 45914 40d47f 46293 40f98d 45914->46293 45916 40d4e5 45915->45916 46309 4052fe 45916->46309 45919 40d4f4 46314 408209 45919->46314 45928 40d4a3 45930 401fb8 11 API calls 45928->45930 45932 40d4ac 45930->45932 46131 4407f6 GetModuleHandleW 45932->46131 45933 401fb8 11 API calls 45934 40d520 45933->45934 45935 401e45 22 API calls 45934->45935 45936 40d529 45935->45936 46331 401fa0 45936->46331 45938 40d534 45939 401e45 22 API calls 45938->45939 45940 40d54f 45939->45940 45941 401e45 22 API calls 45940->45941 45942 40d569 45941->45942 45943 40d5cf 45942->45943 46335 40822a 28 API calls 45942->46335 45945 401e45 22 API calls 45943->45945 45950 40d5dc 45945->45950 45946 40d594 45947 401fc2 28 API calls 45946->45947 45948 40d5a0 45947->45948 45951 401fb8 11 API calls 45948->45951 45949 40d650 45955 40d660 CreateMutexA GetLastError 45949->45955 45950->45949 45952 401e45 22 API calls 45950->45952 45953 40d5a9 45951->45953 45954 40d5f5 45952->45954 46336 411f34 RegOpenKeyExA RegQueryValueExA RegCloseKey 45953->46336 45958 40d5fc OpenMutexA 45954->45958 45956 40d987 45955->45956 45957 40d67f 45955->45957 45961 401fb8 11 API calls 45956->45961 45999 40d9ec 45956->45999 45959 40d688 45957->45959 45960 40d68a GetModuleFileNameW 45957->45960 45963 40d622 45958->45963 45964 40d60f WaitForSingleObject CloseHandle 45958->45964 45959->45960 46339 4192ae 33 API calls 45960->46339 45985 40d99a ___scrt_fastfail 45961->45985 46337 411f34 RegOpenKeyExA RegQueryValueExA RegCloseKey 45963->46337 45964->45963 45966 40d5c5 45966->45943 45968 40dd0f 45966->45968 45967 40d6a0 45969 40d6f5 45967->45969 45971 401e45 22 API calls 45967->45971 46369 41239a 30 API calls 45968->46369 45973 401e45 22 API calls 45969->45973 45979 40d6bf 45971->45979 45981 40d720 45973->45981 45974 40dd22 46370 410eda 65 API calls ___scrt_fastfail 45974->46370 45976 40d63b 45976->45949 46338 41239a 30 API calls 45976->46338 45977 40dcfa 46007 40dd6a 45977->46007 46371 402073 28 API calls 45977->46371 45979->45969 45986 40d6f7 45979->45986 45993 40d6db 45979->45993 45980 40d731 45984 401e45 22 API calls 45980->45984 45981->45980 46343 40e501 CreateProcessA CloseHandle CloseHandle ___scrt_fastfail 45981->46343 45992 40d73a 45984->45992 46351 4120e8 RegOpenKeyExA RegQueryValueExA RegCloseKey 45985->46351 46341 411eea RegOpenKeyExA RegQueryValueExA RegCloseKey 45986->46341 45987 40dd3a 46372 4052dd 28 API calls 45987->46372 45998 401e45 22 API calls 45992->45998 45993->45969 46340 4067a0 36 API calls ___scrt_fastfail 45993->46340 45995 40d70d 45995->45969 46342 4066a6 58 API calls 45995->46342 46003 40d755 45998->46003 46004 401e45 22 API calls 45999->46004 46009 401e45 22 API calls 46003->46009 46006 40da10 46004->46006 46352 402073 28 API calls 46006->46352 46373 413980 161 API calls _strftime 46007->46373 46012 40d76f 46009->46012 46014 401e45 22 API calls 46012->46014 46013 40da22 46353 41215f 14 API calls 46013->46353 46016 40d789 46014->46016 46020 401e45 22 API calls 46016->46020 46017 40da38 46018 401e45 22 API calls 46017->46018 46019 40da44 46018->46019 46354 439867 39 API calls _strftime 46019->46354 46023 40d7a3 46020->46023 46022 40d810 46022->45985 46029 401e45 22 API calls 46022->46029 46062 40d89f ___scrt_fastfail 46022->46062 46023->46022 46025 401e45 22 API calls 46023->46025 46024 40da51 46026 40da7e 46024->46026 46355 41aa4f 81 API calls ___scrt_fastfail 46024->46355 46034 40d7b8 _wcslen 46025->46034 46356 402073 28 API calls 46026->46356 46032 40d831 46029->46032 46030 40da70 CreateThread 46030->46026 46611 41b212 10 API calls 46030->46611 46031 40da8d 46357 402073 28 API calls 46031->46357 46036 401e45 22 API calls 46032->46036 46034->46022 46040 401e45 22 API calls 46034->46040 46035 40da9c 46358 4194da 79 API calls 46035->46358 46038 40d843 46036->46038 46044 401e45 22 API calls 46038->46044 46039 40daa1 46041 401e45 22 API calls 46039->46041 46042 40d7d3 46040->46042 46043 40daad 46041->46043 46046 401e45 22 API calls 46042->46046 46048 401e45 22 API calls 46043->46048 46045 40d855 46044->46045 46050 401e45 22 API calls 46045->46050 46047 40d7e8 46046->46047 46344 40c5ed 31 API calls 46047->46344 46049 40dabf 46048->46049 46053 401e45 22 API calls 46049->46053 46052 40d87e 46050->46052 46058 401e45 22 API calls 46052->46058 46055 40dad5 46053->46055 46054 40d7fb 46345 401ef3 28 API calls 46054->46345 46061 401e45 22 API calls 46055->46061 46057 40d807 46346 401ee9 11 API calls 46057->46346 46060 40d88f 46058->46060 46347 40b871 46 API calls _wcslen 46060->46347 46063 40daf5 46061->46063 46348 412338 31 API calls 46062->46348 46359 439867 39 API calls _strftime 46063->46359 46066 40d942 ctype 46070 401e45 22 API calls 46066->46070 46068 40db02 46069 401e45 22 API calls 46068->46069 46071 40db0d 46069->46071 46072 40d959 46070->46072 46073 401e45 22 API calls 46071->46073 46072->45999 46075 401e45 22 API calls 46072->46075 46074 40db1e 46073->46074 46360 408f1f 166 API calls _wcslen 46074->46360 46076 40d976 46075->46076 46349 419bca 28 API calls 46076->46349 46079 40d982 46350 40de34 88 API calls 46079->46350 46080 40db33 46082 401e45 22 API calls 46080->46082 46084 40db3c 46082->46084 46083 40db83 46085 401e45 22 API calls 46083->46085 46084->46083 46086 43229f new 22 API calls 46084->46086 46091 40db91 46085->46091 46087 40db53 46086->46087 46088 401e45 22 API calls 46087->46088 46089 40db65 46088->46089 46094 40db6c CreateThread 46089->46094 46090 40dbd9 46093 401e45 22 API calls 46090->46093 46091->46090 46092 43229f new 22 API calls 46091->46092 46095 40dba5 46092->46095 46099 40dbe2 46093->46099 46094->46083 46609 417f6a 101 API calls 2 library calls 46094->46609 46096 401e45 22 API calls 46095->46096 46097 40dbb6 46096->46097 46102 40dbbd CreateThread 46097->46102 46098 40dc4c 46100 401e45 22 API calls 46098->46100 46099->46098 46101 401e45 22 API calls 46099->46101 46104 40dc55 46100->46104 46103 40dbfc 46101->46103 46102->46090 46606 417f6a 101 API calls 2 library calls 46102->46606 46106 401e45 22 API calls 46103->46106 46105 40dc99 46104->46105 46108 401e45 22 API calls 46104->46108 46366 4195f8 79 API calls 46105->46366 46109 40dc11 46106->46109 46111 40dc69 46108->46111 46361 40c5a1 31 API calls 46109->46361 46110 40dca2 46367 401ef3 28 API calls 46110->46367 46116 401e45 22 API calls 46111->46116 46113 40dcad 46368 401ee9 11 API calls 46113->46368 46119 40dc7e 46116->46119 46117 40dc24 46362 401ef3 28 API calls 46117->46362 46118 40dcb6 CreateThread 46123 40dce5 46118->46123 46124 40dcd9 CreateThread 46118->46124 46607 40e18d 122 API calls 46118->46607 46364 439867 39 API calls _strftime 46119->46364 46122 40dc30 46363 401ee9 11 API calls 46122->46363 46123->45977 46126 40dcee CreateThread 46123->46126 46124->46123 46608 410b5c 137 API calls 46124->46608 46126->45977 46610 411140 38 API calls ___scrt_fastfail 46126->46610 46128 40dc39 CreateThread 46128->46098 46605 401bc9 49 API calls _strftime 46128->46605 46129 40dc8b 46365 40b0a3 7 API calls 46129->46365 46132 432739 46131->46132 46132->45867 46133 44091f 46132->46133 46613 44069c 46133->46613 46136->45849 46137->45853 46138->45858 46139->45856 46140->45869 46141->45855 46142->45875 46143->45877 46148 44cd48 46144->46148 46147 436cfa 8 API calls 3 library calls 46147->45882 46151 44cd65 46148->46151 46152 44cd61 46148->46152 46150 432372 46150->45879 46150->46147 46151->46152 46154 4475a6 46151->46154 46166 432d4b 46152->46166 46155 4475b2 CallCatchBlock 46154->46155 46173 442d9a EnterCriticalSection 46155->46173 46157 4475b9 46174 44d363 46157->46174 46159 4475c8 46165 4475d7 46159->46165 46185 44743a 23 API calls 46159->46185 46162 4475d2 46186 4474f0 GetStdHandle GetFileType 46162->46186 46163 4475e8 CallCatchBlock 46163->46151 46187 4475f3 LeaveCriticalSection std::_Lockit::~_Lockit 46165->46187 46167 432d56 IsProcessorFeaturePresent 46166->46167 46168 432d54 46166->46168 46170 432d98 46167->46170 46168->46150 46209 432d5c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 46170->46209 46172 432e7b 46172->46150 46173->46157 46175 44d36f CallCatchBlock 46174->46175 46176 44d393 46175->46176 46177 44d37c 46175->46177 46188 442d9a EnterCriticalSection 46176->46188 46196 43ad91 20 API calls __dosmaperr 46177->46196 46180 44d3cb 46197 44d3f2 LeaveCriticalSection std::_Lockit::~_Lockit 46180->46197 46181 44d39f 46181->46180 46189 44d2b4 46181->46189 46183 44d381 _strftime CallCatchBlock 46183->46159 46185->46162 46186->46165 46187->46163 46188->46181 46198 443005 46189->46198 46191 44d2d3 46206 443c92 20 API calls __dosmaperr 46191->46206 46193 44d2c6 46193->46191 46205 445fb3 11 API calls 2 library calls 46193->46205 46194 44d325 46194->46181 46196->46183 46197->46183 46203 443012 ___crtLCMapStringA 46198->46203 46199 443052 46208 43ad91 20 API calls __dosmaperr 46199->46208 46200 44303d RtlAllocateHeap 46201 443050 46200->46201 46200->46203 46201->46193 46203->46199 46203->46200 46207 440480 7 API calls 2 library calls 46203->46207 46205->46193 46206->46194 46207->46203 46208->46201 46209->46172 46211 4328dc GetStartupInfoW 46210->46211 46211->45886 46213 44c24b 46212->46213 46214 44c242 46212->46214 46213->45889 46217 44c138 48 API calls 5 library calls 46214->46217 46216->45889 46217->46213 46219 41a919 LoadLibraryA GetProcAddress 46218->46219 46220 41a909 GetModuleHandleA GetProcAddress 46218->46220 46221 41a947 GetModuleHandleA GetProcAddress 46219->46221 46222 41a937 GetModuleHandleA GetProcAddress 46219->46222 46220->46219 46223 41a973 24 API calls 46221->46223 46224 41a95f GetModuleHandleA GetProcAddress 46221->46224 46222->46221 46223->45894 46224->46223 46374 419493 FindResourceA 46225->46374 46228 439adb new 21 API calls 46229 40ddad ctype 46228->46229 46377 402097 46229->46377 46232 401fc2 28 API calls 46233 40ddd3 46232->46233 46234 401fb8 11 API calls 46233->46234 46235 40dddc 46234->46235 46236 439adb new 21 API calls 46235->46236 46237 40dded ctype 46236->46237 46383 4062ee 46237->46383 46239 40de20 46239->45896 46241 4020ec 46240->46241 46242 4023ae 11 API calls 46241->46242 46243 402106 46242->46243 46244 402549 28 API calls 46243->46244 46245 402114 46244->46245 46245->45899 46435 4020bf 46246->46435 46248 401fb8 11 API calls 46249 419e3c 46248->46249 46250 401fb8 11 API calls 46249->46250 46252 419e44 46250->46252 46251 419e0c 46441 404182 28 API calls 46251->46441 46255 401fb8 11 API calls 46252->46255 46257 40d43c 46255->46257 46256 419e18 46258 401fc2 28 API calls 46256->46258 46268 40e563 46257->46268 46260 419e21 46258->46260 46259 401fc2 28 API calls 46266 419d9a 46259->46266 46261 401fb8 11 API calls 46260->46261 46263 419e29 46261->46263 46262 401fb8 11 API calls 46262->46266 46442 41ab9a 28 API calls 46263->46442 46266->46251 46266->46259 46266->46262 46267 419e0a 46266->46267 46439 404182 28 API calls 46266->46439 46440 41ab9a 28 API calls 46266->46440 46267->46248 46269 40e56f 46268->46269 46271 40e576 46268->46271 46443 402143 11 API calls 46269->46443 46271->45904 46273 402143 46272->46273 46274 40217f 46273->46274 46444 402710 11 API calls 46273->46444 46274->45906 46276 402164 46445 4026f2 11 API calls std::_Deallocate 46276->46445 46279 40e624 46278->46279 46446 40f57c 46279->46446 46285 40e663 46286 40d473 46285->46286 46462 40f663 46285->46462 46288 401e45 46286->46288 46289 401e4d 46288->46289 46291 401e55 46289->46291 46557 402138 22 API calls 46289->46557 46291->45914 46295 40f997 __EH_prolog 46293->46295 46558 40fcfb 46295->46558 46296 40f663 36 API calls 46297 40fb90 46296->46297 46562 40fce0 46297->46562 46299 40d491 46301 40e5ba 46299->46301 46300 40fa1a 46300->46296 46568 40f4c6 46301->46568 46304 40d49a 46306 40dd70 46304->46306 46305 40f663 36 API calls 46305->46304 46578 40e5da 70 API calls 46306->46578 46308 40dd7b 46310 4020bf 11 API calls 46309->46310 46311 40530a 46310->46311 46579 403280 46311->46579 46313 405326 46313->45919 46583 4051cf 46314->46583 46316 408217 46587 402035 46316->46587 46319 401fc2 46320 401fd1 46319->46320 46327 402019 46319->46327 46321 4023ae 11 API calls 46320->46321 46322 401fda 46321->46322 46323 40201c 46322->46323 46324 401ff5 46322->46324 46325 40265a 11 API calls 46323->46325 46602 403078 28 API calls 46324->46602 46325->46327 46328 401fb8 46327->46328 46329 4023ae 11 API calls 46328->46329 46330 401fc1 46329->46330 46330->45933 46332 401fb2 46331->46332 46333 401fa9 46331->46333 46332->45938 46603 4025c0 28 API calls 46333->46603 46335->45946 46336->45966 46337->45976 46338->45949 46339->45967 46340->45969 46341->45995 46342->45969 46343->45980 46344->46054 46345->46057 46346->46022 46347->46062 46348->46066 46349->46079 46350->45956 46351->45999 46352->46013 46353->46017 46354->46024 46355->46030 46356->46031 46357->46035 46358->46039 46359->46068 46360->46080 46361->46117 46362->46122 46363->46128 46364->46129 46365->46105 46366->46110 46367->46113 46368->46118 46369->45974 46371->45987 46604 418ccd 104 API calls 46373->46604 46375 4194b0 LoadResource LockResource SizeofResource 46374->46375 46376 40dd9e 46374->46376 46375->46376 46376->46228 46378 40209f 46377->46378 46386 4023ae 46378->46386 46380 4020aa 46390 4024ea 46380->46390 46382 4020b9 46382->46232 46384 402097 28 API calls 46383->46384 46385 406302 46384->46385 46385->46239 46387 402408 46386->46387 46388 4023b8 46386->46388 46387->46380 46388->46387 46397 402787 11 API calls std::_Deallocate 46388->46397 46391 4024fa 46390->46391 46392 402500 46391->46392 46393 402515 46391->46393 46398 402549 46392->46398 46408 4028c8 46393->46408 46396 402513 46396->46382 46397->46387 46419 402868 46398->46419 46400 40255d 46401 402572 46400->46401 46402 402587 46400->46402 46424 402a14 22 API calls 46401->46424 46404 4028c8 28 API calls 46402->46404 46407 402585 46404->46407 46405 40257b 46425 4029ba 22 API calls 46405->46425 46407->46396 46409 4028d1 46408->46409 46410 402933 46409->46410 46411 4028db 46409->46411 46433 402884 22 API calls 46410->46433 46414 4028e4 46411->46414 46416 4028f7 46411->46416 46427 402c8e 46414->46427 46417 4028f5 46416->46417 46418 4023ae 11 API calls 46416->46418 46417->46396 46418->46417 46420 402870 46419->46420 46421 402878 46420->46421 46426 402c83 22 API calls 46420->46426 46421->46400 46424->46405 46425->46407 46428 402c98 __EH_prolog 46427->46428 46434 402e34 22 API calls 46428->46434 46430 4023ae 11 API calls 46432 402d72 46430->46432 46431 402d04 46431->46430 46432->46417 46434->46431 46436 4020c7 46435->46436 46437 4023ae 11 API calls 46436->46437 46438 4020d2 46437->46438 46438->46266 46439->46266 46440->46266 46441->46256 46442->46267 46443->46271 46444->46276 46445->46274 46466 40f821 46446->46466 46449 40f55d 46544 40f7fb 46449->46544 46451 40f565 46549 40f44c 46451->46549 46453 40e651 46454 40f502 46453->46454 46455 40f510 46454->46455 46461 40f53f std::ios_base::_Ios_base_dtor 46454->46461 46554 4335cb 65 API calls 46455->46554 46457 40f51d 46458 40f44c 20 API calls 46457->46458 46457->46461 46459 40f52e 46458->46459 46555 40fbc8 77 API calls 6 library calls 46459->46555 46461->46285 46463 40f66b 46462->46463 46464 40f67e 46462->46464 46556 40f854 36 API calls 46463->46556 46464->46286 46473 40d2ce 46466->46473 46470 40f83c 46471 40e631 46470->46471 46472 40f663 36 API calls 46470->46472 46471->46449 46472->46471 46474 40d2ff 46473->46474 46475 43229f new 22 API calls 46474->46475 46476 40d306 46475->46476 46483 40cb7a 46476->46483 46479 40f887 46480 40f896 46479->46480 46518 40f8b7 46480->46518 46482 40f89c std::ios_base::_Ios_base_dtor 46482->46470 46486 4332ea 46483->46486 46485 40cb84 46485->46479 46487 4332f6 __EH_prolog3 46486->46487 46498 4330a5 46487->46498 46490 433332 46504 4330fd 46490->46504 46493 433314 46512 43347f 37 API calls _Atexit 46493->46512 46495 433370 std::locale::_Locimp::_Locimp_dtor 46495->46485 46496 43331c 46513 433240 21 API calls 2 library calls 46496->46513 46499 4330b4 46498->46499 46501 4330bb 46498->46501 46514 442df9 EnterCriticalSection _Atexit 46499->46514 46502 4330b9 46501->46502 46515 43393c EnterCriticalSection 46501->46515 46502->46490 46511 43345a 22 API calls 2 library calls 46502->46511 46505 433107 46504->46505 46506 442e02 46504->46506 46507 43311a 46505->46507 46516 43394a LeaveCriticalSection 46505->46516 46517 442de2 LeaveCriticalSection 46506->46517 46507->46495 46510 442e09 46510->46495 46511->46493 46512->46496 46513->46490 46514->46502 46515->46502 46516->46507 46517->46510 46519 4330a5 std::_Lockit::_Lockit 2 API calls 46518->46519 46520 40f8c9 46519->46520 46539 40cae9 4 API calls 2 library calls 46520->46539 46522 40f8dc 46523 40f8ef 46522->46523 46540 40ccd4 77 API calls new 46522->46540 46524 4330fd std::_Lockit::~_Lockit 2 API calls 46523->46524 46525 40f925 46524->46525 46525->46482 46527 40f8ff 46528 40f906 46527->46528 46529 40f92d 46527->46529 46541 4332b6 22 API calls new 46528->46541 46542 436ec6 RaiseException 46529->46542 46532 40f943 46533 40f984 46532->46533 46543 43219b EnterCriticalSection LeaveCriticalSection WaitForSingleObjectEx __Init_thread_wait 46532->46543 46533->46482 46539->46522 46540->46527 46541->46523 46542->46532 46545 43229f new 22 API calls 46544->46545 46546 40f80b 46545->46546 46547 40cb7a 41 API calls 46546->46547 46548 40f813 46547->46548 46548->46451 46550 40f469 46549->46550 46551 40f48b 46550->46551 46553 43aa1a 20 API calls 2 library calls 46550->46553 46551->46453 46553->46551 46554->46457 46555->46461 46556->46464 46560 40fd0e 46558->46560 46559 40fd3c 46559->46300 46560->46559 46566 40fe14 36 API calls 46560->46566 46563 40fce8 46562->46563 46565 40fcf3 46563->46565 46567 40fe79 36 API calls __EH_prolog 46563->46567 46565->46299 46566->46559 46567->46565 46569 40f4d0 46568->46569 46570 40f4d4 46568->46570 46573 40f44c 20 API calls 46569->46573 46576 40f30b 67 API calls 46570->46576 46572 40f4d9 46577 43a716 64 API calls 3 library calls 46572->46577 46575 40e5c5 46573->46575 46575->46304 46575->46305 46576->46572 46577->46569 46578->46308 46581 40328a 46579->46581 46580 4032a9 46580->46313 46581->46580 46582 4028c8 28 API calls 46581->46582 46582->46580 46584 4051db 46583->46584 46593 405254 46584->46593 46586 4051e8 46586->46316 46588 402041 46587->46588 46589 4023ae 11 API calls 46588->46589 46590 40205b 46589->46590 46598 40265a 46590->46598 46594 405262 46593->46594 46597 402884 22 API calls 46594->46597 46599 40266b 46598->46599 46600 4023ae 11 API calls 46599->46600 46601 40206d 46600->46601 46601->46319 46602->46327 46603->46332 46612 411253 61 API calls 46608->46612 46614 4406a8 _Atexit 46613->46614 46615 4406c0 46614->46615 46617 4407f6 _Atexit GetModuleHandleW 46614->46617 46635 442d9a EnterCriticalSection 46615->46635 46618 4406b4 46617->46618 46618->46615 46647 44083a GetModuleHandleExW 46618->46647 46619 440766 46636 4407a6 46619->46636 46622 4406c8 46622->46619 46624 44073d 46622->46624 46655 441450 20 API calls _Atexit 46622->46655 46625 440755 46624->46625 46656 441707 5 API calls __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 46624->46656 46657 441707 5 API calls __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 46625->46657 46626 440783 46639 4407b5 46626->46639 46627 4407af 46658 454909 5 API calls __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 46627->46658 46635->46622 46659 442de2 LeaveCriticalSection 46636->46659 46638 44077f 46638->46626 46638->46627 46660 4461f8 46639->46660 46642 4407e3 46644 44083a _Atexit 8 API calls 46642->46644 46643 4407c3 GetPEB 46643->46642 46645 4407d3 GetCurrentProcess TerminateProcess 46643->46645 46646 4407eb ExitProcess 46644->46646 46645->46642 46648 440864 GetProcAddress 46647->46648 46649 440887 46647->46649 46650 440879 46648->46650 46651 440896 46649->46651 46652 44088d FreeLibrary 46649->46652 46650->46649 46653 432d4b __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 46651->46653 46652->46651 46654 4408a0 46653->46654 46654->46615 46655->46624 46656->46625 46657->46619 46659->46638 46661 44621d 46660->46661 46665 446213 46660->46665 46666 4459f9 46661->46666 46663 432d4b __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 46664 4407bf 46663->46664 46664->46642 46664->46643 46665->46663 46667 445a25 46666->46667 46668 445a29 46666->46668 46667->46668 46672 445a49 46667->46672 46673 445a95 46667->46673 46668->46665 46670 445a55 GetProcAddress 46671 445a65 __crt_fast_encode_pointer 46670->46671 46671->46668 46672->46668 46672->46670 46674 445ab6 LoadLibraryExW 46673->46674 46678 445aab 46673->46678 46675 445ad3 GetLastError 46674->46675 46676 445aeb 46674->46676 46675->46676 46679 445ade LoadLibraryExW 46675->46679 46677 445b02 FreeLibrary 46676->46677 46676->46678 46677->46678 46678->46667 46679->46676

                              Executed Functions

                              Function 0041A8DA Relevance: 105.1, APIs: 36, Strings: 24, Instructions: 130libraryloaderCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              APIs
                              • LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A8EF
                              • GetProcAddress.KERNEL32(00000000), ref: 0041A8F8
                              • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A90F
                              • GetProcAddress.KERNEL32(00000000), ref: 0041A912
                              • LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A924
                              • GetProcAddress.KERNEL32(00000000), ref: 0041A927
                              • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A93D
                              • GetProcAddress.KERNEL32(00000000), ref: 0041A940
                              • GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D40C), ref: 0041A951
                              • GetProcAddress.KERNEL32(00000000), ref: 0041A954
                              • GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040D40C), ref: 0041A969
                              • GetProcAddress.KERNEL32(00000000), ref: 0041A96C
                              • LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040D40C), ref: 0041A97D
                              • GetProcAddress.KERNEL32(00000000), ref: 0041A980
                              • LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040D40C), ref: 0041A98C
                              • GetProcAddress.KERNEL32(00000000), ref: 0041A98F
                              • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D40C), ref: 0041A9A1
                              • GetProcAddress.KERNEL32(00000000), ref: 0041A9A4
                              • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D40C), ref: 0041A9B1
                              • GetProcAddress.KERNEL32(00000000), ref: 0041A9B4
                              • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D40C), ref: 0041A9C5
                              • GetProcAddress.KERNEL32(00000000), ref: 0041A9C8
                              • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D40C), ref: 0041A9D5
                              • GetProcAddress.KERNEL32(00000000), ref: 0041A9D8
                              • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D40C), ref: 0041A9EA
                              • GetProcAddress.KERNEL32(00000000), ref: 0041A9ED
                              • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D40C), ref: 0041A9FA
                              • GetProcAddress.KERNEL32(00000000), ref: 0041A9FD
                              • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D40C), ref: 0041AA0A
                              • GetProcAddress.KERNEL32(00000000), ref: 0041AA0D
                              • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemTimes,?,?,?,?,0040D40C), ref: 0041AA1F
                              • GetProcAddress.KERNEL32(00000000), ref: 0041AA22
                              • LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C,?,?,?,?,0040D40C), ref: 0041AA30
                              • GetProcAddress.KERNEL32(00000000), ref: 0041AA33
                              • LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow,?,?,?,?,0040D40C), ref: 0041AA40
                              • GetProcAddress.KERNEL32(00000000), ref: 0041AA43
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$HandleModule$LibraryLoad
                              • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetModuleFileNameExA$GetModuleFileNameExW$GetMonitorInfoW$GetSystemTimes$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$NtUnmapViewOfSection$Psapi.dll$SetProcessDEPPolicy$SetProcessDpiAware$SetProcessDpiAwareness$Shell32$Shlwapi.dll$kernel32$kernel32.dll$ntdll.dll$shcore$user32
                              • API String ID: 551388010-2474455403
                              • Opcode ID: e80cee8c84c8c84204283680f0404711a146afcd0be7a07adf6e8d3a182e926f
                              • Instruction ID: 1e7ebd14e1f9a52016720e07cc743ec1e909bc11fdf6f09267ddb838bd68d733
                              • Opcode Fuzzy Hash: e80cee8c84c8c84204283680f0404711a146afcd0be7a07adf6e8d3a182e926f
                              • Instruction Fuzzy Hash: 9031EBF0E413587ADB207BBA5C09E5B3E9CDA80794711052BB408D3661FAFC9C448E6E
                              Function 004407B5 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 450 4407b5-4407c1 call 4461f8 453 4407e3-4407ef call 44083a ExitProcess 450->453 454 4407c3-4407d1 GetPEB 450->454 454->453 456 4407d3-4407dd GetCurrentProcess TerminateProcess 454->456 456->453
                              APIs
                              • GetCurrentProcess.KERNEL32(00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002,00000000), ref: 004407D6
                              • TerminateProcess.KERNEL32(00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002,00000000), ref: 004407DD
                              • ExitProcess.KERNEL32 ref: 004407EF
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$CurrentExitTerminate
                              • String ID:
                              • API String ID: 1703294689-0
                              • Opcode ID: ab47e799b5bc4cc6dde358da0dc0a23fd4678ab9e3bf0635ceb4545ab71368f2
                              • Instruction ID: 8c86c1f28e0fd2f6406888839527a8aea1509f7e03a0ffdd8510570f14deced8
                              • Opcode Fuzzy Hash: ab47e799b5bc4cc6dde358da0dc0a23fd4678ab9e3bf0635ceb4545ab71368f2
                              • Instruction Fuzzy Hash: 9AE04631000608ABEF017F20DD48A493B29EB40346F410029F9088B232CB3DED52CA89
                              Function 0040D3F0 Relevance: 69.0, APIs: 16, Strings: 23, Instructions: 774COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 7 40d3f0-40d45f call 41a8da call 40dd83 call 4020d6 * 2 call 419d87 call 40e563 call 401e6d call 43a300 24 40d461-40d4b5 call 40e609 call 401e45 call 401f8b call 40f98d call 40e5ba call 40dd70 call 401fb8 7->24 25 40d4b8-40d57f call 401e45 call 401f8b call 401e45 call 4052fe call 408209 call 401fc2 call 401fb8 * 2 call 401e45 call 401fa0 call 405a86 call 401e45 call 4051c3 call 401e45 call 4051c3 7->25 70 40d581-40d5c9 call 40822a call 401fc2 call 401fb8 call 401f8b call 411f34 25->70 71 40d5cf-40d5ea call 401e45 call 40fbab 25->71 70->71 105 40dd0f-40dd27 call 401f8b call 41239a call 410eda 70->105 80 40d656-40d679 call 401f8b CreateMutexA GetLastError 71->80 81 40d5ec-40d60d call 401e45 call 401f8b OpenMutexA 71->81 90 40d991-40d99a call 401fb8 80->90 91 40d67f-40d686 80->91 98 40d622-40d63f call 401f8b call 411f34 81->98 99 40d60f-40d61c WaitForSingleObject CloseHandle 81->99 110 40d9a1-40da01 call 434c30 call 40245c call 401f8b * 2 call 4120e8 call 408093 90->110 94 40d688 91->94 95 40d68a-40d6a7 GetModuleFileNameW call 4192ae 91->95 94->95 108 40d6b0-40d6b4 95->108 109 40d6a9-40d6ab 95->109 126 40d651 98->126 127 40d641-40d650 call 401f8b call 41239a 98->127 99->98 136 40dd2c 105->136 111 40d6b6-40d6c9 call 401e45 call 401f8b 108->111 112 40d717-40d72a call 401e45 call 401f8b 108->112 109->108 177 40da06-40da5f call 401e45 call 401f8b call 402073 call 401f8b call 41215f call 401e45 call 401f8b call 439867 110->177 111->112 140 40d6cb-40d6d1 111->140 142 40d731-40d7ad call 401e45 call 401f8b call 408093 call 401e45 call 401f8b call 401e45 call 401f8b call 401e45 call 401f8b call 401e45 call 401f8b 112->142 143 40d72c call 40e501 112->143 126->80 127->126 141 40dd31-40dd65 call 402073 call 4052dd call 402073 call 4194da call 401fb8 136->141 140->112 146 40d6d3-40d6d9 140->146 187 40dd6a-40dd6f call 413980 141->187 216 40d815-40d819 142->216 217 40d7af-40d7c8 call 401e45 call 401f8b call 439891 142->217 143->142 151 40d6f7-40d710 call 401f8b call 411eea 146->151 152 40d6db-40d6ee call 4060ea 146->152 151->112 175 40d712 call 4066a6 151->175 152->112 168 40d6f0-40d6f5 call 4067a0 152->168 168->112 175->112 221 40da61-40da63 177->221 222 40da65-40da67 177->222 216->110 220 40d81f-40d826 216->220 217->216 250 40d7ca-40d810 call 401e45 call 401f8b call 401e45 call 401f8b call 40c5ed call 401ef3 call 401ee9 217->250 224 40d8a7-40d8b1 call 408093 220->224 225 40d828-40d8a5 call 401e45 call 401f8b call 401e45 call 401f8b call 401e45 call 401f8b call 401e45 call 401f8b call 401e45 call 401f8b call 40b871 220->225 226 40da6b-40da7c call 41aa4f CreateThread 221->226 227 40da69 222->227 228 40da7e-40db48 call 402073 * 2 call 4194da call 401e45 call 401f8b call 401e45 call 401f8b call 401e45 call 401f8b call 401e45 call 401f8b call 439867 call 401e45 call 401f8b call 401e45 call 401f8b call 408f1f call 401e45 call 401f8b 222->228 235 40d8b6-40d8de call 40245c call 43254d 224->235 225->235 226->228 227->226 349 40db83-40db9a call 401e45 call 401f8b 228->349 350 40db4a-40db81 call 43229f call 401e45 call 401f8b CreateThread 228->350 256 40d8f0 235->256 257 40d8e0-40d8ee call 434c30 235->257 250->216 263 40d8f2-40d967 call 401ee4 call 43a796 call 40245c call 401f8b call 40245c call 401f8b call 412338 call 432556 call 401e45 call 40fbab 256->263 257->263 263->177 331 40d96d-40d98c call 401e45 call 419bca call 40de34 263->331 331->177 346 40d98e-40d990 331->346 346->90 359 40dbd9-40dbeb call 401e45 call 401f8b 349->359 360 40db9c-40dbd4 call 43229f call 401e45 call 401f8b CreateThread 349->360 350->349 371 40dc4c-40dc5e call 401e45 call 401f8b 359->371 372 40dbed-40dc47 call 401e45 call 401f8b call 401e45 call 401f8b call 40c5a1 call 401ef3 call 401ee9 CreateThread 359->372 360->359 383 40dc60-40dc94 call 401e45 call 401f8b call 401e45 call 401f8b call 439867 call 40b0a3 371->383 384 40dc99-40dcbf call 4195f8 call 401ef3 call 401ee9 371->384 372->371 383->384 404 40dcc1 384->404 405 40dcc4-40dcd7 CreateThread 384->405 404->405 408 40dce5-40dcec 405->408 409 40dcd9-40dce3 CreateThread 405->409 412 40dcfa-40dd01 408->412 413 40dcee-40dcf8 CreateThread 408->413 409->408 412->136 416 40dd03-40dd06 412->416 413->412 416->187 418 40dd08-40dd0d 416->418 418->141
                              APIs
                                • Part of subcall function 0041A8DA: LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A8EF
                                • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A8F8
                                • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A90F
                                • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A912
                                • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A924
                                • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A927
                                • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A93D
                                • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A940
                                • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D40C), ref: 0041A951
                                • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A954
                                • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040D40C), ref: 0041A969
                                • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A96C
                                • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040D40C), ref: 0041A97D
                                • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A980
                                • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040D40C), ref: 0041A98C
                                • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A98F
                                • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D40C), ref: 0041A9A1
                                • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9A4
