
Windows Analysis Report
tXcFA8apHU.exe

Overview

General Information

Sample name: tXcFA8apHU.exe (renamed because original name is a hash value)
Original sample name: 7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe
Analysis ID: 1569310
MD5: c9d033467bd4405db131e2db7dd8abbf
SHA1: 31a47ebb0a372ce4dea8f9ad0d7e547816ff7103
SHA256: 7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29
Tags: exe, RemcosRAT, user-adrian__luca

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Remcos RAT
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • tXcFA8apHU.exe (PID: 7880 cmdline: "C:\Users\user\Desktop\tXcFA8apHU.exe" MD5: C9D033467BD4405DB131E2DB7DD8ABBF)
    • powershell.exe (PID: 7388 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tXcFA8apHU.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6944 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\njEnUdtKgG.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7704 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 5756 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\njEnUdtKgG" /XML "C:\Users\user\AppData\Local\Temp\tmp4537.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 3144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tXcFA8apHU.exe (PID: 4620 cmdline: "C:\Users\user\Desktop\tXcFA8apHU.exe" MD5: C9D033467BD4405DB131E2DB7DD8ABBF)
  • njEnUdtKgG.exe (PID: 7500 cmdline: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe MD5: C9D033467BD4405DB131E2DB7DD8ABBF)
    • schtasks.exe (PID: 1860 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\njEnUdtKgG" /XML "C:\Users\user\AppData\Local\Temp\tmp567D.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • njEnUdtKgG.exe (PID: 6836 cmdline: "C:\Users\user\AppData\Roaming\njEnUdtKgG.exe" MD5: C9D033467BD4405DB131E2DB7DD8ABBF)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware configuration (extracted):
{"Host:Port:Password": ["lack.work.gd:3124:1"], "Assigned name": "le", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "sos", "Hide file": "Disable", "Mutex": "gig-RM2DNS", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "vlc", "Keylog folder": "ios", "Keylog file max size": "100"}
Yara matches (memory dumps):

Source: 0000000E.00000002.3725647810.0000000000CAA000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000014.00000002.1351775759.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown | Strings:
  • 0x691e0:$a1: Remcos restarted by watchdog!
  • 0x69738:$a3: %02i:%02i:%02i:%03i
  • 0x69abd:$a4: * Remcos v
Source: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown | Strings:
  • 0x641e4:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x63610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x63e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6320c:$str_b2: Executing file:
  • 0x64328:$str_b3: GetDirectListeningPort
  • 0x63c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x63e30:$str_b7: \update.vbs
  • 0x63234:$str_b9: Downloaded file:
  • 0x63220:$str_b10: Downloading file:
  • 0x632c4:$str_b12: Failed to upload file:
  • 0x642f0:$str_b13: StartForward
  • 0x64310:$str_b14: StopForward
  • 0x63dd8:$str_b15: fso.DeleteFile "
  • 0x63d6c:$str_b16: On Error Resume Next
  • 0x63e08:$str_b17: fso.DeleteFolder "
  • 0x632b4:$str_b18: Uploaded file:
  • 0x63274:$str_b19: Unable to delete:
  • 0x63da0:$str_b20: while fso.FileExists("
  • 0x63749:$str_c0: [Firefox StoredLogins not found]
(14 further entries not shown)

Yara matches (unpacked PE files):

Source: 5.2.tXcFA8apHU.exe.46a9cb0.0.unpack | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 5.2.tXcFA8apHU.exe.46a9cb0.0.unpack | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown | Strings:
  • 0x661e0:$a1: Remcos restarted by watchdog!
  • 0x66738:$a3: %02i:%02i:%02i:%03i
  • 0x66abd:$a4: * Remcos v
Source: 5.2.tXcFA8apHU.exe.46a9cb0.0.unpack | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown | Strings:
  • 0x611e4:$str_a1: C:\Windows\System32\cmd.exe
  • 0x61160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x61160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x60610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x60e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6020c:$str_b2: Executing file:
  • 0x61328:$str_b3: GetDirectListeningPort
  • 0x60c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x60e30:$str_b7: \update.vbs
  • 0x60234:$str_b9: Downloaded file:
  • 0x60220:$str_b10: Downloading file:
  • 0x602c4:$str_b12: Failed to upload file:
  • 0x612f0:$str_b13: StartForward
  • 0x61310:$str_b14: StopForward
  • 0x60dd8:$str_b15: fso.DeleteFile "
  • 0x60d6c:$str_b16: On Error Resume Next
  • 0x60e08:$str_b17: fso.DeleteFolder "
  • 0x602b4:$str_b18: Uploaded file:
  • 0x60274:$str_b19: Unable to delete:
  • 0x60da0:$str_b20: while fso.FileExists("
  • 0x60749:$str_c0: [Firefox StoredLogins not found]
Source: 5.2.tXcFA8apHU.exe.46a9cb0.0.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer | Description: detects Windows executables potentially bypassing UAC using eventvwr.exe | Author: ditekSHen | Strings:
  • 0x60100:$s1: \Classes\mscfile\shell\open\command
  • 0x60160:$s1: \Classes\mscfile\shell\open\command
  • 0x60148:$s2: eventvwr.exe
Source: 20.2.njEnUdtKgG.exe.400000.0.unpack | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
(18 further entries not shown)

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tXcFA8apHU.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tXcFA8apHU.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\tXcFA8apHU.exe", ParentImage: C:\Users\user\Desktop\tXcFA8apHU.exe, ParentProcessId: 7880, ParentProcessName: tXcFA8apHU.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tXcFA8apHU.exe", ProcessId: 7388, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\njEnUdtKgG" /XML "C:\Users\user\AppData\Local\Temp\tmp567D.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\njEnUdtKgG" /XML "C:\Users\user\AppData\Local\Temp\tmp567D.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe, ParentImage: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe, ParentProcessId: 7500, ParentProcessName: njEnUdtKgG.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\njEnUdtKgG" /XML "C:\Users\user\AppData\Local\Temp\tmp567D.tmp", ProcessId: 1860, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\njEnUdtKgG" /XML "C:\Users\user\AppData\Local\Temp\tmp4537.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\njEnUdtKgG" /XML "C:\Users\user\AppData\Local\Temp\tmp4537.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\tXcFA8apHU.exe", ParentImage: C:\Users\user\Desktop\tXcFA8apHU.exe, ParentProcessId: 7880, ParentProcessName: tXcFA8apHU.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\njEnUdtKgG" /XML "C:\Users\user\AppData\Local\Temp\tmp4537.tmp", ProcessId: 5756, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tXcFA8apHU.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tXcFA8apHU.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\tXcFA8apHU.exe", ParentImage: C:\Users\user\Desktop\tXcFA8apHU.exe, ParentProcessId: 7880, ParentProcessName: tXcFA8apHU.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tXcFA8apHU.exe", ProcessId: 7388, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\njEnUdtKgG" /XML "C:\Users\user\AppData\Local\Temp\tmp4537.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\njEnUdtKgG" /XML "C:\Users\user\AppData\Local\Temp\tmp4537.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\tXcFA8apHU.exe", ParentImage: C:\Users\user\Desktop\tXcFA8apHU.exe, ParentProcessId: 7880, ParentProcessName: tXcFA8apHU.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\njEnUdtKgG" /XML "C:\Users\user\AppData\Local\Temp\tmp4537.tmp", ProcessId: 5756, ProcessName: schtasks.exe

Suricata IDS alerts:

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-05T17:54:15.573901+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49711 | 154.216.19.139 | 3124 | TCP
2024-12-05T17:54:19.562581+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.10 | 49724 | 178.237.33.50 | 80 | TCP


AV Detection

Source: 0000000E.00000002.3725647810.0000000000CAA000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["lack.work.gd:3124:1"], "Assigned name": "le", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "sos", "Hide file": "Disable", "Mutex": "gig-RM2DNS", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "vlc", "Keylog folder": "ios", "Keylog file max size": "100"}
Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | ReversingLabs: Detection: 65%
Source: tXcFA8apHU.exe | ReversingLabs: Detection: 65%
Source: Yara match | File source: 5.2.tXcFA8apHU.exe.46a9cb0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.njEnUdtKgG.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.njEnUdtKgG.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.tXcFA8apHU.exe.471f2d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.tXcFA8apHU.exe.471f2d0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.tXcFA8apHU.exe.46a9cb0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000002.3725647810.0000000000CAA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.1351775759.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.1374108041.00000000036E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1325620534.00000000046A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: tXcFA8apHU.exe PID: 7880, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: tXcFA8apHU.exe PID: 4620, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: njEnUdtKgG.exe PID: 7500, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: njEnUdtKgG.exe PID: 6836, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Joe Sandbox ML: detected
Source: tXcFA8apHU.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_004315EC CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,20_2_004315EC
Source: tXcFA8apHU.exe, 00000005.00000002.1325620534.00000000046A9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_2c7eed20-d
Source: tXcFA8apHU.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tXcFA8apHU.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: vlzh.pdb | source: tXcFA8apHU.exe, njEnUdtKgG.exe.5.dr
Source: Binary string: vlzh.pdbSHA256|| | source: tXcFA8apHU.exe, njEnUdtKgG.exe.5.dr
Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,20_2_0041A01B
Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,20_2_0040B28E
Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,20_2_0040838E
Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,20_2_004087A0
Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,20_2_00407848
Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_004068CD FindFirstFileW,FindNextFileW,20_2_004068CD
Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_0044BA59 FindFirstFileExA,20_2_0044BA59
Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,20_2_0040AA71
Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW,20_2_00417AAB
Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,20_2_0040AC78
Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,20_2_00406D28

Networking

Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49711 -> 154.216.19.139:3124
Source: Malware configuration extractor | URLs: lack.work.gd
Source: global traffic | TCP traffic: 192.168.2.10:49711 -> 154.216.19.139:3124
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 (Host: geoplugin.net; Cache-Control: no-cache)
Source: Joe Sandbox View | IP Address: 154.216.19.139
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: Joe Sandbox View | ASN Name: SKHT-ASShenzhenKatherineHengTechnologyInformationCo
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.10:49724 -> 178.237.33.50:80
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (3 occurrences)
Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_0041936B InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,20_2_0041936B
Source: global traffic | DNS traffic detected: DNS query: lack.work.gd
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: tXcFA8apHU.exe, 0000000E.00000002.3725647810.0000000000CE4000.00000004.00000020.00020000.00000000.sdmp, tXcFA8apHU.exe, 0000000E.00000002.3725647810.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp, tXcFA8apHU.exe, 0000000E.00000002.3725647810.0000000000CD6000.00000004.00000020.00020000.00000000.sdmp, njEnUdtKgG.exe | String found in binary or memory: http://geoplugin.net/json.gp
Source: tXcFA8apHU.exe, 00000005.00000002.1325620534.00000000046A9000.00000004.00000800.00020000.00000000.sdmp, njEnUdtKgG.exe, 00000010.00000002.1374108041.00000000036E5000.00000004.00000800.00020000.00000000.sdmp, njEnUdtKgG.exe, 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: tXcFA8apHU.exe, 0000000E.00000002.3725647810.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: tXcFA8apHU.exe, 0000000E.00000002.3725647810.0000000000CD6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpl
Source: tXcFA8apHU.exe, 0000000E.00000002.3725647810.0000000000CD6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpwk
Source: tXcFA8apHU.exe, 00000005.00000002.1324653197.0000000002C10000.00000004.00000800.00020000.00000000.sdmp, njEnUdtKgG.exe, 00000010.00000002.1371530809.0000000002620000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_00409340 SetWindowsHookExA 0000000D,0040932C,00000000 | 20_2_00409340
Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\tXcFA8apHU.exe
Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard,20_2_0040A65A
Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_00414EC1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,20_2_00414EC1
Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_00409468 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,20_2_00409468

E-Banking Fraud

Source: Yara match | File source: 5.2.tXcFA8apHU.exe.46a9cb0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.njEnUdtKgG.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.njEnUdtKgG.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.tXcFA8apHU.exe.471f2d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.tXcFA8apHU.exe.471f2d0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.tXcFA8apHU.exe.46a9cb0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000002.3725647810.0000000000CAA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.1351775759.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.1374108041.00000000036E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1325620534.00000000046A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: tXcFA8apHU.exe PID: 7880, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: tXcFA8apHU.exe PID: 4620, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: njEnUdtKgG.exe PID: 7500, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: njEnUdtKgG.exe PID: 6836, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_0041A76C SystemParametersInfoW,20_2_0041A76C

            System Summary

            Source: 5.2.tXcFA8apHU.exe.46a9cb0.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
            Source: 5.2.tXcFA8apHU.exe.46a9cb0.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
            Source: 5.2.tXcFA8apHU.exe.46a9cb0.0.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe | Author: ditekSHen
            Source: 20.2.njEnUdtKgG.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
            Source: 20.2.njEnUdtKgG.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
            Source: 20.2.njEnUdtKgG.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe | Author: ditekSHen
            Source: 20.2.njEnUdtKgG.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
            Source: 20.2.njEnUdtKgG.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
            Source: 20.2.njEnUdtKgG.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe | Author: ditekSHen
            Source: 5.2.tXcFA8apHU.exe.471f2d0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
            Source: 5.2.tXcFA8apHU.exe.471f2d0.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
            Source: 5.2.tXcFA8apHU.exe.471f2d0.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe | Author: ditekSHen
            Source: 5.2.tXcFA8apHU.exe.471f2d0.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
            Source: 5.2.tXcFA8apHU.exe.471f2d0.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
            Source: 5.2.tXcFA8apHU.exe.471f2d0.1.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe | Author: ditekSHen
            Source: 5.2.tXcFA8apHU.exe.46a9cb0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
            Source: 5.2.tXcFA8apHU.exe.46a9cb0.0.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe | Author: ditekSHen
            Source: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
            Source: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants | Author: unknown
            Source: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe | Author: ditekSHen
            Source: 00000010.00000002.1374108041.00000000036E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
            Source: 00000005.00000002.1325620534.00000000046A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
            Source: Process Memory Space: tXcFA8apHU.exe PID: 7880, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
            Source: Process Memory Space: njEnUdtKgG.exe PID: 7500, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
            Source: Process Memory Space: njEnUdtKgG.exe PID: 6836, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Process Stats: CPU usage > 49%
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_00414DB4 ExitWindowsEx,LoadLibraryA,GetProcAddress
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Code function: 5_2_0298DE14
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 16_2_0256DE14
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 16_2_04C17988
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 16_2_04C10040
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 16_2_04C10007
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 16_2_04C17979
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 16_2_05219AE8
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 16_2_0521E568
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 16_2_0521E130
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 16_2_0521EE40
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 16_2_0521CE90
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 16_2_05219AD8
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_00425152
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_00435286
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_004513D4
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_0045050B
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_00436510
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_004316FB
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_0043569E
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_00443700
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_004257FB
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_004128E3
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_00425964
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_0041B917
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_0043D9CC
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_00435AD3
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_00424BC3
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_0043DBFB
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_0044ABA9
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_00433C0B
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_00434D8A
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_0043DE2A
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_0041CEAF
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_00435F08
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: String function: 00402073 appears 51 times
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: String function: 00432B90 appears 53 times
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: String function: 00432525 appears 41 times
            Source: tXcFA8apHU.exe, 00000005.00000002.1327846063.0000000005220000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs tXcFA8apHU.exe
            Source: tXcFA8apHU.exe, 00000005.00000002.1325620534.0000000003CD4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs tXcFA8apHU.exe
            Source: tXcFA8apHU.exe, 00000005.00000002.1328819513.0000000007900000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs tXcFA8apHU.exe
            Source: tXcFA8apHU.exe, 00000005.00000002.1322649352.0000000000CAE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs tXcFA8apHU.exe
            Source: tXcFA8apHU.exe | Binary or memory string: OriginalFilenamevlzh.exe" vs tXcFA8apHU.exe
            Source: tXcFA8apHU.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 5.2.tXcFA8apHU.exe.46a9cb0.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 5.2.tXcFA8apHU.exe.46a9cb0.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 5.2.tXcFA8apHU.exe.46a9cb0.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 20.2.njEnUdtKgG.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 20.2.njEnUdtKgG.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 20.2.njEnUdtKgG.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 20.2.njEnUdtKgG.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 20.2.njEnUdtKgG.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 20.2.njEnUdtKgG.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 5.2.tXcFA8apHU.exe.471f2d0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 5.2.tXcFA8apHU.exe.471f2d0.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 5.2.tXcFA8apHU.exe.471f2d0.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 5.2.tXcFA8apHU.exe.471f2d0.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 5.2.tXcFA8apHU.exe.471f2d0.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 5.2.tXcFA8apHU.exe.471f2d0.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 5.2.tXcFA8apHU.exe.46a9cb0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 5.2.tXcFA8apHU.exe.46a9cb0.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 00000010.00000002.1374108041.00000000036E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 00000005.00000002.1325620534.00000000046A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: Process Memory Space: tXcFA8apHU.exe PID: 7880, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: Process Memory Space: njEnUdtKgG.exe PID: 7500, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: Process Memory Space: njEnUdtKgG.exe PID: 6836, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: tXcFA8apHU.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: njEnUdtKgG.exe.5.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 5.2.tXcFA8apHU.exe.3d29410.2.raw.unpack, eQKgF25LTNMlXvF3Mj.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 5.2.tXcFA8apHU.exe.7900000.4.raw.unpack, JxavqxQjqmpnLA54qd.cs | Security API names: _0020.SetAccessControl
            Source: 5.2.tXcFA8apHU.exe.7900000.4.raw.unpack, JxavqxQjqmpnLA54qd.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 5.2.tXcFA8apHU.exe.7900000.4.raw.unpack, JxavqxQjqmpnLA54qd.cs | Security API names: _0020.AddAccessRule
            Source: 5.2.tXcFA8apHU.exe.3d29410.2.raw.unpack, JxavqxQjqmpnLA54qd.cs | Security API names: _0020.SetAccessControl
            Source: 5.2.tXcFA8apHU.exe.3d29410.2.raw.unpack, JxavqxQjqmpnLA54qd.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 5.2.tXcFA8apHU.exe.3d29410.2.raw.unpack, JxavqxQjqmpnLA54qd.cs | Security API names: _0020.AddAccessRule
            Source: 5.2.tXcFA8apHU.exe.7900000.4.raw.unpack, eQKgF25LTNMlXvF3Mj.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winEXE@19/17@3/2
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_00415C90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_0040E2E7 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_00419493 FindResourceA,LoadResource,LockResource,SizeofResource
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | File created: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Mutant created: \Sessions\1\BaseNamedObjects\QAGvCtl
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7416:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6368:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3144:120:WilError_03
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Mutant created: \Sessions\1\BaseNamedObjects\gig-RM2DNS
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5832:120:WilError_03
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | File created: C:\Users\user\AppData\Local\Temp\tmp4537.tmp
            Source: tXcFA8apHU.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: tXcFA8apHU.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: tXcFA8apHU.exe | ReversingLabs: Detection: 65%
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | File read: C:\Users\user\Desktop\tXcFA8apHU.exe
            Source: unknown | Process created: C:\Users\user\Desktop\tXcFA8apHU.exe "C:\Users\user\Desktop\tXcFA8apHU.exe"
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tXcFA8apHU.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\njEnUdtKgG.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\njEnUdtKgG" /XML "C:\Users\user\AppData\Local\Temp\tmp4537.tmp"
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Process created: C:\Users\user\Desktop\tXcFA8apHU.exe "C:\Users\user\Desktop\tXcFA8apHU.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Source: unknown | Process created: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe C:\Users\user\AppData\Roaming\njEnUdtKgG.exe
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\njEnUdtKgG" /XML "C:\Users\user\AppData\Local\Temp\tmp567D.tmp"
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Process created: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe "C:\Users\user\AppData\Roaming\njEnUdtKgG.exe"
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Section loaded: dwrite.dll
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Section loaded: windowscodecs.dll
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Section loaded: textshaping.dll
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Section loaded: iconcodecservice.dll
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Section loaded: edputil.dll
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Section loaded: appresolver.dll
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Section loaded: bcp47langs.dll
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Section loaded: slc.dll
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Section loaded: sppc.dll
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\tXcFA8apHU.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Users\user\Desktop\tXcFA8apHU.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\Desktop\tXcFA8apHU.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\Desktop\tXcFA8apHU.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\Desktop\tXcFA8apHU.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\Desktop\tXcFA8apHU.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\Desktop\tXcFA8apHU.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\tXcFA8apHU.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\Desktop\tXcFA8apHU.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Users\user\Desktop\tXcFA8apHU.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\tXcFA8apHU.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Users\user\Desktop\tXcFA8apHU.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Users\user\Desktop\tXcFA8apHU.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\Desktop\tXcFA8apHU.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\tXcFA8apHU.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\tXcFA8apHU.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\tXcFA8apHU.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\tXcFA8apHU.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\tXcFA8apHU.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\tXcFA8apHU.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\tXcFA8apHU.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Users\user\Desktop\tXcFA8apHU.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeSection loaded: dwrite.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeSection loaded: windowscodecs.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeSection loaded: textshaping.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeSection loaded: iconcodecservice.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeSection loaded: slc.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeSection loaded: winmm.dll
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeSection loaded: urlmon.dll
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeSection loaded: wininet.dll
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeSection loaded: iertutil.dll
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeSection loaded: srvcli.dll
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeSection loaded: netutils.dll
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeSection loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\tXcFA8apHU.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\tXcFA8apHU.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: tXcFA8apHU.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: tXcFA8apHU.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: tXcFA8apHU.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: vlzh.pdb source: tXcFA8apHU.exe, njEnUdtKgG.exe.5.dr
            Source: Binary string: vlzh.pdbSHA256|| source: tXcFA8apHU.exe, njEnUdtKgG.exe.5.dr

            Data Obfuscation

            Source: 5.2.tXcFA8apHU.exe.7900000.4.raw.unpack, JxavqxQjqmpnLA54qd.cs | .Net Code: I8p8IEBymg System.Reflection.Assembly.Load(byte[])
            Source: 5.2.tXcFA8apHU.exe.3d29410.2.raw.unpack, JxavqxQjqmpnLA54qd.cs | .Net Code: I8p8IEBymg System.Reflection.Assembly.Load(byte[])
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 20_2_0041A8DA
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Code function: 14_2_02B1F978 push ebp; retf 14_2_02B1F97A
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 16_2_04C1A189 push cs; ret 16_2_04C1A18A
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 16_2_04C1A280 push cs; ret 16_2_04C1A282
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 16_2_04C1A283 push cs; ret 16_2_04C1A29A
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 16_2_04C1AB33 push ss; ret 16_2_04C1AB3A
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 16_2_04C1B7FB push ds; ret 16_2_04C1B802
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 16_2_04C19149 push es; ret 16_2_04C1914A
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 16_2_04C19258 push es; ret 16_2_04C1925A
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 16_2_04C1934B push es; ret 16_2_04C19352
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_004000D8 push es; iretd 20_2_004000D9
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_0040008C push es; iretd 20_2_0040008D
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_004542E6 push ecx; ret 20_2_004542F9
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_0045B4FD push esi; ret 20_2_0045B506
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_00432BD6 push ecx; ret 20_2_00432BE9
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_00454C08 push eax; ret 20_2_00454C26
            Source: tXcFA8apHU.exe | Static PE information: section name: .text entropy: 7.913890207128523
            Source: njEnUdtKgG.exe.5.dr | Static PE information: section name: .text entropy: 7.913890207128523
            Source: 5.2.tXcFA8apHU.exe.7900000.4.raw.unpack, y8Bw73aARi5Z4DoIxW.cs | High entropy of concatenated method names: 'jjNfAAM3Md', 'ld0fR2BP1F', 'eQhfGpVEZY', 'NH3GUtldaO', 'UD8GzSuhtR', 'H0cfWPSK4l', 'El2fPajPA4', 'dqlfD3owlZ', 'N4xfbRZ3UU', 'AYWf8wL6fI'
            Source: 5.2.tXcFA8apHU.exe.7900000.4.raw.unpack, xLPlI3CcHciwhq420o.cs | High entropy of concatenated method names: 'Ghc39K28PP', 'NgP3Zw0oC9', 'Lyr3C3W4Pq', 'Jab3p9OFtG', 'mtk3hYLgbT', 'hcR3OxFdUf', 'TY63HhrQef', 'Fe53VwHjKa', 'ffP3eWRO4B', 'x2g3armxxw'
            Source: 5.2.tXcFA8apHU.exe.7900000.4.raw.unpack, sHCwVIiAwf3lvMZsky.cs | High entropy of concatenated method names: 'QHdJLGhfaP', 'JtvJ7kyOjD', 'ToString', 'DQsJAUYYsT', 'IcoJXAZllV', 'TWZJR25TfJ', 'o7ZJoAWiHn', 'FuxJGFdLMl', 'gHsJfOiAjD', 'ry3JQKVryv'
            Source: 5.2.tXcFA8apHU.exe.7900000.4.raw.unpack, jwm2ZIjs6AGpIaeP4u.cs | High entropy of concatenated method names: 'MUiq5TmQ3g', 'eZPqKWv1uv', 'OUvqFlgJaJ', 'sJ0qhpS0oc', 'Y47qHXY6e6', 'TpTqVp6fWE', 's3cqaLAJUH', 'QreqMflZHk', 'kNYq9WWpq5', 'OloqB3o2j8'
            Source: 5.2.tXcFA8apHU.exe.7900000.4.raw.unpack, vuMwaHXh3RJW2dATXx.cs | High entropy of concatenated method names: 'Dispose', 'FBMPmZRsqQ', 'XxYDh8I7jY', 'PrU0cPgTOM', 'At0PUJADdZ', 'MisPzlIkQ9', 'ProcessDialogKey', 'C2MDW59c6k', 'YtqDPyQcGH', 'MkPDDRJdoO'
            Source: 5.2.tXcFA8apHU.exe.7900000.4.raw.unpack, JxavqxQjqmpnLA54qd.cs | High entropy of concatenated method names: 'wOCbxUtpcB', 'GUFbAXyEnj', 'wyLbXujZ9g', 'EQnbRd1gYP', 'cTUboN4qN5', 'ztqbGFBpd0', 'mIebfSHaeT', 'gKlbQOc5BS', 'apSbYNdwrP', 'ogobLYee8v'
            Source: 5.2.tXcFA8apHU.exe.7900000.4.raw.unpack, jChadtPPxI8C0pfTdAQ.cs | High entropy of concatenated method names: 'bdK0UoXo1E', 'uyR0zkvo8y', 'C6xyWBE9S9', 'SOWyPj86LM', 'N3AyD77nGL', 'NZ6yby8U4F', 'fdly8snDWT', 'IuDyx4Unqb', 'xr8yAjSie0', 'NNWyX3TeDX'
            Source: 5.2.tXcFA8apHU.exe.7900000.4.raw.unpack, C0EbbtsfydNiIN0dNP.cs | High entropy of concatenated method names: 'cTIJ1FEUwZ', 'zW4JUY1Wnd', 'WlrSWjunmK', 'WdiSPlvE3V', 'p1mJByhoC5', 'Jk8JZnvIql', 'lsWJji0bHN', 'qRuJCjtJRH', 'kFKJpYk3eS', 'f9jJT0AI6C'
            Source: 5.2.tXcFA8apHU.exe.7900000.4.raw.unpack, L59c6kmUtqyQcGHMkP.cs | High entropy of concatenated method names: 'z522FT5FHa', 'J6K2hDSmlf', 'eqw2OroLpr', 'N9X2HnRGhx', 'HRD2VDPnX3', 'TLu2eeUdIF', 'bhX2aojYEa', 'il62M4iPWy', 'Bag2nuajeI', 'FR429ly2bj'
            Source: 5.2.tXcFA8apHU.exe.7900000.4.raw.unpack, OYIIpkKfDpsGNxxttJ.cs | High entropy of concatenated method names: 'VDvRNYC4iU', 'YvCRcykf4X', 'c8HR5ApsbB', 'eWYRK6j6xu', 'xA8R3gLxZP', 'WC7RkN1cFr', 'GuARJvd05j', 'QctRSq7raM', 'ylwR2Bw3hV', 'PPaR0q1y5a'
            Source: 5.2.tXcFA8apHU.exe.7900000.4.raw.unpack, SQhuDezJM10m7Opmf4.cs | High entropy of concatenated method names: 'qpV0cW21j4', 'Bxc053Ujvt', 'WNW0KyW3P7', 'z580FN3Fo0', 'BZO0hSKNNT', 'YRx0HuDT8R', 'hYq0Vik0oB', 'qo40uB4esQ', 'Maw0ddpWij', 'gTt0tmXIYX'
            Source: 5.2.tXcFA8apHU.exe.7900000.4.raw.unpack, qDQcgXneHl3d89VFyi.cs | High entropy of concatenated method names: 'QPlfdEVwTq', 'APxft5JPv2', 'GxdfInYThb', 'LnsfNsqbtI', 'lGmf4wdoZq', 'skrfcZqZYe', 'TlBflKuPMu', 'xEyf5cvQV7', 'YQAfKiUc6q', 'NfZfrYn569'
            Source: 5.2.tXcFA8apHU.exe.7900000.4.raw.unpack, cbkM15P8gTZ1OFR5M7d.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'lhTE28226o', 'iZwE0v9MPU', 'TNQEy6Qarc', 'j6WEEYq4PB', 'VHhEwk8IQ4', 'WN2Eg1XlaM', 'GDVEu7w3qk'
            Source: 5.2.tXcFA8apHU.exe.7900000.4.raw.unpack, FTdjLT8AchGKdUXO70.cs | High entropy of concatenated method names: 'xexPfQKgF2', 'mTNPQMlXvF', 'pfDPLpsGNx', 'ettP7JP4JW', 'M24P3JHIxL', 'YJ3PkeTuJ9', 'Wyp9EndJ2CwpKu5F4p', 'FA7KOqQYAj2FRv9RJE', 'NEvPPfaA3v', 'fRePbqSspq'
            Source: 5.2.tXcFA8apHU.exe.7900000.4.raw.unpack, eQKgF25LTNMlXvF3Mj.cs | High entropy of concatenated method names: 'aAcXCmquDm', 'XRAXpmNekm', 'XacXTnHMMH', 'wHBXiEaYD6', 'A3mX6fMDDI', 'yTdXsrYqMW', 'j5PXvoJSNO', 'ofNX16LU12', 'l4fXmXAJqB', 'k2SXUwW0Kp'
            Source: 5.2.tXcFA8apHU.exe.7900000.4.raw.unpack, R31DT4D8L5hVH2wAZa.cs | High entropy of concatenated method names: 'NviIHwJ5U', 'e9eNvtqSx', 'SOAc9EDGv', 'lnklelbQ3', 'esAKMcDkk', 'A43rKZZRr', 'QC01rh9FkeiSceUtoh', 'RV3m9cTjvN4j0xCWha', 'dpNSj8IE8', 'yvn0VZGoW'
            Source: 5.2.tXcFA8apHU.exe.7900000.4.raw.unpack, tHQfgiPWZJmhumwjONa.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'IcG0BpqVHH', 'AT40ZPpSri', 'AgB0j1JoO9', 'OZR0CMeGfK', 'TRI0pjC1uE', 'PTC0TJ1MRq', 'pVd0iMCmED'
            Source: 5.2.tXcFA8apHU.exe.7900000.4.raw.unpack, zxLUJ3FeTuJ98MTT82.cs | High entropy of concatenated method names: 'w66GxQMLDK', 'CC5GXSmUJX', 'zIiGoFSt9v', 'KoaGf78Bbn', 'ruSGQ1UugX', 'Sh6o6ncpha', 'RAMosfpkhV', 'IgjovLoFDT', 'z7Qo1FGSIq', 'R0Nom8cTwI'
            Source: 5.2.tXcFA8apHU.exe.7900000.4.raw.unpack, uLxNn2TKVZPb2cMt2Z.cs | High entropy of concatenated method names: 'ToString', 'QO0kBvxwhD', 'qO5khnAWPG', 'VYRkOgoFs5', 'UONkH6Db7k', 'uxPkV07bal', 'AybkeI0out', 'JdfkaWK8Cc', 'vMJkMiP3ZT', 'as8knFh8cH'
            Source: 5.2.tXcFA8apHU.exe.7900000.4.raw.unpack, hJdoOKUh4eK1WtLonc.cs | High entropy of concatenated method names: 'WQO0RVb6Yv', 'acj0oqyYBp', 'yOl0Ggc2M6', 'lxS0f8gAkO', 'R6s022t1ws', 'rKX0Q7jbst', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 5.2.tXcFA8apHU.exe.7900000.4.raw.unpack, UrkoT0v9cFBMZRsqQN.cs | High entropy of concatenated method names: 'Mq823T8qQS', 'Jo72JjQSmT', 'Bed222Lq2m', 'Rfq2ywXMgV', 'p4R2w0fPHf', 'NfG2urEQ7q', 'Dispose', 'kJUSAWWOoD', 'YsfSXaT7su', 'DIESReJjOD'
            Source: 5.2.tXcFA8apHU.exe.3d29410.2.raw.unpack, y8Bw73aARi5Z4DoIxW.cs | High entropy of concatenated method names: 'jjNfAAM3Md', 'ld0fR2BP1F', 'eQhfGpVEZY', 'NH3GUtldaO', 'UD8GzSuhtR', 'H0cfWPSK4l', 'El2fPajPA4', 'dqlfD3owlZ', 'N4xfbRZ3UU', 'AYWf8wL6fI'
            Source: 5.2.tXcFA8apHU.exe.3d29410.2.raw.unpack, xLPlI3CcHciwhq420o.cs | High entropy of concatenated method names: 'Ghc39K28PP', 'NgP3Zw0oC9', 'Lyr3C3W4Pq', 'Jab3p9OFtG', 'mtk3hYLgbT', 'hcR3OxFdUf', 'TY63HhrQef', 'Fe53VwHjKa', 'ffP3eWRO4B', 'x2g3armxxw'
            Source: 5.2.tXcFA8apHU.exe.3d29410.2.raw.unpack, sHCwVIiAwf3lvMZsky.cs | High entropy of concatenated method names: 'QHdJLGhfaP', 'JtvJ7kyOjD', 'ToString', 'DQsJAUYYsT', 'IcoJXAZllV', 'TWZJR25TfJ', 'o7ZJoAWiHn', 'FuxJGFdLMl', 'gHsJfOiAjD', 'ry3JQKVryv'
            Source: 5.2.tXcFA8apHU.exe.3d29410.2.raw.unpack, jwm2ZIjs6AGpIaeP4u.cs | High entropy of concatenated method names: 'MUiq5TmQ3g', 'eZPqKWv1uv', 'OUvqFlgJaJ', 'sJ0qhpS0oc', 'Y47qHXY6e6', 'TpTqVp6fWE', 's3cqaLAJUH', 'QreqMflZHk', 'kNYq9WWpq5', 'OloqB3o2j8'
            Source: 5.2.tXcFA8apHU.exe.3d29410.2.raw.unpack, vuMwaHXh3RJW2dATXx.cs | High entropy of concatenated method names: 'Dispose', 'FBMPmZRsqQ', 'XxYDh8I7jY', 'PrU0cPgTOM', 'At0PUJADdZ', 'MisPzlIkQ9', 'ProcessDialogKey', 'C2MDW59c6k', 'YtqDPyQcGH', 'MkPDDRJdoO'
            Source: 5.2.tXcFA8apHU.exe.3d29410.2.raw.unpack, JxavqxQjqmpnLA54qd.cs | High entropy of concatenated method names: 'wOCbxUtpcB', 'GUFbAXyEnj', 'wyLbXujZ9g', 'EQnbRd1gYP', 'cTUboN4qN5', 'ztqbGFBpd0', 'mIebfSHaeT', 'gKlbQOc5BS', 'apSbYNdwrP', 'ogobLYee8v'
            Source: 5.2.tXcFA8apHU.exe.3d29410.2.raw.unpack, jChadtPPxI8C0pfTdAQ.cs | High entropy of concatenated method names: 'bdK0UoXo1E', 'uyR0zkvo8y', 'C6xyWBE9S9', 'SOWyPj86LM', 'N3AyD77nGL', 'NZ6yby8U4F', 'fdly8snDWT', 'IuDyx4Unqb', 'xr8yAjSie0', 'NNWyX3TeDX'
            Source: 5.2.tXcFA8apHU.exe.3d29410.2.raw.unpack, C0EbbtsfydNiIN0dNP.cs | High entropy of concatenated method names: 'cTIJ1FEUwZ', 'zW4JUY1Wnd', 'WlrSWjunmK', 'WdiSPlvE3V', 'p1mJByhoC5', 'Jk8JZnvIql', 'lsWJji0bHN', 'qRuJCjtJRH', 'kFKJpYk3eS', 'f9jJT0AI6C'
            Source: 5.2.tXcFA8apHU.exe.3d29410.2.raw.unpack, L59c6kmUtqyQcGHMkP.cs | High entropy of concatenated method names: 'z522FT5FHa', 'J6K2hDSmlf', 'eqw2OroLpr', 'N9X2HnRGhx', 'HRD2VDPnX3', 'TLu2eeUdIF', 'bhX2aojYEa', 'il62M4iPWy', 'Bag2nuajeI', 'FR429ly2bj'
            Source: 5.2.tXcFA8apHU.exe.3d29410.2.raw.unpack, OYIIpkKfDpsGNxxttJ.cs | High entropy of concatenated method names: 'VDvRNYC4iU', 'YvCRcykf4X', 'c8HR5ApsbB', 'eWYRK6j6xu', 'xA8R3gLxZP', 'WC7RkN1cFr', 'GuARJvd05j', 'QctRSq7raM', 'ylwR2Bw3hV', 'PPaR0q1y5a'
            Source: 5.2.tXcFA8apHU.exe.3d29410.2.raw.unpack, SQhuDezJM10m7Opmf4.cs | High entropy of concatenated method names: 'qpV0cW21j4', 'Bxc053Ujvt', 'WNW0KyW3P7', 'z580FN3Fo0', 'BZO0hSKNNT', 'YRx0HuDT8R', 'hYq0Vik0oB', 'qo40uB4esQ', 'Maw0ddpWij', 'gTt0tmXIYX'
            Source: 5.2.tXcFA8apHU.exe.3d29410.2.raw.unpack, qDQcgXneHl3d89VFyi.cs | High entropy of concatenated method names: 'QPlfdEVwTq', 'APxft5JPv2', 'GxdfInYThb', 'LnsfNsqbtI', 'lGmf4wdoZq', 'skrfcZqZYe', 'TlBflKuPMu', 'xEyf5cvQV7', 'YQAfKiUc6q', 'NfZfrYn569'
            Source: 5.2.tXcFA8apHU.exe.3d29410.2.raw.unpack, cbkM15P8gTZ1OFR5M7d.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'lhTE28226o', 'iZwE0v9MPU', 'TNQEy6Qarc', 'j6WEEYq4PB', 'VHhEwk8IQ4', 'WN2Eg1XlaM', 'GDVEu7w3qk'
            Source: 5.2.tXcFA8apHU.exe.3d29410.2.raw.unpack, FTdjLT8AchGKdUXO70.cs | High entropy of concatenated method names: 'xexPfQKgF2', 'mTNPQMlXvF', 'pfDPLpsGNx', 'ettP7JP4JW', 'M24P3JHIxL', 'YJ3PkeTuJ9', 'Wyp9EndJ2CwpKu5F4p', 'FA7KOqQYAj2FRv9RJE', 'NEvPPfaA3v', 'fRePbqSspq'
            Source: 5.2.tXcFA8apHU.exe.3d29410.2.raw.unpack, eQKgF25LTNMlXvF3Mj.cs | High entropy of concatenated method names: 'aAcXCmquDm', 'XRAXpmNekm', 'XacXTnHMMH', 'wHBXiEaYD6', 'A3mX6fMDDI', 'yTdXsrYqMW', 'j5PXvoJSNO', 'ofNX16LU12', 'l4fXmXAJqB', 'k2SXUwW0Kp'
            Source: 5.2.tXcFA8apHU.exe.3d29410.2.raw.unpack, R31DT4D8L5hVH2wAZa.cs | High entropy of concatenated method names: 'NviIHwJ5U', 'e9eNvtqSx', 'SOAc9EDGv', 'lnklelbQ3', 'esAKMcDkk', 'A43rKZZRr', 'QC01rh9FkeiSceUtoh', 'RV3m9cTjvN4j0xCWha', 'dpNSj8IE8', 'yvn0VZGoW'
            Source: 5.2.tXcFA8apHU.exe.3d29410.2.raw.unpack, tHQfgiPWZJmhumwjONa.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'IcG0BpqVHH', 'AT40ZPpSri', 'AgB0j1JoO9', 'OZR0CMeGfK', 'TRI0pjC1uE', 'PTC0TJ1MRq', 'pVd0iMCmED'
            Source: 5.2.tXcFA8apHU.exe.3d29410.2.raw.unpack, zxLUJ3FeTuJ98MTT82.cs | High entropy of concatenated method names: 'w66GxQMLDK', 'CC5GXSmUJX', 'zIiGoFSt9v', 'KoaGf78Bbn', 'ruSGQ1UugX', 'Sh6o6ncpha', 'RAMosfpkhV', 'IgjovLoFDT', 'z7Qo1FGSIq', 'R0Nom8cTwI'
            Source: 5.2.tXcFA8apHU.exe.3d29410.2.raw.unpack, uLxNn2TKVZPb2cMt2Z.cs | High entropy of concatenated method names: 'ToString', 'QO0kBvxwhD', 'qO5khnAWPG', 'VYRkOgoFs5', 'UONkH6Db7k', 'uxPkV07bal', 'AybkeI0out', 'JdfkaWK8Cc', 'vMJkMiP3ZT', 'as8knFh8cH'
            Source: 5.2.tXcFA8apHU.exe.3d29410.2.raw.unpack, hJdoOKUh4eK1WtLonc.cs | High entropy of concatenated method names: 'WQO0RVb6Yv', 'acj0oqyYBp', 'yOl0Ggc2M6', 'lxS0f8gAkO', 'R6s022t1ws', 'rKX0Q7jbst', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 5.2.tXcFA8apHU.exe.3d29410.2.raw.unpack, UrkoT0v9cFBMZRsqQN.cs | High entropy of concatenated method names: 'Mq823T8qQS', 'Jo72JjQSmT', 'Bed222Lq2m', 'Rfq2ywXMgV', 'p4R2w0fPHf', 'NfG2urEQ7q', 'Dispose', 'kJUSAWWOoD', 'YsfSXaT7su', 'DIESReJjOD'
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_004063C6 ShellExecuteW,URLDownloadToFileW, 20_2_004063C6
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | File created: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe

            Boot Survival

            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\njEnUdtKgG" /XML "C:\Users\user\AppData\Local\Temp\tmp4537.tmp"
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,20_2_00418A00

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,20_2_0041A8DA
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\tXcFA8apHU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            Source: Yara match | File source: Process Memory Space: tXcFA8apHU.exe PID: 7880, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: njEnUdtKgG.exe PID: 7500, type: MEMORYSTR
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_0040E18D Sleep,ExitProcess
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Memory allocated: 2980000, 2BA0000, 29A0000, 8EC0000, 9EC0000, A0D0000, B0D0000 (memory reserve, memory write watch)
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Memory allocated: C70000, 25B0000, 45B0000, 8420000, 9420000, 9620000, A620000 (memory reserve, memory write watch)
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_004186FE OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (3 occurrences)
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7631
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1480
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8261
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1344
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Window / User API: threadDelayed 3806
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Window / User API: threadDelayed 5675
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Window / User API: foregroundWindowGot 1770
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | API coverage: 5.0 %
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe TID: 7992 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5832 | Thread sleep time: -5534023222112862s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5980 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1016 | Thread sleep time: -4611686018427385s >= -30000s
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe TID: 6252 | Thread sleep count: 233 > 30
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe TID: 6252 | Thread sleep time: -116500s >= -30000s
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe TID: 6156 | Thread sleep count: 3806 > 30
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe TID: 6156 | Thread sleep time: -11418000s >= -30000s
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe TID: 6156 | Thread sleep count: 5675 > 30
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe TID: 6156 | Thread sleep time: -17025000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe TID: 7048 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (2 occurrences)
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_004068CD FindFirstFileW,FindNextFileW
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_0044BA59 FindFirstFileExA
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW
            Source: tXcFA8apHU.exe, 0000000E.00000002.3725647810.0000000000D13000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: tXcFA8apHU.exe, 0000000E.00000002.3725647810.0000000000CAA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW`
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_004407B5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_00410763 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (2 occurrences)
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_004328FC SetUnhandledExceptionFilter
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_004398AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_00432D5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Memory allocated: page read and write, page guard
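The thread-delay entries above are easier to judge once decoded. The following script is an added example, not part of the Joe Sandbox report; it reads the report's own sleep lines (copied here as sample input) and turns them into per-thread records. Two assumptions drive it: the totals are in milliseconds despite the "s" suffix, which the count/total pairs bear out (233 calls totalling 116500 is 500 ms per call, 3806 calls totalling 11418000 is 3000 ms per call); and 922337203685477 is Int64.MaxValue divided by 10000, i.e. TimeSpan.MaxValue in milliseconds, which is how a .NET indefinite wait shows up. The benign powershell.exe threads in this run carry the same value, so that constant alone is not evidence of stalling; the loops on TID 6252 and 6156 are.

```python
import re

# Int64.MaxValue ticks (100 ns each) expressed in milliseconds: .NET's TimeSpan.MaxValue.
# This is the 922337203685477 the report shows for an indefinite wait (assumption, see lead-in).
INFINITE_MS = (2**63 - 1) // 10_000

# Joe Sandbox prints the raw value with an "s" suffix, but the count/total pairs only
# make sense in milliseconds (233 calls totalling 116500 -> 500 ms per call).
COUNT_RE = re.compile(r"TID: (\d+)\D*?Thread sleep count: (\d+)")
TIME_RE = re.compile(r"TID: (\d+)\D*?Thread sleep time: -(\d+)s")

# Sample input copied from the report's thread entries (a count line, where present,
# directly precedes its time line for the same TID, as in the report).
REPORT_LINES = [
    "Source: C:\\Users\\user\\Desktop\\tXcFA8apHU.exe TID: 7992 | Thread sleep time: -922337203685477s >= -30000s",
    "Source: C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe TID: 5832 | Thread sleep time: -5534023222112862s >= -30000s",
    "Source: C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe TID: 5980 | Thread sleep time: -922337203685477s >= -30000s",
    "Source: C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe TID: 1016 | Thread sleep time: -4611686018427385s >= -30000s",
    "Source: C:\\Users\\user\\Desktop\\tXcFA8apHU.exe TID: 6252 | Thread sleep count: 233 > 30",
    "Source: C:\\Users\\user\\Desktop\\tXcFA8apHU.exe TID: 6252 | Thread sleep time: -116500s >= -30000s",
    "Source: C:\\Users\\user\\Desktop\\tXcFA8apHU.exe TID: 6156 | Thread sleep count: 3806 > 30",
    "Source: C:\\Users\\user\\Desktop\\tXcFA8apHU.exe TID: 6156 | Thread sleep time: -11418000s >= -30000s",
    "Source: C:\\Users\\user\\Desktop\\tXcFA8apHU.exe TID: 6156 | Thread sleep count: 5675 > 30",
    "Source: C:\\Users\\user\\Desktop\\tXcFA8apHU.exe TID: 6156 | Thread sleep time: -17025000s >= -30000s",
    "Source: C:\\Users\\user\\AppData\\Roaming\\njEnUdtKgG.exe TID: 7048 | Thread sleep time: -922337203685477s >= -30000s",
]


def decode_sleeps(lines, stall_threshold_ms=30_000):
    """Turn the report's sleep lines into per-thread records with a verdict."""
    pending_counts = {}   # TID -> call count waiting for its matching time line
    records = []
    for line in lines:
        m = COUNT_RE.search(line)
        if m:
            pending_counts[m.group(1)] = int(m.group(2))
            continue
        m = TIME_RE.search(line)
        if not m:
            continue
        tid, total_ms = m.group(1), int(m.group(2))
        # Split the total into whole indefinite waits and a finite remainder:
        # 5534023222112862 is exactly 6 * INFINITE_MS, i.e. six indefinite waits on one thread.
        infinite_waits, finite_ms = divmod(total_ms, INFINITE_MS)
        calls = pending_counts.pop(tid, 0)
        per_call_ms = finite_ms // calls if calls else None
        if infinite_waits:
            verdict = "infinite wait (TimeSpan.MaxValue); benign powershell.exe shows the same"
        elif calls > 30 and finite_ms >= stall_threshold_ms:
            verdict = f"sleep loop: {calls} x {per_call_ms} ms = {finite_ms // 1000} s"
        else:
            verdict = "short delay"
        records.append({"tid": tid, "infinite_waits": infinite_waits, "finite_ms": finite_ms,
                        "calls": calls, "per_call_ms": per_call_ms, "verdict": verdict})
    return records


if __name__ == "__main__":
    for rec in decode_sleeps(REPORT_LINES):
        print(rec)
```

The multi-hour totals for TID 6156 (3806 and 5675 calls of 3000 ms) can only fit into a short analysis run if the sandbox shortens sleeps, so the per-call interval and the call count, not the total, are the figures worth carrying into a detection or a YARA/behaviour rule.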

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tXcFA8apHU.exe" (listed 3 times)
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\njEnUdtKgG.exe" (listed 3 times)
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Memory written: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_00410B5C GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_004175E1 mouse_event
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\njEnUdtKgG" /XML "C:\Users\user\AppData\Local\Temp\tmp4537.tmp"
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Process created: C:\Users\user\Desktop\tXcFA8apHU.exe "C:\Users\user\Desktop\tXcFA8apHU.exe"
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\njEnUdtKgG" /XML "C:\Users\user\AppData\Local\Temp\tmp567D.tmp"
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Process created: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe "C:\Users\user\AppData\Roaming\njEnUdtKgG.exe"
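The process-creation entries above carry three behaviours worth alerting on from endpoint telemetry: a Windows Defender exclusion added through Add-MpPreference, a scheduled task registered from an XML file in the user's Temp directory, and a process launching a second copy of its own image (the step that precedes the in-memory write of an MZ header at base 400000 listed above). The detection logic below is an added example, not part of the report or of any vendor rule set. The events are constructed from the command lines in the report in the field layout a Sysmon Event ID 1 or Security 4688 collector would give; the PIDs, the benign control event and the -EncodedCommand variant (which goes beyond what this sample does) are invented for the example, and the rule names and severities are the example's own choices.

```python
import base64
import re


def encoded_command(script):
    """Encode a script the way PowerShell's -EncodedCommand expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed events: command lines copied from the report, PIDs invented, last two
# events (encoded variant, benign control) invented for the example.
EVENTS = [
    {"pid": 101, "parent_image": r"C:\Users\user\Desktop\tXcFA8apHU.exe",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tXcFA8apHU.exe"'},
    {"pid": 102, "parent_image": r"C:\Users\user\Desktop\tXcFA8apHU.exe",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\njEnUdtKgG.exe"'},
    {"pid": 104, "parent_image": r"C:\Users\user\Desktop\tXcFA8apHU.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\njEnUdtKgG" /XML "C:\Users\user\AppData\Local\Temp\tmp4537.tmp"'},
    {"pid": 105, "parent_image": r"C:\Users\user\AppData\Roaming\njEnUdtKgG.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\njEnUdtKgG" /XML "C:\Users\user\AppData\Local\Temp\tmp567D.tmp"'},
    {"pid": 106, "parent_image": r"C:\Users\user\Desktop\tXcFA8apHU.exe",
     "image": r"C:\Users\user\Desktop\tXcFA8apHU.exe",
     "cmdline": r'"C:\Users\user\Desktop\tXcFA8apHU.exe"'},
    {"pid": 107, "parent_image": r"C:\Users\user\AppData\Roaming\njEnUdtKgG.exe",
     "image": r"C:\Users\user\AppData\Roaming\njEnUdtKgG.exe",
     "cmdline": r'"C:\Users\user\AppData\Roaming\njEnUdtKgG.exe"'},
    {"pid": 103, "parent_image": r"C:\Users\user\Desktop\tXcFA8apHU.exe",   # invented encoded form
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -enc " + encoded_command(
         r"Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\njEnUdtKgG.exe'")},
    {"pid": 108, "parent_image": r"C:\Windows\explorer.exe",                 # benign control
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (case-insensitive).
ENC_RE = re.compile(r"[-/](?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
MP_EXCLUSION_RE = re.compile(r"Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)", re.IGNORECASE)
TASK_XML_RE = re.compile(r'/Create\b.*?/XML\s+"?([^"\s]+)', re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def effective_cmdline(cmdline):
    """Return the command line, or the decoded script when it uses -EncodedCommand."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def analyse(events):
    """Apply the three rules to a list of process-creation events; return findings."""
    findings = []
    for ev in events:
        cmd = effective_cmdline(ev["cmdline"])
        image, parent = ev["image"].lower(), ev["parent_image"].lower()
        # A parent running from the user profile (a dropped file) makes admin-tool use
        # far more suspicious than the same command from an installer or console.
        severity = "high" if parent.startswith("c:\\users\\") else "medium"
        if image.endswith("\\powershell.exe") and MP_EXCLUSION_RE.search(cmd):
            findings.append({"rule": "defender_exclusion", "pid": ev["pid"], "severity": severity})
        if image.endswith("\\schtasks.exe"):
            m = TASK_XML_RE.search(cmd)
            if m and TEMP_DIR_RE.search(m.group(1)):
                findings.append({"rule": "task_from_temp_xml", "pid": ev["pid"], "severity": severity})
        if image == parent:
            findings.append({"rule": "self_spawn", "pid": ev["pid"], "severity": "medium"})
    return findings


if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f)
```

On a live host the exclusion side of this can be confirmed with Get-MpPreference (the ExclusionPath property) and in the Microsoft-Windows-Windows Defender/Operational log, where event 5007 records configuration changes; the task side with the task XML itself, which schtasks /XML copies verbatim into the task store.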
            Source: tXcFA8apHU.exe, 0000000E.00000002.3725647810.0000000000CE4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
            Source: tXcFA8apHU.exe, 0000000E.00000002.3725647810.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerNS\&
            Source: tXcFA8apHU.exe, 0000000E.00000002.3725647810.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerNS\
            Source: tXcFA8apHU.exe, 0000000E.00000002.3725647810.0000000000CE4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerm
            Source: tXcFA8apHU.exe, 0000000E.00000002.3725647810.0000000000CAA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagersInfor
            Source: tXcFA8apHU.exe, 0000000E.00000002.3725647810.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerNS\y
            Source: tXcFA8apHU.exe, 0000000E.00000002.3725647810.0000000000CE4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager`
            Source: tXcFA8apHU.exe, 0000000E.00000002.3725647810.0000000000CE4000.00000004.00000020.00020000.00000000.sdmp, tXcFA8apHU.exe, 0000000E.00000002.3725647810.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, tXcFA8apHU.exe, 0000000E.00000002.3725647810.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
            Source: tXcFA8apHU.exe, 0000000E.00000002.3725647810.0000000000CE4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager^
            Source: tXcFA8apHU.exe, 0000000E.00000002.3725647810.0000000000CAA000.00000004.00000020.00020000.00000000.sdmp, tXcFA8apHU.exe, 0000000E.00000002.3725647810.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, tXcFA8apHU.exe, 0000000E.00000002.3725647810.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [Program Manager]
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_004329DA cpuid
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_0044F17B EnumSystemLocalesW
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_0044F130 EnumSystemLocalesW
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_0044F216 EnumSystemLocalesW
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_0044F2A3 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_0040E2BB GetLocaleInfoA
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_0044F4F3 GetLocaleInfoW
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_0044F61C GetLocaleInfoW,GetLocaleInfoW,GetACP
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_0044F723 GetLocaleInfoW
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_0044F7F0 GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_00445914 EnumSystemLocalesW
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_00445E1C GetLocaleInfoW
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function: 20_2_0044EEB8 IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Queries volume information: C:\Users\user\Desktop\tXcFA8apHU.exe VolumeInformation
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\tXcFA8apHU.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (6 occurrences)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (2 occurrences)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeQueries volume information: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeCode function: 20_2_0040A0B0 GetLocalTime,wsprintfW,20_2_0040A0B0
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeCode function: 20_2_004195F8 GetUserNameW,20_2_004195F8
            Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exeCode function: 20_2_004466BF _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,20_2_004466BF
            Source: C:\Users\user\Desktop\tXcFA8apHU.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: 5.2.tXcFA8apHU.exe.46a9cb0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.njEnUdtKgG.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.njEnUdtKgG.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.tXcFA8apHU.exe.471f2d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.tXcFA8apHU.exe.471f2d0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.tXcFA8apHU.exe.46a9cb0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000002.3725647810.0000000000CAA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.1351775759.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.1374108041.00000000036E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1325620534.00000000046A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: tXcFA8apHU.exe PID: 7880, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: tXcFA8apHU.exe PID: 4620, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: njEnUdtKgG.exe PID: 7500, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: njEnUdtKgG.exe PID: 6836, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function 20_2_0040A953: \AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function 20_2_0040AA71: \AppData\Roaming\Mozilla\Firefox\Profiles\
Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function 20_2_0040AA71: \key3.db

Remote Access Functionality

Source: Yara match | File source: 5.2.tXcFA8apHU.exe.46a9cb0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.njEnUdtKgG.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.njEnUdtKgG.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.tXcFA8apHU.exe.471f2d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.tXcFA8apHU.exe.471f2d0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.tXcFA8apHU.exe.46a9cb0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000002.3725647810.0000000000CAA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.1351775759.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.1374108041.00000000036E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1325620534.00000000046A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: tXcFA8apHU.exe PID: 7880, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: tXcFA8apHU.exe PID: 4620, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: njEnUdtKgG.exe PID: 7500, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: njEnUdtKgG.exe PID: 6836, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | Code function 20_2_0040567A: cmd.exe
MITRE ATT&CK matrix, listed per tactic (the count shown next to a technique in the original matrix is given in parentheses; techniques without a count are the unmatched cells of the matrix):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Native API (1); Command and Scripting Interpreter (1); Scheduled Task/Job (1); Service Execution (2); Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: DLL Side-Loading (1); Windows Service (1); Scheduled Task/Job (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Windows Service (1); Process Injection (122); Scheduled Task/Job (1); RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (31); Access Token Manipulation (1); Process Injection (122); Dynamic API Resolution
Credential Access: OS Credential Dumping (1); Input Capture (211); Credentials In Files (2); NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: System Time Discovery (2); Account Discovery (1); System Service Discovery (1); File and Directory Discovery (3); System Information Discovery (33); Security Software Discovery (121); Virtualization/Sandbox Evasion (31); Process Discovery (3); Application Window Discovery (1); System Owner/User Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: Archive Collected Data (11); Input Capture (211); Clipboard Data (3); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: Ingress Tool Transfer (12); Encrypted Channel (2); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (12); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Defacement (1); Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph ID: 1569310 | Sample: tXcFA8apHU.exe | Start date: 05/12/2024 | Architecture: WINDOWS | Score: 100
Contacted domains: lack.work.gd, geoplugin.net
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures

Process tree from the behavior graph:

tXcFA8apHU.exe (started)
    Dropped: C:\Users\user\AppData\...\njEnUdtKgG.exe (PE32); C:\Users\...\njEnUdtKgG.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp4537.tmp (XML); C:\Users\user\AppData\...\tXcFA8apHU.exe.log (ASCII)
    Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender
    tXcFA8apHU.exe (started)
        Network: lack.work.gd 154.216.19.139, ports 3124, 49711, SKHT-AS ShenzhenKatherineHengTechnologyInformationCo, Seychelles
        Network: geoplugin.net 178.237.33.50, ports 49724, 80, ATOM86-AS ATOM86 NL, Netherlands
        Signatures: Installs a global keyboard hook
    powershell.exe (started)
        Signatures: Loading BitLocker PowerShell Module
        WmiPrvSE.exe (started)
        conhost.exe (started)
    powershell.exe (started)
        conhost.exe (started)
    schtasks.exe (started)
        conhost.exe (started)
njEnUdtKgG.exe (started)
    Signatures: Multi AV Scanner detection for dropped file; Contains functionality to change the wallpaper; Machine Learning detection for dropped file; 5 other signatures
    schtasks.exe (started)
        conhost.exe (started)
    njEnUdtKgG.exe (started)

Source | Detection | Scanner | Label
tXcFA8apHU.exe | 66% | ReversingLabs | Win32.Backdoor.Remcos
tXcFA8apHU.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\njEnUdtKgG.exe | 66% | ReversingLabs | Win32.Backdoor.Remcos

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
lack.work.gd | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
lack.work.gd | 154.216.19.139 | true | true | | unknown
geoplugin.net | 178.237.33.50 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | false | | high
lack.work.gd | true | Avira URL Cloud: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp/C | tXcFA8apHU.exe, 00000005.00000002.1325620534.00000000046A9000.00000004.00000800.00020000.00000000.sdmp; njEnUdtKgG.exe, 00000010.00000002.1374108041.00000000036E5000.00000004.00000800.00020000.00000000.sdmp; njEnUdtKgG.exe, 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gpl | tXcFA8apHU.exe, 0000000E.00000002.3725647810.0000000000CD6000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gpwk | tXcFA8apHU.exe, 0000000E.00000002.3725647810.0000000000CD6000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | tXcFA8apHU.exe, 00000005.00000002.1324653197.0000000002C10000.00000004.00000800.00020000.00000000.sdmp; njEnUdtKgG.exe, 00000010.00000002.1371530809.0000000002620000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gpSystem32 | tXcFA8apHU.exe, 0000000E.00000002.3725647810.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
154.216.19.139 | lack.work.gd | Seychelles | 135357 | SKHT-ASShenzhenKatherineHengTechnologyInformationCo | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1569310
Start date and time: 2024-12-05 17:53:18 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 45s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: tXcFA8apHU.exe (renamed because the original name is a hash value)
Original Sample Name: 7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.evad.winEXE@19/17@3/2
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 51
• Number of non-executed functions: 184
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target tXcFA8apHU.exe, PID 4620 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtCreateKey calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• VT rate limit hit for: tXcFA8apHU.exe
Time | Type | Description
11:54:09 | API Interceptor | 6207617x Sleep call for process: tXcFA8apHU.exe modified
11:54:11 | API Interceptor | 28x Sleep call for process: powershell.exe modified
11:54:14 | API Interceptor | 3x Sleep call for process: njEnUdtKgG.exe modified
17:54:13 | Task Scheduler | Run new task: njEnUdtKgG path: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
154.216.19.139 | x86_64.nn.elf | malicious | Mirai, Okiru |
154.216.19.139 | m68k.nn.elf | malicious | Mirai, Okiru |
154.216.19.139 | m68k.nn.elf | malicious | Mirai, Okiru |
154.216.19.139 | powerpc.nn.elf | malicious | Mirai, Okiru |
154.216.19.139 | arm.nn.elf | malicious | Mirai, Okiru |
154.216.19.139 | m68k.nn.elf | malicious | Mirai, Okiru |
154.216.19.139 | m68k.nn.elf | malicious | Mirai, Okiru |
154.216.19.139 | m68k.nn.elf | malicious | Mirai, Okiru |
154.216.19.139 | m68k.nn.elf | malicious | Mirai, Okiru |
154.216.19.139 | m68k.nn.elf | malicious | Mirai, Okiru |
178.237.33.50 | f5TWdT5EAc.exe | malicious | Phorpiex, RHADAMANTHYS, Xmrig | www.geoplugin.net/json.gp?ip=
178.237.33.50 | 17333253674c71ac3d5875ca830e11f4630bf65d3b8b7e2686361e216df980d330c80afb30623.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | togiveme.doc | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | greatnew.doc | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 1733313724403c020f6e88b0c933bdcc8580dbdc997912d71ff6e423ca5d8288c03cec53d3177.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | cUxXrdUvYR.rtf | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | Amoxycillin Trihydrate Powder.docx.doc | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | Order_DEC2024.wsf | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | #U041f#U043b#U0430#U0449#U0430#U043d#U0435.docx | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 7a67aa0f4b0c33b1bd9acf18ea4e96d357e8198c5eaaab2404e9f6802db3fb87_d.exe | malicious | Remcos | geoplugin.net/json.gp

Match | Associated Sample Name / URL | Detection | Threat Name | Context
geoplugin.net | 17333253674c71ac3d5875ca830e11f4630bf65d3b8b7e2686361e216df980d330c80afb30623.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | togiveme.doc | malicious | Remcos | 178.237.33.50
geoplugin.net | greatnew.doc | malicious | Remcos | 178.237.33.50
geoplugin.net | 1733313724403c020f6e88b0c933bdcc8580dbdc997912d71ff6e423ca5d8288c03cec53d3177.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | cUxXrdUvYR.rtf | malicious | Remcos | 178.237.33.50
geoplugin.net | Amoxycillin Trihydrate Powder.docx.doc | malicious | Remcos | 178.237.33.50
geoplugin.net | Order_DEC2024.wsf | malicious | Remcos | 178.237.33.50
                                                #U041f#U043b#U0430#U0449#U0430#U043d#U0435.docxGet hashmaliciousRemcosBrowse
                                                • 178.237.33.50
                                                7a67aa0f4b0c33b1bd9acf18ea4e96d357e8198c5eaaab2404e9f6802db3fb87_d.exeGet hashmaliciousRemcosBrowse
                                                • 178.237.33.50
                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                SKHT-ASShenzhenKatherineHengTechnologyInformationCox86_64.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                • 154.216.19.139
                                                m68k.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                • 154.216.19.139
                                                sora.sh4.elfGet hashmaliciousMiraiBrowse
                                                • 45.207.215.90
                                                zmap.ppc.elfGet hashmaliciousMirai, OkiruBrowse
                                                • 154.216.18.131
                                                zmap.arm7.elfGet hashmaliciousMirai, OkiruBrowse
                                                • 154.216.18.131
                                                zmap.arm.elfGet hashmaliciousMirai, OkiruBrowse
                                                • 154.216.18.131
                                                armv7l.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                • 156.241.11.68
                                                zmap.x86.elfGet hashmaliciousOkiruBrowse
                                                • 154.216.18.131
                                                armv5l.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                • 156.230.19.162
                                                zmap.m68k.elfGet hashmaliciousMirai, OkiruBrowse
                                                • 154.216.18.131
                                                ATOM86-ASATOM86NLf5TWdT5EAc.exeGet hashmaliciousPhorpiex, RHADAMANTHYS, XmrigBrowse
                                                • 178.237.33.50
                                                17333253674c71ac3d5875ca830e11f4630bf65d3b8b7e2686361e216df980d330c80afb30623.dat-decoded.exeGet hashmaliciousRemcosBrowse
                                                • 178.237.33.50
                                                togiveme.docGet hashmaliciousRemcosBrowse
                                                • 178.237.33.50
                                                greatnew.docGet hashmaliciousRemcosBrowse
                                                • 178.237.33.50
                                                1733313724403c020f6e88b0c933bdcc8580dbdc997912d71ff6e423ca5d8288c03cec53d3177.dat-decoded.exeGet hashmaliciousRemcosBrowse
                                                • 178.237.33.50
                                                cUxXrdUvYR.rtfGet hashmaliciousRemcosBrowse
                                                • 178.237.33.50
                                                Amoxycillin Trihydrate Powder.docx.docGet hashmaliciousRemcosBrowse
                                                • 178.237.33.50
                                                Order_DEC2024.wsfGet hashmaliciousRemcosBrowse
                                                • 178.237.33.50
                                                #U041f#U043b#U0430#U0449#U0430#U043d#U0435.docxGet hashmaliciousRemcosBrowse
                                                • 178.237.33.50
                                                7a67aa0f4b0c33b1bd9acf18ea4e96d357e8198c5eaaab2404e9f6802db3fb87_d.exeGet hashmaliciousRemcosBrowse
                                                • 178.237.33.50
                                                No context
                                                No context
                                                Process:C:\Users\user\Desktop\tXcFA8apHU.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):232
                                                Entropy (8bit):7.135787568310166
                                                Encrypted:false
                                                SSDEEP:6:qEyO5oVLFlZQ0qkZ0XpfpjRJzSuxyNnq7o21e5Y:rCXo+0ZhjRJzJxhr1eq
                                                MD5:64F98EA0A57F0E44575E8C283E867DCB
                                                SHA1:2620C456325858FD11381921D24DA5048941A5B1
                                                SHA-256:54897B591E9F67F6DE722DFEEDED4A901346127EE8556E0DF86D229421C2C5C3
                                                SHA-512:44F560346185E9B1A1DC98A6FEB85A2202DB1A196BF57123AF3565683F68733962E5E36D91DEA7DF37E103C95957F86DC32EFA44A80FF1CC4127AD73BDBB7AEE
                                                Malicious:false
                                                 Preview: (232 bytes of high-entropy binary data, raw bytes not reproduced)
                                                Process:C:\Users\user\AppData\Roaming\njEnUdtKgG.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1216
                                                Entropy (8bit):5.34331486778365
                                                Encrypted:false
                                                SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhg84qXKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3ogvitHo6hAHKzea
                                                MD5:E193AFF55D4BDD9951CB4287A7D79653
                                                SHA1:F94AD920B9E0EB43B5005D74552AB84EAA38E985
                                                SHA-256:08DD5825B4EDCC256AEB08525DCBCDA342252A9C9746BE23FBC70A801F5A596E
                                                SHA-512:86F6ECDB47C1A7FFA460F3BC6038ACAFC9D4DED4D1E8D1FB7B8FE9145D9D384AB4EE7A7C3BE959A25B265AFEDB8FD31BA10073EC116B65BFE3326EF2C53394E6
                                                Malicious:false
                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                Process:C:\Users\user\Desktop\tXcFA8apHU.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1216
                                                Entropy (8bit):5.34331486778365
                                                Encrypted:false
                                                SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhg84qXKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3ogvitHo6hAHKzea
                                                MD5:E193AFF55D4BDD9951CB4287A7D79653
                                                SHA1:F94AD920B9E0EB43B5005D74552AB84EAA38E985
                                                SHA-256:08DD5825B4EDCC256AEB08525DCBCDA342252A9C9746BE23FBC70A801F5A596E
                                                SHA-512:86F6ECDB47C1A7FFA460F3BC6038ACAFC9D4DED4D1E8D1FB7B8FE9145D9D384AB4EE7A7C3BE959A25B265AFEDB8FD31BA10073EC116B65BFE3326EF2C53394E6
                                                Malicious:true
                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                Process:C:\Users\user\Desktop\tXcFA8apHU.exe
                                                File Type:JSON data
                                                Category:dropped
                                                Size (bytes):963
                                                Entropy (8bit):5.014904284428935
                                                Encrypted:false
                                                SSDEEP:12:tkluJnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qluNdRNuKyGX85jvXhNlT3/7AcV9Wro
                                                MD5:B66CFB6461E507BB577CDE91F270844E
                                                SHA1:6D952DE48032731679F8718D1F1C3F08202507C3
                                                SHA-256:E231BBC873E9B30CCA58297CAA3E8945A4FC61556F378F2C5013B0DDCB7035BE
                                                SHA-512:B5C1C188F10C9134EF38D0C5296E7AE95A7A486F858BE977F9A36D63CBE5790592881F3B8D12FEBBF1E555D0A9868632D9E590777E2D3143E74FD3A44C55575F
                                                Malicious:false
                                                Preview:{. "geoplugin_request":"8.46.123.228",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):2232
                                                Entropy (8bit):5.3810236212315665
                                                Encrypted:false
                                                SSDEEP:48:lylWSU4xympgv4RIoUP7gZ9tK8NPZHUx7u1iMugeoPUyus:lGLHxv2IfLZ2KRH6OugYs
                                                MD5:CF67394596448ACE4EF5F912410BAA2D
                                                SHA1:4EDB87B6EC25C392290AAE60DEE946AAC603DC68
                                                SHA-256:1B0BCE6991D6BF482FD79B73CD522D16C9837C7B3C54065B8177B305E3114253
                                                SHA-512:0B1A283BFD4D65C2B144A9BC74D555C4742F183ABE1340351EC4C8A504EE439C251C87BE01E3002A9A67892E60F42DACE7B4FFED8C4210A5FB82D5CBF5CB514B
                                                Malicious:false
                                                 Preview: (binary data with embedded .NET assembly names such as Microsoft.PowerShell.Commands.Management, Microsoft.PowerShell.ConsoleHost, System.Management.Automation and Microsoft.PowerShell.Security; raw bytes not reproduced)
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\Users\user\Desktop\tXcFA8apHU.exe
                                                File Type:XML 1.0 document, ASCII text
                                                Category:dropped
                                                Size (bytes):1569
                                                Entropy (8bit):5.108999483360095
                                                Encrypted:false
                                                SSDEEP:48:cge7XQBBYrFdOFzOzN33ODOiDdKrsuTWv:He7XQBBYrFdOFzOz6dKrsuo
                                                MD5:D77A4DBFE38DC5761C9AC6F8478D237E
                                                SHA1:6B3D9A9CEF3FA0F2AFE3E02BCB3800A10FEFEA6E
                                                SHA-256:F517C94CBBE019596F5E7DF01C909EC186A3653A76660CFA063FF349AF5DCA18
                                                SHA-512:A5AC32E17DEB3ADE5BD7F94961944148F0601F1D70ECA40F622DBD4C9F6E5CD2CF370E1720E893E3022E6A882F294F3F00880187F8B105F92B3D3739FEFC71D3
                                                Malicious:true
                                                Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f
                                                Process:C:\Users\user\AppData\Roaming\njEnUdtKgG.exe
                                                File Type:XML 1.0 document, ASCII text
                                                Category:dropped
                                                Size (bytes):1569
                                                Entropy (8bit):5.108999483360095
                                                Encrypted:false
                                                SSDEEP:48:cge7XQBBYrFdOFzOzN33ODOiDdKrsuTWv:He7XQBBYrFdOFzOz6dKrsuo
                                                MD5:D77A4DBFE38DC5761C9AC6F8478D237E
                                                SHA1:6B3D9A9CEF3FA0F2AFE3E02BCB3800A10FEFEA6E
                                                SHA-256:F517C94CBBE019596F5E7DF01C909EC186A3653A76660CFA063FF349AF5DCA18
                                                SHA-512:A5AC32E17DEB3ADE5BD7F94961944148F0601F1D70ECA40F622DBD4C9F6E5CD2CF370E1720E893E3022E6A882F294F3F00880187F8B105F92B3D3739FEFC71D3
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f
                                                Process:C:\Users\user\Desktop\tXcFA8apHU.exe
                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Category:dropped
                                                Size (bytes):922112
                                                Entropy (8bit):7.908751468566825
                                                Encrypted:false
                                                SSDEEP:24576:QHIlObe6kDOI8hCMghsuN3OqyDzORPW3fa:FciJ2N4spU+i
                                                MD5:C9D033467BD4405DB131E2DB7DD8ABBF
                                                SHA1:31A47EBB0A372CE4DEA8F9AD0D7E547816FF7103
                                                SHA-256:7943AAB15DC5804448102C5C1FC5341B65708BFF970773E25F0F27D807E90D29
                                                SHA-512:08B643C8ED42B6F59D9879EFF287F9CF1F11696794C084DCC337F4D893CC759868457D8EF2FC095B73AA43DEEC5527D12DFFBBDCE528A71F758E8C0AF335FFC2
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                • Antivirus: ReversingLabs, Detection: 66%
                                                 Preview: (PE32 image starting with the MZ/PE headers and the DOS stub "This program cannot be run in DOS mode", with .text, .rsrc and .reloc sections; raw bytes not reproduced)
                                                Process:C:\Users\user\Desktop\tXcFA8apHU.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):26
                                                Entropy (8bit):3.95006375643621
                                                Encrypted:false
                                                SSDEEP:3:ggPYV:rPYV
                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                Malicious:true
                                                Preview:[ZoneTransfer]....ZoneId=0
                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Entropy (8bit):7.908751468566825
                                                TrID:
                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                • DOS Executable Generic (2002/1) 0.01%
                                                File name:tXcFA8apHU.exe
                                                File size:922'112 bytes
                                                MD5:c9d033467bd4405db131e2db7dd8abbf
                                                SHA1:31a47ebb0a372ce4dea8f9ad0d7e547816ff7103
                                                SHA256:7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29
                                                SHA512:08b643c8ed42b6f59d9879eff287f9cf1f11696794c084dcc337f4d893cc759868457d8ef2fc095b73aa43deec5527d12dffbbdce528a71f758e8c0af335ffc2
                                                SSDEEP:24576:QHIlObe6kDOI8hCMghsuN3OqyDzORPW3fa:FciJ2N4spU+i
                                                TLSH:D8151291F935D863DAE887B49271D77E0A328E4CE900D25B8BFEDCE778477167904282
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....6g..............0.................. ... ....@.. .......................`............`................................
                                                Icon Hash:69723d9b2653b169
                                                Entrypoint:0x4e141e
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                Time Stamp:0x6736B595 [Fri Nov 15 02:44:37 2024 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                Instruction
                                                jmp dword ptr [00402000h]
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe13cc | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe2000 | 0x176c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe4000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xdfc68 | 0x54 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xdf424 | 0xdf600 | 127d80c20cba801d437b4c696bf36c74 | False | 0.9526965584778959 | data | 7.913890207128523 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xe2000 | 0x176c | 0x1800 | bc971f67ee06cf00907423ad7d3b873c | False | 0.8448893229166666 | data | 7.181367202693059 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xe4000 | 0xc | 0x200 | d47c04ed731e76733cfcd22f0c7d875a | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xe20c8 | 0x133a | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9553027224705404
RT_GROUP_ICON | 0xe3414 | 0x14 | data | | | 1.05
RT_VERSION | 0xe3438 | 0x330 | data | | | 0.4424019607843137
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-05T17:54:15.573901+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49711 | 154.216.19.139 | 3124 | TCP
2024-12-05T17:54:19.562581+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.10 | 49724 | 178.237.33.50 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 5, 2024 17:54:14.040163994 CET | 49711 | 3124 | 192.168.2.10 | 154.216.19.139
Dec 5, 2024 17:54:14.159956932 CET | 3124 | 49711 | 154.216.19.139 | 192.168.2.10
Dec 5, 2024 17:54:14.160217047 CET | 49711 | 3124 | 192.168.2.10 | 154.216.19.139
Dec 5, 2024 17:54:14.170614958 CET | 49711 | 3124 | 192.168.2.10 | 154.216.19.139
Dec 5, 2024 17:54:14.290572882 CET | 3124 | 49711 | 154.216.19.139 | 192.168.2.10
Dec 5, 2024 17:54:15.464282036 CET | 3124 | 49711 | 154.216.19.139 | 192.168.2.10
Dec 5, 2024 17:54:15.573900938 CET | 49711 | 3124 | 192.168.2.10 | 154.216.19.139
Dec 5, 2024 17:54:15.698194981 CET | 3124 | 49711 | 154.216.19.139 | 192.168.2.10
Dec 5, 2024 17:54:15.702816963 CET | 49711 | 3124 | 192.168.2.10 | 154.216.19.139
Dec 5, 2024 17:54:15.823479891 CET | 3124 | 49711 | 154.216.19.139 | 192.168.2.10
Dec 5, 2024 17:54:15.823571920 CET | 49711 | 3124 | 192.168.2.10 | 154.216.19.139
Dec 5, 2024 17:54:15.943429947 CET | 3124 | 49711 | 154.216.19.139 | 192.168.2.10
Dec 5, 2024 17:54:16.552875042 CET | 3124 | 49711 | 154.216.19.139 | 192.168.2.10
Dec 5, 2024 17:54:16.554054022 CET | 49711 | 3124 | 192.168.2.10 | 154.216.19.139
Dec 5, 2024 17:54:16.674585104 CET | 3124 | 49711 | 154.216.19.139 | 192.168.2.10
Dec 5, 2024 17:54:16.744885921 CET | 3124 | 49711 | 154.216.19.139 | 192.168.2.10
Dec 5, 2024 17:54:16.882503986 CET | 49711 | 3124 | 192.168.2.10 | 154.216.19.139
Dec 5, 2024 17:54:18.199254990 CET | 49724 | 80 | 192.168.2.10 | 178.237.33.50
Dec 5, 2024 17:54:18.319062948 CET | 80 | 49724 | 178.237.33.50 | 192.168.2.10
Dec 5, 2024 17:54:18.319289923 CET | 49724 | 80 | 192.168.2.10 | 178.237.33.50
Dec 5, 2024 17:54:18.331248999 CET | 49724 | 80 | 192.168.2.10 | 178.237.33.50
Dec 5, 2024 17:54:18.451421976 CET | 80 | 49724 | 178.237.33.50 | 192.168.2.10
Dec 5, 2024 17:54:19.562427998 CET | 80 | 49724 | 178.237.33.50 | 192.168.2.10
Dec 5, 2024 17:54:19.562581062 CET | 49724 | 80 | 192.168.2.10 | 178.237.33.50
Dec 5, 2024 17:54:19.572278023 CET | 49711 | 3124 | 192.168.2.10 | 154.216.19.139
Dec 5, 2024 17:54:19.692107916 CET | 3124 | 49711 | 154.216.19.139 | 192.168.2.10
Dec 5, 2024 17:54:20.563124895 CET | 80 | 49724 | 178.237.33.50 | 192.168.2.10
Dec 5, 2024 17:54:20.563261032 CET | 49724 | 80 | 192.168.2.10 | 178.237.33.50
Dec 5, 2024 17:54:52.144567013 CET | 3124 | 49711 | 154.216.19.139 | 192.168.2.10
Dec 5, 2024 17:54:52.146322966 CET | 49711 | 3124 | 192.168.2.10 | 154.216.19.139
Dec 5, 2024 17:54:52.269588947 CET | 3124 | 49711 | 154.216.19.139 | 192.168.2.10
Dec 5, 2024 17:55:24.163340092 CET | 3124 | 49711 | 154.216.19.139 | 192.168.2.10
Dec 5, 2024 17:55:24.167207003 CET | 49711 | 3124 | 192.168.2.10 | 154.216.19.139
Dec 5, 2024 17:55:24.287734985 CET | 3124 | 49711 | 154.216.19.139 | 192.168.2.10
Dec 5, 2024 17:55:56.000452995 CET | 3124 | 49711 | 154.216.19.139 | 192.168.2.10
Dec 5, 2024 17:55:56.002105951 CET | 49711 | 3124 | 192.168.2.10 | 154.216.19.139
Dec 5, 2024 17:55:56.123356104 CET | 3124 | 49711 | 154.216.19.139 | 192.168.2.10
Dec 5, 2024 17:56:08.052247047 CET | 49724 | 80 | 192.168.2.10 | 178.237.33.50
Dec 5, 2024 17:56:08.489311934 CET | 49724 | 80 | 192.168.2.10 | 178.237.33.50
Dec 5, 2024 17:56:09.301821947 CET | 49724 | 80 | 192.168.2.10 | 178.237.33.50
Dec 5, 2024 17:56:10.598973036 CET | 49724 | 80 | 192.168.2.10 | 178.237.33.50
Dec 5, 2024 17:56:13.286283970 CET | 49724 | 80 | 192.168.2.10 | 178.237.33.50
Dec 5, 2024 17:56:18.489350080 CET | 49724 | 80 | 192.168.2.10 | 178.237.33.50
Dec 5, 2024 17:56:28.116638899 CET | 3124 | 49711 | 154.216.19.139 | 192.168.2.10
Dec 5, 2024 17:56:28.118010044 CET | 49711 | 3124 | 192.168.2.10 | 154.216.19.139
Dec 5, 2024 17:56:28.239887953 CET | 3124 | 49711 | 154.216.19.139 | 192.168.2.10
Dec 5, 2024 17:56:28.598702908 CET | 49724 | 80 | 192.168.2.10 | 178.237.33.50
Dec 5, 2024 17:56:58.748135090 CET | 3124 | 49711 | 154.216.19.139 | 192.168.2.10
Dec 5, 2024 17:56:58.749360085 CET | 49711 | 3124 | 192.168.2.10 | 154.216.19.139
Dec 5, 2024 17:56:58.869213104 CET | 3124 | 49711 | 154.216.19.139 | 192.168.2.10
Dec 5, 2024 17:57:30.269046068 CET | 3124 | 49711 | 154.216.19.139 | 192.168.2.10
Dec 5, 2024 17:57:30.271034956 CET | 49711 | 3124 | 192.168.2.10 | 154.216.19.139
Dec 5, 2024 17:57:30.390883923 CET | 3124 | 49711 | 154.216.19.139 | 192.168.2.10
Dec 5, 2024 17:58:01.580861092 CET | 3124 | 49711 | 154.216.19.139 | 192.168.2.10
Dec 5, 2024 17:58:01.582129002 CET | 49711 | 3124 | 192.168.2.10 | 154.216.19.139
Dec 5, 2024 17:58:01.701980114 CET | 3124 | 49711 | 154.216.19.139 | 192.168.2.10
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 5, 2024 17:54:12.869467020 CET | 64951 | 53 | 192.168.2.10 | 1.1.1.1
Dec 5, 2024 17:54:13.868025064 CET | 64951 | 53 | 192.168.2.10 | 1.1.1.1
Dec 5, 2024 17:54:14.035999060 CET | 53 | 64951 | 1.1.1.1 | 192.168.2.10
Dec 5, 2024 17:54:14.036011934 CET | 53 | 64951 | 1.1.1.1 | 192.168.2.10
Dec 5, 2024 17:54:18.054930925 CET | 63360 | 53 | 192.168.2.10 | 1.1.1.1
Dec 5, 2024 17:54:18.195272923 CET | 53 | 63360 | 1.1.1.1 | 192.168.2.10
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 5, 2024 17:54:12.869467020 CET | 192.168.2.10 | 1.1.1.1 | 0x40f9 | Standard query (0) | lack.work.gd | A (IP address) | IN (0x0001) | false
Dec 5, 2024 17:54:13.868025064 CET | 192.168.2.10 | 1.1.1.1 | 0x40f9 | Standard query (0) | lack.work.gd | A (IP address) | IN (0x0001) | false
Dec 5, 2024 17:54:18.054930925 CET | 192.168.2.10 | 1.1.1.1 | 0x89ea | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 5, 2024 17:54:14.035999060 CET | 1.1.1.1 | 192.168.2.10 | 0x40f9 | No error (0) | lack.work.gd | | 154.216.19.139 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 17:54:14.036011934 CET | 1.1.1.1 | 192.168.2.10 | 0x40f9 | No error (0) | lack.work.gd | | 154.216.19.139 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 17:54:18.195272923 CET | 1.1.1.1 | 192.168.2.10 | 0x89ea | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                                • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49724 | 178.237.33.50 | 80 | 4620 | C:\Users\user\Desktop\tXcFA8apHU.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 17:54:18.331248999 CET | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Dec 5, 2024 17:54:19.562427998 CET | 1171 | IN | HTTP/1.1 200 OK
                                                date: Thu, 05 Dec 2024 16:54:19 GMT
                                                server: Apache
                                                content-length: 963
                                                content-type: application/json; charset=utf-8
                                                cache-control: public, max-age=300
                                                access-control-allow-origin: *
                                                Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 32 32 38 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 [TRUNCATED]
                                                Data Ascii: { "geoplugin_request":"8.46.123.228", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}

                                                Target ID:5
                                                Start time:11:54:08
                                                Start date:05/12/2024
                                                Path:C:\Users\user\Desktop\tXcFA8apHU.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\tXcFA8apHU.exe"
                                                Imagebase:0x670000
                                                File size:922'112 bytes
                                                MD5 hash:C9D033467BD4405DB131E2DB7DD8ABBF
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.1325620534.00000000046A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000005.00000002.1325620534.00000000046A9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                Reputation:low
                                                Has exited:true

                                                Target ID:8
                                                Start time:11:54:10
                                                Start date:05/12/2024
                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tXcFA8apHU.exe"
                                                Imagebase:0xbb0000
                                                File size:433'152 bytes
                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:9
                                                Start time:11:54:10
                                                Start date:05/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff620390000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:10
                                                Start time:11:54:10
                                                Start date:05/12/2024
                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\njEnUdtKgG.exe"
                                                Imagebase:0xbb0000
                                                File size:433'152 bytes
                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:11
                                                Start time:11:54:10
                                                Start date:05/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff620390000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:12
                                                Start time:11:54:10
                                                Start date:05/12/2024
                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\njEnUdtKgG" /XML "C:\Users\user\AppData\Local\Temp\tmp4537.tmp"
                                                Imagebase:0x860000
                                                File size:187'904 bytes
                                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:13
                                                Start time:11:54:11
                                                Start date:05/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff620390000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:14
                                                Start time:11:54:11
                                                Start date:05/12/2024
                                                Path:C:\Users\user\Desktop\tXcFA8apHU.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\tXcFA8apHU.exe"
                                                Imagebase:0x770000
                                                File size:922'112 bytes
                                                MD5 hash:C9D033467BD4405DB131E2DB7DD8ABBF
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.3725647810.0000000000CAA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:low
                                                Has exited:false

                                                Target ID:15
                                                Start time:11:54:13
                                                Start date:05/12/2024
                                                Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                Imagebase:0x7ff6616b0000
                                                File size:496'640 bytes
                                                MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                Has elevated privileges:true
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:16
                                                Start time:11:54:13
                                                Start date:05/12/2024
                                                Path:C:\Users\user\AppData\Roaming\njEnUdtKgG.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Users\user\AppData\Roaming\njEnUdtKgG.exe
                                                Imagebase:0x200000
                                                File size:922'112 bytes
                                                MD5 hash:C9D033467BD4405DB131E2DB7DD8ABBF
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000010.00000002.1374108041.00000000036E5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000010.00000002.1374108041.00000000036E5000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                Antivirus matches:
                                                • Detection: 100%, Joe Sandbox ML
                                                • Detection: 66%, ReversingLabs
                                                Reputation:low
                                                Has exited:true

                                                Target ID:18
                                                Start time:11:54:15
                                                Start date:05/12/2024
                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\njEnUdtKgG" /XML "C:\Users\user\AppData\Local\Temp\tmp567D.tmp"
                                                Imagebase:0x860000
                                                File size:187'904 bytes
                                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:19
                                                Start time:11:54:15
                                                Start date:05/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff620390000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:20
                                                Start time:11:54:16
                                                Start date:05/12/2024
                                                Path:C:\Users\user\AppData\Roaming\njEnUdtKgG.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\AppData\Roaming\njEnUdtKgG.exe"
                                                Imagebase:0x580000
                                                File size:922'112 bytes
                                                MD5 hash:C9D033467BD4405DB131E2DB7DD8ABBF
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000014.00000002.1351775759.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows executables potentially bypassing UAC using eventvwr.exe, Source: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                Has exited:true
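
                                                The process entries above show the persistence chain in three command lines: powershell.exe adds a Defender exclusion for the dropped copy in AppData\Roaming (ID 10), schtasks.exe registers a task from an XML file written to AppData\Local\Temp (IDs 12 and 18), and the dropped file njEnUdtKgG.exe carries the same MD5 as the submitted sample (IDs 14, 16, 20). The block below is an added example, not part of the Joe Sandbox report or of its Sigma rules: it re-implements those three checks as plain Python over process-creation records. The PROCESSES list is constructed from the command lines shown in this report; the detection names, the directory lists and the handling of `-EncodedCommand` (base64 of UTF-16LE, which this sample does not use but which the same rule should cover) are the example's own choices.

```python
"""Detection checks over the process records listed above.

Added example, not part of the Joe Sandbox report or its Sigma rules: it
re-implements in plain Python the behaviours the report flags (Defender
exclusion for a user-writable path via Add-MpPreference; scheduled task
created from an XML file in a Temp directory) and adds a cross-process
check: the same binary, by MD5, launched again from AppData\\Roaming.
"""
import base64
import re

# Directory fragments a standard user can write to (lower-case, backslash-delimited).
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

PROCESSES = [  # constructed from report entries 10, 12, 14, 16 and 19
    {"id": 10, "path": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
     "md5": "C32CA4ACFCC635EC1EA6ED8A34DF5FAC",
     "cmdline": '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" Add-MpPreference '
                '-ExclusionPath "C:\\Users\\user\\AppData\\Roaming\\njEnUdtKgG.exe"'},
    {"id": 12, "path": "C:\\Windows\\SysWOW64\\schtasks.exe",
     "md5": "48C2FE20575769DE916F48EF0676A965",
     "cmdline": '"C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\njEnUdtKgG" '
                '/XML "C:\\Users\\user\\AppData\\Local\\Temp\\tmp4537.tmp"'},
    {"id": 14, "path": "C:\\Users\\user\\Desktop\\tXcFA8apHU.exe",
     "md5": "C9D033467BD4405DB131E2DB7DD8ABBF",
     "cmdline": '"C:\\Users\\user\\Desktop\\tXcFA8apHU.exe"'},
    {"id": 16, "path": "C:\\Users\\user\\AppData\\Roaming\\njEnUdtKgG.exe",
     "md5": "C9D033467BD4405DB131E2DB7DD8ABBF",
     "cmdline": "C:\\Users\\user\\AppData\\Roaming\\njEnUdtKgG.exe"},
    {"id": 19, "path": "C:\\Windows\\System32\\conhost.exe",
     "md5": "0D698AF330FD17BEE3BF90011D49251D",
     "cmdline": "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"},
]


def split_windows_args(cmdline):
    """Minimal Windows command-line splitter: double quotes group, nothing else."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in re.finditer(r'"([^"]*)"|(\S+)', cmdline)]


def decode_encoded_command(args):
    """Return the script behind -EncodedCommand/-e/-ec (base64 of UTF-16LE), else None."""
    for i, a in enumerate(args[:-1]):
        if len(a) > 1 and a[0] in "-/":
            opt = a[1:].lower()
            if opt in ("e", "ec") or "encodedcommand".startswith(opt):
                try:
                    return base64.b64decode(args[i + 1], validate=True).decode("utf-16-le")
                except ValueError:  # not valid base64 or not UTF-16LE: treat as plain
                    return None
    return None


def detect(proc):
    """Return the set of detection names that fire for one process record."""
    image = proc["path"].lower().rsplit("\\", 1)[-1]
    args = split_windows_args(proc["cmdline"])
    hits = set()
    if image in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(args)
        script = decoded if decoded is not None else proc["cmdline"]
        if "add-mppreference" in script.lower() and "-exclusion" in script.lower():
            if decoded is not None:
                hits.add("powershell_encoded_mppreference")
            # Any argument, quoted or not, that points into a user-writable tree
            for token in split_windows_args(script):
                if any(d in token.lower() for d in USER_WRITABLE):
                    hits.add("defender_exclusion_user_writable_path")
    elif image == "schtasks.exe":
        low = [a.lower() for a in args]
        if "/create" in low and "/xml" in low and low.index("/xml") + 1 < len(low):
            xml_path = low[low.index("/xml") + 1]
            if any(d in xml_path for d in TEMP_DIRS):
                hits.add("schtasks_create_from_temp_xml")
    return hits


def dropped_copies(processes):
    """MD5 -> sorted paths, for hashes run from more than one path, one user-writable."""
    by_hash = {}
    for p in processes:
        by_hash.setdefault(p["md5"].lower(), set()).add(p["path"])
    return {h: sorted(paths) for h, paths in by_hash.items()
            if len(paths) > 1
            and any(any(d in x.lower() for d in USER_WRITABLE) for x in paths)}


if __name__ == "__main__":
    for p in PROCESSES:
        print(p["id"], sorted(detect(p)))
    print(dropped_copies(PROCESSES))
```

                                                Run against real telemetry, `detect` would be fed Sysmon event 1 or 4688 records (image path plus command line) and `dropped_copies` the per-process file hashes; the path-based heuristics are deliberately narrow, so an exclusion for a Program Files path or a task registered from a vendor's install directory does not fire.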


                                                  Execution Graph

                                                  Execution Coverage:9.5%
                                                  Dynamic/Decrypted Code Coverage:100%
                                                  Signature Coverage:0%
                                                  Total number of Nodes:37
                                                  Total number of Limit Nodes:1
                                                  execution_graph (37 nodes, region 0x02980000, dynamically decrypted code): 0x2984668 -> 0x2984758 -> 0x2984858 / 0x2984868 -> 0x29844e0 -> 0x29858f8 CreateActCtxA; 0x298af30 -> 0x298b017 / 0x298b028 -> 0x298b039 -> 0x298b260 GetModuleHandleW; 0x298d2c0 -> 0x298d490 / 0x298d4a0 -> 0x298af14 -> 0x298d508 DuplicateHandle

                                                  Control-flow Graph

                                                  APIs
                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 0298B27E
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1324368770.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_2980000_tXcFA8apHU.jbxd
                                                  Similarity
                                                  • API ID: HandleModule
                                                  • String ID:
                                                  • API String ID: 4139908857-0
                                                  • Opcode ID: 00c6c9c53d64f898c619ba05b26bcf7ecb40b5eb874a3ff8d0d14a1b02ca9f1e
                                                  • Instruction ID: c72b19576e066d60ef65521377503acb963e8952f3c543c838b2503a38c9a5e5
                                                  • Opcode Fuzzy Hash: 00c6c9c53d64f898c619ba05b26bcf7ecb40b5eb874a3ff8d0d14a1b02ca9f1e
                                                  • Instruction Fuzzy Hash: 84714470A00B058FDB24EF29D05576ABBF5FF88308F08892ED49ADBA50D775E845CB91

                                                  Control-flow Graph

                                                  control_flow_graph: basic blocks 0x29858ec-0x298596c, 0x298596f-0x29859b9 (CreateActCtxA), 0x29859bb-0x29859c1, 0x29859c2-0x2985a1c, 0x2985a1e-0x2985a21, 0x2985a2b-0x2985a2f, 0x2985a31-0x2985a3d, 0x2985a40, 0x2985a41 (self-loop)
                                                  APIs
                                                  • CreateActCtxA.KERNEL32(?), ref: 029859A9
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1324368770.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_2980000_tXcFA8apHU.jbxd
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  • Opcode ID: a4084a8aa1e7192b41c5e146e5f088b79aeb36a935f85b17cdf37647d90848d7
                                                  • Instruction ID: 38ff4ad40b7da74f28ed6589aab9edebc946fe4a6f72b218608c8c1f723491a1
                                                  • Opcode Fuzzy Hash: a4084a8aa1e7192b41c5e146e5f088b79aeb36a935f85b17cdf37647d90848d7
                                                  • Instruction Fuzzy Hash: B34108B4C00719CFEB24DFA9C884BDDBBB5BF48304F65805AD408AB251DBB1694ACF90

                                                  Control-flow Graph

                                                  control_flow_graph: basic blocks 0x29844e0-0x29859b9 (CreateActCtxA), 0x29859bb-0x29859c1, 0x29859c2-0x2985a1c, 0x2985a1e-0x2985a21, 0x2985a2b-0x2985a2f, 0x2985a31-0x2985a3d, 0x2985a40, 0x2985a41 (self-loop)
                                                  APIs
                                                  • CreateActCtxA.KERNEL32(?), ref: 029859A9
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1324368770.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_2980000_tXcFA8apHU.jbxd
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  • Opcode ID: 960271bc90bd7aec4639eb5d10492d39e7b47dd10cf137bd1a9ae4f5bd4b85ec
                                                  • Instruction ID: 870c46a448d97d4f34eddd6acaaaf653b143187eb1b506dad3a92f3ea0e572ae
                                                  • Opcode Fuzzy Hash: 960271bc90bd7aec4639eb5d10492d39e7b47dd10cf137bd1a9ae4f5bd4b85ec
                                                  • Instruction Fuzzy Hash: 3C41E5B0C0071DCBEB24DFA9C884BDDBBB5BF48304F65806AD419AB251DBB16949CF90

                                                  Control-flow Graph

                                                  control_flow_graph: basic blocks 0x2985a64-0x2985a70, 0x2985a22, 0x2985a24-0x2985a27, 0x2985a2b-0x2985a2f, 0x2985a31-0x2985a3d, 0x2985a40, 0x2985a41 (self-loop), 0x2985a72-0x2985a77, 0x2985a92-0x2985a97, 0x2985ae9-0x2985af4
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1324368770.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_2980000_tXcFA8apHU.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b739a54be71bb96e025cae029aaa1211c72ae574f7c5747f8e05b087a4ba98ff
                                                  • Instruction ID: 09c440fcffd7b2684b0341c1a1a8c232a0c54b4e2c34fe7b0a697aa63cc54032
                                                  • Opcode Fuzzy Hash: b739a54be71bb96e025cae029aaa1211c72ae574f7c5747f8e05b087a4ba98ff
                                                  • Instruction Fuzzy Hash: 1531F070804749CFEF11EFE8C885BEDBBF1AF46308F9A414AC016AB265C775994ACB11

                                                  Control-flow Graph

                                                  control_flow_graph: basic blocks 0x298af14-0x298d59c (DuplicateHandle), 0x298d59e-0x298d5a4, 0x298d5a5-0x298d5c2
                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0298D4CE,?,?,?,?,?), ref: 0298D58F
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1324368770.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_2980000_tXcFA8apHU.jbxd
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: 0287540630b8752d8489c982d8b6527b08e96c413a04faf57942d9b001c7df10
                                                  • Instruction ID: e7a4aa5773c6731e80af163e2fc9cdf7484d30f5e95ed532d438b27f164ca999
                                                  • Opcode Fuzzy Hash: 0287540630b8752d8489c982d8b6527b08e96c413a04faf57942d9b001c7df10
                                                  • Instruction Fuzzy Hash: 902114B5900308AFDB10DFAAD484AEEBBF8EB48314F14841AE914A3350D374A940CFA4

                                                  Control-flow Graph

                                                  control_flow_graph: basic blocks 0x298d500-0x298d59c (DuplicateHandle), 0x298d59e-0x298d5a4, 0x298d5a5-0x298d5c2
                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0298D4CE,?,?,?,?,?), ref: 0298D58F
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1324368770.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_2980000_tXcFA8apHU.jbxd
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: 835f7833cfa0dada835f1ec09924e37cef596b9bc59b87829e02a77f7598ebe3
                                                  • Instruction ID: 713862442292d5c268132d89dbb3bc593d7597248097932797950cfbee12087d
                                                  • Opcode Fuzzy Hash: 835f7833cfa0dada835f1ec09924e37cef596b9bc59b87829e02a77f7598ebe3
                                                  • Instruction Fuzzy Hash: 072114B5D00309AFDB10DFAAD884ADEBBF4FB48310F14801AE918A7350D374A940CFA1

                                                  Control-flow Graph

                                                  control_flow_graph: basic blocks 0x298b218-0x298b258, 0x298b25a-0x298b25d, 0x298b260-0x298b28b (GetModuleHandleW), 0x298b28d-0x298b293, 0x298b294-0x298b2a8
                                                  APIs
                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 0298B27E
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1324368770.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_2980000_tXcFA8apHU.jbxd
                                                  Similarity
                                                  • API ID: HandleModule
                                                  • String ID:
                                                  • API String ID: 4139908857-0
                                                  • Opcode ID: 7d6f6f650813f23659a8e6bc17d7a6f1fb62dbd9b9d7429928497fe79ecef6d8
                                                  • Instruction ID: 6a0a42fe924399fc542eef98a7507059650abcf91025307b49ef2e64a562bac4
                                                  • Opcode Fuzzy Hash: 7d6f6f650813f23659a8e6bc17d7a6f1fb62dbd9b9d7429928497fe79ecef6d8
                                                  • Instruction Fuzzy Hash: 8F11E3B6D003498FDB20DF9AD444BDEFBF4EB88324F14842AD429A7210D375A545CFA5
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1323815355.00000000027ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 027ED000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_27ed000_tXcFA8apHU.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6107129f01d2b92ab834dcc47c0b0835dce2b0c2736860b0e2ef6f62877d539d
                                                  • Instruction ID: 8bdc1c0d9f6eb49143efdf0d217bb42fdfbc6a3fd187afa0399a978fef29b264
                                                  • Opcode Fuzzy Hash: 6107129f01d2b92ab834dcc47c0b0835dce2b0c2736860b0e2ef6f62877d539d
                                                  • Instruction Fuzzy Hash: 472124B1500204DFDF29DF00C9C0B16BBA9FB99324F24C169EC0A0B246C336E456CAB2
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1323815355.00000000027ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 027ED000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_27ed000_tXcFA8apHU.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 11cd1edce6287e44919e5668a78189c2d382091c5e19bb33ada1d584b5155af2
                                                  • Instruction ID: bd670118eef78bb7ffd248b9e6f8d91b037c4a52123a36feda0d24b9c322294f
                                                  • Opcode Fuzzy Hash: 11cd1edce6287e44919e5668a78189c2d382091c5e19bb33ada1d584b5155af2
                                                  • Instruction Fuzzy Hash: 8521F5B2504244DFDF25DF14D9C0B26BF69FB88318F24C569E90A1B256C336D456CAB2
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1323955392.00000000027FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027FD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_27fd000_tXcFA8apHU.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4722b11051a7db99f8a07f1c9209bd9f1d8d2a307562ec395f2a59fdc216db1d
                                                  • Instruction ID: 0e59399385cc6b2da5a62bb27854f2402493368f86384742b837124af2496362
                                                  • Opcode Fuzzy Hash: 4722b11051a7db99f8a07f1c9209bd9f1d8d2a307562ec395f2a59fdc216db1d
                                                  • Instruction Fuzzy Hash: 492122B1608304DFDB64DF14D9C0B26BBA1EB88314F24C56DEA0A4B746C33AD847CA62
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1323955392.00000000027FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027FD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_27fd000_tXcFA8apHU.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c80da98bf15c7987c76cf11c2273f75518cb8028b5c06463b63b52bdbdc425cb
                                                  • Instruction ID: 9154de9b78bc93dbec3fbe4ed1499bf61030b9c136d5a894faf20d5ef4ffac83
                                                  • Opcode Fuzzy Hash: c80da98bf15c7987c76cf11c2273f75518cb8028b5c06463b63b52bdbdc425cb
                                                  • Instruction Fuzzy Hash: 272129B1508304DFDB65DF10D5C0B27BBA5FB88314F24C56DDA0A5B356C376D446CAA1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1323955392.00000000027FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027FD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_27fd000_tXcFA8apHU.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 62b2db8d861d17f248c0c910025219133ad209ac1ec539d2f6680bfd7df97f73
                                                  • Instruction ID: d70e35d1ffb5ddb64e921943a52674f109f6a7094e6fb7434035c3f3034c2996
                                                  • Opcode Fuzzy Hash: 62b2db8d861d17f248c0c910025219133ad209ac1ec539d2f6680bfd7df97f73
                                                  • Instruction Fuzzy Hash: 28219F7550D3C08FCB12CF24D990715BF71EB46214F28C5EAD9898F6A7C33A980ACB62
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1323815355.00000000027ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 027ED000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_27ed000_tXcFA8apHU.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
                                                  • Instruction ID: 30602f7f5fc4823049361c11743e60331b310275809bbae453240a9675baa433
                                                  • Opcode Fuzzy Hash: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
                                                  • Instruction Fuzzy Hash: 8D11D376504280CFCF16CF14D9C4B16BF72FB88318F24C6AAD84A0B656C33AD556CBA1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1323815355.00000000027ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 027ED000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_27ed000_tXcFA8apHU.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
                                                  • Instruction ID: 025809621ca2a7798b963f5a4d86f6ca5991939d7ba25f70d8ff5a1e76c5ed6f
                                                  • Opcode Fuzzy Hash: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
                                                  • Instruction Fuzzy Hash: 3311CD76404280CFCF16CF00D5C0B16BF72FB98224F2482A9DC0A0A656C33AE456CBA1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1323955392.00000000027FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027FD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_27fd000_tXcFA8apHU.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
                                                  • Instruction ID: d3c27e12b74c5e7e395b44e334926a9713ca0acbfd1fdebfef0a545f82aa45d6
                                                  • Opcode Fuzzy Hash: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
                                                  • Instruction Fuzzy Hash: 99118E75508240DFDB56CF10D5C4B16BB71FB84214F24C6AAD9494B756C33AD44ACB91
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1323815355.00000000027ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 027ED000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_27ed000_tXcFA8apHU.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5aa1a81ecdcbc5a6fc23d2812c8ad0facdc30d0d86f47db92a77f30f2b2e5e4f
                                                  • Instruction ID: c8f76396df7617a568fdaf81562bf997c434430cdabc1ed2f67b14f24914de2f
                                                  • Opcode Fuzzy Hash: 5aa1a81ecdcbc5a6fc23d2812c8ad0facdc30d0d86f47db92a77f30f2b2e5e4f
                                                  • Instruction Fuzzy Hash: 89012B710043419FEB305F25CD85B66BB9CDF46324F18C51AED0B1F282D7799440CAB1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1323815355.00000000027ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 027ED000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_27ed000_tXcFA8apHU.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0a19b967674fe19ceae8df3477976360c91ec428df2087aa834a99f2e73ab53a
                                                  • Instruction ID: d6adfe25ae3da4f6ae5a79de06836a43490aabe461c0849419ceb789e98bea64
                                                  • Opcode Fuzzy Hash: 0a19b967674fe19ceae8df3477976360c91ec428df2087aa834a99f2e73ab53a
                                                  • Instruction Fuzzy Hash: 6AF062754043449EEB209F15CD88B62FB9CEB45734F28C45AED494F286C3799844CBB1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1324368770.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_2980000_tXcFA8apHU.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 07e56f85878cf9b55b39d808cb072054e80c66ceb3b048326b6d0853977ee5c7
                                                  • Instruction ID: 5db0baa3bf3075d6450fbe961e4c1355064cb51818400f0904ae29d73b7d9dc5
                                                  • Opcode Fuzzy Hash: 07e56f85878cf9b55b39d808cb072054e80c66ceb3b048326b6d0853977ee5c7
                                                  • Instruction Fuzzy Hash: 50A19F32E002098FCF15EFB4D9445AEB7B7FF84300B1945AAE805AB261DB35E955CF90

                                                  Execution Graph

                                                  Execution Coverage:9.7%
                                                  Dynamic/Decrypted Code Coverage:100%
                                                  Signature Coverage:0%
                                                  Total number of Nodes:192
                                                  Total number of Limit Nodes:7

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 712 521f698-521f72d 714 521f766-521f786 712->714 715 521f72f-521f739 712->715 722 521f788-521f792 714->722 723 521f7bf-521f7ee 714->723 715->714 716 521f73b-521f73d 715->716 718 521f760-521f763 716->718 719 521f73f-521f749 716->719 718->714 720 521f74b 719->720 721 521f74d-521f75c 719->721 720->721 721->721 724 521f75e 721->724 722->723 725 521f794-521f796 722->725 729 521f7f0-521f7fa 723->729 730 521f827-521f8e1 CreateProcessA 723->730 724->718 727 521f7b9-521f7bc 725->727 728 521f798-521f7a2 725->728 727->723 731 521f7a4 728->731 732 521f7a6-521f7b5 728->732 729->730 733 521f7fc-521f7fe 729->733 743 521f8e3-521f8e9 730->743 744 521f8ea-521f970 730->744 731->732 732->732 734 521f7b7 732->734 735 521f821-521f824 733->735 736 521f800-521f80a 733->736 734->727 735->730 738 521f80c 736->738 739 521f80e-521f81d 736->739 738->739 739->739 740 521f81f 739->740 740->735 743->744 754 521f980-521f984 744->754 755 521f972-521f976 744->755 757 521f994-521f998 754->757 758 521f986-521f98a 754->758 755->754 756 521f978 755->756 756->754 760 521f9a8-521f9ac 757->760 761 521f99a-521f99e 757->761 758->757 759 521f98c 758->759 759->757 763 521f9be-521f9c5 760->763 764 521f9ae-521f9b4 760->764 761->760 762 521f9a0 761->762 762->760 765 521f9c7-521f9d6 763->765 766 521f9dc 763->766 764->763 765->766
                                                  APIs
                                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0521F8CE
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.1377456535.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_5210000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID: CreateProcess
                                                  • String ID:
                                                  • API String ID: 963392458-0
                                                  • Opcode ID: aeb72d9d84d5c8efffc4a60498c88333d1c5741be2dcdceec6effe4c25936ef9
                                                  • Instruction ID: 4d8c72107d5cca7a1eb74e43abf72376c279a0fb7823b7cb3e1666a71ccf40f6
                                                  • Opcode Fuzzy Hash: aeb72d9d84d5c8efffc4a60498c88333d1c5741be2dcdceec6effe4c25936ef9
                                                  • Instruction Fuzzy Hash: 82915B71D1071A9FEB20DF68C980BEEBBF2BF48310F158169D819A7240DB749985CFA5

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 768 256b028-256b037 769 256b063-256b067 768->769 770 256b039-256b046 call 2569a98 768->770 772 256b07b-256b0bc 769->772 773 256b069-256b073 769->773 775 256b05c 770->775 776 256b048 770->776 779 256b0be-256b0c6 772->779 780 256b0c9-256b0d7 772->780 773->772 775->769 826 256b04e call 256b2c0 776->826 827 256b04e call 256b2b0 776->827 779->780 781 256b0fb-256b0fd 780->781 782 256b0d9-256b0de 780->782 787 256b100-256b107 781->787 784 256b0e0-256b0e7 call 256ace0 782->784 785 256b0e9 782->785 783 256b054-256b056 783->775 786 256b198-256b258 783->786 791 256b0eb-256b0f9 784->791 785->791 819 256b260-256b28b GetModuleHandleW 786->819 820 256b25a-256b25d 786->820 789 256b114-256b11b 787->789 790 256b109-256b111 787->790 794 256b11d-256b125 789->794 795 256b128-256b131 call 256acf0 789->795 790->789 791->787 794->795 799 256b133-256b13b 795->799 800 256b13e-256b143 795->800 799->800 801 256b145-256b14c 800->801 802 256b161-256b165 800->802 801->802 804 256b14e-256b15e call 256ad00 call 256ad10 801->804 824 256b168 call 256b5c0 802->824 825 256b168 call 256b5b1 802->825 804->802 806 256b16b-256b16e 809 256b170-256b18e 806->809 810 256b191-256b197 806->810 809->810 821 256b294-256b2a8 819->821 822 256b28d-256b293 819->822 820->819 822->821 824->806 825->806 826->783 827->783
                                                  APIs
                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 0256B27E
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.1371298846.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_2560000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID: HandleModule
                                                  • String ID:
                                                  • API String ID: 4139908857-0
                                                  • Opcode ID: 479d99fa2eaa43d8b345850db40f0367924c2f13edd07c5aef5b8beade2fe7b2
                                                  • Instruction ID: 650719c997361adcdf94cc9e7712d2e6e8606a4150be63206488a46aa160a054
                                                  • Opcode Fuzzy Hash: 479d99fa2eaa43d8b345850db40f0367924c2f13edd07c5aef5b8beade2fe7b2
                                                  • Instruction Fuzzy Hash: 2D715670A00B059FDB24DF2AD44976ABBF1FF88308F00892DD49AE7A50DB75E945CB94

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 828 4c11ce4-4c11ce5 829 4c11c97-4c11c9a 828->829 830 4c11ce7-4c11ce9 828->830 831 4c11c9b-4c11c9f 829->831 830->831 832 4c11ceb-4c11ced 830->832 833 4c11ca0-4c11cd0 call 4c11110 831->833 832->833 834 4c11cef-4c11d56 832->834 838 4c11cd5-4c11cd6 833->838 836 4c11d61-4c11d68 834->836 837 4c11d58-4c11d5e 834->837 839 4c11d73-4c11e12 CreateWindowExW 836->839 840 4c11d6a-4c11d70 836->840 837->836 842 4c11e14-4c11e1a 839->842 843 4c11e1b-4c11e53 839->843 840->839 842->843 848 4c11e60 843->848 849 4c11e55-4c11e58 843->849 850 4c11e61 848->850 849->848 850->850
                                                  APIs
                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04C11E02
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.1376280983.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_4c10000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID: CreateWindow
                                                  • String ID:
                                                  • API String ID: 716092398-0
                                                  • Opcode ID: 0e1e1b1fe0d76d118e96f27b4623767c787002704bf2eee78a0cdacdf184b3f8
                                                  • Instruction ID: fd8384479578c393112335770b1624d207d26591043cb9cbd3ff8d8ad9a11fd5
                                                  • Opcode Fuzzy Hash: 0e1e1b1fe0d76d118e96f27b4623767c787002704bf2eee78a0cdacdf184b3f8
                                                  • Instruction Fuzzy Hash: 755101B1C00249AFDF11CF99C884ADDBFB2FF49310F14812AE918AB220DB75A955DF80

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 851 4c11110-4c11d56 853 4c11d61-4c11d68 851->853 854 4c11d58-4c11d5e 851->854 855 4c11d73-4c11e12 CreateWindowExW 853->855 856 4c11d6a-4c11d70 853->856 854->853 858 4c11e14-4c11e1a 855->858 859 4c11e1b-4c11e53 855->859 856->855 858->859 864 4c11e60 859->864 865 4c11e55-4c11e58 859->865 866 4c11e61 864->866 865->864 866->866
                                                  APIs
                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04C11E02
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.1376280983.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_4c10000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID: CreateWindow
                                                  • String ID:
                                                  • API String ID: 716092398-0
                                                  • Opcode ID: 7b9b3636b6e71ba20d37f55bee33f12b2f6469c5f0e2e870cb993e02dfee7cb9
                                                  • Instruction ID: 4c59b13060213fd7a8672e767f53535e51c6786293a07129d6422b8ceea6cbdc
                                                  • Opcode Fuzzy Hash: 7b9b3636b6e71ba20d37f55bee33f12b2f6469c5f0e2e870cb993e02dfee7cb9
                                                  • Instruction Fuzzy Hash: C151C5B1D00359DFDB14CF9AC484ADEBBB6FF49310F64812AE918AB210DB74A945CF90

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 867 25658ec-256596c 868 256596f-25659b9 CreateActCtxA 867->868 870 25659c2-2565a1c 868->870 871 25659bb-25659c1 868->871 878 2565a1e-2565a21 870->878 879 2565a2b-2565a2f 870->879 871->870 878->879 880 2565a40-2565a70 879->880 881 2565a31-2565a3d 879->881 885 2565a22 880->885 886 2565a72-2565a77 880->886 881->880 888 2565a24-2565a27 885->888 889 2565a92-2565a97 885->889 887 2565ae9-2565af4 886->887 888->879 889->887
                                                  APIs
                                                  • CreateActCtxA.KERNEL32(?), ref: 025659A9
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.1371298846.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_2560000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  • Opcode ID: 68f1f418f4984a3a6b7364cb33bea5a27aad70d0b31cecb711cd94e4e331b31e
                                                  • Instruction ID: ffd8cd329b2fb1f11c2abe7cd8832acbde812a8c22cb2a3c167d2bf0760063b6
                                                  • Opcode Fuzzy Hash: 68f1f418f4984a3a6b7364cb33bea5a27aad70d0b31cecb711cd94e4e331b31e
                                                  • Instruction Fuzzy Hash: 9C41D4B0C00719DBEB24DFA5C884BEDBBB5FF49304F60815AD419AB251DBB16986CF90

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 891 4c11264-4c142fc 894 4c14302-4c14307 891->894 895 4c143ac-4c143cc call 4c1113c 891->895 897 4c14309-4c14340 894->897 898 4c1435a-4c14392 CallWindowProcW 894->898 902 4c143cf-4c143dc 895->902 905 4c14342-4c14348 897->905 906 4c14349-4c14358 897->906 899 4c14394-4c1439a 898->899 900 4c1439b-4c143aa 898->900 899->900 900->902 905->906 906->902
                                                  APIs
                                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 04C14381
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.1376280983.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_4c10000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID: CallProcWindow
                                                  • String ID:
                                                  • API String ID: 2714655100-0
                                                  • Opcode ID: c1144fc1d59c7b17cd909c1e714e78c3c53fe4c7b3d3c8074b6baa4097a7102d
                                                  • Instruction ID: 790fde2abf7e3690194db718be91aa024a497ef775e43537e1bad7e8a9f97867
                                                  • Opcode Fuzzy Hash: c1144fc1d59c7b17cd909c1e714e78c3c53fe4c7b3d3c8074b6baa4097a7102d
                                                  • Instruction Fuzzy Hash: F24129B5A003059FDB14CF9AC488BAABBF6FB89314F24C459D519AB321D734A841CBA5

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 908 25644e0-25659b9 CreateActCtxA 912 25659c2-2565a1c 908->912 913 25659bb-25659c1 908->913 920 2565a1e-2565a21 912->920 921 2565a2b-2565a2f 912->921 913->912 920->921 922 2565a40-2565a70 921->922 923 2565a31-2565a3d 921->923 927 2565a22 922->927 928 2565a72-2565a77 922->928 923->922 930 2565a24-2565a27 927->930 931 2565a92-2565a97 927->931 929 2565ae9-2565af4 928->929 930->921 931->929
                                                  APIs
                                                  • CreateActCtxA.KERNEL32(?), ref: 025659A9
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.1371298846.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_2560000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  • Opcode ID: 564e6410d90e00f1fd3536edad134a095e079182802bd695b5b4f77a2e79c6f6
                                                  • Instruction ID: b958e5b5e95577b4b9ecea4b6e894b8f315c28c813d819378b4729df759b3ff2
                                                  • Opcode Fuzzy Hash: 564e6410d90e00f1fd3536edad134a095e079182802bd695b5b4f77a2e79c6f6
                                                  • Instruction Fuzzy Hash: 7541E5B0C0071DCBEB24DFAAC884BEDBBB5BF48304F608159D418AB251DBB16945CF94

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 933 2565a64-2565a70 934 2565a22 933->934 935 2565a72-2565a77 933->935 937 2565a24-2565a27 934->937 938 2565a92-2565a97 934->938 936 2565ae9-2565af4 935->936 940 2565a2b-2565a2f 937->940 938->936 941 2565a40-2565a41 940->941 942 2565a31-2565a3d 940->942 941->933 942->941
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.1371298846.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_2560000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a870322fbab2b71c7c3853090cf5109064f9e17590536f7ebf40dcd7b44c8afa
                                                  • Instruction ID: b66f3a37b3afad3051f8c17b7e86bbd4b26f34928b5f7dfb576a63e8aa4c73c8
                                                  • Opcode Fuzzy Hash: a870322fbab2b71c7c3853090cf5109064f9e17590536f7ebf40dcd7b44c8afa
                                                  • Instruction Fuzzy Hash: 5C31EFB0844749CFEB10CFA4C889BEDBBF1FF45309F944149C406AB251D7B6A98ACB55

                                                  Control-flow Graph

                                                  control_flow_graph 945 521f410-521f45e 947 521f460-521f46c 945->947 948 521f46e-521f4ad WriteProcessMemory 945->948 947->948 950 521f4b6-521f4e6 948->950 951 521f4af-521f4b5 948->951 951->950
                                                  APIs
                                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0521F4A0
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.1377456535.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_5210000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID: MemoryProcessWrite
                                                  • String ID:
                                                  • API String ID: 3559483778-0
                                                  • Opcode ID: bbfc3ad80c6c6006971eb08aa80c19453bf01277d1e1e2a8e176c42e6f1a89ef
                                                  • Instruction ID: 27c5879cdfa56ae81fed0cd980ee7f9127d5f8d3d2a1df730259305001d0506c
                                                  • Opcode Fuzzy Hash: bbfc3ad80c6c6006971eb08aa80c19453bf01277d1e1e2a8e176c42e6f1a89ef
                                                  • Instruction Fuzzy Hash: 56213975D003199FDB20DFAAC980BDEBBF5FF48310F108429E919A7241C7789944CBA4

                                                  Control-flow Graph

                                                  control_flow_graph 955 256d500-256d506 956 256d508-256d59c DuplicateHandle 955->956 957 256d5a5-256d5c2 956->957 958 256d59e-256d5a4 956->958 958->957
                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0256D4CE,?,?,?,?,?), ref: 0256D58F
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.1371298846.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_2560000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: ce6e39483e3e215a95a10f2b777b7bd8070b696959c7eff9f2aabcebcb087ef4
                                                  • Instruction ID: 1617eef9996f69354bac8bf85d5e2d4ec73f094e501ab83d45356c00fd549433
                                                  • Opcode Fuzzy Hash: ce6e39483e3e215a95a10f2b777b7bd8070b696959c7eff9f2aabcebcb087ef4
                                                  • Instruction Fuzzy Hash: 362105B59003189FDB10CF9AD484AEEBBF8FB48314F14841AE918A3310D374A940CFA5

                                                  Control-flow Graph

                                                  control_flow_graph 961 256af14-256d59c DuplicateHandle 963 256d5a5-256d5c2 961->963 964 256d59e-256d5a4 961->964 964->963
                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0256D4CE,?,?,?,?,?), ref: 0256D58F
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.1371298846.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_2560000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: e1e2bab1ca1868fcf30e4744ca39743025cca18896fd85d58e299dd6833d84b6
                                                  • Instruction ID: 435ba3d27f5ee5b46c3854c321b1689ad6b85ef98acfd437069b732990ec5bed
                                                  • Opcode Fuzzy Hash: e1e2bab1ca1868fcf30e4744ca39743025cca18896fd85d58e299dd6833d84b6
                                                  • Instruction Fuzzy Hash: 522114B5D00358AFDB10CF9AD484AEEBBF8FB48314F14841AE914A7310D374A940CFA4

                                                  Control-flow Graph

                                                  control_flow_graph 977 521f500-521f58d ReadProcessMemory 980 521f596-521f5c6 977->980 981 521f58f-521f595 977->981 981->980
                                                  APIs
                                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0521F580
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.1377456535.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_5210000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID: MemoryProcessRead
                                                  • String ID:
                                                  • API String ID: 1726664587-0
                                                  • Opcode ID: acb6444a91abec61bcc6617cc0313c1139d368db0ade5ad43376cf656f7911f8
                                                  • Instruction ID: 07ce03b027569253bd86be41338a3d3d0262368ff92e89fe4a2b3310d51e68ca
                                                  • Opcode Fuzzy Hash: acb6444a91abec61bcc6617cc0313c1139d368db0ade5ad43376cf656f7911f8
                                                  • Instruction Fuzzy Hash: 3C2128B1C003599FDB20DFAAC880BEEBBF5FF48310F108429E919A7240C7789944CBA4

                                                  Control-flow Graph

                                                  control_flow_graph 967 521f278-521f2c3 969 521f2d3-521f303 Wow64SetThreadContext 967->969 970 521f2c5-521f2d1 967->970 972 521f305-521f30b 969->972 973 521f30c-521f33c 969->973 970->969 972->973
                                                  APIs
                                                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0521F2F6
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.1377456535.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_5210000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID: ContextThreadWow64
                                                  • String ID:
                                                  • API String ID: 983334009-0
                                                  • Opcode ID: 34a88fa8bc278d923c7bed4729abd7c0abff7974f5ba0ba31965ab3567151a3b
                                                  • Instruction ID: bd39a1dcd302b73faf51f2b6b4a9c7fc1f86ccc585c2bfc6ff6ad975aaf3fba6
                                                  • Opcode Fuzzy Hash: 34a88fa8bc278d923c7bed4729abd7c0abff7974f5ba0ba31965ab3567151a3b
                                                  • Instruction Fuzzy Hash: 01213875D043098FDB24DFAAC5847EEBBF5EF48310F14842AD819A7240C7789945CFA4
                                                  APIs
                                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0521F3BE
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.1377456535.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_5210000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID:
                                                  • API String ID: 4275171209-0
                                                  • Opcode ID: 1e5c34eb08bccf9a51e8ae99481fbd57287aa907303c30789309c58825447c66
                                                  • Instruction ID: eedbaca144ec9c975439e73689aafe4f4b2d1a218bef27c5b48ecb48eba8c52d
                                                  • Opcode Fuzzy Hash: 1e5c34eb08bccf9a51e8ae99481fbd57287aa907303c30789309c58825447c66
                                                  • Instruction Fuzzy Hash: AA1126769003499FDB24DFAAC844BDFBBF5EF48320F24841AE919A7250C775A944CBA4
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.1377456535.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_5210000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID: ResumeThread
                                                  • String ID:
                                                  • API String ID: 947044025-0
                                                  • Opcode ID: 55b4970dd8f1d6ddbf74607f038431f076e71a1696ac616a267fc7aff844bbd7
                                                  • Instruction ID: 795d880fda19a92b85dbbf9ec36182c43d5cd3b495814e1d45607f964d51d53c
                                                  • Opcode Fuzzy Hash: 55b4970dd8f1d6ddbf74607f038431f076e71a1696ac616a267fc7aff844bbd7
                                                  • Instruction Fuzzy Hash: E1112871D043498FDB24DFAAC4447DFFBF9EF88220F248419D919A7240C6756945CBA5
                                                  APIs
                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 0256B27E
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.1371298846.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_2560000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID: HandleModule
                                                  • String ID:
                                                  • API String ID: 4139908857-0
                                                  • Opcode ID: 5a0989695fffff720f2836315d10ea6319a3cfc8eb7efe20cdb037ddf52d88cf
                                                  • Instruction ID: 4cb85944c34952f3070d361621caf6a76adc53e7c118044c0b79618dd9dfcc8d
                                                  • Opcode Fuzzy Hash: 5a0989695fffff720f2836315d10ea6319a3cfc8eb7efe20cdb037ddf52d88cf
                                                  • Instruction Fuzzy Hash: D511FDB6C002498BCB20DF9AC444ADEFBF4EB88314F10842AD828A7210D379A545CFA5
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.1370891044.0000000000ABD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_abd000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 22abe3cf573ec1a77346417c0ee782a3f56fcc156f10cccb23728bf739cfd354
                                                  • Instruction ID: 3dd541109cfd1606f741f97ddfced67ee9dfad9988e367ca7879841d65cc9b2d
                                                  • Opcode Fuzzy Hash: 22abe3cf573ec1a77346417c0ee782a3f56fcc156f10cccb23728bf739cfd354
                                                  • Instruction Fuzzy Hash: 8B2125B2504244DFDB25DF14D9C0B66BF69FB88318F24C669E8090B257D336D856CAA2
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.1370951994.0000000000ACD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ACD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_acd000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 39e30c4b604151254d545739a0496fe443c153af00c24f543631ac400698681b
                                                  • Instruction ID: 62ae0893abf291e9019738eea21a6aa583ed7df719b0d588f2b2129829a6f998
                                                  • Opcode Fuzzy Hash: 39e30c4b604151254d545739a0496fe443c153af00c24f543631ac400698681b
                                                  • Instruction