                                • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D40C), ref: 0041A9B1
                                • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9B4
                                • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D40C), ref: 0041A9C5
                                • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9C8
                                • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D40C), ref: 0041A9D5
                                • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9D8
                                • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D40C), ref: 0041A9EA
                                • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9ED
                                • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D40C), ref: 0041A9FA
                                • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9FD
                              • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 0040D603
                                • Part of subcall function 0040F98D: __EH_prolog.LIBCMT ref: 0040F992
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$HandleModule$LibraryLoad$H_prologMutexOpen
                              • String ID: (#G$0"G$0"G$0"G$Access Level: $Administrator$Exe$H"G$H"G$Inj$Remcos Agent initialized$Software\$User$`"G$exepath$licence$license_code.txt$origmsc$!G$!G$!G$!G$!G
                              • API String ID: 1529173511-1365410817
                              • Opcode ID: 2dd69d7571eafc38791daeda20d7e1fab6605f3cb407cb475532d63618ebdb48
                              • Instruction ID: a36e185f3bd9362bdba41541190492353975b392bf08c7d21c2bc217d0697d36
                              • Opcode Fuzzy Hash: 2dd69d7571eafc38791daeda20d7e1fab6605f3cb407cb475532d63618ebdb48
                              • Instruction Fuzzy Hash: 5622B960B043412BDA1577B69C67A7E25998F81708F04483FF946BB2E3EEBC4D05839E
                              Function 00404E06 Relevance: 18.1, APIs: 12, Instructions: 65synchronizationCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              APIs
                              • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E18
                              • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E23
                              • CloseHandle.KERNELBASE(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E2C
                              • closesocket.WS2_32(?), ref: 00404E3A
                              • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E71
                              • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E82
                              • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E89
                              • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E9A
                              • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E9F
                              • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EA4
                              • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EB1
                              • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EB6
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                              • String ID:
                              • API String ID: 3658366068-0
                              • Opcode ID: b1c96c5231e2cfca5084612c4e73afdaef55ac4315f506c78c7bb7997b29a698
                              • Instruction ID: b890c501aeabc943cf782ca315c2c368517b908ebe77e8074f52597b82095e9a
                              • Opcode Fuzzy Hash: b1c96c5231e2cfca5084612c4e73afdaef55ac4315f506c78c7bb7997b29a698
                              • Instruction Fuzzy Hash: 1B212C71000B009FDB216B26DC49B17BBE5FF40326F114A2DE2E212AF1CB79E851DB58
                              Function 00445A95 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 437 445a95-445aa9 438 445ab6-445ad1 LoadLibraryExW 437->438 439 445aab-445ab4 437->439 441 445ad3-445adc GetLastError 438->441 442 445afa-445b00 438->442 440 445b0d-445b0f 439->440 445 445ade-445ae9 LoadLibraryExW 441->445 446 445aeb 441->446 443 445b02-445b03 FreeLibrary 442->443 444 445b09 442->444 443->444 448 445b0b-445b0c 444->448 447 445aed-445aef 445->447 446->447 447->442 449 445af1-445af8 447->449 448->440 449->448
                              APIs
                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue), ref: 00445AC7
                              • GetLastError.KERNEL32(?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue,0045C110,0045C118,00000000,00000364,?,004457F7), ref: 00445AD3
                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue,0045C110,0045C118,00000000), ref: 00445AE1
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: LibraryLoad$ErrorLast
                              • String ID:
                              • API String ID: 3177248105-0
                              • Opcode ID: 6ca79951660ad3b6e96c8c42d18b75cc874aa2905662dd76989ddfa9726cc4c5
                              • Instruction ID: dabcc1aa4f00c9d7d6140ee010913d89a9079070269616da1364236c98588597
                              • Opcode Fuzzy Hash: 6ca79951660ad3b6e96c8c42d18b75cc874aa2905662dd76989ddfa9726cc4c5
                              • Instruction Fuzzy Hash: 8501FC32601B276BDF218A78AC84D577758EF05B617110635F906E3242D724DC01C6E8
                              Function 004459F9 Relevance: 3.1, APIs: 2, Instructions: 65libraryloaderCOMMONLIBRARYCODE
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 458 4459f9-445a23 459 445a25-445a27 458->459 460 445a8e 458->460 461 445a2d-445a33 459->461 462 445a29-445a2b 459->462 463 445a90-445a94 460->463 464 445a35-445a37 call 445a95 461->464 465 445a4f 461->465 462->463 468 445a3c-445a3f 464->468 467 445a51-445a53 465->467 469 445a55-445a63 GetProcAddress 467->469 470 445a7e-445a8c 467->470 471 445a70-445a76 468->471 472 445a41-445a47 468->472 473 445a65-445a6e call 432123 469->473 474 445a78 469->474 470->460 471->467 472->464 476 445a49 472->476 473->462 474->470 476->465
                              APIs
                              • GetProcAddress.KERNEL32(00000000,?), ref: 00445A59
                              • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00445A66
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc__crt_fast_encode_pointer
                              • String ID:
                              • API String ID: 2279764990-0
                              • Opcode ID: c61b452eecc00867d96f211e5a9c10d9e28e8afd79249807e8935c7f12eaf234
                              • Instruction ID: f797c493580bcbb57e031b514bcf368a6941c3076375826e2c1e25af396318bd
                              • Opcode Fuzzy Hash: c61b452eecc00867d96f211e5a9c10d9e28e8afd79249807e8935c7f12eaf234
                              • Instruction Fuzzy Hash: AA113A37A009319BAF21DE69ECC086B7391AB847247164332FC15BB346E634EC0286E9
                              Function 0040163E Relevance: 3.0, APIs: 2, Instructions: 32COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 478 40163e-401644 479 401646-401648 478->479 480 401649-401654 478->480 481 401656 480->481 482 40165b-401665 480->482 481->482 483 401667-40166d 482->483 484 401688-401689 call 43229f 482->484 483->484 486 40166f-401674 483->486 487 40168e-40168f 484->487 486->481 488 401676-401686 call 43229f 486->488 489 401691-401693 487->489 488->489
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f210c679e2b780eded3ea4ef50917041f60fa4d2abe52b8749c2b449606446f0
                              • Instruction ID: 17b6f17919427e724365abd55f1db4a6b8769e1fa76fb76fe63095c9ff18be87
                              • Opcode Fuzzy Hash: f210c679e2b780eded3ea4ef50917041f60fa4d2abe52b8749c2b449606446f0
                              • Instruction Fuzzy Hash: 09F0ECB02042015BCB1C9B34CD5062B379A4BA8365F289F7FF02BD61E0C73AC895860D
                              Function 0044D2B4 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 492 44d2b4-44d2c1 call 443005 494 44d2c6-44d2d1 492->494 495 44d2d7-44d2df 494->495 496 44d2d3-44d2d5 494->496 497 44d31f-44d32d call 443c92 495->497 498 44d2e1-44d2e5 495->498 496->497 500 44d2e7-44d319 call 445fb3 498->500 504 44d31b-44d31e 500->504 504->497
                              APIs
                                • Part of subcall function 00443005: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004457DA,00000001,00000364,?,00000000,?,00439A11,00000000,?,?,00439A95,00000000), ref: 00443046
                              • _free.LIBCMT ref: 0044D320
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateHeap_free
                              • String ID:
                              • API String ID: 614378929-0
                              • Opcode ID: 3263e86e01d89d9b2c949f26067d012f8e3513974416179447fc4125dbbefc63
                              • Instruction ID: 6435cefd8bbe106a332e767b8e47ea9a619cae55f612b2c95de9f127ac4edb1d
                              • Opcode Fuzzy Hash: 3263e86e01d89d9b2c949f26067d012f8e3513974416179447fc4125dbbefc63
                              • Instruction Fuzzy Hash: 260149736003056BF321CF69D885E5AFBE8FB89374F25061EE585832C0EA34A905C738
                              Function 00443005 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 505 443005-443010 506 443012-44301c 505->506 507 44301e-443024 505->507 506->507 508 443052-44305d call 43ad91 506->508 509 443026-443027 507->509 510 44303d-44304e RtlAllocateHeap 507->510 515 44305f-443061 508->515 509->510 511 443050 510->511 512 443029-443030 call 442a57 510->512 511->515 512->508 518 443032-44303b call 440480 512->518 518->508 518->510
                              APIs
                              • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004457DA,00000001,00000364,?,00000000,?,00439A11,00000000,?,?,00439A95,00000000), ref: 00443046
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateHeap
                              • String ID:
                              • API String ID: 1279760036-0
                              • Opcode ID: 8a82d2413be822b6e30d7260cb8c0ab5a5cb0f0d071671a377993aa538de489b
                              • Instruction ID: 6f1ff5b5ffdcc79539d97ae047dfd157567b1d653d04e58146e0509186e3fe0c
                              • Opcode Fuzzy Hash: 8a82d2413be822b6e30d7260cb8c0ab5a5cb0f0d071671a377993aa538de489b
                              • Instruction Fuzzy Hash: A0F0B43220022466FB319E229C01A5B3749AF42FA2F158227BC04E62C9CA78DE1182AD
                              Function 00443649 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 521 443649-443655 522 443687-443692 call 43ad91 521->522 523 443657-443659 521->523 531 443694-443696 522->531 524 443672-443683 RtlAllocateHeap 523->524 525 44365b-44365c 523->525 527 443685 524->527 528 44365e-443665 call 442a57 524->528 525->524 527->531 528->522 533 443667-443670 call 440480 528->533 533->522 533->524
                              APIs
                              • RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateHeap
                              • String ID:
                              • API String ID: 1279760036-0
                              • Opcode ID: 0c61ffa0ec78c269e0422769366e0108c3b164e239eff4ad14a217a7d57edf52
                              • Instruction ID: 99ef05a6bb91785527f59a1062444bc3c705daae6acf277761014d7f2c467fed
                              • Opcode Fuzzy Hash: 0c61ffa0ec78c269e0422769366e0108c3b164e239eff4ad14a217a7d57edf52
                              • Instruction Fuzzy Hash: 7EE0E52110162377F6312E635C0075B36489F41BA2F17412BFC8596780CB69CE0041AD

                              Non-executed Functions

                              Function 00410B5C Relevance: 33.5, APIs: 7, Strings: 12, Instructions: 238threadCOMMON
                              Download Yara Rule
                              APIs
                              • GetCurrentProcessId.KERNEL32 ref: 00410B6B
                                • Part of subcall function 00412268: RegCreateKeyA.ADVAPI32(80000001,00000000,P0F), ref: 00412276
                                • Part of subcall function 00412268: RegSetValueExA.ADVAPI32(P0F,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 00412291
                                • Part of subcall function 00412268: RegCloseKey.ADVAPI32(?,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 0041229C
                              • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410BAB
                              • CloseHandle.KERNEL32(00000000), ref: 00410BBA
                              • CreateThread.KERNEL32(00000000,00000000,00411253,00000000,00000000,00000000), ref: 00410C10
                              • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00410E7F
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                              • String ID: (#G$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$!G
                              • API String ID: 3018269243-1736093966
                              • Opcode ID: 0994219a8e8a2e6fdacb02da6b6c9aac93029fb7835260760d01e793a2ba6ee3
                              • Instruction ID: e4f63523a9081b51a3adb9d06d528b7104d503695ba60a117a14e5ebfa22ea95
                              • Opcode Fuzzy Hash: 0994219a8e8a2e6fdacb02da6b6c9aac93029fb7835260760d01e793a2ba6ee3
                              • Instruction Fuzzy Hash: DD71923160430167C604FB62DD67DAE73A8AE91308F50097FF546621E2EEBC9E49C69F
                              Function 00406D28 Relevance: 32.3, APIs: 9, Strings: 9, Instructions: 810fileCOMMON
                              Download Yara Rule
                              APIs
                              • SetEvent.KERNEL32(?,?), ref: 00406D4A
                              • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00406E18
                              • DeleteFileW.KERNEL32(00000000), ref: 00406E3A
                                • Part of subcall function 0041A01B: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00471E78,?), ref: 0041A076
                                • Part of subcall function 0041A01B: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00471E78,?), ref: 0041A0A6
                                • Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A0FB
                                • Part of subcall function 0041A01B: FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A15C
                                • Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A163
                                • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                • Part of subcall function 00404A81: WaitForSingleObject.KERNEL32(?,00000000,00401A25,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000), ref: 00404B27
                                • Part of subcall function 00404A81: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000,?,?,?,?,?,00401A25), ref: 00404B55
                              • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407228
                              • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00407309
                              • DeleteFileA.KERNEL32(?), ref: 0040768E
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$Find$DeleteDirectoryEventRemove$AttributesCloseDriveExecuteFirstLocalLogicalNextObjectShellSingleStringsTimeWaitsend
                              • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$open
                              • API String ID: 1385304114-1507758755
                              • Opcode ID: 486b9b13a9e0af661d0ec35c4c2a5e664efc39ece2783de0a02d2c3891ac1a86
                              • Instruction ID: 48d75f04ed6415a86b5419c4bbb4b80b443badeb9edbc79095c7941e671ccbd4
                              • Opcode Fuzzy Hash: 486b9b13a9e0af661d0ec35c4c2a5e664efc39ece2783de0a02d2c3891ac1a86
                              • Instruction Fuzzy Hash: EE42A771A043005BC604FB76C86B9AE77A9AF91304F40493FF542671E2EE7D9A09C79B
                              Function 0040567A Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 278pipesleepfileCOMMON
                              Download Yara Rule
                              APIs
                              • __Init_thread_footer.LIBCMT ref: 004056C6
                                • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                              • __Init_thread_footer.LIBCMT ref: 00405703
                              • CreatePipe.KERNEL32(00473BB4,00473B9C,00473AC0,00000000,00463068,00000000), ref: 00405796
                              • CreatePipe.KERNEL32(00473BA0,00473BBC,00473AC0,00000000), ref: 004057AC
                              • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00473AD0,00473BA4), ref: 0040581F
                              • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405877
                              • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040589C
                              • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058C9
                                • Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B
                              • WriteFile.KERNEL32(00000000,00000000,?,00000000,00471F28,0046306C,00000062,00463050), ref: 004059C4
                              • Sleep.KERNEL32(00000064,00000062,00463050), ref: 004059DE
                              • TerminateProcess.KERNEL32(00000000), ref: 004059F7
                              • CloseHandle.KERNEL32 ref: 00405A03
                              • CloseHandle.KERNEL32 ref: 00405A0B
                              • CloseHandle.KERNEL32 ref: 00405A1D
                              • CloseHandle.KERNEL32 ref: 00405A25
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                              • String ID: SystemDrive$cmd.exe
                              • API String ID: 2994406822-3633465311
                              • Opcode ID: 45804b196eb615b74f37731f9156c820bde623197d48a39944e1cd78d62eaab2
                              • Instruction ID: 60b94bd4732a7a61eda53217d638a5a8398e5d64ba0573e0a23605d008395794
                              • Opcode Fuzzy Hash: 45804b196eb615b74f37731f9156c820bde623197d48a39944e1cd78d62eaab2
                              • Instruction Fuzzy Hash: 2991D571600204AFC710BF65AC52D6F3698EB44745F00443FF949A72E3DA7CAE489B6E
                              Function 0040AA71 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 146fileCOMMON
                              Download Yara Rule
                              APIs
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040AAF0
                              • FindClose.KERNEL32(00000000), ref: 0040AB0A
                              • FindNextFileA.KERNEL32(00000000,?), ref: 0040AC2D
                              • FindClose.KERNEL32(00000000), ref: 0040AC53
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$CloseFile$FirstNext
                              • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                              • API String ID: 1164774033-3681987949
                              • Opcode ID: ca0fae3423e82ba65057aab1becec6cc490b3020935d7fd6147cf858be723e25
                              • Instruction ID: fcfcc6101c27069c9b98dcbc284c26b589152974821445ccf2a2d41a2abcc6ea
                              • Opcode Fuzzy Hash: ca0fae3423e82ba65057aab1becec6cc490b3020935d7fd6147cf858be723e25
                              • Instruction Fuzzy Hash: DD516C7190021A9ADB14FBB1DC96EEEB738AF10309F50057FF406720E2FF785A458A5A
                              Function 0040AC78 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 131fileCOMMON
                              Download Yara Rule
                              APIs
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040ACF0
                              • FindClose.KERNEL32(00000000), ref: 0040AD0A
                              • FindNextFileA.KERNEL32(00000000,?), ref: 0040ADCA
                              • FindClose.KERNEL32(00000000), ref: 0040ADF0
                              • FindClose.KERNEL32(00000000), ref: 0040AE11
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$Close$File$FirstNext
                              • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                              • API String ID: 3527384056-432212279
                              • Opcode ID: 73f140f6d35823a17bd4706e2565cdbe6c65283cd980cbef6400db2aba249c94
                              • Instruction ID: fb37dd61a783c7e48c67abb1194b5e9e6d585cff7aa156a37ad31c809035e36e
                              • Opcode Fuzzy Hash: 73f140f6d35823a17bd4706e2565cdbe6c65283cd980cbef6400db2aba249c94
                              • Instruction Fuzzy Hash: 33417E7190021A5ACB14FBB1DC56DEEB729AF11306F50057FF402B21D2EF789A468A9E
                              Function 00414EC1 Relevance: 18.1, APIs: 12, Instructions: 83clipboardmemoryCOMMON
                              Download Yara Rule
                              APIs
                              • OpenClipboard.USER32 ref: 00414EC2
                              • EmptyClipboard.USER32 ref: 00414ED0
                              • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 00414EF0
                              • GlobalLock.KERNEL32(00000000), ref: 00414EF9
                              • GlobalUnlock.KERNEL32(00000000), ref: 00414F2F
                              • SetClipboardData.USER32(0000000D,00000000), ref: 00414F38
                              • CloseClipboard.USER32 ref: 00414F55
                              • OpenClipboard.USER32 ref: 00414F5C
                              • GetClipboardData.USER32(0000000D), ref: 00414F6C
                              • GlobalLock.KERNEL32(00000000), ref: 00414F75
                              • GlobalUnlock.KERNEL32(00000000), ref: 00414F7E
                              • CloseClipboard.USER32 ref: 00414F84
                                • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                              • String ID:
                              • API String ID: 3520204547-0
                              • Opcode ID: 7af418065d64d393ef04eab576563171d8b43fad0296cfc06dd8feeb27fac25d
                              • Instruction ID: 88f859f6ed4527f0268ca0f0dcff7fecf11b3a85ebb64268ee3e6238e9d0ca75
                              • Opcode Fuzzy Hash: 7af418065d64d393ef04eab576563171d8b43fad0296cfc06dd8feeb27fac25d
                              • Instruction Fuzzy Hash: C32162312043009BD714BF71DC5A9BE76A8AF90746F81093EF906931E3EF3889458A6A
                              Function 004175E1 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 204COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 0$1$2$3$4$5$6$7
                              • API String ID: 0-3177665633
                              • Opcode ID: d8735d6a0333336ade1e6f6e2efec2098777929bb537579fb175260dc37f0ebb
                              • Instruction ID: 7e6592d3055df16b324e67483fbf58bd1f951358f7384255f7d9d01b5e43b049
                              • Opcode Fuzzy Hash: d8735d6a0333336ade1e6f6e2efec2098777929bb537579fb175260dc37f0ebb
                              • Instruction Fuzzy Hash: 7661D4709183019ED704EF21D8A1FAB7BB4DF94310F10881FF5A25B2D1DA789A49CBA6
                              Function 004186FE Relevance: 15.2, APIs: 10, Instructions: 228serviceCOMMON
                              Download Yara Rule
                              APIs
                              • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004727F8), ref: 00418714
                              • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00418763
                              • GetLastError.KERNEL32 ref: 00418771
                              • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 004187A9
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: EnumServicesStatus$ErrorLastManagerOpen
                              • String ID:
                              • API String ID: 3587775597-0
                              • Opcode ID: a389468ef3a4b2ac6aa5ba8bc00e05a97baae6139e6da71d4e03c11964763bc0
                              • Instruction ID: 6ce88c058296d2c3b0169cbae3b24baff62e3479be35c2318cb4853598c639b3
                              • Opcode Fuzzy Hash: a389468ef3a4b2ac6aa5ba8bc00e05a97baae6139e6da71d4e03c11964763bc0
                              • Instruction Fuzzy Hash: 04814071104344ABC304FB62DC959AFB7E8FF94708F50092EF58552192EE78EA49CB9A
                              Function 0040B28E Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 112fileCOMMON
                              Download Yara Rule
                              APIs
                              • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040B2DC
                              • FindNextFileW.KERNEL32(00000000,?), ref: 0040B3AF
                              • FindClose.KERNEL32(00000000), ref: 0040B3BE
                              • FindClose.KERNEL32(00000000), ref: 0040B3E9
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$CloseFile$FirstNext
                              • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                              • API String ID: 1164774033-405221262
                              • Opcode ID: 4b14aa1bc7189600b3df2c7baed1fce7e981b9bf703063a35819cb8b8327a43d
                              • Instruction ID: 883258bb694cc85cc249d311a8318fbda55549897f82b44e5d780b3967986c9e
                              • Opcode Fuzzy Hash: 4b14aa1bc7189600b3df2c7baed1fce7e981b9bf703063a35819cb8b8327a43d
                              • Instruction Fuzzy Hash: 7D31533190025996CB14FBA1DC9ADEE7778AF50718F10017FF405B21D2EFBC9A4A8A8D
                              Function 0041A01B Relevance: 13.6, APIs: 9, Instructions: 106fileCOMMON
                              Download Yara Rule
                              APIs
                              • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00471E78,?), ref: 0041A076
                              • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00471E78,?), ref: 0041A0A6
                              • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00471E78,?), ref: 0041A118
                              • DeleteFileW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A125
                                • Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A0FB
                              • GetLastError.KERNEL32(?,?,?,?,?,00471E78,?), ref: 0041A146
                              • FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A15C
                              • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A163
                              • FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A16C
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                              • String ID:
                              • API String ID: 2341273852-0
                              • Opcode ID: 2253f20c687efd1695f59cc813ac36ef13daa749edc7cb4b9e2c9040a42a2537
                              • Instruction ID: c5fafce0dbccb0860899da49af80cd87a4a733faaf08891c553187227cdc222a
                              • Opcode Fuzzy Hash: 2253f20c687efd1695f59cc813ac36ef13daa749edc7cb4b9e2c9040a42a2537
                              • Instruction Fuzzy Hash: 5F31937290121C6ADB20EBA0DC49EDB77BCAB08305F4406FBF558D3152EB39DAD48A19
                              Function 00410763 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 206memoryCOMMON
                              Download Yara Rule
                              APIs
                                • Part of subcall function 00410201: SetLastError.KERNEL32(0000000D,00410781,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 00410207
                              • SetLastError.KERNEL32(000000C1,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 0041079C
                              • GetNativeSystemInfo.KERNEL32(?,?,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 0041080A
                              • SetLastError.KERNEL32(0000000E), ref: 0041082E
                                • Part of subcall function 00410708: VirtualAlloc.KERNEL32(00000000,00000000,00000000,00000000,0041084C,?,00000000,00003000,00000004,00000000), ref: 00410718
                              • GetProcessHeap.KERNEL32(00000008,00000040), ref: 00410875
                              • HeapAlloc.KERNEL32(00000000), ref: 0041087C
                              • SetLastError.KERNEL32(0000045A), ref: 0041098F
                                • Part of subcall function 00410ADC: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,0041099C), ref: 00410B4C
                                • Part of subcall function 00410ADC: HeapFree.KERNEL32(00000000), ref: 00410B53
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                              • String ID: $.F
                              • API String ID: 3950776272-1421728423
                              • Opcode ID: afa6d71e2a3b14814050e18c4da3df367c89416f336fbbd417f722f4d15fa1ad
                              • Instruction ID: 59628d97446cb481dba570c2b442d682f024dd9dc2812234181a156a821a4c1f
                              • Opcode Fuzzy Hash: afa6d71e2a3b14814050e18c4da3df367c89416f336fbbd417f722f4d15fa1ad
                              • Instruction Fuzzy Hash: F7619270200211ABD750AF66CD91BAB7BA5BF44714F54412AF9158B382DBFCE8C1CBD9
                              Function 00409340 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63windowCOMMON
                              Download Yara Rule
                              APIs
                              • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040935B
                              • SetWindowsHookExA.USER32(0000000D,0040932C,00000000), ref: 00409369
                              • GetLastError.KERNEL32 ref: 00409375
                                • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004093C3
                              • TranslateMessage.USER32(?), ref: 004093D2
                              • DispatchMessageA.USER32(?), ref: 004093DD
                              Strings
                              • Keylogger initialization failure: error , xrefs: 00409389
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                              • String ID: Keylogger initialization failure: error
                              • API String ID: 3219506041-952744263
                              • Opcode ID: 4daa718d81045fd2d4cd741a07fca7de2266515ef5ec0dc15ecea471e6442c9d
                              • Instruction ID: 7386389ed158dc1e9b291cee6df9fe5cdc6a320468782ebba6dd7d831fd8f91b
                              • Opcode Fuzzy Hash: 4daa718d81045fd2d4cd741a07fca7de2266515ef5ec0dc15ecea471e6442c9d
                              • Instruction Fuzzy Hash: 4D119431604301ABC7107B769D0985BB7ECEB99712B500A7EFC95D32D2EB74C900CB6A
                              Function 004128E3 Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 485registrylibraryloaderCOMMON
                              Download Yara Rule
                              APIs
                              • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004129B8
                              • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004129C4
                                • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                              • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 00412CBA
                              • GetProcAddress.KERNEL32(00000000), ref: 00412CC1
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressCloseCreateLibraryLoadProcsend
                              • String ID: SHDeleteKeyW$Shlwapi.dll
                              • API String ID: 2127411465-314212984
                              • Opcode ID: 3a8f36ea34958f1437b96a761794d04628548da7921348726e3bd1b1d4fd3bc5
                              • Instruction ID: 16181ac17c5890234a95f9c719cc05f83ad3eef33587bd03cd2ae8bf1541d7ce
                              • Opcode Fuzzy Hash: 3a8f36ea34958f1437b96a761794d04628548da7921348726e3bd1b1d4fd3bc5
                              • Instruction Fuzzy Hash: CCE1DA72A0430067CA14B776DD57DAF36A8AF91318F40053FF946F71E2EDBD8A44829A
                              Function 004466BF Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • _free.LIBCMT ref: 00446741
                              • _free.LIBCMT ref: 00446765
                              • _free.LIBCMT ref: 004468EC
                              • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045C1E4), ref: 004468FE
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F754,000000FF,00000000,0000003F,00000000,?,?), ref: 00446976
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F7A8,000000FF,?,0000003F,00000000,?), ref: 004469A3
                              • _free.LIBCMT ref: 00446AB8
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: _free$ByteCharMultiWide$InformationTimeZone
                              • String ID:
                              • API String ID: 314583886-0
                              • Opcode ID: cbe724d584c4c688f7c92c89d2af3aac564bebe5498eb7e7b8226ac0d6f42e00
                              • Instruction ID: 8b87e38212d70e432f0d45c21c10c2da0ad9042405ab808e013634feac4ff008
                              • Opcode Fuzzy Hash: cbe724d584c4c688f7c92c89d2af3aac564bebe5498eb7e7b8226ac0d6f42e00
                              • Instruction Fuzzy Hash: 67C15CB1900245ABFB24AF79DC41AAA7BB8EF03314F16416FE48497341EB788E45C75E
                              Function 0040E18D Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 90sleepCOMMON
                              Download Yara Rule
                              APIs
                                • Part of subcall function 00411F34: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?), ref: 00411F54
                                • Part of subcall function 00411F34: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,00000000), ref: 00411F72
                                • Part of subcall function 00411F34: RegCloseKey.ADVAPI32(?), ref: 00411F7D
                              • Sleep.KERNEL32(00000BB8), ref: 0040E243
                              • ExitProcess.KERNEL32 ref: 0040E2B4
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseExitOpenProcessQuerySleepValue
                              • String ID: 3.8.0 Pro$override$pth_unenc$!G
                              • API String ID: 2281282204-1386060931
                              • Opcode ID: 2411e5703e7239f679d30a90bad3a95645d2e36138ee9f8a514be94ac54cb995
                              • Instruction ID: b884fba6e00cc138548ee74cf6c0f0a6577cc223cd772b3e63c92b5116f64211
                              • Opcode Fuzzy Hash: 2411e5703e7239f679d30a90bad3a95645d2e36138ee9f8a514be94ac54cb995
                              • Instruction Fuzzy Hash: 6E213770B4030027DA08B6768D5BAAE35899B82708F40446FF911AB2D7EEBD8D4583DF
                              Function 0041936B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 69networkfileCOMMON
                              Download Yara Rule
                              APIs
                              • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00419392
                              • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 004193A8
                              • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 004193C1
                              • InternetCloseHandle.WININET(00000000), ref: 00419407
                              • InternetCloseHandle.WININET(00000000), ref: 0041940A
                              Strings
                              • http://geoplugin.net/json.gp, xrefs: 004193A2
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseHandleOpen$FileRead
                              • String ID: http://geoplugin.net/json.gp
                              • API String ID: 3121278467-91888290
                              • Opcode ID: ef2ec91d27aa09046ea65f67fa3d050ef1f1622cef503f288a816c5549269c7a
                              • Instruction ID: 9fad89c028030122b1819b6a874fefb9d729214f45c39af6bed7b2b06c6e4f32
                              • Opcode Fuzzy Hash: ef2ec91d27aa09046ea65f67fa3d050ef1f1622cef503f288a816c5549269c7a
                              • Instruction Fuzzy Hash: 3311C8311053126BD224EF169C59DABBF9CEF85765F40053EF905A32C1DBA8DC44C6A9
                              Function 0040A953 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON
                              Download Yara Rule
                              APIs
                              • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040A98F
                              • GetLastError.KERNEL32 ref: 0040A999
                              Strings
                              • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040A95A
                              • [Chrome StoredLogins found, cleared!], xrefs: 0040A9BF
                              • UserProfile, xrefs: 0040A95F
                              • [Chrome StoredLogins not found], xrefs: 0040A9B3
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: DeleteErrorFileLast
                              • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                              • API String ID: 2018770650-1062637481
                              • Opcode ID: c755599410c6c02e55073cedb3b03e5beee3eb12ab5711b2b25ec6cbfe43ec22
                              • Instruction ID: b2134abed7c3f614b53a5a28bf05479c5c2a11b403a78876888f6ce5fd1f590e
                              • Opcode Fuzzy Hash: c755599410c6c02e55073cedb3b03e5beee3eb12ab5711b2b25ec6cbfe43ec22
                              • Instruction Fuzzy Hash: 7801F271B9020466CA047A75DC2B8BE7728A921304B90057FF402732E2FE7D8A1586CF
                              Function 00415C90 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 33COMMON
                              Download Yara Rule
                              APIs
                              • GetCurrentProcess.KERNEL32(00000028,?), ref: 00415C9D
                              • OpenProcessToken.ADVAPI32(00000000), ref: 00415CA4
                              • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00415CB6
                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00415CD5
                              • GetLastError.KERNEL32 ref: 00415CDB
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                              • String ID: SeShutdownPrivilege
                              • API String ID: 3534403312-3733053543
                              • Opcode ID: 6b6a245ea7d04d36a7da703741a32f9ec851e6ff0cbdb80aef66d6ce6c3f9121
                              • Instruction ID: ffc0972e6e84a8b4c82c7ff824774f91a9d221977230a9de1ecf93d0fe8dbf87
                              • Opcode Fuzzy Hash: 6b6a245ea7d04d36a7da703741a32f9ec851e6ff0cbdb80aef66d6ce6c3f9121
                              • Instruction Fuzzy Hash: 0AF03A71901229ABDB10ABA1ED4DEEF7F7CEF05616F510060B805A2152D6749A04CAB5
                              Function 0040838E Relevance: 9.3, APIs: 6, Instructions: 293fileCOMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 00408393
                                • Part of subcall function 004048A8: connect.WS2_32(?,?,?), ref: 004048C0
                                • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040842F
                              • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040848D
                              • FindNextFileW.KERNEL32(00000000,?), ref: 004084E5
                              • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 004084FC
                                • Part of subcall function 00404E06: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E18
                                • Part of subcall function 00404E06: SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E23
                                • Part of subcall function 00404E06: CloseHandle.KERNELBASE(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E2C
                              • FindClose.KERNEL32(00000000), ref: 004086F4
                                • Part of subcall function 00404A81: WaitForSingleObject.KERNEL32(?,00000000,00401A25,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000), ref: 00404B27
                                • Part of subcall function 00404A81: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000,?,?,?,?,?,00401A25), ref: 00404B55
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                              • String ID:
                              • API String ID: 1824512719-0
                              • Opcode ID: fe1b7685708ab651bcf0735ee0d7b313b9460d78bb97c14bdd2e97ece23dd4dd
                              • Instruction ID: 071b26812b5e49f88d0361c7bacc9152bfce797c8686ce15524b94070306fde2
                              • Opcode Fuzzy Hash: fe1b7685708ab651bcf0735ee0d7b313b9460d78bb97c14bdd2e97ece23dd4dd
                              • Instruction Fuzzy Hash: 4FB18D329001099BCB14FBA1CD92AEDB378AF50318F50416FE506B71E2EF785B49CB98
                              Function 00409468 Relevance: 9.1, APIs: 6, Instructions: 54keyboardthreadCOMMON
                              Download Yara Rule
                              APIs
                              • GetForegroundWindow.USER32 ref: 0040949C
                              • GetWindowThreadProcessId.USER32(00000000,?), ref: 004094A7
                              • GetKeyboardLayout.USER32(00000000), ref: 004094AE
                              • GetKeyState.USER32(00000010), ref: 004094B8
                              • GetKeyboardState.USER32(?), ref: 004094C5
                              • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 004094E1
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
                              • String ID:
                              • API String ID: 3566172867-0
                              • Opcode ID: d901ee0ac73cdc62f5a306cfd6c81765c1cc2556515ef31437eb64726968fe5d
                              • Instruction ID: c7d3d650b917c490fc12d3d20248521073b1bf92526e1b13c177c4272b1ff9cc
                              • Opcode Fuzzy Hash: d901ee0ac73cdc62f5a306cfd6c81765c1cc2556515ef31437eb64726968fe5d
                              • Instruction Fuzzy Hash: B9111E7290020CABDB10DBE4EC49FDA7BBCEB4C706F510465FA08E7191E675EA548BA4
                              Function 00418A00 Relevance: 9.0, APIs: 6, Instructions: 39serviceCOMMON
                              Download Yara Rule
                              APIs
                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,00418656,00000000), ref: 00418A09
                              • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,00418656,00000000), ref: 00418A1E
                              • CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A2B
                              • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,00418656,00000000), ref: 00418A36
                              • CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A48
                              • CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A4B
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: Service$CloseHandle$Open$ManagerStart
                              • String ID:
                              • API String ID: 276877138-0
                              • Opcode ID: 3fc945a915b8368a843192f93137a5e178334297252c2274446b31ee589ae89c
                              • Instruction ID: d7e7041197745ae6b8576ac0eea0d71e7d0897d816d6b6e74118e31fa9ec717f
                              • Opcode Fuzzy Hash: 3fc945a915b8368a843192f93137a5e178334297252c2274446b31ee589ae89c
                              • Instruction Fuzzy Hash: CAF082711012246FD211EB65EC89DBF2BACDF85BA6B41042BF801931918F78CD49A9B9
                              Function 00417AAB Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 245fileCOMMON
                              Download Yara Rule
                              APIs
                              • FindFirstFileW.KERNEL32(00000000,?), ref: 00417D01
                              • FindNextFileW.KERNEL32(00000000,?,?), ref: 00417DCD
                                • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$Find$CreateFirstNext
                              • String ID: H"G$`'G$`'G
                              • API String ID: 341183262-2774397156
                              • Opcode ID: 753b25ef91f62c10a23852cd7e303c3a05920bb6bbf3c128c8b3a0c8982e454a
                              • Instruction ID: cc65440c5fe1593426504ff8613f72b7370ef7481f3bf724e026da4e35a467e2
                              • Opcode Fuzzy Hash: 753b25ef91f62c10a23852cd7e303c3a05920bb6bbf3c128c8b3a0c8982e454a
                              • Instruction Fuzzy Hash: 138183315083415BC314FB62C996DEFB7A8AF90304F40493FF586671E2EF789A49C69A
                              Function 00414DB4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 97libraryloadershutdownCOMMON
                              Download Yara Rule
                              APIs
                                • Part of subcall function 00415C90: GetCurrentProcess.KERNEL32(00000028,?), ref: 00415C9D
                                • Part of subcall function 00415C90: OpenProcessToken.ADVAPI32(00000000), ref: 00415CA4
                                • Part of subcall function 00415C90: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00415CB6
                                • Part of subcall function 00415C90: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00415CD5
                                • Part of subcall function 00415C90: GetLastError.KERNEL32 ref: 00415CDB
                              • ExitWindowsEx.USER32(00000000,00000001), ref: 00414E56
                              • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00414E6B
                              • GetProcAddress.KERNEL32(00000000), ref: 00414E72
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                              • String ID: PowrProf.dll$SetSuspendState
                              • API String ID: 1589313981-1420736420
                              • Opcode ID: a90733ccfc111f0b9843f199546f20f3a5fde930ee9984aa821316ce92a955c1
                              • Instruction ID: 748c18e79ee5f9a1fbb6f05bd7ad52209f91b0004c4d1b0055552a3b76c5c1f9
                              • Opcode Fuzzy Hash: a90733ccfc111f0b9843f199546f20f3a5fde930ee9984aa821316ce92a955c1
                              • Instruction Fuzzy Hash: 5F214F7070430157CE14FBB19896AAF6359AFD4349F40097FB5026B2D2EE7DCC4986AE
                              Function 0044F61C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0044F93B,?,00000000), ref: 0044F6B5
                              • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0044F93B,?,00000000), ref: 0044F6DE
                              • GetACP.KERNEL32(?,?,0044F93B,?,00000000), ref: 0044F6F3
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: InfoLocale
                              • String ID: ACP$OCP
                              • API String ID: 2299586839-711371036
                              • Opcode ID: bf4880e5188eb12a7c294a6f25afa26b03a49e2ed1ffce5823e951fdb7c5b330
                              • Instruction ID: bf1e89585aec8fc6a823a5c6a63220f2d7696aba51182a9853130589b0d37fa4
                              • Opcode Fuzzy Hash: bf4880e5188eb12a7c294a6f25afa26b03a49e2ed1ffce5823e951fdb7c5b330
                              • Instruction Fuzzy Hash: 2221C122A00101A6F7348F24C901A9B73AAAF50B65F578577E809C7221FB36DD4BC398
                              Function 0040A0B0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68timeCOMMON
                              Download Yara Rule
                              APIs
                              • GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                              • wsprintfW.USER32 ref: 0040A13F
                                • Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: EventLocalTimewsprintf
                              • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                              • API String ID: 1497725170-248792730
                              • Opcode ID: 87b5f94750da63fef2f6cded4e82116a79e8327da2086fd1d9a035c3abd0ab33
                              • Instruction ID: 6803640c9eec9339f7c785541c6425a10534024a2ea1efda602809c990ee83c1
                              • Opcode Fuzzy Hash: 87b5f94750da63fef2f6cded4e82116a79e8327da2086fd1d9a035c3abd0ab33
                              • Instruction Fuzzy Hash: 5E114272504118AAC708FB96EC558FE77BCEE48315B00412FF806661D2EF7C5A46D6A9
                              Function 00419493 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25COMMON
                              Download Yara Rule
                              APIs
                              • FindResourceA.KERNEL32(SETTINGS,0000000A), ref: 004194A4
                              • LoadResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194B8
                              • LockResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194BF
                              • SizeofResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194CE
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: Resource$FindLoadLockSizeof
                              • String ID: SETTINGS
                              • API String ID: 3473537107-594951305
                              • Opcode ID: 7f61ee72686a272b8f551de58b86ae3e218e906a9fde472ee07ff8038d16bca4
                              • Instruction ID: a9e8191b24fee58836060ebd07e0bd7776b83e69f4e337d8cda710b4f32c44fb
                              • Opcode Fuzzy Hash: 7f61ee72686a272b8f551de58b86ae3e218e906a9fde472ee07ff8038d16bca4
                              • Instruction Fuzzy Hash: 72E01A76200710ABCB211FA1FC5CD273E69F799B537050035FA0183222DA75CC00CA19
                              Function 004087A0 Relevance: 7.7, APIs: 5, Instructions: 222fileCOMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 004087A5
                              • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040881D
                              • FindNextFileW.KERNEL32(00000000,?), ref: 00408846
                              • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040885D
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstH_prologNext
                              • String ID:
                              • API String ID: 1157919129-0
                              • Opcode ID: 723ee23fa97bb8f6af8cca5773ea7e68c839743d70c3dbe8a8860bd87f8337b2
                              • Instruction ID: 37d480644902bd8bd77a9749fd647df5a3db5b19bbca398f696489d34b7b99bb
                              • Opcode Fuzzy Hash: 723ee23fa97bb8f6af8cca5773ea7e68c839743d70c3dbe8a8860bd87f8337b2
                              • Instruction Fuzzy Hash: 12814D329001199BCB15EBA1DD929ED73B8AF54308F10427FE446B71E2EF385B49CB98
                              Function 0044F7F0 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                                • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                • Part of subcall function 00445725: _free.LIBCMT ref: 00445784
                                • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                              • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0044F8FC
                              • IsValidCodePage.KERNEL32(00000000), ref: 0044F957
                              • IsValidLocale.KERNEL32(?,00000001), ref: 0044F966
                              • GetLocaleInfoW.KERNEL32(?,00001001,00441F7E,00000040,?,0044209E,00000055,00000000,?,?,00000055,00000000), ref: 0044F9AE
                              • GetLocaleInfoW.KERNEL32(?,00001002,00441FFE,00000040), ref: 0044F9CD
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                              • String ID:
                              • API String ID: 745075371-0
                              • Opcode ID: b2004c1cc1df407676deb5a86971a5ed3ade22d67ad87857b151b1318ee5498f
                              • Instruction ID: 3a6be996f1d9ea25600d7609fa1d0555167a50dcc121ad64ff78238f3932635f
                              • Opcode Fuzzy Hash: b2004c1cc1df407676deb5a86971a5ed3ade22d67ad87857b151b1318ee5498f
                              • Instruction Fuzzy Hash: 0351A271900215AFFB20EFA5DC41BBF77B8AF08301F05447BE914EB251E7789A088769
                              Function 00407848 Relevance: 7.7, APIs: 5, Instructions: 186fileCOMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 0040784D
                              • FindFirstFileW.KERNEL32(00000000,?,004632A8,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407906
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040792E
                              • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040793B
                              • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407A51
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                              • String ID:
                              • API String ID: 1771804793-0
                              • Opcode ID: d2b2406fb78086a357800fb68e00157406e6bc822482aaceecce54b7553cb521
                              • Instruction ID: 4b9324871479917b5af30c26e04a30266e6971a3e86a210f007197118c0b57fe
                              • Opcode Fuzzy Hash: d2b2406fb78086a357800fb68e00157406e6bc822482aaceecce54b7553cb521
                              • Instruction Fuzzy Hash: 18516372904208AACB04FBA1DD969DD7778AF11308F50417FB846771E2EF389B49CB99
                              Function 0040E2E7 Relevance: 7.6, APIs: 5, Instructions: 132processCOMMON
                              Download Yara Rule
                              APIs
                                • Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E305
                              • Process32FirstW.KERNEL32(00000000,?), ref: 0040E329
                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E338
                              • CloseHandle.KERNEL32(00000000), ref: 0040E4EF
                                • Part of subcall function 00419F51: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040DFB9,00000000,?,?,00000001), ref: 00419F66
                                • Part of subcall function 00419F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00419F9C
                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E4E0
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: ProcessProcess32$NextOpen$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                              • String ID:
                              • API String ID: 1735047541-0
                              • Opcode ID: 6f438c647af3f64ff81423d8645069480e61c42badef12e757d9f04d87e397aa
                              • Instruction ID: 9ef93eb2fb75da2762b4731e21c5b8dc01158be40bd3d18dbb98703d8f1b3e60
                              • Opcode Fuzzy Hash: 6f438c647af3f64ff81423d8645069480e61c42badef12e757d9f04d87e397aa
                              • Instruction Fuzzy Hash: 904101311082415BC365F761D991EEFB3A8AFD4344F50493EF48A921E2EF38994AC75A
                              Function 00443700 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 464COMMONLIBRARYCODE
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: A%E$A%E
                              • API String ID: 0-137320553
                              • Opcode ID: 4196e068c390569144ba97144776be62b0eb254e97c7fe9274842686a6009a67
                              • Instruction ID: 1c47d48333aa2aee23a91f6ecd96940ee01f0d1a5fc0d697d822b355cdd05c70
                              • Opcode Fuzzy Hash: 4196e068c390569144ba97144776be62b0eb254e97c7fe9274842686a6009a67
                              • Instruction Fuzzy Hash: C4022E71E002199BEF14CFA9C8806AEF7F1EF88715F25816AE819E7341D735AE45CB84
                              Function 0041A76C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 83COMMON
                              Download Yara Rule
                              APIs
                              • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041A861
                                • Part of subcall function 0041215F: RegCreateKeyA.ADVAPI32(80000001,00000000,00000000), ref: 0041216E
                                • Part of subcall function 0041215F: RegSetValueExA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,00412385,?,00000000), ref: 00412196
                                • Part of subcall function 0041215F: RegCloseKey.ADVAPI32(00000000,?,?,?,00412385,?,00000000), ref: 004121A1
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseCreateInfoParametersSystemValue
                              • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                              • API String ID: 4127273184-3576401099
                              • Opcode ID: 5150ba5cc6bca268b63238cec6e219cc56e1651da33e9e1a7eed9394c1e9f3e3
                              • Instruction ID: 146807b905f8226e4159dba151db05d0611ea4827dca33b530162433be1e3f9d
                              • Opcode Fuzzy Hash: 5150ba5cc6bca268b63238cec6e219cc56e1651da33e9e1a7eed9394c1e9f3e3
                              • Instruction Fuzzy Hash: 7C119671F8024037D514353A4D6BBAE18199343B50F54016BB6022B6CAF8EE4EA553DF
                              Function 0044EEB8 Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                                • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                              • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00441F85,?,?,?,?,004419DC,?,00000004), ref: 0044EF9A
                              • _wcschr.LIBVCRUNTIME ref: 0044F02A
                              • _wcschr.LIBVCRUNTIME ref: 0044F038
                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00441F85,00000000,004420A5), ref: 0044F0DB
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                              • String ID:
                              • API String ID: 4212172061-0
                              • Opcode ID: 2958d0d59106b2716bbf9024854ff4f325b6253e079e5f73fc6a0a954244a96d
                              • Instruction ID: 651119c321e801f17dd1a7ba429a2dceeb4aa1bed9d5f8a21b6634afb1069130
                              • Opcode Fuzzy Hash: 2958d0d59106b2716bbf9024854ff4f325b6253e079e5f73fc6a0a954244a96d
                              • Instruction Fuzzy Hash: 8E61E935600606AAFB24AB36DC46BB773A8FF44714F14047FF905D7282EB78E9488769
                              Function 004063C6 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 222filenetworkCOMMON
                              Download Yara Rule
                              APIs
                              • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004064D2
                              • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004065B6
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: DownloadExecuteFileShell
                              • String ID: open
                              • API String ID: 2825088817-2758837156
                              • Opcode ID: 400a122d183a9112cc7a0cd06a1688c26b37542af8c87b61aae9a43f761ae058
                              • Instruction ID: de45ecf938be0b84f02b1b366aeabb591a3e89dbb22835c7232af05a142efef6
                              • Opcode Fuzzy Hash: 400a122d183a9112cc7a0cd06a1688c26b37542af8c87b61aae9a43f761ae058
                              • Instruction Fuzzy Hash: 6F61D331A0430167CA14FB75D8A697E77A99F81708F00093FFD42772D6EE3D8A09869B
                              Function 0044F2A3 Relevance: 4.7, APIs: 3, Instructions: 205COMMON
                              Download Yara Rule
                              APIs
                                • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                • Part of subcall function 00445725: _free.LIBCMT ref: 00445784
                                • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F2F7
                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F348
                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F408
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorInfoLastLocale$_free$_abort
                              • String ID:
                              • API String ID: 2829624132-0
                              • Opcode ID: 5d155598132bf3b03d9715496123f76655355fd2299683488a64446915391091
                              • Instruction ID: 12c224c4da0c85949021a4ccaa6d586ab513ef91610cb16151a2099a543b2454
                              • Opcode Fuzzy Hash: 5d155598132bf3b03d9715496123f76655355fd2299683488a64446915391091
                              • Instruction Fuzzy Hash: 49617D71600207ABEB289F25CC82B7B77A8EF14314F1041BBED06C6685EB78D949DB58
                              Function 004398AC Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • IsDebuggerPresent.KERNEL32 ref: 004399A4
                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004399AE
                              • UnhandledExceptionFilter.KERNEL32(?), ref: 004399BB
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExceptionFilterUnhandled$DebuggerPresent
                              • String ID:
                              • API String ID: 3906539128-0
                              • Opcode ID: a2edd11b745fd0db19ae8b75a4dca2fd63e5a3b0d4ecfa6da1b026d4ab375051
                              • Instruction ID: 77e6618fa9d19f9c50586940e2a7469f5a9d54f298177c93e0bbf68cc30459b4
                              • Opcode Fuzzy Hash: a2edd11b745fd0db19ae8b75a4dca2fd63e5a3b0d4ecfa6da1b026d4ab375051
                              • Instruction Fuzzy Hash: 1D31D67591122C9BCB21DF65D9897CDB7B8BF08310F5051EAE40CA72A1E7749F858F48
                              Function 004315EC Relevance: 4.5, APIs: 3, Instructions: 30encryptionCOMMON
                              Download Yara Rule
                              APIs
                              • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00431274,00000034,?,?,00000000), ref: 004315FE
                              • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00431307,00000000,?,00000000), ref: 00431614
                              • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,00431307,00000000,?,00000000,0041C006), ref: 00431626
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: Crypt$Context$AcquireRandomRelease
                              • String ID:
                              • API String ID: 1815803762-0
                              • Opcode ID: 490f37dff30391dd88b2b348f1e17f82ee14bc365aa64bdd7ac48a14519942bc
                              • Instruction ID: e2f248fbd61bea3c509e9dcbc4a9d000159a3c4e1760f154dd59208f6820a057
                              • Opcode Fuzzy Hash: 490f37dff30391dd88b2b348f1e17f82ee14bc365aa64bdd7ac48a14519942bc
                              • Instruction Fuzzy Hash: FDE0923130C310BBEB304F51AC09F172A55EB8DB72FA5063AF112E50F4D6518801855C
                              Function 0040A65A Relevance: 4.5, APIs: 3, Instructions: 19clipboardCOMMON
                              Download Yara Rule
                              APIs
                              • OpenClipboard.USER32(00000000), ref: 0040A65D
                              • GetClipboardData.USER32(0000000D), ref: 0040A669
                              • CloseClipboard.USER32 ref: 0040A671
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: Clipboard$CloseDataOpen
                              • String ID:
                              • API String ID: 2058664381-0
                              • Opcode ID: edb8c36ac275bb67b795d66d8e1b797ea5e31e94c4ba3ac6c333071066a6c16d
                              • Instruction ID: 184f8b84181a4a50bd43ef3289a1c1a9f5b779335cc527adffbe090e77bee848
                              • Opcode Fuzzy Hash: edb8c36ac275bb67b795d66d8e1b797ea5e31e94c4ba3ac6c333071066a6c16d
                              • Instruction Fuzzy Hash: 6CE08C3064432097D2206F60EC08B8A66649B50B12F064A7AB849AB2D1DA75DC208AAE
                              Function 004329DA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 134COMMON
                              Download Yara Rule
                              APIs
                              • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 004329F3
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: FeaturePresentProcessor
                              • String ID:
                              • API String ID: 2325560087-3916222277
                              • Opcode ID: 6bf946e24e0cf3f7143bf6f7c2898541fb51292b7eeb3b4358a3a41aa26ebfb9
                              • Instruction ID: 4a1c44cf8a386737ece403ae0cfd22a47b20ce31fd9c2d8f3958115f99bf9d9d
                              • Opcode Fuzzy Hash: 6bf946e24e0cf3f7143bf6f7c2898541fb51292b7eeb3b4358a3a41aa26ebfb9
                              • Instruction Fuzzy Hash: E4514A719002099BDB24CFAAD98579ABBF4FF48314F14846BD815EB350E3B9A910CFA5
                              Function 0044BA59 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: .
                              • API String ID: 0-248832578
                              • Opcode ID: 2bd3453bf6b0042b978c63341e7d52c868cd539d71c5d82670adc25c3f96db7e
                              • Instruction ID: 24926096c943187a016d953fe808ce2acf1242cb654f72e39a34338bfc4b4f1c
                              • Opcode Fuzzy Hash: 2bd3453bf6b0042b978c63341e7d52c868cd539d71c5d82670adc25c3f96db7e
                              • Instruction Fuzzy Hash: 0E3108719002486FEB248E79CC84EEB7BBDDB45304F14419EF858D7251EB34EE418B94
                              Function 00445E1C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004419DC,?,00000004), ref: 00445E6F
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: InfoLocale
                              • String ID: GetLocaleInfoEx
                              • API String ID: 2299586839-2904428671
                              • Opcode ID: 020099d0525865bb6834e28ad9152f433c6e4676045ed3ecc95ad7b7c68cac6a
                              • Instruction ID: a9bb3d2992a9d1fe8e60343c55b6d981a628f421e7cf107d295b861f9edee2c3
                              • Opcode Fuzzy Hash: 020099d0525865bb6834e28ad9152f433c6e4676045ed3ecc95ad7b7c68cac6a
                              • Instruction Fuzzy Hash: 6DF0F631600708BBDF016F619C05F6E7B51EB14721F10401BFC051A253CA758D109A9D
                              Function 004068CD Relevance: 3.1, APIs: 2, Instructions: 86fileCOMMON
                              Download Yara Rule
                              APIs
                              • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 004068E8
                              • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 004069B0
                                • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: FileFind$FirstNextsend
                              • String ID:
                              • API String ID: 4113138495-0
                              • Opcode ID: e3ef31e205124b2d37ce34f80ed01c56440b36d419931c260197812f3169fbb8
                              • Instruction ID: f886cb8170a1cbefaa312452e39d18d6cd017e90ab843946bfd6f4b2f28fefe7
                              • Opcode Fuzzy Hash: e3ef31e205124b2d37ce34f80ed01c56440b36d419931c260197812f3169fbb8
                              • Instruction Fuzzy Hash: 9C218F711043015BC314FBA1DC96CEFB7ACAF91358F400A3EF596621E1EF389A09CA5A
                              Function 0044F4F3 Relevance: 1.6, APIs: 1, Instructions: 83COMMON
                              Download Yara Rule
                              APIs
                                • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                • Part of subcall function 00445725: _free.LIBCMT ref: 00445784
                                • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F547
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$_free$InfoLocale_abort
                              • String ID:
                              • API String ID: 1663032902-0
                              • Opcode ID: ad0e0b7788e936bcfdd9e0a2c8ea1aecabb77b710f5984c66624a7eb150c0fcd
                              • Instruction ID: 815750de5804ab4a8f75770bcc990d44dba9c2967eca50803adc2dd3443e40da
                              • Opcode Fuzzy Hash: ad0e0b7788e936bcfdd9e0a2c8ea1aecabb77b710f5984c66624a7eb150c0fcd
                              • Instruction Fuzzy Hash: 6421B372901206BBEF249F26DC45A7A73A8EB04315F10017BFD01C6242EB78AD59CB59
                              Function 0044F17B Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                                • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                              • EnumSystemLocalesW.KERNEL32(0044F2A3,00000001,00000000,?,00441F7E,?,0044F8D0,00000000,?,?,?), ref: 0044F1ED
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$EnumLocalesSystem_abort_free
                              • String ID:
                              • API String ID: 1084509184-0
                              • Opcode ID: 1e67477eb4f1d9c825940ef83573ecb2aed64948dc5e5734fb002b4aa87f20f9
                              • Instruction ID: fc4c71b657a69648ba6c32e8c27400de65702582941300ca2eca7bc8fd592fd6
                              • Opcode Fuzzy Hash: 1e67477eb4f1d9c825940ef83573ecb2aed64948dc5e5734fb002b4aa87f20f9
                              • Instruction Fuzzy Hash: D811293B6007019FEB189F39D89167BBB91FF80358B14443DE94647B40D776A946C744
                              Function 0044F723 Relevance: 1.5, APIs: 1, Instructions: 46COMMON
                              Download Yara Rule
                              APIs
                                • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                              • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0044F4C1,00000000,00000000,?), ref: 0044F74F
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$InfoLocale_abort_free
                              • String ID:
                              • API String ID: 2692324296-0
                              • Opcode ID: c5ca8868f81a5dafb3fdb259ff2b8ec3965b2bfb8aabdce9695f87c3ae70661f
                              • Instruction ID: e4b95bc4a5e1061338a04706472302caa06a68982d3ebb8569a44a178f9f49d5
                              • Opcode Fuzzy Hash: c5ca8868f81a5dafb3fdb259ff2b8ec3965b2bfb8aabdce9695f87c3ae70661f
                              • Instruction Fuzzy Hash: 09F02D36600516BBFB245B65DC05BBB7768EF40764F05447AEC19A3240EA7CFD05C6D4
                              Function 0044F216 Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                                • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                              • EnumSystemLocalesW.KERNEL32(0044F4F3,00000001,?,?,00441F7E,?,0044F894,00441F7E,?,?,?,?,?,00441F7E,?,?), ref: 0044F262
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$EnumLocalesSystem_abort_free
                              • String ID:
                              • API String ID: 1084509184-0
                              • Opcode ID: d9e72da5ca64d0dbd4f9725887adba7bc59a573407832ad1990d17eaaac4c4d9
                              • Instruction ID: 7c38563944de2097393583401858843e6c2e12a799e64e453201a09b71e8bce8
                              • Opcode Fuzzy Hash: d9e72da5ca64d0dbd4f9725887adba7bc59a573407832ad1990d17eaaac4c4d9
                              • Instruction Fuzzy Hash: 44F0223A2007045FEB145F399881A7B7B94FF8036CB15447EF9458B690DAB6AC068614
                              Function 004195F8 Relevance: 1.5, APIs: 1, Instructions: 41COMMON
                              Download Yara Rule
                              APIs
                              • GetUserNameW.ADVAPI32(?,00000010), ref: 0041962D
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: NameUser
                              • String ID:
                              • API String ID: 2645101109-0
                              • Opcode ID: 8951ed9e5e96f4eef37346a31dc1e1cfc055faec67558bb1b1f4eabc83ab8062
                              • Instruction ID: 5ca8c18713c22ae7facf93a828c8627c995cdb1c7496207664ac88b3b4335c79
                              • Opcode Fuzzy Hash: 8951ed9e5e96f4eef37346a31dc1e1cfc055faec67558bb1b1f4eabc83ab8062
                              • Instruction Fuzzy Hash: 7C01FF7290011CABCB04EBD5DC45EDEB7BCEF44319F10016AB505B61A5EEB46A89CB98
                              Function 00445914 Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                                • Part of subcall function 00442D9A: EnterCriticalSection.KERNEL32(?,?,004404DB,00000000,0046B4D8,0000000C,00440496,?,?,?,00443038,?,?,004457DA,00000001,00000364), ref: 00442DA9
                              • EnumSystemLocalesW.KERNEL32(004458CE,00000001,0046B680,0000000C), ref: 0044594C
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: CriticalEnterEnumLocalesSectionSystem
                              • String ID:
                              • API String ID: 1272433827-0
                              • Opcode ID: 9f071f7aa8f2d5cfdb4dd86670e259d2fa7dae68b4529c3cbc217272811744e5
                              • Instruction ID: 57fcd2d1ba6fdacad71b84952267562ddc6b8062f8818d57533dd41bf3368d71
                              • Opcode Fuzzy Hash: 9f071f7aa8f2d5cfdb4dd86670e259d2fa7dae68b4529c3cbc217272811744e5
                              • Instruction Fuzzy Hash: CFF03C72A10700EFEB00EF69D846B5D77F0EB08325F10402AF400DB2A2DAB989448B5E
                              Function 0044F130 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                                • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                              • EnumSystemLocalesW.KERNEL32(0044F087,00000001,?,?,?,0044F8F2,00441F7E,?,?,?,?,?,00441F7E,?,?,?), ref: 0044F167
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$EnumLocalesSystem_abort_free
                              • String ID:
                              • API String ID: 1084509184-0
                              • Opcode ID: 27fc750af04bae75093f47f6c8e3f33632e5f31a47d704513601fd173c54c35f
                              • Instruction ID: 407cbbfb1d6a14fdc0c4ba4a8479f65f1c0a46e2fba7f2f7bc53bc9e3406d240
                              • Opcode Fuzzy Hash: 27fc750af04bae75093f47f6c8e3f33632e5f31a47d704513601fd173c54c35f
                              • Instruction Fuzzy Hash: 22F05C3930020597DB049F35D845A7ABFA0EFC1754F060069EA058B651C6359C46C754
                              Function 0040E2BB Relevance: 1.5, APIs: 1, Instructions: 20COMMON
                              Download Yara Rule
                              APIs
                              • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00413F34,00471E78,00472910,00471E78,00000000,00471E78,00000000,00471E78,3.8.0 Pro), ref: 0040E2CF
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: InfoLocale
                              • String ID:
                              • API String ID: 2299586839-0
                              • Opcode ID: 856777f14b9a4662401ba442cf494b6ebb80c668ca2d98772b8c18b49fbcc60a
                              • Instruction ID: e43a985d938ffd5d313bbeec62feab64fa47c80c67ee5e1720aa7bcbe65aeca7
                              • Opcode Fuzzy Hash: 856777f14b9a4662401ba442cf494b6ebb80c668ca2d98772b8c18b49fbcc60a
                              • Instruction Fuzzy Hash: 65D05E30B4421C7BEA10D6859C0AEAA7B9CD701B62F0001A6BA08D72D0E9E1AE0487E6
                              Function 004328FC Relevance: 1.5, APIs: 1, Instructions: 3COMMON
                              Download Yara Rule
                              APIs
                              • SetUnhandledExceptionFilter.KERNEL32(Function_00032908,0043262F), ref: 00432901
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExceptionFilterUnhandled
                              • String ID:
                              • API String ID: 3192549508-0
                              • Opcode ID: 937b0859e2ecbaa4ed0ef4ac8f36e04938c9481000da7c0a06be09f57d080333
                              • Instruction ID: aee9a4537fe14d989eba5338f3e0e07ed20d0bd3150f914eab3e23255f36ef43
                              • Opcode Fuzzy Hash: 937b0859e2ecbaa4ed0ef4ac8f36e04938c9481000da7c0a06be09f57d080333
                              • Instruction Fuzzy Hash:
                              Function 00416E7E Relevance: 47.6, APIs: 26, Strings: 1, Instructions: 307windowmemoryCOMMON
                              Download Yara Rule
                              APIs
                              • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00416E98
                              • CreateCompatibleDC.GDI32(00000000), ref: 00416EA5
                                • Part of subcall function 004172DF: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 0041730F
                              • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00416F1B
                              • DeleteDC.GDI32(00000000), ref: 00416F32
                              • DeleteDC.GDI32(00000000), ref: 00416F35
                              • DeleteObject.GDI32(00000000), ref: 00416F38
                              • SelectObject.GDI32(00000000,00000000), ref: 00416F59
                              • DeleteDC.GDI32(00000000), ref: 00416F6A
                              • DeleteDC.GDI32(00000000), ref: 00416F6D
                              • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00416F91
                              • GetIconInfo.USER32(?,?), ref: 00416FC5
                              • DeleteObject.GDI32(?), ref: 00416FF4
                              • DeleteObject.GDI32(?), ref: 00417001
                              • DrawIcon.USER32(00000000,?,?,?), ref: 0041700E
                              • GetObjectA.GDI32(00000000,00000018,?), ref: 00417026
                              • LocalAlloc.KERNEL32(00000040,00000001), ref: 00417095
                              • GlobalAlloc.KERNEL32(00000000,?), ref: 00417104
                              • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00417128
                              • DeleteDC.GDI32(?), ref: 0041713C
                              • DeleteDC.GDI32(00000000), ref: 0041713F
                              • DeleteObject.GDI32(00000000), ref: 00417142
                              • GlobalFree.KERNEL32(?), ref: 0041714D
                              • DeleteObject.GDI32(00000000), ref: 00417201
                              • GlobalFree.KERNEL32(?), ref: 00417208
                              • DeleteDC.GDI32(?), ref: 00417218
                              • DeleteDC.GDI32(00000000), ref: 00417223
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                              • String ID: DISPLAY
                              • API String ID: 479521175-865373369
                              • Opcode ID: 1a3d4f3de887f4170ad339b02c00c27acc1d1d199adb59c50c414d62b5943ebe
                              • Instruction ID: 4ba325f74191387ade15767708145f982ef5b1c7ca4df498548f130554e7309d
                              • Opcode Fuzzy Hash: 1a3d4f3de887f4170ad339b02c00c27acc1d1d199adb59c50c414d62b5943ebe
                              • Instruction Fuzzy Hash: 6FB16A315083009FD720DF24DC44BABBBE9EF88755F41482EF98993291DB38E945CB5A
                              Function 0041642D Relevance: 47.5, APIs: 22, Strings: 5, Instructions: 289libraryloaderthreadCOMMON
                              Download Yara Rule
                              APIs
                              • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00416474
                              • GetProcAddress.KERNEL32(00000000), ref: 00416477
                              • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00416488
                              • GetProcAddress.KERNEL32(00000000), ref: 0041648B
                              • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041649C
                              • GetProcAddress.KERNEL32(00000000), ref: 0041649F
                              • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004164B0
                              • GetProcAddress.KERNEL32(00000000), ref: 004164B3
                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00416555
                              • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041656D
                              • GetThreadContext.KERNEL32(?,00000000), ref: 00416583
                              • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004165A9
                              • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041662B
                              • TerminateProcess.KERNEL32(?,00000000), ref: 0041663F
                              • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041667F
                              • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00416749
                              • SetThreadContext.KERNEL32(?,00000000), ref: 00416766
                              • ResumeThread.KERNEL32(?), ref: 00416773
                              • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041678A
                              • GetCurrentProcess.KERNEL32(?), ref: 00416795
                              • TerminateProcess.KERNEL32(?,00000000), ref: 004167B0
                              • GetLastError.KERNEL32 ref: 004167B8
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                              • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                              • API String ID: 4188446516-3035715614
                              • Opcode ID: 5b7e1e0f0ab70bb274c8e1cba5061de31cdd1b1bc4dd29beedf5b9f83fbb8038
                              • Instruction ID: 94204e0ceb90eb3d518cc699b6b418d02f123724867831e7a48fec904b930286
                              • Opcode Fuzzy Hash: 5b7e1e0f0ab70bb274c8e1cba5061de31cdd1b1bc4dd29beedf5b9f83fbb8038
                              • Instruction Fuzzy Hash: 9CA18E71604300AFDB109F64DC85F6B7BE8FB48749F00092AF695D62A1E7B8EC44CB5A
                              Function 0040BFDE Relevance: 42.3, APIs: 6, Strings: 18, Instructions: 281registryCOMMON
                              Download Yara Rule
                              APIs
                                • Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
                                • Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C0D6
                              • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C0E9
                              • SetFileAttributesW.KERNEL32(?,00000080), ref: 0040C102
                              • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040C132
                                • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(00409305,00000000,004721E8,0040BC76,?,00472200,pth_unenc,004721E8), ref: 0040A801
                                • Part of subcall function 0040A7F2: UnhookWindowsHookEx.USER32(?), ref: 0040A811
                                • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(004092EF,00000000,?,00472200,pth_unenc,004721E8), ref: 0040A823
                                • Part of subcall function 0041A17B: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA
                              • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040C37D
                              • ExitProcess.KERNEL32 ref: 0040C389
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                              • String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$H"G$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$t<F$wend$while fso.FileExists("
                              • API String ID: 1861856835-1953526029
                              • Opcode ID: 10d0c7ff4f1d806eef4ddcd080fba36a068473baf966d624ed17e78b73616814
                              • Instruction ID: 20f5f97700cb48a3d0b4a42ff25d793d854bdbfc6fb2dd54058f707cc559a17d
                              • Opcode Fuzzy Hash: 10d0c7ff4f1d806eef4ddcd080fba36a068473baf966d624ed17e78b73616814
                              • Instruction Fuzzy Hash: 579180712042405AC314FB62D8929EF77E99F90708F50453FB586B31E3EE789E49C69E
                              Function 00410EDA Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 190synchronizationsleepfileCOMMON
                              Download Yara Rule
                              APIs
                              • CreateMutexA.KERNEL32(00000000,00000001,00000000,00472200,00471FFC,00000000), ref: 00410EF9
                              • ExitProcess.KERNEL32(00000000), ref: 00410F05
                              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00410F7F
                              • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00410F8E
                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00410F99
                              • CloseHandle.KERNEL32(00000000), ref: 00410FA0
                              • GetCurrentProcessId.KERNEL32 ref: 00410FA6
                              • PathFileExistsW.SHLWAPI(?), ref: 00410FD7
                              • GetTempPathW.KERNEL32(00000104,?), ref: 0041103A
                              • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 00411054
                              • lstrcatW.KERNEL32(?,.exe), ref: 00411066
                                • Part of subcall function 0041A17B: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA
                              • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 004110A6
                              • Sleep.KERNEL32(000001F4), ref: 004110E7
                              • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004110FC
                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00411107
                              • CloseHandle.KERNEL32(00000000), ref: 0041110E
                              • GetCurrentProcessId.KERNEL32 ref: 00411114
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                              • String ID: (#G$.exe$H"G$WDH$exepath$open$temp_
                              • API String ID: 2649220323-71629269
                              • Opcode ID: 2d259c07ed95d09e60fa5efe04e2d1ca5b77bcbd3679d1c800de5877fac34894
                              • Instruction ID: 69aa2ac3f34532c799e46254488c9bc95b38e37df126af38d98eea17990f3aaa
                              • Opcode Fuzzy Hash: 2d259c07ed95d09e60fa5efe04e2d1ca5b77bcbd3679d1c800de5877fac34894
                              • Instruction Fuzzy Hash: 9D51A671A003196BDF10A7A09C59EEE336D9B04715F5041BBF605A31E2EFBC8E86875D
                              Function 0040B871 Relevance: 38.8, APIs: 10, Strings: 12, Instructions: 296fileCOMMON
                              Download Yara Rule
                              APIs
                              • _wcslen.LIBCMT ref: 0040B882
                              • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00471FFC), ref: 0040B89B
                              • CopyFileW.KERNEL32(0046FB08,00000000,00000000,00000000,00000000,00000000,?,00471FFC), ref: 0040B952
                              • _wcslen.LIBCMT ref: 0040B968
                              • CopyFileW.KERNEL32(0046FB08,00000000,00000000,00000000), ref: 0040B9E0
                              • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BA22
                              • _wcslen.LIBCMT ref: 0040BA25
                              • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BA3C
                              • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040BC2A
                              • ExitProcess.KERNEL32 ref: 0040BC36
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$_wcslen$AttributesCopy$CreateDirectoryExecuteExitProcessShell
                              • String ID: """, 0$6$CreateObject("WScript.Shell").Run "cmd /c ""$Set fso = CreateObject("Scripting.FileSystemObject")$Temp$WScript.Sleep 1000$\install.vbs$fso.DeleteFile $fso.DeleteFile(Wscript.ScriptFullName)$open$!G$!G
                              • API String ID: 2743683619-2376316431
                              • Opcode ID: 2d8f1c55d0f0c7d88b14490434e7e409f023ec492faccedf176980d1ad0b2fd8
                              • Instruction ID: 1f37921bc36cc04280d9be7a1af933bc03f5727a4608831148a2c1203a4a5f71
                              • Opcode Fuzzy Hash: 2d8f1c55d0f0c7d88b14490434e7e409f023ec492faccedf176980d1ad0b2fd8
                              • Instruction Fuzzy Hash: CA9161712083415BC218F766DC92EAF77D8AF90708F50043FF546A61E2EE7C9A49C69E
                              Function 0040BC59 Relevance: 38.8, APIs: 6, Strings: 16, Instructions: 259registryCOMMON
                              Download Yara Rule
                              APIs
                                • Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
                                • Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BD63
                              • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040BD76
                              • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BDA6
                              • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BDB5
                                • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(00409305,00000000,004721E8,0040BC76,?,00472200,pth_unenc,004721E8), ref: 0040A801
                                • Part of subcall function 0040A7F2: UnhookWindowsHookEx.USER32(?), ref: 0040A811
                                • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(004092EF,00000000,?,00472200,pth_unenc,004721E8), ref: 0040A823
                                • Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980
                              • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040BFD0
                              • ExitProcess.KERNEL32 ref: 0040BFD7
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                              • String ID: ")$.vbs$H"G$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                              • API String ID: 3797177996-2974882535
                              • Opcode ID: 631efead2f1a7aa74ba651dc5d5e4e8b052369c469df6eda5620e8cdf42f0076
                              • Instruction ID: 6c8f8b33712d81dc7036d24bc004af62d002185c7e194acf753e7914dc64dab3
                              • Opcode Fuzzy Hash: 631efead2f1a7aa74ba651dc5d5e4e8b052369c469df6eda5620e8cdf42f0076
                              • Instruction Fuzzy Hash: DD816E716042405AC714FB62D8929EF77A8AF90708F10443FF586A71E2EF789E49C69E
                              Function 00418FFD Relevance: 38.7, APIs: 12, Strings: 10, Instructions: 180synchronizationCOMMON
                              Download Yara Rule
                              APIs
                              • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 004190F2
                              • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 00419106
                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00463050), ref: 0041912E
                              • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00471E78,00000000), ref: 00419144
                              • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 00419185
                              • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041919D
                              • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 004191B2
                              • SetEvent.KERNEL32 ref: 004191CF
                              • WaitForSingleObject.KERNEL32(000001F4), ref: 004191E0
                              • CloseHandle.KERNEL32 ref: 004191F0
                              • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 00419212
                              • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041921C
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                              • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                              • API String ID: 738084811-1354618412
                              • Opcode ID: 86fd4772b83d80fa8e497525ba6a2bc9e4fac7079830c2c2d6cb57e0af13d410
                              • Instruction ID: 6660e32d934ed13bda46fa62e77153e47455c80990ba371f4f5bcee5a70a39dd
                              • Opcode Fuzzy Hash: 86fd4772b83d80fa8e497525ba6a2bc9e4fac7079830c2c2d6cb57e0af13d410
                              • Instruction Fuzzy Hash: 6C5191712043056BD604FB75DC96EBF369CDB81398F10053FF44A621E2EE789D898A6E
                              Function 00401A4D Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 156fileCOMMON
                              Download Yara Rule
                              APIs
                              • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9
                              • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401AE3
                              • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401AF3
                              • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B03
                              • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B13
                              • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B23
                              • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B34
                              • WriteFile.KERNEL32(00000000,0046FA9A,00000002,00000000,00000000), ref: 00401B45
                              • WriteFile.KERNEL32(00000000,0046FA9C,00000004,00000000,00000000), ref: 00401B55
                              • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B65
                              • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B76
                              • WriteFile.KERNEL32(00000000,0046FAA6,00000002,00000000,00000000), ref: 00401B87
                              • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401B97
                              • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BA7
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$Write$Create
                              • String ID: RIFF$WAVE$data$fmt
                              • API String ID: 1602526932-4212202414
                              • Opcode ID: e953cdad80a2b5f15463d19f06cbbe214ca4708b9acf4e214683fef01c63ba87
                              • Instruction ID: fa9573d22dfebaa7cc70b9682dc8642ba3498ee27ac2ec60dc87a96e6c13d219
                              • Opcode Fuzzy Hash: e953cdad80a2b5f15463d19f06cbbe214ca4708b9acf4e214683fef01c63ba87
                              • Instruction Fuzzy Hash: 46416F726543197AE210DB91DD85FBB7EECEB85B50F40042AF648D6080E7A4E909DBB3
                              Function 004137DC Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 109libraryloaderCOMMON
                              Download Yara Rule
                              APIs
                              • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0041382B
                              • LoadLibraryA.KERNEL32(?), ref: 0041386D
                              • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0041388D
                              • FreeLibrary.KERNEL32(00000000), ref: 00413894
                              • LoadLibraryA.KERNEL32(?), ref: 004138CC
                              • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 004138DE
                              • FreeLibrary.KERNEL32(00000000), ref: 004138E5
                              • GetProcAddress.KERNEL32(00000000,?), ref: 004138F4
                              • FreeLibrary.KERNEL32(00000000), ref: 0041390B
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: Library$AddressFreeProc$Load$DirectorySystem
                              • String ID: \ws2_32$\wship6$`3A$freeaddrinfo$getaddrinfo$getnameinfo
                              • API String ID: 2490988753-3443138237
                              • Opcode ID: 21b812c9e8c8c8e619d1227956d82128857f9ec353fd6b4c7c84cf26c4fc7a8e
                              • Instruction ID: d28fd91e0c22c3548fe93de424e57890752fc739e59a71d3c7449bb4191d4936
                              • Opcode Fuzzy Hash: 21b812c9e8c8c8e619d1227956d82128857f9ec353fd6b4c7c84cf26c4fc7a8e
                              • Instruction Fuzzy Hash: 8831C0B2502315ABC720AF25DC489CBBBEC9F48755F41062AF84593251E7B8CE8486AE
                              Function 0044C60D Relevance: 25.9, APIs: 17, Instructions: 419COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: _free$EnvironmentVariable$_wcschr
                              • String ID:
                              • API String ID: 3899193279-0
                              • Opcode ID: 684045cb82c272c6e2ac36361ff8b964f23035e186c2d5dbd227a350b29f8928
                              • Instruction ID: f90cfe9d57a3c7213274ca364bab7ea13f4483d5bd7e80e8c07ab134bc70d503
                              • Opcode Fuzzy Hash: 684045cb82c272c6e2ac36361ff8b964f23035e186c2d5dbd227a350b29f8928
                              • Instruction Fuzzy Hash: 80D136719023007BFB60AF7598C166B7BA4AF15718F09817FF985A7381FB3989008B5D
                              Function 0044E4A6 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • ___free_lconv_mon.LIBCMT ref: 0044E4EA
                                • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D6FF
                                • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D711
                                • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D723
                                • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D735
                                • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D747
                                • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D759
                                • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D76B
                                • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D77D
                                • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D78F
                                • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7A1
                                • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7B3
                                • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7C5
                                • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7D7
                              • _free.LIBCMT ref: 0044E4DF
                                • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                              • _free.LIBCMT ref: 0044E501
                              • _free.LIBCMT ref: 0044E516
                              • _free.LIBCMT ref: 0044E521
                              • _free.LIBCMT ref: 0044E543
                              • _free.LIBCMT ref: 0044E556
                              • _free.LIBCMT ref: 0044E564
                              • _free.LIBCMT ref: 0044E56F
                              • _free.LIBCMT ref: 0044E5A7
                              • _free.LIBCMT ref: 0044E5AE
                              • _free.LIBCMT ref: 0044E5CB
                              • _free.LIBCMT ref: 0044E5E3
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                              • String ID: pF
                              • API String ID: 161543041-2973420481
                              • Opcode ID: b166b7e86ef1a7ddfa2e36ec319a6e916c21ca5d81851e2e5517d42b5c42f7b7
                              • Instruction ID: 6e8371ae3b83bc2427c047bff221b97f6cd80994471b0a2caeb41cff5b169df7
                              • Opcode Fuzzy Hash: b166b7e86ef1a7ddfa2e36ec319a6e916c21ca5d81851e2e5517d42b5c42f7b7
                              • Instruction Fuzzy Hash: D4315072500304AFFB205E7AD945B5BB3E5BF00719F55851FE488D6251EE39ED408B18
                              Function 00411899 Relevance: 23.2, APIs: 9, Strings: 4, Instructions: 417sleepfileCOMMON
                              Download Yara Rule
                              APIs
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 004118B2
                                • Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980
                                • Part of subcall function 004168A6: CloseHandle.KERNEL32(004040D5,?,?,004040D5,00462E24), ref: 004168BC
                                • Part of subcall function 004168A6: CloseHandle.KERNEL32($.F,?,?,004040D5,00462E24), ref: 004168C5
                              • Sleep.KERNEL32(0000000A,00462E24), ref: 00411A01
                              • Sleep.KERNEL32(0000000A,00462E24,00462E24), ref: 00411AA3
                              • Sleep.KERNEL32(0000000A,00462E24,00462E24,00462E24), ref: 00411B42
                              • DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411B9F
                              • DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411BCF
                              • DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411C05
                              • Sleep.KERNEL32(000001F4,00462E24,00462E24,00462E24), ref: 00411C25
                              • Sleep.KERNEL32(00000064), ref: 00411C63
                                • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                              • String ID: /stext "$$.F$@#G$@#G
                              • API String ID: 1223786279-2596709126
                              • Opcode ID: bd53cf9864bd20e9c524ce1cfd37af81de888470282f81bcb092bebe0936cb7c
                              • Instruction ID: f36e1428a9e5a2dc2e21cca38a330b771dfaab2ce7ac60874593ee94e899fa44
                              • Opcode Fuzzy Hash: bd53cf9864bd20e9c524ce1cfd37af81de888470282f81bcb092bebe0936cb7c
                              • Instruction Fuzzy Hash: 1CF154311083415AD328FB65D896AEFB3D5AFD0348F40093FF586521E2EF789A4DC69A
                              Function 0044D7E0 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 376COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: _free
                              • String ID: pF
                              • API String ID: 269201875-2973420481
                              • Opcode ID: e28a4125cd182155f8106b0edc14aa680027b5eb54e98ed2c6064bdca11899c6
                              • Instruction ID: 42ad863364e9847d0c0ab7d3fc56807329b255bf3c924c15ca724e031f0c4a7b
                              • Opcode Fuzzy Hash: e28a4125cd182155f8106b0edc14aa680027b5eb54e98ed2c6064bdca11899c6
                              • Instruction Fuzzy Hash: 4CC17576D40204ABEB20DFA9CC82FEE77F8AF09B05F154156FE04FB282D674A9458754
                              Function 0040DE34 Relevance: 23.0, APIs: 7, Strings: 6, Instructions: 223processsynchronizationCOMMON
                              Download Yara Rule
                              APIs
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00472248,00471FFC,?,00000001), ref: 0040DE4E
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000001), ref: 0040DE79
                              • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040DE95
                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040DF14
                              • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000001), ref: 0040DF23
                                • Part of subcall function 00419F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00419F9C
                              • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001), ref: 0040E047
                              • CloseHandle.KERNEL32(00000000,C:\Program Files(x86)\Internet Explorer\,?,00000001), ref: 0040E133
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseCreateHandleProcess32$FileFirstModuleMutexNameNextOpenProcessSnapshotToolhelp32
                              • String ID: 0"G$C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$!G
                              • API String ID: 193334293-3226144251
                              • Opcode ID: cf6d12ac23d3bea58c4b9e5c443ef1de1d55369046223e9cec53eb66751e9ba7
                              • Instruction ID: 8a3cf51a80cb2752f7e3b1027b115d9c77e2b7a511041fa54b012784d9d6af0a
                              • Opcode Fuzzy Hash: cf6d12ac23d3bea58c4b9e5c443ef1de1d55369046223e9cec53eb66751e9ba7
                              • Instruction Fuzzy Hash: DB8121305083419BCA54FB61D8919EEB7E4AFA0348F40493FF586631E2EF78994DC75A
                              Function 0041A419 Relevance: 23.0, APIs: 6, Strings: 7, Instructions: 214registryCOMMON
                              Download Yara Rule
                              APIs
                              • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041A43B
                              • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041A47F
                              • RegCloseKey.ADVAPI32(?), ref: 0041A749
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseEnumOpen
                              • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                              • API String ID: 1332880857-3714951968
                              • Opcode ID: 202c19da245d775da939d21b29cef2875a47ec0cac4e3383d9ae15c6a26c9ad4
                              • Instruction ID: 699f57f5c891f1d806a7f6c627c3d9f808e7165cae3c76f1f7c8ebce292c0808
                              • Opcode Fuzzy Hash: 202c19da245d775da939d21b29cef2875a47ec0cac4e3383d9ae15c6a26c9ad4
                              • Instruction Fuzzy Hash: BC8152311183419BC328EB51D891EEFB7E8EF94348F10493FF586921E2EF749949CA5A
                              Function 0041B344 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 74windowCOMMON
                              Download Yara Rule
                              APIs
                              • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041B38F
                              • GetCursorPos.USER32(?), ref: 0041B39E
                              • SetForegroundWindow.USER32(?), ref: 0041B3A7
                              • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041B3C1
                              • Shell_NotifyIconA.SHELL32(00000002,00471AE0), ref: 0041B412
                              • ExitProcess.KERNEL32 ref: 0041B41A
                              • CreatePopupMenu.USER32 ref: 0041B420
                              • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041B435
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                              • String ID: Close
                              • API String ID: 1657328048-3535843008
                              • Opcode ID: a6176c0d6380f4aee2a94f66beec31abf772cd011930890969aeab0fce4376ca
                              • Instruction ID: 8a5f592793453ec618f968136b1e584160f7030753e38ead18fcaf25e3e96fa7
                              • Opcode Fuzzy Hash: a6176c0d6380f4aee2a94f66beec31abf772cd011930890969aeab0fce4376ca
                              • Instruction Fuzzy Hash: EB211B31110209BFDF054FA4ED0DAAA3F75FB04302F458125F906D2176D7B5D9A0AB59
                              Function 00443268 Relevance: 22.8, APIs: 15, Instructions: 296COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: _free$Info
                              • String ID:
                              • API String ID: 2509303402-0
                              • Opcode ID: 543c517478803d648db1551973bdeb7e45e3e7bd29ee356e71c77ae2fe33fa89
                              • Instruction ID: c21780bae5ed168c96e0403295faec6c801d35bf5d84feaa2b3ea2b847582f92
                              • Opcode Fuzzy Hash: 543c517478803d648db1551973bdeb7e45e3e7bd29ee356e71c77ae2fe33fa89
                              • Instruction Fuzzy Hash: 70B1D171900305AFEB11DF69C881BEEBBF4BF08705F14456EF588A7342DB799A418B24
                              Function 00407BB6 Relevance: 19.6, APIs: 8, Strings: 3, Instructions: 328fileCOMMON
                              Download Yara Rule
                              APIs
                              • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407D1F
                              • GetFileSizeEx.KERNEL32(00000000,?), ref: 00407D57
                              • __aulldiv.LIBCMT ref: 00407D89
                                • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                              • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00407EAC
                              • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00407EC7
                              • CloseHandle.KERNEL32(00000000), ref: 00407FA0
                              • CloseHandle.KERNEL32(00000000,00000052), ref: 00407FEA
                              • CloseHandle.KERNEL32(00000000), ref: 00408038
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                              • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller:
                              • API String ID: 3086580692-2596673759
                              • Opcode ID: 3628a73cbb86b5736265ac293d311146e85fdcb2316ed178213f0337e0fbe7ae
                              • Instruction ID: 8e1224200a6c450cfdafa1dd663dcbd78fa1a86951e699dbe30fbedc525f5c9c
                              • Opcode Fuzzy Hash: 3628a73cbb86b5736265ac293d311146e85fdcb2316ed178213f0337e0fbe7ae
                              • Instruction Fuzzy Hash: 05B191316083409BC354FB65C891AAFB7E9AFD4314F40492FF489622D2EF789D458B8B
                              Function 0040C3B8 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 148COMMON
                              Download Yara Rule
                              APIs
                                • Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
                                • Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8
                                • Part of subcall function 004120E8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
                                • Part of subcall function 004120E8: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
                                • Part of subcall function 004120E8: RegCloseKey.ADVAPI32(00000000), ref: 00412128
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C412
                              • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040C571
                              • ExitProcess.KERNEL32 ref: 0040C57D
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                              • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$H"G$Temp$exepath$open
                              • API String ID: 1913171305-2600661426
                              • Opcode ID: c86d61277acc14c68f24433c0b654e0e29c296f6a8d4ad8667fc6f6870691cc8
                              • Instruction ID: b2ba4f5629099335deb4bd311fc34f74cd7c7cff7cc2b9b794c872af44b42b62
                              • Opcode Fuzzy Hash: c86d61277acc14c68f24433c0b654e0e29c296f6a8d4ad8667fc6f6870691cc8
                              • Instruction Fuzzy Hash: 214132319001185ACB14FBA2DC96DEE7778AF50708F50017FF506B71E2EE785E4ACA99
                              Function 004048A8 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 144networkCOMMON
                              Download Yara Rule
                              APIs
                              • connect.WS2_32(?,?,?), ref: 004048C0
                              • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 004049E0
                              • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 004049EE
                              • WSAGetLastError.WS2_32 ref: 00404A01
                                • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateEvent$ErrorLastLocalTimeconnect
                              • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                              • API String ID: 994465650-2151626615
                              • Opcode ID: b56ab407b7d85cc5e8983cef37c9724a1f5c45cc3ea0a996f87df1f4b9ef746f
                              • Instruction ID: f1749a2af40dec866484330b2464a30bcc7489b9f615ba144f2b3c776ade1d80
                              • Opcode Fuzzy Hash: b56ab407b7d85cc5e8983cef37c9724a1f5c45cc3ea0a996f87df1f4b9ef746f
                              • Instruction Fuzzy Hash: 37412AB5B406017BD608777A8E1B96E7625AB81304B50017FF901136D2EBBD9C2197DF
                              Function 00452DBB Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                                • Part of subcall function 00452A89: CreateFileW.KERNEL32(?,00000008,00000007,d.E,?,?,00000000,?,00452E64,00000000,0000000C), ref: 00452AA6
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 00452ECF
                              • __dosmaperr.LIBCMT ref: 00452ED6
                              • GetFileType.KERNEL32(00000000), ref: 00452EE2
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 00452EEC
                              • __dosmaperr.LIBCMT ref: 00452EF5
                              • CloseHandle.KERNEL32(00000000), ref: 00452F15
                              • CloseHandle.KERNEL32(00000000), ref: 0045305F
                              • GetLastError.KERNEL32 ref: 00453091
                              • __dosmaperr.LIBCMT ref: 00453098
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                              • String ID: H
                              • API String ID: 4237864984-2852464175
                              • Opcode ID: 474c31a6c8ccfba43807a2a750eddd9e1d52ca803bebdbe2fa86fef5e1c33935
                              • Instruction ID: def4621c7e831d5678052e1043e56ea9e2bfce8be848437acb5cac56d61a7e39
                              • Opcode Fuzzy Hash: 474c31a6c8ccfba43807a2a750eddd9e1d52ca803bebdbe2fa86fef5e1c33935
                              • Instruction Fuzzy Hash: CAA15832A101049FDF19EF68D8417AE7BB1AB0A325F14015FFC419B392DB798D1ACB5A
                              Function 00413606 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 158COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 65535$udp
                              • API String ID: 0-1267037602
                              • Opcode ID: 28a355c3c2c5299b67e9df14989e725b3f395b8ff7de4f3ce545a5dea485fe56
                              • Instruction ID: 74e44cdacc71272d4b4fe4479ff5a2c38cc960f39e0e81ce023821ae7ff597b0
                              • Opcode Fuzzy Hash: 28a355c3c2c5299b67e9df14989e725b3f395b8ff7de4f3ce545a5dea485fe56
                              • Instruction Fuzzy Hash: 3151F1F5209302ABD7209E15C809BBB77D4AB84B52F08842FF8A1973D0D76CDEC0965E
                              Function 00409C1F Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 156sleepCOMMON
                              Download Yara Rule
                              APIs
                              • __Init_thread_footer.LIBCMT ref: 00409C81
                              • Sleep.KERNEL32(000001F4), ref: 00409C8C
                              • GetForegroundWindow.USER32 ref: 00409C92
                              • GetWindowTextLengthW.USER32(00000000), ref: 00409C9B
                              • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 00409CCF
                              • Sleep.KERNEL32(000003E8), ref: 00409D9D
                                • Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                              • String ID: [${ User has been idle for $ minutes }$]
                              • API String ID: 911427763-3954389425
                              • Opcode ID: a44f1e588b244d76f3851291f59a3d8a0f12b55ab3dd92a15c41ef104020a1a6
                              • Instruction ID: 7a62ae1493acfbf190be1d0992f15f5c774c3bdccfea44e4f2dca48363f02a21
                              • Opcode Fuzzy Hash: a44f1e588b244d76f3851291f59a3d8a0f12b55ab3dd92a15c41ef104020a1a6
                              • Instruction Fuzzy Hash: 7C5193716043405BD304FB61D855A6EB795AF84308F50093FF486A62E3DF7CAE45C69A
                              Function 0040C5ED Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 139COMMON
                              Download Yara Rule
                              APIs
                              • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040C753
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: LongNamePath
                              • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                              • API String ID: 82841172-425784914
                              • Opcode ID: 611eacb1f2b12eabfa35ce51232d41e6553fe8371d81c53e9ab5b340c3cd037e
                              • Instruction ID: e0747f7f0ded3e76473395fd4b63a7f1dfd4675be44f898a7a0c8db3d1efc66a
                              • Opcode Fuzzy Hash: 611eacb1f2b12eabfa35ce51232d41e6553fe8371d81c53e9ab5b340c3cd037e
                              • Instruction Fuzzy Hash: EB4168315042419AC204FB62DC929EFB7E8AEA4759F10063FF541720E2EF799E49C99F
                              Function 004385DA Relevance: 16.6, APIs: 11, Instructions: 116COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00438632
                              • GetLastError.KERNEL32(?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043863F
                              • __dosmaperr.LIBCMT ref: 00438646
                              • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00438672
                              • GetLastError.KERNEL32(?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043867C
                              • __dosmaperr.LIBCMT ref: 00438683
                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D35,?), ref: 004386C6
                              • GetLastError.KERNEL32(?,?,?,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004386D0
                              • __dosmaperr.LIBCMT ref: 004386D7
                              • _free.LIBCMT ref: 004386E3
                              • _free.LIBCMT ref: 004386EA
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                              • String ID:
                              • API String ID: 2441525078-0
                              • Opcode ID: 754b37205d6cd88dea2e57a046153fac0b2c26eaf77bc51e198666fb1f449e95
                              • Instruction ID: 210192a7601cd99409c426d56dfac4e8df60f1af96207b6eb293af60208c7bc2
                              • Opcode Fuzzy Hash: 754b37205d6cd88dea2e57a046153fac0b2c26eaf77bc51e198666fb1f449e95
                              • Instruction Fuzzy Hash: 4E31B17280030ABBDF11AFA5DC469AF7B69AF08325F10425EF81056291DF39CD11DB69
                              Function 0044DC05 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 204COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: _free
                              • String ID: pF$tF
                              • API String ID: 269201875-2954683558
                              • Opcode ID: fb15eab2332ee79fe3b6269c7a6798f30c580aa4b0380318a35312f844840a90
                              • Instruction ID: 6443803da38cddfc03973e112e1470be20db66c409a4168417c9ccfa39c85508
                              • Opcode Fuzzy Hash: fb15eab2332ee79fe3b6269c7a6798f30c580aa4b0380318a35312f844840a90
                              • Instruction Fuzzy Hash: 1261D5B5D00205AFEB20CF69C841BAABBF4EF05B14F15416BE944EB381E7749D41DB58
                              Function 00405480 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 155windowmemoryCOMMON
                              Download Yara Rule
                              APIs
                              • SetEvent.KERNEL32(?,?), ref: 0040549F
                              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040554F
                              • TranslateMessage.USER32(?), ref: 0040555E
                              • DispatchMessageA.USER32(?), ref: 00405569
                              • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00471F10), ref: 00405621
                              • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405659
                                • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                              • String ID: CloseChat$DisplayMessage$GetMessage
                              • API String ID: 2956720200-749203953
                              • Opcode ID: 38da9913c1d94b4fc4e25114756b75ad617155bf13c772cc5ff9b28bcc7bf55c
                              • Instruction ID: 0f013d79663c92f7c21c274702d2b8200e9ba5951f20e13ff122dbd33ecc2bba
                              • Opcode Fuzzy Hash: 38da9913c1d94b4fc4e25114756b75ad617155bf13c772cc5ff9b28bcc7bf55c
                              • Instruction Fuzzy Hash: 8B41C471A043016BCB00FB75DC5A86F77A9EB85714B40093EF946A31D2EF79C905CB9A
                              Function 0041601D Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 108filesynchronizationCOMMON
                              Download Yara Rule
                              APIs
                                • Part of subcall function 0041626A: __EH_prolog.LIBCMT ref: 0041626F
                              • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00463050), ref: 0041611A
                              • CloseHandle.KERNEL32(00000000), ref: 00416123
                              • DeleteFileA.KERNEL32(00000000), ref: 00416132
                              • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 004160E6
                                • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                              • String ID: <$@$@%G$@%G$Temp
                              • API String ID: 1704390241-4139030828
                              • Opcode ID: 2c1979de410b9738e481fa727b302a0dd89e2ec540be45fee9571ea6700d777e
                              • Instruction ID: 980de7e6e99344695fa922fac5fad97fc57b46ec9d0f9c422bd6bd0d3fbbc04a
                              • Opcode Fuzzy Hash: 2c1979de410b9738e481fa727b302a0dd89e2ec540be45fee9571ea6700d777e
                              • Instruction Fuzzy Hash: 48419131900209ABDB14FB61DC56AEEB739AF50308F50417EF505760E2EF785E8ACB99
                              Function 00418AC3 Relevance: 15.1, APIs: 10, Instructions: 66serviceCOMMON
                              Download Yara Rule
                              APIs
                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041843C,00000000), ref: 00418AD2
                              • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041843C,00000000), ref: 00418AE9
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418AF6
                              • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041843C,00000000), ref: 00418B05
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418B16
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418B19
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: Service$CloseHandle$Open$ControlManager
                              • String ID:
                              • API String ID: 221034970-0
                              • Opcode ID: c0ea185af2b6cb95e5d246b028910c14a7565b46c2d114a674b25013468a4f31
                              • Instruction ID: 27c4ffebcf7932a5624e60d5a3802e7503a1161fac6a42b5cc64803f4be6ae02
                              • Opcode Fuzzy Hash: c0ea185af2b6cb95e5d246b028910c14a7565b46c2d114a674b25013468a4f31
                              • Instruction Fuzzy Hash: A211E9715002186FD610EF64DC89CFF3B6CDF41B96741012AFA0593192DF789D469AF5
                              Function 00445631 Relevance: 15.1, APIs: 10, Instructions: 54COMMON
                              Download Yara Rule
                              APIs
                              • _free.LIBCMT ref: 00445645
                                • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                              • _free.LIBCMT ref: 00445651
                              • _free.LIBCMT ref: 0044565C
                              • _free.LIBCMT ref: 00445667
                              • _free.LIBCMT ref: 00445672
                              • _free.LIBCMT ref: 0044567D
                              • _free.LIBCMT ref: 00445688
                              • _free.LIBCMT ref: 00445693
                              • _free.LIBCMT ref: 0044569E
                              • _free.LIBCMT ref: 004456AC
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: _free$ErrorFreeHeapLast
                              • String ID:
                              • API String ID: 776569668-0
                              • Opcode ID: 93d31162751b94c5375648fc1d7c6d5428524314512021667e8ac2086323d142
                              • Instruction ID: 08dc7793ba969bb8ae61e50cce6790fa76a3b05f45cdd3d63b195ce4761959f1
                              • Opcode Fuzzy Hash: 93d31162751b94c5375648fc1d7c6d5428524314512021667e8ac2086323d142
                              • Instruction Fuzzy Hash: A511CB7610010CBFDB01EF55C986CDD3B65FF04759B4284AAFA885F222EA35DF509B88
                              Function 00417F6A Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 176sleeptimeCOMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 00417F6F
                              • GdiplusStartup.GDIPLUS(00471668,?,00000000), ref: 00417FA1
                              • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041802D
                              • Sleep.KERNEL32(000003E8), ref: 004180B3
                              • GetLocalTime.KERNEL32(?), ref: 004180BB
                              • Sleep.KERNEL32(00000000,00000018,00000000), ref: 004181AA
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                              • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                              • API String ID: 489098229-3790400642
                              • Opcode ID: 27953ccb73c7935c50ce76e498ac53549bd0f641fbc99231dbf637836dbf8ac1
                              • Instruction ID: ff50de85f816598f14f139fcbfe24147e98e2bb745fd097185ef2e944e73ca26
                              • Opcode Fuzzy Hash: 27953ccb73c7935c50ce76e498ac53549bd0f641fbc99231dbf637836dbf8ac1
                              • Instruction Fuzzy Hash: 98516071A001549BCB04BBB5C8529FD76A8AF55308F04403FF805A71E2EF7C5E85C799
                              Function 0040971E Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 163sleepCOMMON
                              Download Yara Rule
                              APIs
                              • Sleep.KERNEL32(00001388), ref: 00409738
                                • Part of subcall function 0040966D: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409745), ref: 004096A3
                                • Part of subcall function 0040966D: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409745), ref: 004096B2
                                • Part of subcall function 0040966D: Sleep.KERNEL32(00002710,?,?,?,00409745), ref: 004096DF
                                • Part of subcall function 0040966D: CloseHandle.KERNEL32(00000000,?,?,?,00409745), ref: 004096E6
                              • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409774
                              • GetFileAttributesW.KERNEL32(00000000), ref: 00409785
                              • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040979C
                              • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409816
                                • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                              • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00469654,00000000,00000000,00000000), ref: 0040991F
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                              • String ID: H"G$H"G
                              • API String ID: 3795512280-1424798214
                              • Opcode ID: 13e2dbf3d5e885c0786faa6bc9ba80587d0ab8a2a4bc2c59858fca73f58dbc4d
                              • Instruction ID: 85d6828eff9e87111454ffe40de9a07a949f8ec8799fb43d86416e8e02d17308
                              • Opcode Fuzzy Hash: 13e2dbf3d5e885c0786faa6bc9ba80587d0ab8a2a4bc2c59858fca73f58dbc4d
                              • Instruction Fuzzy Hash: 9D513D712043015BCB14BB72C9A6ABF76999F90308F00453FB946B72E3DF7D9D09869A
                              Function 004530E4 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,004541DF), ref: 00453107
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: DecodePointer
                              • String ID: acos$asin$exp$log$log10$pow$sqrt
                              • API String ID: 3527080286-3064271455
                              • Opcode ID: f53d904abd5658a060f413a89978d0306c3294a3021a30185663c10ae64f840c
                              • Instruction ID: 9333e61b372fbf41addd7e909d3efe481a8fa84217f9852f3907f1ba123c2b47
                              • Opcode Fuzzy Hash: f53d904abd5658a060f413a89978d0306c3294a3021a30185663c10ae64f840c
                              • Instruction Fuzzy Hash: CC518F30900909DBCF10DFA8E9480ADBBB0FF0A347F644196EC81A7216CB799A1DDB1D
                              Function 004159BA Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 104sleepfileCOMMON
                              Download Yara Rule
                              APIs
                              • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00415A1A
                                • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                              • Sleep.KERNEL32(00000064), ref: 00415A46
                              • DeleteFileW.KERNEL32(00000000), ref: 00415A7A
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$CreateDeleteExecuteShellSleep
                              • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                              • API String ID: 1462127192-2001430897
                              • Opcode ID: c216d361bb9ef99ebd7f865ddf1f7fdade912dea526e25dca7a569b2ba1e0d71
                              • Instruction ID: 7fbd65b43d39327dc9f625a99f058064c4c6325298edc9245ab65683dcac2845
                              • Opcode Fuzzy Hash: c216d361bb9ef99ebd7f865ddf1f7fdade912dea526e25dca7a569b2ba1e0d71
                              • Instruction Fuzzy Hash: FA315E719402199ACB04FBA1DC96DEE7768EF50308F40017FF506731E2EE785E8ACA99
                              Function 004066A6 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 78COMMON
                              Download Yara Rule
                              APIs
                              • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 00406775
                              • ExitProcess.KERNEL32 ref: 00406782
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExecuteExitProcessShell
                              • String ID: H"G$Software\Classes\mscfile\shell\open\command$eventvwr.exe$mscfile\shell\open\command$open$origmsc
                              • API String ID: 1124553745-1488154373
                              • Opcode ID: 8e5fad59d86c60b71b0e885ed10285bbf14514be7c7ad01d69b843f0820051ef
                              • Instruction ID: 062031feec86e4e4641db6525c6f69cb17b792298443eef288e26788f9a4eac4
                              • Opcode Fuzzy Hash: 8e5fad59d86c60b71b0e885ed10285bbf14514be7c7ad01d69b843f0820051ef
                              • Instruction Fuzzy Hash: 36110571A4420166D704B7A2DC57FEF32689B10B09F50003FF906B61D2EEBC5A4982DE
                              Function 0041AA4F Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 53memoryCOMMON
                              Download Yara Rule
                              APIs
                              • AllocConsole.KERNEL32(00000001), ref: 0041AA5D
                              • ShowWindow.USER32(00000000,00000000), ref: 0041AA76
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocConsoleShowWindow
                              • String ID: * BreakingSecurity.net$ * Remcos v$--------------------------$--------------------------$3.8.0 Pro$CONOUT$
                              • API String ID: 4118500197-4025029772
                              • Opcode ID: 613498324cd6a8c522b436d369b4391aab2e08fe6d6e431343eccbd2d6afca2c
                              • Instruction ID: 07661f9972e693547954b0fc743ee20e91627884e026026f5b86345d1a8b50cd
                              • Opcode Fuzzy Hash: 613498324cd6a8c522b436d369b4391aab2e08fe6d6e431343eccbd2d6afca2c
                              • Instruction Fuzzy Hash: CE015271D803586ADB10EBF59C06FDF77AC6B18708F54142BB100A7095E7FC950C4A2D
                              Function 0041B212 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 48windowstringCOMMON
                              Download Yara Rule
                              APIs
                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041B22B
                                • Part of subcall function 0041B2C4: RegisterClassExA.USER32(00000030), ref: 0041B310
                                • Part of subcall function 0041B2C4: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041B32B
                                • Part of subcall function 0041B2C4: GetLastError.KERNEL32 ref: 0041B335
                              • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041B262
                              • lstrcpynA.KERNEL32(00471AF8,Remcos,00000080), ref: 0041B27C
                              • Shell_NotifyIconA.SHELL32(00000000,00471AE0), ref: 0041B292
                              • TranslateMessage.USER32(?), ref: 0041B29E
                              • DispatchMessageA.USER32(?), ref: 0041B2A8
                              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041B2B5
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                              • String ID: Remcos
                              • API String ID: 1970332568-165870891
                              • Opcode ID: 6a629144b245819b38f2933f29616ef2380529a0a937335efbac9e54df28edc4
                              • Instruction ID: 392c2ce23d615fe7cfca65c1bdf78dc563e79c4ff08160ae13be93183ad442b8
                              • Opcode Fuzzy Hash: 6a629144b245819b38f2933f29616ef2380529a0a937335efbac9e54df28edc4
                              • Instruction Fuzzy Hash: CD013971901308ABCB10DBB9ED4EEDB7BBCFB85B05F40417AF51992061D7B89489CB68
                              Function 00449F63 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d7410a98b278d9d25d0fcdc47fb7c960ad5f7d9b58d6d06d1c87314e37a5ed65
                              • Instruction ID: 53180985ac70b1d9c95f382170f9691aec8243d5c40cf1d2be039b65846bfc46
                              • Opcode Fuzzy Hash: d7410a98b278d9d25d0fcdc47fb7c960ad5f7d9b58d6d06d1c87314e37a5ed65
                              • Instruction Fuzzy Hash: 2DC12970D44245AFEB11DFA8D841BEEBBB0BF19304F04419AE844A7392C7798D51DB6B
                              Function 00450F63 Relevance: 13.8, APIs: 9, Instructions: 268COMMON
                              Download Yara Rule
                              APIs
                              • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0045123C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 0045100F
                              • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 00451092
                              • __alloca_probe_16.LIBCMT ref: 004510CA
                              • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,0045123C,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 00451125
                              • __alloca_probe_16.LIBCMT ref: 00451174
                              • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 0045113C
                                • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                              • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 004511B8
                              • __freea.LIBCMT ref: 004511E3
                              • __freea.LIBCMT ref: 004511EF
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                              • String ID:
                              • API String ID: 201697637-0
                              • Opcode ID: 3fb5d38a305e3cd885e4cf01d6a6faccac9c0be3147af9b9f82741c0feb9dacf
                              • Instruction ID: 005ec385ace484c3041e352596739c7debf7d66643145b34d09858c349e559c3
                              • Opcode Fuzzy Hash: 3fb5d38a305e3cd885e4cf01d6a6faccac9c0be3147af9b9f82741c0feb9dacf
                              • Instruction Fuzzy Hash: C191D632E002169BDB209EA5C881BAF7BB59F09716F14025BED00E7292D72DDD89C768
                              Function 0044268B Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                                • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                              • _memcmp.LIBVCRUNTIME ref: 00442935
                              • _free.LIBCMT ref: 004429A6
                              • _free.LIBCMT ref: 004429BF
                              • _free.LIBCMT ref: 004429F1
                              • _free.LIBCMT ref: 004429FA
                              • _free.LIBCMT ref: 00442A06
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: _free$ErrorLast$_abort_memcmp
                              • String ID: C
                              • API String ID: 1679612858-1037565863
                              • Opcode ID: 432fc3ea507ab00d5c61cbebfc7d6860faf6a87f9b6526557229100be8563697
                              • Instruction ID: aeaf983377083d43a1268bd0837f448671c9c2270315b144058cc99b7af0bbb4
                              • Opcode Fuzzy Hash: 432fc3ea507ab00d5c61cbebfc7d6860faf6a87f9b6526557229100be8563697
                              • Instruction Fuzzy Hash: C6B14B75A01219DFEB24DF19C984AAEB7B4FF08314F5045AEE849A7350E774AE90CF44
                              Function 00413360 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 225COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: tcp$udp
                              • API String ID: 0-3725065008
                              • Opcode ID: 688bcc682103751b5d6e0fc50f4ff73081394bc5db4df513150874dffde81862
                              • Instruction ID: 0146648cb9627796ba72a5075a1bb19f593c332394d5faf8ede73001e6eead87
                              • Opcode Fuzzy Hash: 688bcc682103751b5d6e0fc50f4ff73081394bc5db4df513150874dffde81862
                              • Instruction Fuzzy Hash: 0271AB306083029FDB24CF55C4456ABBBE5AB88B06F14483FF88587351DB78CE85CB8A
                              Function 0040FF5A Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 191COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: Eventinet_ntoa
                              • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
                              • API String ID: 3578746661-168337528
                              • Opcode ID: c3d225834e3254adb17b52a5ed13ece1e9c6b305f91900c89a6b7ea0c4643d74
                              • Instruction ID: 6b7c77c2de925f44c7fd0444b04eaa142d1c015a05a303cede5520b91582e870
                              • Opcode Fuzzy Hash: c3d225834e3254adb17b52a5ed13ece1e9c6b305f91900c89a6b7ea0c4643d74
                              • Instruction Fuzzy Hash: 1B51C671A043005BC704FB35E81AAAE36A56B85304F50453FF942972E2EFBD998987CF
                              Function 004069F4 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102fileCOMMON
                              Download Yara Rule
                              APIs
                              • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00471E78,00462F54,?,00000000,0040708D,00000000), ref: 00406A56
                              • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,0040708D,00000000,?,?,0000000A,00000000), ref: 00406A9E
                                • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                              • CloseHandle.KERNEL32(00000000,?,00000000,0040708D,00000000,?,?,0000000A,00000000), ref: 00406ADE
                              • MoveFileW.KERNEL32(00000000,00000000), ref: 00406AFB
                              • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00406B26
                              • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00406B36
                                • Part of subcall function 00404B76: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,00404C29,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404B85
                                • Part of subcall function 00404B76: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040546B), ref: 00404BA3
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                              • String ID: .part
                              • API String ID: 1303771098-3499674018
                              • Opcode ID: b311657231bfd1ddbcc4a820267832357b1505ed209a9d42b0dbde4102a0be9c
                              • Instruction ID: 678cfffe15af58d7f0b712f13b91f409224560124cae5e22a1f642ab954cf825
                              • Opcode Fuzzy Hash: b311657231bfd1ddbcc4a820267832357b1505ed209a9d42b0dbde4102a0be9c
                              • Instruction Fuzzy Hash: 183195715043519FC210FF61D8859AFB7E8EF84305F40493FB946A21E1DB78DE488B9A
                              Function 00446FC4 Relevance: 12.2, APIs: 8, Instructions: 216COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0043E2F6,0043E2F6,?,?,?,00447215,00000001,00000001,80E85006), ref: 0044701E
                              • __alloca_probe_16.LIBCMT ref: 00447056
                              • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00447215,00000001,00000001,80E85006,?,?,?), ref: 004470A4
                              • __alloca_probe_16.LIBCMT ref: 0044713B
                              • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,80E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044719E
                              • __freea.LIBCMT ref: 004471AB
                                • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                              • __freea.LIBCMT ref: 004471B4
                              • __freea.LIBCMT ref: 004471D9
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                              • String ID:
                              • API String ID: 3864826663-0
                              • Opcode ID: 04037ebd5a1a4f50f5415f33d7545ea1837db620aa2cb0a216d5dedd30da5abc
                              • Instruction ID: 54c76e5b98bc3e662f405ec50a570bffd16f8396d3d33e450f7b83ec1f761fab
                              • Opcode Fuzzy Hash: 04037ebd5a1a4f50f5415f33d7545ea1837db620aa2cb0a216d5dedd30da5abc
                              • Instruction Fuzzy Hash: C051F372604216AFFB258F65CC81EAF77A9EB44754F19422EFC04D6340EB38DC4296A8
                              Function 00417949 Relevance: 12.1, APIs: 8, Instructions: 102keyboardCOMMON
                              Download Yara Rule
                              APIs
                              • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417982
                              • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179A3
                              • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179C3
                              • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179D7
                              • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179ED
                              • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417A0A
                              • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417A25
                              • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00417A41
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: InputSend
                              • String ID:
                              • API String ID: 3431551938-0
                              • Opcode ID: 6aaf5890e5c1829a4f0a9f9de961f2057ca44ae286fc2f2a8f4f79c9cdb01491
                              • Instruction ID: 18205c9a4f61e0979ba7f31da2e0396e133b47f61cec1eebe1044e0c870e5742
                              • Opcode Fuzzy Hash: 6aaf5890e5c1829a4f0a9f9de961f2057ca44ae286fc2f2a8f4f79c9cdb01491
                              • Instruction Fuzzy Hash: BF3180715583086EE311CF51D941BEBBFECEF99B54F00080FF6809A191D2A696C98BA7
                              Function 00414F40 Relevance: 12.0, APIs: 8, Instructions: 49clipboardCOMMON
                              Download Yara Rule
                              APIs
                              • OpenClipboard.USER32 ref: 00414F41
                              • EmptyClipboard.USER32 ref: 00414F4F
                              • CloseClipboard.USER32 ref: 00414F55
                              • OpenClipboard.USER32 ref: 00414F5C
                              • GetClipboardData.USER32(0000000D), ref: 00414F6C
                              • GlobalLock.KERNEL32(00000000), ref: 00414F75
                              • GlobalUnlock.KERNEL32(00000000), ref: 00414F7E
                              • CloseClipboard.USER32 ref: 00414F84
                                • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                              • String ID:
                              • API String ID: 2172192267-0
                              • Opcode ID: 828cfcc74c82ea041a7dd29e4e1c173cc2e20efda03bf5817e1bab7b2f8bf981
                              • Instruction ID: b342c93700c1c5b5557293b3c64df63ecfc3f94f93ee8c928ebb46f035b43356
                              • Opcode Fuzzy Hash: 828cfcc74c82ea041a7dd29e4e1c173cc2e20efda03bf5817e1bab7b2f8bf981
                              • Instruction Fuzzy Hash: 7C015E312443009BD314BF71DC596AA76A8EBE0346F81057EB94A931A3DF3899498A9A
                              Function 00447757 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00447ECC,00453EB5,00000000,00000000,00000000,00000000,00000000), ref: 00447799
                              • __fassign.LIBCMT ref: 00447814
                              • __fassign.LIBCMT ref: 0044782F
                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00447855
                              • WriteFile.KERNEL32(?,00000000,00000000,00447ECC,00000000,?,?,?,?,?,?,?,?,?,00447ECC,00453EB5), ref: 00447874
                              • WriteFile.KERNEL32(?,00453EB5,00000001,00447ECC,00000000,?,?,?,?,?,?,?,?,?,00447ECC,00453EB5), ref: 004478AD
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                              • String ID:
                              • API String ID: 1324828854-0
                              • Opcode ID: a748b16374f527b7a80cf69ed727348adf3f69da4df0249be72511d103bd3332
                              • Instruction ID: 74b5e8c6f427b63fe2026e60454d3d85c0c1d9029b0a2cc1a9ecb7a500eaa1fe
                              • Opcode Fuzzy Hash: a748b16374f527b7a80cf69ed727348adf3f69da4df0249be72511d103bd3332
                              • Instruction Fuzzy Hash: 32510870E042499FEB10DFA8DC85AEEBBF8EF09300F14416BE951E7291E7749941CB69
                              Function 00453DF4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 152COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: _free
                              • String ID: $-E$$-E
                              • API String ID: 269201875-3140958853
                              • Opcode ID: e48a72c45575700ceddfc4a13269a7974e50b6c85b9f24d2dc50821f03aae928
                              • Instruction ID: 9707d98a659f88f98630b1874925085f47dfd26ea07d7c57405a666b90b138a8
                              • Opcode Fuzzy Hash: e48a72c45575700ceddfc4a13269a7974e50b6c85b9f24d2dc50821f03aae928
                              • Instruction Fuzzy Hash: 69412C32A041006BDB21AFBA8C4666F3BA5DF453B7F10461FFC18D6293DB3C8E15466A
                              Function 00401CEB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89COMMON
                              Download Yara Rule
                              APIs
                              • _strftime.LIBCMT ref: 00401D30
                                • Part of subcall function 00401A4D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9
                              • waveInUnprepareHeader.WINMM(0046FA78,00000020,00000000,?), ref: 00401DE2
                              • waveInPrepareHeader.WINMM(0046FA78,00000020), ref: 00401E20
                              • waveInAddBuffer.WINMM(0046FA78,00000020), ref: 00401E2F
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                              • String ID: %Y-%m-%d %H.%M$.wav
                              • API String ID: 3809562944-3597965672
                              • Opcode ID: b10e30c525f246f4611f68b91188478031edfba2b9a6cbdc9954c4cf903c77cf
                              • Instruction ID: eb6f517cf981021e41f9baa65c06222081641aa24e02a1e4c78245b08a68fc14
                              • Opcode Fuzzy Hash: b10e30c525f246f4611f68b91188478031edfba2b9a6cbdc9954c4cf903c77cf
                              • Instruction Fuzzy Hash: 743150315043009BC314EBA1EC56A9E77E8FB54318F50893EF599A21F2EFB49909CB5E
                              Function 0040AE2A Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 87COMMON
                              Download Yara Rule
                              APIs
                                • Part of subcall function 00411F91: RegOpenKeyExA.ADVAPI32(80000002,00000400,00000000,00020019,?), ref: 00411FB5
                                • Part of subcall function 00411F91: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00411FD2
                                • Part of subcall function 00411F91: RegCloseKey.ADVAPI32(?), ref: 00411FDD
                              • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040AEAC
                              • PathFileExistsA.SHLWAPI(?), ref: 0040AEB9
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                              • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                              • API String ID: 1133728706-4073444585
                              • Opcode ID: 2710e71acfe910868fa7bd05cf86435756edf937fb7501142c457778cac90120
                              • Instruction ID: 9e227284a7a69f00510d3be81dd7cde1580ac9a58a9ca8fbd928e09bf644cbd9
                              • Opcode Fuzzy Hash: 2710e71acfe910868fa7bd05cf86435756edf937fb7501142c457778cac90120
                              • Instruction Fuzzy Hash: CF21B170A4020556CB00FBE2CC97DEE7368AF51348F80013FB901772D2EB795A45C6DA
                              Function 00453D2D Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a9bccf30988101774ee440fa5cc9a08b358316fbf5677ac8bfda6d7ead677197
                              • Instruction ID: 106e2cecea33a690a52cc41c1271e31c3df1f85e8271d36c5dacef07d135bc52
                              • Opcode Fuzzy Hash: a9bccf30988101774ee440fa5cc9a08b358316fbf5677ac8bfda6d7ead677197
                              • Instruction Fuzzy Hash: 2C113232504214BBCB213F769C0596B7B7CDF857A7F11062BFC1583292DA38C9089269
                              Function 0044E0DA Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                                • Part of subcall function 0044DE21: _free.LIBCMT ref: 0044DE4A
                              • _free.LIBCMT ref: 0044E128
                                • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                              • _free.LIBCMT ref: 0044E133
                              • _free.LIBCMT ref: 0044E13E
                              • _free.LIBCMT ref: 0044E192
                              • _free.LIBCMT ref: 0044E19D
                              • _free.LIBCMT ref: 0044E1A8
                              • _free.LIBCMT ref: 0044E1B3
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: _free$ErrorFreeHeapLast
                              • String ID:
                              • API String ID: 776569668-0
                              • Opcode ID: d645742a9f031bfd4c53cfe37fe00a001808073c56fe889b6c8b285726f20831
                              • Instruction ID: b65b67035ea7ffc6fe2c1778d32cb4f6cbb79ca162155871331ff7aa41bb66fd
                              • Opcode Fuzzy Hash: d645742a9f031bfd4c53cfe37fe00a001808073c56fe889b6c8b285726f20831
                              • Instruction Fuzzy Hash: 64111571940B08AAE520BFF2CC47FCBB7DC9F14708F50882EB29D6A552DA7DB6044654
                              Function 004192AE Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 61COMMON
                              Download Yara Rule
                              APIs
                                • Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
                                • Part of subcall function 00411F91: RegOpenKeyExA.ADVAPI32(80000002,00000400,00000000,00020019,?), ref: 00411FB5
                                • Part of subcall function 00411F91: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00411FD2
                                • Part of subcall function 00411F91: RegCloseKey.ADVAPI32(?), ref: 00411FDD
                              • StrToIntA.SHLWAPI(00000000,00469710,00000000,00000000,00000000,00471FFC,00000001,?,?,?,?,?,?,0040D6A0), ref: 00419327
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseCurrentOpenProcessQueryValue
                              • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                              • API String ID: 1866151309-2070987746
                              • Opcode ID: 905e145e97e877e89bffcd847be86f3e5d4b8ef02cc69856730a9e086f165d02
                              • Instruction ID: a9b62d1d1389f8d2b696bc63f2982e792167bed2dd8bed00043a633dd184e9c5
                              • Opcode Fuzzy Hash: 905e145e97e877e89bffcd847be86f3e5d4b8ef02cc69856730a9e086f165d02
                              • Instruction Fuzzy Hash: E411E371A002456AC704B765CC67AAF761D8B54309F64053FF905A71E2FABC4D8282AA
                              Function 004380FA Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • GetLastError.KERNEL32(?,?,004380F1,0043705E), ref: 00438108
                              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00438116
                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043812F
                              • SetLastError.KERNEL32(00000000,?,004380F1,0043705E), ref: 00438181
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLastValue___vcrt_
                              • String ID:
                              • API String ID: 3852720340-0
                              • Opcode ID: a51cd608757b9cf21dde5cb3b99bb74488ace4818edb59339c74db540250a301
                              • Instruction ID: 5a832d73688d02476ca7511e273f3515cfb573674d76dbd3fe9934521fa1a72b
                              • Opcode Fuzzy Hash: a51cd608757b9cf21dde5cb3b99bb74488ace4818edb59339c74db540250a301
                              • Instruction Fuzzy Hash: F101283210C3326EAA102F767C85A1BAA94EB09779F31633FF214951E1FFA99C02550C
                              Function 0040A9E2 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON
                              Download Yara Rule
                              APIs
                              • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040AA1E
                              • GetLastError.KERNEL32 ref: 0040AA28
                              Strings
                              • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040A9E9
                              • [Chrome Cookies found, cleared!], xrefs: 0040AA4E
                              • [Chrome Cookies not found], xrefs: 0040AA42
                              • UserProfile, xrefs: 0040A9EE
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: DeleteErrorFileLast
                              • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                              • API String ID: 2018770650-304995407
                              • Opcode ID: b4927beb3b7d8682d6e8687247d88e98b96e581d4f5d1102126ce03b4be6211c
                              • Instruction ID: 1f34f6daae66b163f55af04f15e1d0b60933b3567ae099988c08ef58cbd90c9e
                              • Opcode Fuzzy Hash: b4927beb3b7d8682d6e8687247d88e98b96e581d4f5d1102126ce03b4be6211c
                              • Instruction Fuzzy Hash: 0E01F731B4020467C6047A75DD278AE77249951304B50057FF402773D2FD798915CA9F
                              Function 0043887C Relevance: 9.3, APIs: 6, Instructions: 284COMMON
                              Download Yara Rule
                              APIs
                              • __allrem.LIBCMT ref: 00438A09
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A25
                              • __allrem.LIBCMT ref: 00438A3C
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A5A
                              • __allrem.LIBCMT ref: 00438A71
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A8F
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                              • String ID:
                              • API String ID: 1992179935-0
                              • Opcode ID: e54fcd2a271a95563de48233a52a921a5b89548056e17f80f76cd68e5be4f8c8
                              • Instruction ID: 1db505a437643d25cad1e1ab06004ebe691486694b679651004c0d70fbe8f9c1
                              • Opcode Fuzzy Hash: e54fcd2a271a95563de48233a52a921a5b89548056e17f80f76cd68e5be4f8c8
                              • Instruction Fuzzy Hash: CD815972A007069BE724BA29CC41B6BF3E8AF49328F14512FF511D6382EF78D900875D
                              Function 00442E0B Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: __cftoe
                              • String ID:
                              • API String ID: 4189289331-0
                              • Opcode ID: 6721aee484eec6af142a787e0ccbed3fea0baaedfcb9b8799baac12631cf5e23
                              • Instruction ID: 4563a9c63fae0d6d7f7aa9a83d474a3ec136fb2d14012502de5dff0b8c27d610
                              • Opcode Fuzzy Hash: 6721aee484eec6af142a787e0ccbed3fea0baaedfcb9b8799baac12631cf5e23
                              • Instruction Fuzzy Hash: CB510C32500205ABFB209F598E45EAF77B8EF48334FE0421FF415D6282EB79D941966C
                              Function 00444A81 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 389COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: __freea$__alloca_probe_16_free
                              • String ID: a/p$am/pm
                              • API String ID: 2936374016-3206640213
                              • Opcode ID: 5bf20948ecfdcfc47f5d03c18463ec118060d09d36ce90c1cff5387842e26ce9
                              • Instruction ID: 5910b70c00eb86a61931efff1dda8232d7c1eee9eff2524394b85f82b3a3e216
                              • Opcode Fuzzy Hash: 5bf20948ecfdcfc47f5d03c18463ec118060d09d36ce90c1cff5387842e26ce9
                              • Instruction Fuzzy Hash: 05D1E171900206CAFB289F68C895BBBB7B1FF85300F29415BE905AB391D73D9D81CB59
                              Function 0040F8B7 Relevance: 9.1, APIs: 6, Instructions: 75COMMON
                              Download Yara Rule
                              APIs
                              • std::_Lockit::_Lockit.LIBCPMT ref: 0040F8C4
                              • int.LIBCPMT ref: 0040F8D7
                                • Part of subcall function 0040CAE9: std::_Lockit::_Lockit.LIBCPMT ref: 0040CAFA
                                • Part of subcall function 0040CAE9: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CB14
                              • std::_Facet_Register.LIBCPMT ref: 0040F917
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 0040F920
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040F93E
                              • __Init_thread_footer.LIBCMT ref: 0040F97F
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                              • String ID:
                              • API String ID: 3815856325-0
                              • Opcode ID: 296aa1fc45bd8a97e11338d30c2ad026eda8063a32206ad78c4166fd1b77079b
                              • Instruction ID: 3bb9722abb9e04fd13c8d4025e7ce1c878c76566b3017ce531706a3e1b7c3414
                              • Opcode Fuzzy Hash: 296aa1fc45bd8a97e11338d30c2ad026eda8063a32206ad78c4166fd1b77079b
                              • Instruction Fuzzy Hash: 90212232900104EBCB24EBA9E94699E7378AB08324F20017FF844B72D1DB389F458BD9
                              Function 00418C2E Relevance: 9.1, APIs: 6, Instructions: 67serviceCOMMON
                              Download Yara Rule
                              APIs
                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C3E
                              • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,00418344,00000000), ref: 00418C52
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418C5F
                              • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C94
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418CA6
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418CA9
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: Service$CloseHandle$Open$ChangeConfigManager
                              • String ID:
                              • API String ID: 493672254-0
                              • Opcode ID: 6b3aada76383092df42fd9d8378ae16ca6440a91692c2fe76f90724c69c65514
                              • Instruction ID: 151ede47f5a01f66990efdacd58a0b59027112db6305451f0336687f4909308b
                              • Opcode Fuzzy Hash: 6b3aada76383092df42fd9d8378ae16ca6440a91692c2fe76f90724c69c65514
                              • Instruction Fuzzy Hash: A20149711862183AE6108B389C4EEBB3A6CDB42771F14032FF925A32D1EE68CD4185F9
                              Function 00445725 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                              • _free.LIBCMT ref: 0044575C
                              • _free.LIBCMT ref: 00445784
                              • SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                              • SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                              • _abort.LIBCMT ref: 004457A3
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$_free$_abort
                              • String ID:
                              • API String ID: 3160817290-0
                              • Opcode ID: beb673fc776bdcf0cb4aa2f907b8faed87466b0c6696de81e80bb7a9f8cba6db
                              • Instruction ID: 2afc6a99b93033dbed13f8def56e2284daf42193b39b630cfab03248b002a5f8
                              • Opcode Fuzzy Hash: beb673fc776bdcf0cb4aa2f907b8faed87466b0c6696de81e80bb7a9f8cba6db
                              • Instruction Fuzzy Hash: 6EF0FE35100F0067FA117B367C8AB2F1A695FC2B2AF21013BF419D6293EE3DC902452D
                              Function 00418A5C Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON
                              Download Yara Rule
                              APIs
                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,004185D9,00000000), ref: 00418A6B
                              • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,004185D9,00000000), ref: 00418A7F
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418A8C
                              • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004185D9,00000000), ref: 00418A9B
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418AAD
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418AB0
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: Service$CloseHandle$Open$ControlManager
                              • String ID:
                              • API String ID: 221034970-0
                              • Opcode ID: f9d93c7612eed7e1ddf8c3953865d04e5265de3587757247bbfd6a1c47877660
                              • Instruction ID: 4afe7732e2fa81f36ccf108e41ed7890102f29a09d0e479adccf976045b68e04
                              • Opcode Fuzzy Hash: f9d93c7612eed7e1ddf8c3953865d04e5265de3587757247bbfd6a1c47877660
                              • Instruction Fuzzy Hash: A4F0C2315013186BD210EBA5DC89EBF3BACDF45B96B41002BFD0993192DF38CD4689E9
                              Function 00418B60 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON
                              Download Yara Rule
                              APIs
                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,00418559,00000000), ref: 00418B6F
                              • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00418559,00000000), ref: 00418B83
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418B90
                              • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00418559,00000000), ref: 00418B9F
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418BB1
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418BB4
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: Service$CloseHandle$Open$ControlManager
                              • String ID:
                              • API String ID: 221034970-0
                              • Opcode ID: 027b45ec19db43cd3e6d09ceb5389eefa79acdbdadc7d59ed190380558829436
                              • Instruction ID: 20460b91a854b5e3c53015269073f2e928c2deccd9acf6b4d89527a320d4dccf
                              • Opcode Fuzzy Hash: 027b45ec19db43cd3e6d09ceb5389eefa79acdbdadc7d59ed190380558829436
                              • Instruction Fuzzy Hash: 22F0C2715402186BD210EB65DC89EBF3BACDB45B52B81006AFE09A3192DE38DD4589E9
                              Function 00418BC7 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON
                              Download Yara Rule
                              APIs
                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,004184D9,00000000), ref: 00418BD6
                              • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,004184D9,00000000), ref: 00418BEA
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418BF7
                              • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,004184D9,00000000), ref: 00418C06
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418C18
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418C1B
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: Service$CloseHandle$Open$ControlManager
                              • String ID:
                              • API String ID: 221034970-0
                              • Opcode ID: 60f77fd359bc8166b0f1f63c621f75235c8633bea2de10f026708dad38e6f72c
                              • Instruction ID: 1da220ff3ffe1d32b0df5c47a21bcd1adf2661b27de4fa42f8fed5365a22baa8
                              • Opcode Fuzzy Hash: 60f77fd359bc8166b0f1f63c621f75235c8633bea2de10f026708dad38e6f72c
                              • Instruction Fuzzy Hash: 32F0C2715012186BD210EB65EC89DBF3BACDB45B51B41002AFE0993192DF38CD4589F9
                              Function 0040966D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58sleepfileCOMMON
                              Download Yara Rule
                              APIs
                              • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409745), ref: 004096A3
                              • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409745), ref: 004096B2
                              • Sleep.KERNEL32(00002710,?,?,?,00409745), ref: 004096DF
                              • CloseHandle.KERNEL32(00000000,?,?,?,00409745), ref: 004096E6
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$CloseCreateHandleSizeSleep
                              • String ID: h G
                              • API String ID: 1958988193-3300504347
                              • Opcode ID: 2165585e5b18e3410dae2497746dd606356f3a02818af73040aae92c32689789
                              • Instruction ID: 1483d32ec36d41576822df3093d1b75ffc22edec2a146082987510034e162158
                              • Opcode Fuzzy Hash: 2165585e5b18e3410dae2497746dd606356f3a02818af73040aae92c32689789
                              • Instruction Fuzzy Hash: 24113D70201380ABD7316B749D99A2F3A9BB746304F44087EF281636D3C67D5C44C32E
                              Function 0041B2C4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57registryCOMMON
                              Download Yara Rule
                              APIs
                              • RegisterClassExA.USER32(00000030), ref: 0041B310
                              • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041B32B
                              • GetLastError.KERNEL32 ref: 0041B335
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: ClassCreateErrorLastRegisterWindow
                              • String ID: 0$MsgWindowClass
                              • API String ID: 2877667751-2410386613
                              • Opcode ID: 5c8849b15fa1cc9467c1d7fb15406a30d7545ffe8e7388a5e40320623bb372a5
                              • Instruction ID: 33db8f89e50e9671cec9701a72200cc03bcb20702a276687bfdd99081a41ce18
                              • Opcode Fuzzy Hash: 5c8849b15fa1cc9467c1d7fb15406a30d7545ffe8e7388a5e40320623bb372a5
                              • Instruction Fuzzy Hash: 1F0125B190031CABDB10DFE5EC849EFBBBCFB08355F40052AF810A2250E77599048AA4
                              Function 00437603 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • ___BuildCatchObject.LIBVCRUNTIME ref: 0043761A
                                • Part of subcall function 00437C52: ___AdjustPointer.LIBCMT ref: 00437C9C
                              • _UnwindNestedFrames.LIBCMT ref: 00437631
                              • ___FrameUnwindToState.LIBVCRUNTIME ref: 00437643
                              • CallCatchBlock.LIBVCRUNTIME ref: 00437667
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                              • String ID: /zC
                              • API String ID: 2633735394-4132788633
                              • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                              • Instruction ID: d669bc69f5b2d8c9fbf55978af89ff33433ac2085b506f133949dc977f569c90
                              • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                              • Instruction Fuzzy Hash: 44012D72004508BBCF225F56CC42EDA3BBAEF4C764F15501AFA9861220C33AE861DF98
                              Function 0041739D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43COMMON
                              Download Yara Rule
                              APIs
                              • GetSystemMetrics.USER32(0000004C), ref: 004173AA
                              • GetSystemMetrics.USER32(0000004D), ref: 004173B0
                              • GetSystemMetrics.USER32(0000004E), ref: 004173B6
                              • GetSystemMetrics.USER32(0000004F), ref: 004173BC
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: MetricsSystem
                              • String ID: ]tA
                              • API String ID: 4116985748-3517819141
                              • Opcode ID: 812a9219b2c6697e1b7e6c0967c7113de32af3875f372bd592213eda7148f6bd
                              • Instruction ID: 3cbdadbf3de93f5eefc1923f71e525f4be7d9c38d0567e5d5edaddbebabc810f
                              • Opcode Fuzzy Hash: 812a9219b2c6697e1b7e6c0967c7113de32af3875f372bd592213eda7148f6bd
                              • Instruction Fuzzy Hash: 64F0AFB1B043254BD700EA7A8C41A6FAAE59BD4274F11443FFA09C7282EEB8DC458B94
                              Function 0040E501 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43processCOMMON
                              Download Yara Rule
                              APIs
                              • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?,00000000,00471FFC), ref: 0040E547
                              • CloseHandle.KERNEL32(?,?,?,?,?,00000000,00471FFC), ref: 0040E556
                              • CloseHandle.KERNEL32(?,?,?,?,?,00000000,00471FFC), ref: 0040E55B
                              Strings
                              • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 0040E53D
                              • C:\Windows\System32\cmd.exe, xrefs: 0040E542
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseHandle$CreateProcess
                              • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                              • API String ID: 2922976086-4183131282
                              • Opcode ID: 5cb763d495b165fc4f9c66d013102bd94a78ddd016aca5e3dc924e3fee2ecf0f
                              • Instruction ID: 9c8cd13d2f2f5b55d8ef3643fb71004f418ed3317f879fdff7c1c4061e2abca7
                              • Opcode Fuzzy Hash: 5cb763d495b165fc4f9c66d013102bd94a78ddd016aca5e3dc924e3fee2ecf0f
                              • Instruction Fuzzy Hash: 1AF06276D0029C7ACB20AAD7AC0DEDF7F3CEBC6B11F00005AB504A2050D5746540CAB5
                              Function 0044083A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004407EB,00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002), ref: 0044085A
                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044086D
                              • FreeLibrary.KERNEL32(00000000,?,?,?,004407EB,00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002), ref: 00440890
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressFreeHandleLibraryModuleProc
                              • String ID: CorExitProcess$mscoree.dll
                              • API String ID: 4061214504-1276376045
                              • Opcode ID: cfbbdf30ec96b6666769d195f1efe458a00f065bb439fa98bb073361271b6784
                              • Instruction ID: 0a8d3f567fe41ef9be558500660f8c42ae883db5e601ee7dbbda2c1d2cd30ed9
                              • Opcode Fuzzy Hash: cfbbdf30ec96b6666769d195f1efe458a00f065bb439fa98bb073361271b6784
                              • Instruction Fuzzy Hash: EAF0A431900618BBDB10AF61DC09BAEBFB4DB04756F510275F905A2261CB74CE54CA98
                              Function 004050C4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35synchronizationCOMMON
                              Download Yara Rule
                              APIs
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00471E90,00404E5A,00000001,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405100
                              • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 0040510C
                              • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405117
                              • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405120
                                • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                              Strings
                              • Connection KeepAlive | Disabled, xrefs: 004050D9
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                              • String ID: Connection KeepAlive | Disabled
                              • API String ID: 2993684571-3818284553
                              • Opcode ID: 225cf815540c87da9bddac79f5b913ec4e7dd3a96093c31c561b7671f502e72f
                              • Instruction ID: 9f72672606b7a98fb4f6c5586ee23e87f0057564a74405461857646c77684129
                              • Opcode Fuzzy Hash: 225cf815540c87da9bddac79f5b913ec4e7dd3a96093c31c561b7671f502e72f
                              • Instruction Fuzzy Hash: 73F09671D047007FEB1037759D0AA6B7F98DB02315F44096EF882526E1D5B988509B5A
                              Function 00418D76 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30sleepCOMMON
                              Download Yara Rule
                              APIs
                                • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                              • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00418DA8
                              • PlaySoundW.WINMM(00000000,00000000), ref: 00418DB6
                              • Sleep.KERNEL32(00002710), ref: 00418DBD
                              • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00418DC6
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: PlaySound$HandleLocalModuleSleepTime
                              • String ID: Alarm triggered
                              • API String ID: 614609389-2816303416
                              • Opcode ID: bdf6e914fbef22af66a0bd792b19461622f07135ad8277a1fc3addc14a55c3ce
                              • Instruction ID: 312fa8acbc24107594bc9953998d05cc744500d2263fe9839a2dc32143519282
                              • Opcode Fuzzy Hash: bdf6e914fbef22af66a0bd792b19461622f07135ad8277a1fc3addc14a55c3ce
                              • Instruction Fuzzy Hash: 9EE01226E4026037A510376A6D0FC6F2D2DDBD3B6274501AFFA04571D2D9A4080186FF
                              Function 0043BB4A Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0ee00742f353d3b6c360b2e24851711a1429195aca157381f7858ce70f5acd61
                              • Instruction ID: 08a5b5d7c592992a36ca4e715a0fda7f3efcfcd9ac9fa05da90acde50f0064fb
                              • Opcode Fuzzy Hash: 0ee00742f353d3b6c360b2e24851711a1429195aca157381f7858ce70f5acd61
                              • Instruction Fuzzy Hash: C471C3319002169BCB21CF55C884BFFBB75EF99320F24622BEA5167241DB788D41CBE9
                              Function 00404351 Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 206sleepCOMMON
                              Download Yara Rule
                              APIs
                              • Sleep.KERNEL32(00000000,?), ref: 004044A4
                                • Part of subcall function 004045E7: __EH_prolog.LIBCMT ref: 004045EC
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: H_prologSleep
                              • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
                              • API String ID: 3469354165-3547787478
                              • Opcode ID: 2596316b9bbcd228594034146af270f3e01bd3c3610974548e797489da08f636
                              • Instruction ID: 7794b0ea9bf29785644917a3a4e5658b539d561772896ef264e5995737b90c85
                              • Opcode Fuzzy Hash: 2596316b9bbcd228594034146af270f3e01bd3c3610974548e797489da08f636
                              • Instruction Fuzzy Hash: 5951E8B1B0420167C614BB769D5AA6E3795ABC0744F00053FFA45A77E2EF7C8D09C29E
                              Function 0044220D Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                                • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                              • _free.LIBCMT ref: 00442318
                              • _free.LIBCMT ref: 0044232F
                              • _free.LIBCMT ref: 0044234E
                              • _free.LIBCMT ref: 00442369
                              • _free.LIBCMT ref: 00442380
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: _free$AllocateHeap
                              • String ID:
                              • API String ID: 3033488037-0
                              • Opcode ID: 68d3d4ca8a647a007ad94700598122f23d06d752802edf7745cc1232d3d9ba81
                              • Instruction ID: f6524bd8b7bf53f5b45239f2df66d8239dbe938cd5ee0330fa6954bf91cd2c46
                              • Opcode Fuzzy Hash: 68d3d4ca8a647a007ad94700598122f23d06d752802edf7745cc1232d3d9ba81
                              • Instruction Fuzzy Hash: 2951C331A00704AFEB20DF6AC941A6A77F4FF49724F54466EF809DB250E7B9DA018B48
                              Function 00446894 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045C1E4), ref: 004468FE
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F754,000000FF,00000000,0000003F,00000000,?,?), ref: 00446976
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F7A8,000000FF,?,0000003F,00000000,?), ref: 004469A3
                              • _free.LIBCMT ref: 004468EC
                                • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                              • _free.LIBCMT ref: 00446AB8
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                              • String ID:
                              • API String ID: 1286116820-0
                              • Opcode ID: 13e783ce7238224165918a71ff61bbb040dde026da6db54b448d3cbd4e0f0125
                              • Instruction ID: 7fd05a225221f517daf6149bd07272def0d2f8fc9e30777fa7538f83a84e5ba5
                              • Opcode Fuzzy Hash: 13e783ce7238224165918a71ff61bbb040dde026da6db54b448d3cbd4e0f0125
                              • Instruction Fuzzy Hash: 63511DB1900205ABEB10EF65DC8196A77BCEF42714B12027FE454A7291EBB89E44CB5E
                              Function 004412F9 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: _free
                              • String ID:
                              • API String ID: 269201875-0
                              • Opcode ID: 76d0ae20e321c1f8d33a0e61d3fd8decc26b720c3d8a788f20ca92602b864a36
                              • Instruction ID: cd63c3b426f476a3995244c06b7e284d95fcad26de8669326c9f329b52a78418
                              • Opcode Fuzzy Hash: 76d0ae20e321c1f8d33a0e61d3fd8decc26b720c3d8a788f20ca92602b864a36
                              • Instruction Fuzzy Hash: AE41E132E002049FEB10DF79C981A5EB3F5EF88718F1585AAE915EB351EA74AD41CB84
                              Function 0044E30C Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00439ED1,?,00000000,?,00000001,?,?,00000001,00439ED1,?), ref: 0044E359
                              • __alloca_probe_16.LIBCMT ref: 0044E391
                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044E3E2
                              • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00438C3F,?), ref: 0044E3F4
                              • __freea.LIBCMT ref: 0044E3FD
                                • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                              • String ID:
                              • API String ID: 313313983-0
                              • Opcode ID: 655f7a8a6140fe06f74d4810f19312272e80c6b42afcaa61e472fb93c242db7b
                              • Instruction ID: e15509fa74df4b182af5404410fa86f763612774b1e54c01db9847f8ec559460
                              • Opcode Fuzzy Hash: 655f7a8a6140fe06f74d4810f19312272e80c6b42afcaa61e472fb93c242db7b
                              • Instruction Fuzzy Hash: BC31D232A0021AABEF259F66DC45DAF7BA5EF40710F05016AFC04DB291EB39DD51CB98
                              Function 00401BC9 Relevance: 7.6, APIs: 5, Instructions: 71COMMON
                              Download Yara Rule
                              APIs
                              • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BD9
                              • waveInOpen.WINMM(0046FAB0,000000FF,0046FA98,Function_00001CEB,00000000,00000000,00000024), ref: 00401C6F
                              • waveInPrepareHeader.WINMM(0046FA78,00000020), ref: 00401CC3
                              • waveInAddBuffer.WINMM(0046FA78,00000020), ref: 00401CD2
                              • waveInStart.WINMM ref: 00401CDE
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                              • String ID:
                              • API String ID: 1356121797-0
                              • Opcode ID: a5aa28857088cf9e2c0b2d910deecd96170581a9a307f5b2914fac260bae8331
                              • Instruction ID: fb7f9cdbf736b3995f9a1dd050f0e4013ef0d97c015e7d4644af59ef24d86031
                              • Opcode Fuzzy Hash: a5aa28857088cf9e2c0b2d910deecd96170581a9a307f5b2914fac260bae8331
                              • Instruction Fuzzy Hash: 77212C326242019BC7049FEABD0591A7BA9FB89714740943BF58DD7AB1FBF844098B0E
                              Function 0044C53A Relevance: 7.6, APIs: 5, Instructions: 68COMMON
                              Download Yara Rule
                              APIs
                              • GetEnvironmentStringsW.KERNEL32 ref: 0044C543
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044C566
                                • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044C58C
                              • _free.LIBCMT ref: 0044C59F
                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044C5AE
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                              • String ID:
                              • API String ID: 336800556-0
                              • Opcode ID: 55ab520b62cbc01e0d1004e3f78ad65e034532d4f5c4574cc0f3edc3ad35f3b1
                              • Instruction ID: 9106a42af1dcf347f359e8079d91fbce8cfabd6158495d04cb7d137736bc8ec9
                              • Opcode Fuzzy Hash: 55ab520b62cbc01e0d1004e3f78ad65e034532d4f5c4574cc0f3edc3ad35f3b1
                              • Instruction Fuzzy Hash: AD0171726037257F37611AA75CC8C7F7A6DDAC6BA5319016BB904C3201EA79EE0181B8
                              Function 0041A17B Relevance: 7.6, APIs: 5, Instructions: 67fileCOMMON
                              Download Yara Rule
                              APIs
                              • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1D7
                              • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1E3
                              • WriteFile.KERNEL32(00000000,00000000,00000000,0040649B,00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1F4
                              • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A201
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$CloseHandle$CreatePointerWrite
                              • String ID:
                              • API String ID: 1852769593-0
                              • Opcode ID: 900e91da6aef5ae1ef2d64e2906a14ebfc53969b27a9c650ee74425d8e4f4bd5
                              • Instruction ID: 9d85e8900f1be3931a26f88ae5ac80d5e45035a8363d546858a313564ae31bc3
                              • Opcode Fuzzy Hash: 900e91da6aef5ae1ef2d64e2906a14ebfc53969b27a9c650ee74425d8e4f4bd5
                              • Instruction Fuzzy Hash: 0911C4712062147FE6105A249C88EFB779CEB46375F10076AF556C32D1C6698C95863B
                              Function 0040FBC8 Relevance: 7.6, APIs: 5, Instructions: 61COMMON
                              Download Yara Rule
                              APIs
                              • std::_Lockit::_Lockit.LIBCPMT ref: 0040FBD5
                              • int.LIBCPMT ref: 0040FBE8
                                • Part of subcall function 0040CAE9: std::_Lockit::_Lockit.LIBCPMT ref: 0040CAFA
                                • Part of subcall function 0040CAE9: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CB14
                              • std::_Facet_Register.LIBCPMT ref: 0040FC28
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC31
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC4F
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                              • String ID:
                              • API String ID: 2536120697-0
                              • Opcode ID: e42b24a72f1c346ef2fbe1d3cf240902612692734d8aa84a6b4d17056c7d6fbb
                              • Instruction ID: 5713401f36b8bb0c26d90e6cd89a0375aabf3697ea4116ccadb9116029d1f595
                              • Opcode Fuzzy Hash: e42b24a72f1c346ef2fbe1d3cf240902612692734d8aa84a6b4d17056c7d6fbb
                              • Instruction Fuzzy Hash: 9811C172904118A7CB24EFA5D80289FB778EF44325F10417FFD44B7291DA389E4A87D8
                              Function 004457A9 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • GetLastError.KERNEL32(?,00000000,?,00439A11,00000000,?,?,00439A95,00000000,00000000,00000000,00000000,00000000,?,?), ref: 004457AE
                              • _free.LIBCMT ref: 004457E3
                              • _free.LIBCMT ref: 0044580A
                              • SetLastError.KERNEL32(00000000), ref: 00445817
                              • SetLastError.KERNEL32(00000000), ref: 00445820
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$_free
                              • String ID:
                              • API String ID: 3170660625-0
                              • Opcode ID: 8116442bc0b7785a5c87a9e5c1511c9661b86afcbe0e70ddbbe26362d10e1a04
                              • Instruction ID: 04032910ca93e9be015006ee1c204adc37b37130fda50a8933af11b0a5b4c0b1
                              • Opcode Fuzzy Hash: 8116442bc0b7785a5c87a9e5c1511c9661b86afcbe0e70ddbbe26362d10e1a04
                              • Instruction Fuzzy Hash: 4101FE36100F0077FB127B366CC992B15699FC2B7AB21413BF40592293EE7DCC01462D
                              Function 0044DB9C Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • _free.LIBCMT ref: 0044DBB4
                                • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                              • _free.LIBCMT ref: 0044DBC6
                              • _free.LIBCMT ref: 0044DBD8
                              • _free.LIBCMT ref: 0044DBEA
                              • _free.LIBCMT ref: 0044DBFC
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: _free$ErrorFreeHeapLast
                              • String ID:
                              • API String ID: 776569668-0
                              • Opcode ID: 4ff6445dbd1c139c6c118283ff3a35b6f69cd7d79671e775af14f987f4430014
                              • Instruction ID: 294e589d6328203d0d12509a579114aacc3179ef351d8ef0a61016021d4f39e6
                              • Opcode Fuzzy Hash: 4ff6445dbd1c139c6c118283ff3a35b6f69cd7d79671e775af14f987f4430014
                              • Instruction Fuzzy Hash: DDF04F339002146BA620EF6AE9C6C5773D9EE01B15355880AF085E7600EA78FC80965C
                              Function 00441548 Relevance: 7.5, APIs: 5, Instructions: 30COMMON
                              Download Yara Rule
                              APIs
                              • _free.LIBCMT ref: 00441566
                                • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                              • _free.LIBCMT ref: 00441578
                              • _free.LIBCMT ref: 0044158B
                              • _free.LIBCMT ref: 0044159C
                              • _free.LIBCMT ref: 004415AD
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: _free$ErrorFreeHeapLast
                              • String ID:
                              • API String ID: 776569668-0
                              • Opcode ID: dc25ad9d7c881d5a7498954b547f4469e613371529959f9048218c6a37a16c45
                              • Instruction ID: 534a9c52bd02544fd4565401bb604a6095318b382a753ef56e7f6fd0a1c42297
                              • Opcode Fuzzy Hash: dc25ad9d7c881d5a7498954b547f4469e613371529959f9048218c6a37a16c45
                              • Instruction Fuzzy Hash: 00F030B78052209BD7016F55BC864053BA0BB04B29305853BF8ADE6670FBB90A458F8E
                              Function 00412446 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 179registryCOMMON
                              Download Yara Rule
                              APIs
                              • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 004124AD
                              • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 004124DC
                              • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 0041257C
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: Enum$InfoQueryValue
                              • String ID: [regsplt]
                              • API String ID: 3554306468-4262303796
                              • Opcode ID: 5841badb2ff9825d46e36e26999fd6152bd29a2a307a84bebb93b53298b167be
                              • Instruction ID: d2130986b24ed572c5287744f6969716810a156cba9fb87d3bcc7fef363a21f2
                              • Opcode Fuzzy Hash: 5841badb2ff9825d46e36e26999fd6152bd29a2a307a84bebb93b53298b167be
                              • Instruction Fuzzy Hash: A6513C71900219AADB10EBA1DD81EEFB7BDEF04304F10016AF505F2191EF786B49CBA8
                              Function 0044B8C9 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168COMMON
                              Download Yara Rule
                              APIs
                              • _strpbrk.LIBCMT ref: 0044B918
                              • _free.LIBCMT ref: 0044BA35
                                • Part of subcall function 00439AA3: IsProcessorFeaturePresent.KERNEL32(00000017,00439A75,?,?,?,?,?,00000000,?,?,00439A95,00000000,00000000,00000000,00000000,00000000), ref: 00439AA5
                                • Part of subcall function 00439AA3: GetCurrentProcess.KERNEL32(C0000417), ref: 00439AC7
                                • Part of subcall function 00439AA3: TerminateProcess.KERNEL32(00000000), ref: 00439ACE
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                              • String ID: *?$.
                              • API String ID: 2812119850-3972193922
                              • Opcode ID: 5dfc5c04e88bff774400eef92f9a188e96d7e5ade9dca766e11bbcc0c0b71fd5
                              • Instruction ID: d7c010aeaec7a8a897f36992f2f7f2874d2ac4fe7d304ea8792e53e8e447d7e7
                              • Opcode Fuzzy Hash: 5dfc5c04e88bff774400eef92f9a188e96d7e5ade9dca766e11bbcc0c0b71fd5
                              • Instruction Fuzzy Hash: 9C51C371E002099FEF14DFA9C881AAEB7B5EF48314F24816EE954E7301E779DE018B94
                              Function 00442B2D Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: __alloca_probe_16__freea
                              • String ID: H"G$H"GH"G
                              • API String ID: 1635606685-3036711414
                              • Opcode ID: 80076ff913fd6fdf96b59eec9a2e877d4b1c448352c335ccfb263d7e6081886f
                              • Instruction ID: 3c870ea2fb57449e7c992ce38f4d69c2eab2d9a05dd359c3c94aeedaa7d51697
                              • Opcode Fuzzy Hash: 80076ff913fd6fdf96b59eec9a2e877d4b1c448352c335ccfb263d7e6081886f
                              • Instruction Fuzzy Hash: F0411931A00212ABEB219F65CD82A5FB7A1EF45714F54056FF804DB291EBBCDD40879E
                              Function 0040184A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 142threadCOMMON
                              Download Yara Rule
                              APIs
                              • __Init_thread_footer.LIBCMT ref: 0040189E
                              • ExitThread.KERNEL32 ref: 004018D6
                              • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00471E78,00000000), ref: 004019E4
                                • Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                              • String ID: 8:G
                              • API String ID: 1649129571-405301104
                              • Opcode ID: d11932d744bb97d4d23e75232cb79a590d4ec77f01a60ef524a2726dec1169f8
                              • Instruction ID: 6b8457e9d7ea4966c0dd8dde8758560e0d74fde28bba72e74fe0511dc6260a90
                              • Opcode Fuzzy Hash: d11932d744bb97d4d23e75232cb79a590d4ec77f01a60ef524a2726dec1169f8
                              • Instruction Fuzzy Hash: 7941E7325042005BC324FB65DD86EAFB3A9AB84318F40453FF589621F2DF78994ADB5E
                              Function 00440935 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON
                              Download Yara Rule
                              APIs
                              • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\yVSkoplfDgy.exe,00000104), ref: 00440975
                              • _free.LIBCMT ref: 00440A40
                              • _free.LIBCMT ref: 00440A4A
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: _free$FileModuleName
                              • String ID: C:\Users\user\AppData\Roaming\yVSkoplfDgy.exe
                              • API String ID: 2506810119-2240974461
                              • Opcode ID: 85438adf96173c680659750e247b8861d1a9ea07739a925f85de7b4b5d9254a8
                              • Instruction ID: d1e15b597fe779666310b40bee8bd10d15f5dfa451d6ac01ff045fbeec250af7
                              • Opcode Fuzzy Hash: 85438adf96173c680659750e247b8861d1a9ea07739a925f85de7b4b5d9254a8
                              • Instruction Fuzzy Hash: CA31C4B1A00318AFEB21DF99D88199EBBF8EF84314F10406BF544A7311E6B48E55CB59
                              Function 00419675 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 90COMMON
                              Download Yara Rule
                              APIs
                                • Part of subcall function 00412006: RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,00472248,00471FFC), ref: 00412030
                                • Part of subcall function 00412006: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 0041204B
                                • Part of subcall function 00412006: RegCloseKey.ADVAPI32(00000000), ref: 00412054
                                • Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
                              • _wcslen.LIBCMT ref: 00419744
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                              • String ID: .exe$program files (x86)\$program files\
                              • API String ID: 37874593-1203593143
                              • Opcode ID: 546b0d98d04e059566fa11c86a24e7130a7516f31b9ccb35c8e0da8d0391a80d
                              • Instruction ID: a7f24a5d9d5c0dc772ada330bc3383911e5a1e9af4e42701afe0c0cb79e45fb3
                              • Opcode Fuzzy Hash: 546b0d98d04e059566fa11c86a24e7130a7516f31b9ccb35c8e0da8d0391a80d
                              • Instruction Fuzzy Hash: CB21B872A001046BDF14BAB6DD968FE37AD9E4831CB04057FF405B32D2ED7D8D5942A9
                              Function 00409203 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70threadCOMMON
                              Download Yara Rule
                              APIs
                              • CreateThread.KERNEL32(00000000,00000000,00409305,00472008,00000000,00000000), ref: 0040928B
                              • CreateThread.KERNEL32(00000000,00000000,004092EF,00472008,00000000,00000000), ref: 0040929B
                              • CreateThread.KERNEL32(00000000,00000000,00409311,00472008,00000000,00000000), ref: 004092A7
                                • Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                                • Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateThread$LocalTimewsprintf
                              • String ID: Offline Keylogger Started
                              • API String ID: 465354869-4114347211
                              • Opcode ID: fcb156bf474100ecd8714675bcdacda6a6d505e445d23128ee173ce543fa6834
                              • Instruction ID: c8e77f7b3f84bd49b91c3d3ae4e8ac846fef78eef7351f53fb2416b9cb49ddb0
                              • Opcode Fuzzy Hash: fcb156bf474100ecd8714675bcdacda6a6d505e445d23128ee173ce543fa6834
                              • Instruction Fuzzy Hash: 3211A7A15003083ED210BB669DD6CBB7A5CDA8139CB40057FF845221C3EAB85D19C6FF
                              Function 00409E37 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 65threadCOMMON
                              Download Yara Rule
                              APIs
                                • Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                                • Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F
                                • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                              • CreateThread.KERNEL32(00000000,00000000,004092EF,?,00000000,00000000), ref: 00409EB7
                              • CreateThread.KERNEL32(00000000,00000000,00409311,?,00000000,00000000), ref: 00409EC3
                              • CreateThread.KERNEL32(00000000,00000000,0040931D,?,00000000,00000000), ref: 00409ECF
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateThread$LocalTime$wsprintf
                              • String ID: Online Keylogger Started
                              • API String ID: 112202259-1258561607
                              • Opcode ID: 3095bb4c8629fd0e670b035ea9b5ccaf12231fc020c32c5bedba700ceaefce21
                              • Instruction ID: 28bbfba120e67fe9302c314101e9d6be38f8a9d2e5fa49f3fb55d6307d966583
                              • Opcode Fuzzy Hash: 3095bb4c8629fd0e670b035ea9b5ccaf12231fc020c32c5bedba700ceaefce21
                              • Instruction Fuzzy Hash: 7F01C4A0A042083AE62076768CD6DBF7A6CCA92398B40047FFA45221C3D9B85C5586FE
                              Function 00404F31 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58timethreadCOMMON
                              Download Yara Rule
                              APIs
                              • GetLocalTime.KERNEL32(?), ref: 00404F61
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FAD
                              • CreateThread.KERNEL32(00000000,00000000,00405130,?,00000000,00000000), ref: 00404FC0
                              Strings
                              • Connection KeepAlive | Enabled | Timeout: , xrefs: 00404F74
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: Create$EventLocalThreadTime
                              • String ID: Connection KeepAlive | Enabled | Timeout:
                              • API String ID: 2532271599-507513762
                              • Opcode ID: ecde6dd8490a4419ba9d8f450afdef6f270760df43025f419a01a865904151c8
                              • Instruction ID: 3880ceca910d84d0b9b3d3001f949c19a9d90d4f91ad2e0c59d2668d569340f7
                              • Opcode Fuzzy Hash: ecde6dd8490a4419ba9d8f450afdef6f270760df43025f419a01a865904151c8
                              • Instruction Fuzzy Hash: 4F1127719002806AC720BB769C0DE9B7FA89BD2714F44056FF44123281D6B89445CBBA
                              Function 00406071 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53libraryloaderCOMMON
                              Download Yara Rule
                              APIs
                              • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData,?,00000000,00406039,?), ref: 00406090
                              • GetProcAddress.KERNEL32(00000000), ref: 00406097
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressLibraryLoadProc
                              • String ID: CryptUnprotectData$crypt32
                              • API String ID: 2574300362-2380590389
                              • Opcode ID: f0fa7d81e448b8e45dda707d186e5b4dbadcbde3f04206e46648964c8c5bf07c
                              • Instruction ID: 6e7317174224a8efb10ab03f2076fe60a9434866ae70ffeafd7cb5b8c28562e1
                              • Opcode Fuzzy Hash: f0fa7d81e448b8e45dda707d186e5b4dbadcbde3f04206e46648964c8c5bf07c
                              • Instruction Fuzzy Hash: C801F535A04205ABCF18CFA9D8049ABBBB8AB54300F00427FE956E3380D635D904C794
                              Function 0040513C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46synchronizationCOMMON
                              Download Yara Rule
                              APIs
                              • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405139), ref: 00405153
                              • CloseHandle.KERNEL32(?), ref: 004051AA
                              • SetEvent.KERNEL32(?), ref: 004051B9
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseEventHandleObjectSingleWait
                              • String ID: Connection Timeout
                              • API String ID: 2055531096-499159329
                              • Opcode ID: 69bf4708d5eac36444cb13c7d4d8205934b4ecb8f60f6f16827c1b7745a6238b
                              • Instruction ID: 59ae86e236e2a5bc5991cc3fd82f69d26eb1b9a4ba12329ef82c58e56ff8d0a2
                              • Opcode Fuzzy Hash: 69bf4708d5eac36444cb13c7d4d8205934b4ecb8f60f6f16827c1b7745a6238b
                              • Instruction Fuzzy Hash: F901F531A40F40AFE711BB368C4551B7BD4FF01302704097FE19356AA1D6B89800CF49
                              Function 0040D1F0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 45COMMON
                              Download Yara Rule
                              APIs
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040D25E
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: Exception@8Throw
                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                              • API String ID: 2005118841-1866435925
                              • Opcode ID: 07dcd5cdd291a6416836d0c86817599069bcc3367b78dc6d1ec70403740c8f80
                              • Instruction ID: 5123bbd1fc4d669f1c4d6c1cc045f4f856aea5ad0ec182f95f4946492138bf11
                              • Opcode Fuzzy Hash: 07dcd5cdd291a6416836d0c86817599069bcc3367b78dc6d1ec70403740c8f80
                              • Instruction Fuzzy Hash: 0401A261E44208BAD714EAD1C853FBA73689B64705F10806FB911751C2EA7DAA4E862F
                              Function 004120E8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42registryCOMMON
                              Download Yara Rule
                              APIs
                              • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
                              • RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
                              • RegCloseKey.ADVAPI32(00000000), ref: 00412128
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseOpenQueryValue
                              • String ID: origmsc
                              • API String ID: 3677997916-68016026
                              • Opcode ID: d40fef656c83bcaf339f4d5c80b35c3f5e3dd6ef5f24df27a21155112b999244
                              • Instruction ID: 61f3e32b1c93232b19bf4a4cc48abe95026028d342b1827e6ec6edb2467bbf34
                              • Opcode Fuzzy Hash: d40fef656c83bcaf339f4d5c80b35c3f5e3dd6ef5f24df27a21155112b999244
                              • Instruction Fuzzy Hash: 4C014B31800229BBCF219F91DC49DEB7F29EF05761F0141A5BE08A2161D63589BADBA4
                              Function 00414839 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42COMMON
                              Download Yara Rule
                              APIs
                              • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041487B
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExecuteShell
                              • String ID: /C $cmd.exe$open
                              • API String ID: 587946157-3896048727
                              • Opcode ID: e8ae4e63c9dc0d6232b12cfcea10d76e3d0f37ee2c59ec5f687c9fc8ea61ff61
                              • Instruction ID: 0094db9d050c86e8b7efcb7c1e993d1de0046a6f7675c6b5aa1ef49a358ded74
                              • Opcode Fuzzy Hash: e8ae4e63c9dc0d6232b12cfcea10d76e3d0f37ee2c59ec5f687c9fc8ea61ff61
                              • Instruction Fuzzy Hash: 8FF017712083049BC304FBB5DC91DEFB39CAB90348F50493FB556921E2EE789949C65A
                              Function 00412006 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40registryCOMMON
                              Download Yara Rule
                              APIs
                              • RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,00472248,00471FFC), ref: 00412030
                              • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 0041204B
                              • RegCloseKey.ADVAPI32(00000000), ref: 00412054
                              Strings
                              • http\shell\open\command, xrefs: 00412026
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseOpenQueryValue
                              • String ID: http\shell\open\command
                              • API String ID: 3677997916-1487954565
                              • Opcode ID: b2b53b33f668fea9d6b70683008644784a8f2d8740eef6bc6becda6435671858
                              • Instruction ID: 0e37d8025f140bc42ec1a8b72352379eb981339daaa9ecb07b48012be1c394e8
                              • Opcode Fuzzy Hash: b2b53b33f668fea9d6b70683008644784a8f2d8740eef6bc6becda6435671858
                              • Instruction Fuzzy Hash: C5F0C271500218FBDB609B95DC49EDFBBBCEB84B12F1040A6BA04E2150DAB55F98C7A5
                              Function 00412204 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39registryCOMMON
                              Download Yara Rule
                              APIs
                              • RegCreateKeyW.ADVAPI32(80000001,Software\Classes\mscfile\shell\open\command,0046FB08), ref: 0041220F
                              • RegSetValueExW.ADVAPI32(0046FB08,00469654,00000000,00000000,00000000,00000000,00469654,?,80000001,?,0040674F,00469654,0046FB08), ref: 0041223E
                              • RegCloseKey.ADVAPI32(0046FB08,?,80000001,?,0040674F,00469654,0046FB08), ref: 00412249
                              Strings
                              • Software\Classes\mscfile\shell\open\command, xrefs: 0041220D
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseCreateValue
                              • String ID: Software\Classes\mscfile\shell\open\command
                              • API String ID: 1818849710-505396733
                              • Opcode ID: 3e3fd8a80b9e4d87c81bb3c401438d747e56ec0492b29cf55bc65580399ff691
                              • Instruction ID: 05e6d75f170e8ecdfe9b8062019ada1801530107581382ed9d20477649f1572c
                              • Opcode Fuzzy Hash: 3e3fd8a80b9e4d87c81bb3c401438d747e56ec0492b29cf55bc65580399ff691
                              • Instruction Fuzzy Hash: A1F0AF71440218BBCF00DFA1ED45AEE376CEF44755F00816ABC05A61A1E63A9E14DA94
                              Function 0040C9CE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON
                              Download Yara Rule
                              APIs
                              • std::_Lockit::_Lockit.LIBCPMT ref: 0040C9D9
                              • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CA18
                                • Part of subcall function 004333ED: _Yarn.LIBCPMT ref: 0043340C
                                • Part of subcall function 004333ED: _Yarn.LIBCPMT ref: 00433430
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CA3E
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                              • String ID: bad locale name
                              • API String ID: 3628047217-1405518554
                              • Opcode ID: 082478905eeced14d5731d6393d842c9ba169a160db0ba1d03fb3bfa15736ecf
                              • Instruction ID: 2c4ad0125759e8972babdbfe9bad97e9a7b68ba46d49635da0f31685b809246c
                              • Opcode Fuzzy Hash: 082478905eeced14d5731d6393d842c9ba169a160db0ba1d03fb3bfa15736ecf
                              • Instruction Fuzzy Hash: 6EF01232500604FAC328FBA6DC5299A77A49F14719F508D3FF545214D1FF396A18C699
                              Function 00412268 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 30registryCOMMON
                              Download Yara Rule
                              APIs
                              • RegCreateKeyA.ADVAPI32(80000001,00000000,P0F), ref: 00412276
                              • RegSetValueExA.ADVAPI32(P0F,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 00412291
                              • RegCloseKey.ADVAPI32(?,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 0041229C
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseCreateValue
                              • String ID: P0F
                              • API String ID: 1818849710-3540264436
                              • Opcode ID: 621f54e733439cbcd958662464d090e9ff9f63f5a417d09ab0c58a6b3b1f16b4
                              • Instruction ID: aa9041bc7d36289a95917c0f975a521a353b8518001b5fa9068edf17b8c75ad2
                              • Opcode Fuzzy Hash: 621f54e733439cbcd958662464d090e9ff9f63f5a417d09ab0c58a6b3b1f16b4
                              • Instruction Fuzzy Hash: 05E03972600308BBDB209FA09D05FEA7B6CEF04B62F1141A5BF09A6591D2758E14A7A8
                              Function 004013F2 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON
                              Download Yara Rule
                              APIs
                              • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 004013FC
                              • GetProcAddress.KERNEL32(00000000), ref: 00401403
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressHandleModuleProc
                              • String ID: GetCursorInfo$User32.dll
                              • API String ID: 1646373207-2714051624
                              • Opcode ID: 088d9d047025d8497e924925820d5eb65f0f262b7c85d6662a4774416c360c30
                              • Instruction ID: b28a71f0ab0cd05a0e9183a6667f806437ada0decc35e30242c3667109896680
                              • Opcode Fuzzy Hash: 088d9d047025d8497e924925820d5eb65f0f262b7c85d6662a4774416c360c30
                              • Instruction Fuzzy Hash: 8BB09BB5741301BB8A017B705E0D905357C550470375102A3B00386161F7F44500C61E
                              Function 00401497 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON
                              Download Yara Rule
                              APIs
                              • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014A1
                              • GetProcAddress.KERNEL32(00000000), ref: 004014A8
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressLibraryLoadProc
                              • String ID: GetLastInputInfo$User32.dll
                              • API String ID: 2574300362-1519888992
                              • Opcode ID: 0a32acb6837364cc41bfb1711514e79ed8798cba9f1c44e4cca123ab277e4417
                              • Instruction ID: 9c97512ccc3e9dae7fbe55962af9901819d65f6a69b3e33b2a0b565c767961ff
                              • Opcode Fuzzy Hash: 0a32acb6837364cc41bfb1711514e79ed8798cba9f1c44e4cca123ab277e4417
                              • Instruction Fuzzy Hash: 51B092B1980302AB8E006FB1AE0DE043AB8A604703B5102B6B00292161EAF99440CF2E
                              Function 00448C13 Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: __alldvrm$_strrchr
                              • String ID:
                              • API String ID: 1036877536-0
                              • Opcode ID: ffe43cf3e465c727d5e0953a870d72e00f4610d42b915cf7dfa75284df7637f7
                              • Instruction ID: 8a3f88530d83194aa24a517e4ef6e15a272d99a70002873db7a8ab856bdac54d
                              • Opcode Fuzzy Hash: ffe43cf3e465c727d5e0953a870d72e00f4610d42b915cf7dfa75284df7637f7
                              • Instruction Fuzzy Hash: 18A12572A012869FFB21CE18C8817AEBBA1EF65314F24416FE5859B382CA3C8941C759
                              Function 0043FD01 Relevance: 6.1, APIs: 4, Instructions: 133COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 708417122de2711bb2eb7b93dd9c5bc77eababb27f74811c5393ad6cf28abd82
                              • Instruction ID: c1abd53b49e6a7723cad7358b49d7c046164203d86e3a19123cc85c40c5f12b7
                              • Opcode Fuzzy Hash: 708417122de2711bb2eb7b93dd9c5bc77eababb27f74811c5393ad6cf28abd82
                              • Instruction Fuzzy Hash: 93412871E00704AFD7249F79CC46B5A7BA9EB8C714F10523FF142DB681D37999498788
                              Function 00404CA3 Relevance: 6.1, APIs: 4, Instructions: 121synchronizationthreadCOMMON
                              Download Yara Rule
                              APIs
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00471EE8), ref: 00404D93
                              • CreateThread.KERNEL32(00000000,00000000,?,00471E90,00000000,00000000), ref: 00404DA7
                              • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 00404DB2
                              • CloseHandle.KERNEL32(?,?,00000000), ref: 00404DBB
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: Create$CloseEventHandleObjectSingleThreadWait
                              • String ID:
                              • API String ID: 3360349984-0
                              • Opcode ID: 4507b0ab51a6c89f5a00a7e6d16978d5bd04c0451300ea21d68f1003f035869f
                              • Instruction ID: 0d5bef4af40d9751d8a4c840d6feadb85822b330c50e1cee3accc81e25362d00
                              • Opcode Fuzzy Hash: 4507b0ab51a6c89f5a00a7e6d16978d5bd04c0451300ea21d68f1003f035869f
                              • Instruction Fuzzy Hash: DA4194712083016FCB11FB61CD55D6FB7EDAFD4314F400A3EB982A32E2DB7899098666
                              Function 0040AF4D Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 103sleepCOMMON
                              Download Yara Rule
                              APIs
                              Strings
                              • Cleared browsers logins and cookies., xrefs: 0040B036
                              • [Cleared browsers logins and cookies.], xrefs: 0040B025
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: Sleep
                              • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                              • API String ID: 3472027048-1236744412
                              • Opcode ID: c5625c41e3350cd44f31e3f39ca14d3df05c6bc0ef5032128f41299be6cd647b
                              • Instruction ID: 9e673e540e653d5dfc9c41bfd33b173fe745421aa21f598ea7623546fa890e2b
                              • Opcode Fuzzy Hash: c5625c41e3350cd44f31e3f39ca14d3df05c6bc0ef5032128f41299be6cd647b
                              • Instruction Fuzzy Hash: EE31A24074C3826EDA11BBB555267EF6B924A53758F0844BFF8C42B3C3D9BA4818936F
                              Function 00411140 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 93sleepCOMMON
                              Download Yara Rule
                              APIs
                                • Part of subcall function 004120E8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
                                • Part of subcall function 004120E8: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
                                • Part of subcall function 004120E8: RegCloseKey.ADVAPI32(00000000), ref: 00412128
                              • Sleep.KERNEL32(00000BB8), ref: 004111DF
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseOpenQuerySleepValue
                              • String ID: H"G$exepath$!G
                              • API String ID: 4119054056-2148977334
                              • Opcode ID: b63ef4792b0a54595826799ca09291a4a0f263f6c30614dda09e5540f09a92a9
                              • Instruction ID: cc1704131a0fe244d5c58522e2247ad29464f3afd50ace533094a5add093a815
                              • Opcode Fuzzy Hash: b63ef4792b0a54595826799ca09291a4a0f263f6c30614dda09e5540f09a92a9
                              • Instruction Fuzzy Hash: 2321F7A1B0030426DA00B7765D56AAF724D8B84308F00447FBE46F72E3DEBC9D0981AD
                              Function 004094FF Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 81sleepCOMMON
                              Download Yara Rule
                              APIs
                                • Part of subcall function 0041A2DB: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A2EB
                                • Part of subcall function 0041A2DB: GetWindowTextLengthW.USER32(00000000), ref: 0041A2F4
                                • Part of subcall function 0041A2DB: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041A31E
                              • Sleep.KERNEL32(000001F4), ref: 0040955A
                              • Sleep.KERNEL32(00000064), ref: 004095F5
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: Window$SleepText$ForegroundLength
                              • String ID: [ $ ]
                              • API String ID: 3309952895-93608704
                              • Opcode ID: 1543f2ebe3b39a11f32b2ab7ee3d2400f3e72a61424cc91a421d40b22e495c0c
                              • Instruction ID: f130b1bb1348f748448b569433b56ba5176942d51498ef551544d7c0cb15bd34
                              • Opcode Fuzzy Hash: 1543f2ebe3b39a11f32b2ab7ee3d2400f3e72a61424cc91a421d40b22e495c0c
                              • Instruction Fuzzy Hash: 2721657160420067C618B776DC179AE32A89F51308F40447FF552772D3EE7D9A05869F
                              Function 00440F33 Relevance: 6.1, APIs: 4, Instructions: 63COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2970eecc447bf90f09d99781fc54b6e0c8e96c5b6031d191d94caaf8528dc60b
                              • Instruction ID: cddd12244c82da27d8fba5a3cfb3b4b8374ea1530061808fe1103b2c2b1f06f2
                              • Opcode Fuzzy Hash: 2970eecc447bf90f09d99781fc54b6e0c8e96c5b6031d191d94caaf8528dc60b
                              • Instruction Fuzzy Hash: 46018FB26092163EF6302E796CC1F67271CDF517B9B21033BF625622D2EAB8CD254568
                              Function 00440FB2 Relevance: 6.1, APIs: 4, Instructions: 59COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 995436ab4c2709f546f4042a2e75d66bbbd7790162713e0acfb32ec842828db5
                              • Instruction ID: ded37596ea74bb71ca552df42b40a6491f306b500b676c7390fdbb9d5d89f826
                              • Opcode Fuzzy Hash: 995436ab4c2709f546f4042a2e75d66bbbd7790162713e0acfb32ec842828db5
                              • Instruction Fuzzy Hash: E801D1B220A2163EB6202E796CC9D27631DEF513BE725033BF521522E6EF7DCC855168
                              Function 0041A20F Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON
                              Download Yara Rule
                              APIs
                              • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                              • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A23C
                              • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A261
                              • CloseHandle.KERNEL32(00000000,?,00000000,0040410F,00462E24), ref: 0041A26F
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$CloseCreateHandleReadSize
                              • String ID:
                              • API String ID: 3919263394-0
                              • Opcode ID: f8144eb0105f9ed2fcebd69b81e7c94004eac80e706136602d8195065f3f2b82
                              • Instruction ID: 89bb00dd3d40589ea0a8ab1c68f17f151e0eed20b013a8aeca2898ab58bcd068
                              • Opcode Fuzzy Hash: f8144eb0105f9ed2fcebd69b81e7c94004eac80e706136602d8195065f3f2b82
                              • Instruction Fuzzy Hash: 6EF0F6B13023087FE6102B21AC84FBF369CDB867A5F01027EF901A32C1CA3A8C054536
                              Function 00436CD1 Relevance: 6.0, APIs: 4, Instructions: 14COMMON
                              Download Yara Rule
                              APIs
                              • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00436CD1
                              • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00436CD6
                              • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00436CDB
                                • Part of subcall function 004381DA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004381EB
                              • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00436CF0
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                              • String ID:
                              • API String ID: 1761009282-0
                              • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                              • Instruction ID: fe0629a2579d5eb29aad24ff52ac89f8c4d28ee3f0e2161d733d9faf058f7893
                              • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                              • Instruction Fuzzy Hash: 12C00254040342742C5077B622062AEA350A8AE38DFA7B4CFB892171038D0D440B953F
                              Function 0044015D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON
                              Download Yara Rule
                              APIs
                              • __startOneArgErrorHandling.LIBCMT ref: 004401ED
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorHandling__start
                              • String ID: pow
                              • API String ID: 3213639722-2276729525
                              • Opcode ID: 28648d1c5639a1d5ffd860c5db5a803017559560979bfd47f5832c4e42ec8e44
                              • Instruction ID: 9a83a7e01686381b8a8ce0b853cf5bc52d75b03c70b61edc7fb1f4b11142e615
                              • Opcode Fuzzy Hash: 28648d1c5639a1d5ffd860c5db5a803017559560979bfd47f5832c4e42ec8e44
                              • Instruction Fuzzy Hash: 21518A60A842018AFB117714CA4137B3B90EB40701F248DABE5D2563EAEB7D8CB5DA4F
                              Function 0040402C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93sleepCOMMON
                              Download Yara Rule
                              APIs
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404046
                                • Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980
                                • Part of subcall function 004168A6: CloseHandle.KERNEL32(004040D5,?,?,004040D5,00462E24), ref: 004168BC
                                • Part of subcall function 004168A6: CloseHandle.KERNEL32($.F,?,?,004040D5,00462E24), ref: 004168C5
                                • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                              • Sleep.KERNEL32(000000FA,00462E24), ref: 00404118
                              Strings
                              • /sort "Visit Time" /stext ", xrefs: 00404092
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                              • String ID: /sort "Visit Time" /stext "
                              • API String ID: 368326130-1573945896
                              • Opcode ID: a4a6769404a45eb771fb951e36bc417e5ca480f2d31eb92d27795bae4adf2828
                              • Instruction ID: 7f8942f24ccac46b0034012f494d3192eca769648d2eef92b07e1d28e9d76a7f
                              • Opcode Fuzzy Hash: a4a6769404a45eb771fb951e36bc417e5ca480f2d31eb92d27795bae4adf2828
                              • Instruction Fuzzy Hash: B5316431A0021556CB14FBB6DC969EE73B9AF90308F40017FF506B71E2EE38594ACA99
                              Function 0040A694 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON
                              Download Yara Rule
                              APIs
                                • Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B
                              • __Init_thread_footer.LIBCMT ref: 0040A6E3
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: Init_thread_footer__onexit
                              • String ID: [End of clipboard]$[Text copied to clipboard]
                              • API String ID: 1881088180-3686566968
                              • Opcode ID: 8b3756b0909f45d78d669578ef8912b34d58c84c6c9fb6c8f8edd64ed624e4fc
                              • Instruction ID: 89f5e7c07999504d217297f9a041c68b3e0b8c5632e5b70e4a6c966e9d45e494
                              • Opcode Fuzzy Hash: 8b3756b0909f45d78d669578ef8912b34d58c84c6c9fb6c8f8edd64ed624e4fc
                              • Instruction Fuzzy Hash: 42218D31A002055ACB04FBA5D892DEDB378AF54308F10453FF506771D2EF38AE4A8A8D
                              Function 0044ED17 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0044EF72,?,00000050,?,?,?,?,?), ref: 0044EDF2
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: ACP$OCP
                              • API String ID: 0-711371036
                              • Opcode ID: 2f6255c43d422f9ec28f5694223862b2eeac92ff2acac738a800f64e00dd4497
                              • Instruction ID: ce4b6ecbf16ce97eee8671cf775368e41a8ae942868fb71505acbacd33d5bec2
                              • Opcode Fuzzy Hash: 2f6255c43d422f9ec28f5694223862b2eeac92ff2acac738a800f64e00dd4497
                              • Instruction Fuzzy Hash: 4F21F1E2E00102A2FB348B67CC01BAB72A6FF54B51F568426E90AD7300EB3ADD41C35C
                              Function 00415B11 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82windowCOMMON
                              Download Yara Rule
                              APIs
                              • GetWindowTextW.USER32(?,?,0000012C), ref: 00415B2E
                              • IsWindowVisible.USER32(?), ref: 00415B37
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: Window$TextVisible
                              • String ID: (%G
                              • API String ID: 1670992164-3377777310
                              • Opcode ID: 6f17d284cfdb4df53722abd5a13ccbba9f2a9602f3f7b51a6171a740e00953ec
                              • Instruction ID: 7bdbcb6602ffb42e5ce2137d58ff1a132c15f169860b2e192372582f8912ca7a
                              • Opcode Fuzzy Hash: 6f17d284cfdb4df53722abd5a13ccbba9f2a9602f3f7b51a6171a740e00953ec
                              • Instruction Fuzzy Hash: E42166315182019BC314FB61D891EEFB7E9AF94304F50493FF49A920E2FF349A49CA5A
                              Function 00404FD4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67timeCOMMON
                              Download Yara Rule
                              APIs
                              • GetLocalTime.KERNEL32(?,004724A8,?,00000000,?,?,?,?,?,?,004146C2,?,00000001,0000004C,00000000), ref: 00405010
                                • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                              • GetLocalTime.KERNEL32(?,004724A8,?,00000000,?,?,?,?,?,?,004146C2,?,00000001,0000004C,00000000), ref: 00405067
                              Strings
                              • Connection KeepAlive | Enabled | Timeout: , xrefs: 00404FFF
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: LocalTime
                              • String ID: Connection KeepAlive | Enabled | Timeout:
                              • API String ID: 481472006-507513762
                              • Opcode ID: db71296423f5ae0c940390bca2fe76bdaa24d7f5692d89ec5d6dad89ab0214d4
                              • Instruction ID: 0beb7a88d254a358a963561f9d97893b624dd36ca90e96b80d49a5b3b1f878f3
                              • Opcode Fuzzy Hash: db71296423f5ae0c940390bca2fe76bdaa24d7f5692d89ec5d6dad89ab0214d4
                              • Instruction Fuzzy Hash: 092137719042406BD304B7219D2976F7794A745308F04047EF845132E2DBBD5988CB9F
                              Function 00432D4B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00432D8F
                              • ___raise_securityfailure.LIBCMT ref: 00432E76
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: FeaturePresentProcessor___raise_securityfailure
                              • String ID: (F
                              • API String ID: 3761405300-3109638091
                              • Opcode ID: 8d70a3cd03553c2d68efa77227729d50617932ca87f7888c32547dfbcc783ade
                              • Instruction ID: 494dc9d0fce29d31cb3ef34e393fed80e8221b4646dfbf54f91bf1ae82b1ca01
                              • Opcode Fuzzy Hash: 8d70a3cd03553c2d68efa77227729d50617932ca87f7888c32547dfbcc783ade
                              • Instruction Fuzzy Hash: 8C21F0BD500205DEE700DF16E9856403BE4BB49314F20943AE9088B3A1F3F669918F9F
                              Function 004194DA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59timeCOMMON
                              Download Yara Rule
                              APIs
                              • GetLocalTime.KERNEL32(00000000), ref: 004194F4
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: LocalTime
                              • String ID: | $%02i:%02i:%02i:%03i
                              • API String ID: 481472006-2430845779
                              • Opcode ID: 3ac86647c9e14ca6f93bd036f528b1de7b867f3a903355216a00816ff0bb3ae2
                              • Instruction ID: bce8772fa89f7f7ff9e68bb522557632f538b64cb503c22793e2f51f4d03e72f
                              • Opcode Fuzzy Hash: 3ac86647c9e14ca6f93bd036f528b1de7b867f3a903355216a00816ff0bb3ae2
                              • Instruction Fuzzy Hash: 68117F315042015AC304FBA5D8518EBB3E8AB94308F500A3FF895A21E2FF3CDA49C65A
                              Function 00418CCD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON
                              Download Yara Rule
                              APIs
                              • PathFileExistsW.SHLWAPI(00000000,00000000,?,?,?,?,?,00415594,00000000), ref: 00418CF2
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExistsFilePath
                              • String ID: alarm.wav$x(G
                              • API String ID: 1174141254-2413638199
                              • Opcode ID: 26c40b3e06d19070c32931467931773a754d599fffa5f8131170b201d030b6b4
                              • Instruction ID: fe962266bcbe9b481af3baecc2186877703bd5259ecc619923a55b1e0e4c82aa
                              • Opcode Fuzzy Hash: 26c40b3e06d19070c32931467931773a754d599fffa5f8131170b201d030b6b4
                              • Instruction Fuzzy Hash: 40019270B0430056C604F7A6E9566EE37958BA1358F00857FA849672E2EEBD4D45C6CF
                              Function 00409F9A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON
                              Download Yara Rule
                              APIs
                                • Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                                • Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F
                                • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                              • CloseHandle.KERNEL32(?), ref: 00409FFD
                              • UnhookWindowsHookEx.USER32 ref: 0040A010
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                              • String ID: Online Keylogger Stopped
                              • API String ID: 1623830855-1496645233
                              • Opcode ID: 844159523aa59948fae8112936e3b7164414e1ec4be296e67346653cf839bcc0
                              • Instruction ID: de94d33b988dbd75262e40483fa5bc1fa77a380ea8b62c1163629748a83ca489
                              • Opcode Fuzzy Hash: 844159523aa59948fae8112936e3b7164414e1ec4be296e67346653cf839bcc0
                              • Instruction Fuzzy Hash: 2601F530A003045BD7257F24C81BBBE7BB59B82304F40056FE541225D2EAB91866E7DF
                              Function 0040B467 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON
                              Download Yara Rule
                              APIs
                              • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000,?,?,?,?,?,?,0040B5A1), ref: 0040B49A
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExistsFilePath
                              • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                              • API String ID: 1174141254-2800177040
                              • Opcode ID: e6d86c904460ed95f93b6480c1b29343ffc8ef0317c86cf59c19c4bf9a903d1b
                              • Instruction ID: 5821409638838460856efc798fa08f59aead72c028a5ec3eaf808f19191aee33
                              • Opcode Fuzzy Hash: e6d86c904460ed95f93b6480c1b29343ffc8ef0317c86cf59c19c4bf9a903d1b
                              • Instruction Fuzzy Hash: CBF0547090021996CA04FBA6CC57DFF7B6CDA10715B40057FBA01721D3EEBC9E5586D9
                              Function 0040B404 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON
                              Download Yara Rule
                              APIs
                              • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000,?,?,?,?,?,?,0040B53E), ref: 0040B437
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExistsFilePath
                              • String ID: UserProfile$\AppData\Local\Google\Chrome\
                              • API String ID: 1174141254-4188645398
                              • Opcode ID: 3eb312a051bd7b3e881279eab24470592b62138a753e29912da0ff6a2ccc73a2
                              • Instruction ID: 3f8b084fd7c06795b4d0fa8893062b22b44e731770192fac0e06baefb29df0f7
                              • Opcode Fuzzy Hash: 3eb312a051bd7b3e881279eab24470592b62138a753e29912da0ff6a2ccc73a2
                              • Instruction Fuzzy Hash: 3DF08970A0021996CA04FBA6DC479FF7B6CDA10715B40007F7A01721D3EEBC9E498ADD
                              Function 0040B4CA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON
                              Download Yara Rule
                              APIs
                              • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000,?,?,?,?,?,?,0040B604), ref: 0040B4FD
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExistsFilePath
                              • String ID: AppData$\Opera Software\Opera Stable\
                              • API String ID: 1174141254-1629609700
                              • Opcode ID: 642841fccc908c774798103d59d1a545af8806a5893841e3456303e80930f048
                              • Instruction ID: 52471f63f703214977655dbdffc05bc1b666495b4e4508f2cd1aa44db4b955b6
                              • Opcode Fuzzy Hash: 642841fccc908c774798103d59d1a545af8806a5893841e3456303e80930f048
                              • Instruction Fuzzy Hash: 2AF05430900219A6C604FBA6CC479EF7B6C9A50709B40047FB901722D3EEB99A4586DD
                              Function 0040A592 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32keyboardCOMMON
                              Download Yara Rule
                              APIs
                              • GetKeyState.USER32(00000011), ref: 0040A597
                                • Part of subcall function 00409468: GetForegroundWindow.USER32 ref: 0040949C
                                • Part of subcall function 00409468: GetWindowThreadProcessId.USER32(00000000,?), ref: 004094A7
                                • Part of subcall function 00409468: GetKeyboardLayout.USER32(00000000), ref: 004094AE
                                • Part of subcall function 00409468: GetKeyState.USER32(00000010), ref: 004094B8
                                • Part of subcall function 00409468: GetKeyboardState.USER32(?), ref: 004094C5
                                • Part of subcall function 00409468: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 004094E1
                                • Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: State$KeyboardWindow$EventForegroundLayoutProcessThreadUnicode
                              • String ID: [AltL]$[AltR]
                              • API String ID: 3195419117-2658077756
                              • Opcode ID: 93bc4c82374cea9adc1be0e1e00b15a6865a0a166cb0b06a72cbb1eb968038fe
                              • Instruction ID: 29e442ca109236f59d068076b5b59df2bd5c1a98fb0e5871b2f0b43888bf59e1
                              • Opcode Fuzzy Hash: 93bc4c82374cea9adc1be0e1e00b15a6865a0a166cb0b06a72cbb1eb968038fe
                              • Instruction Fuzzy Hash: E0E0E52170432026C828363E2D2B6AE39109741761B80006FF8436B2C6EC7E8D1043CF
                              Function 0040A5EC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24keyboardCOMMON
                              Download Yara Rule
                              APIs
                              • GetKeyState.USER32(00000012), ref: 0040A5F1
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: State
                              • String ID: [CtrlL]$[CtrlR]
                              • API String ID: 1649606143-2446555240
                              • Opcode ID: 32d4ed10a71edebd33ac4b48b63deb44ff05106530e36cbcea7ee1510555eeab
                              • Instruction ID: c9b4056729f6320a31326482d9effdd17bd0eb8d0dea22e3f8a852eb4ad5c27f
                              • Opcode Fuzzy Hash: 32d4ed10a71edebd33ac4b48b63deb44ff05106530e36cbcea7ee1510555eeab
                              • Instruction Fuzzy Hash: 53E02672B043112AC414397E551EA2A286087917A9F46042FECC3672C3D87F8D2203CF
                              Function 00412414 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23registryCOMMON
                              Download Yara Rule
                              APIs
                              • RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,00000002,00000000,80000001,6h@,004123E9,00000000,00000000,6h@,origmsc,00000000), ref: 00412422
                              • RegDeleteValueW.ADVAPI32(?,?), ref: 00412436
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: DeleteOpenValue
                              • String ID: 6h@
                              • API String ID: 2654517830-73392143
                              • Opcode ID: 45be350e15fffb6ae5252e7309d7a4a092feaea6bf63e3a5136c94c60f555a57
                              • Instruction ID: b623b948bfdfa0337ccefb4abe002260ff2e01b184ebd3416e4b53d264740477
                              • Opcode Fuzzy Hash: 45be350e15fffb6ae5252e7309d7a4a092feaea6bf63e3a5136c94c60f555a57
                              • Instruction Fuzzy Hash: 9BE0C231244208BBDF108F71DE07FFA372CDB01F01F5042A5BD0592091C666CE149664
                              Function 0043B445 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D35), ref: 0043B4DB
                              • GetLastError.KERNEL32 ref: 0043B4E9
                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043B544
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: ByteCharMultiWide$ErrorLast
                              • String ID:
                              • API String ID: 1717984340-0
                              • Opcode ID: b03ae9dac27993159e2f076845c08d8301cee77c5f079c52009939e8645c9409
                              • Instruction ID: 0ecaebee41cb6558e50c6262f5020644a21471e748dd5a13caac6b8f2b864e38
                              • Opcode Fuzzy Hash: b03ae9dac27993159e2f076845c08d8301cee77c5f079c52009939e8645c9409
                              • Instruction Fuzzy Hash: AD411630600205BFDB229F65D844B6B7BB4EF09328F14516EFA59AB3A1DB38CD01C799
                              Function 004105C4 Relevance: 5.1, APIs: 4, Instructions: 119COMMON
                              Download Yara Rule
                              APIs
                              • IsBadReadPtr.KERNEL32(?,00000014), ref: 004105F1
                              • IsBadReadPtr.KERNEL32(?,00000014), ref: 004106BD
                              • SetLastError.KERNEL32(0000007F), ref: 004106DF
                              • SetLastError.KERNEL32(0000007E,00410955), ref: 004106F6
                              Memory Dump Source
                              • Source File: 00000010.00000002.1370654568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_16_2_400000_yVSkoplfDgy.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLastRead
                              • String ID:
                              • API String ID: 4100373531-0
                              • Opcode ID: 9879e5f97f9034714067de51e7f9b75c8f83f84791738768acf52853c1cf03dd
                              • Instruction ID: 0e21605053d2ba8273329305491efaf700724209343246308e891da9604144dc
                              • Opcode Fuzzy Hash: 9879e5f97f9034714067de51e7f9b75c8f83f84791738768acf52853c1cf03dd
                              • Instruction Fuzzy Hash: 73417C71644305DFE7208F18DC84BA7B7E4FF88714F00442EE54687691EBB5E8A5CB19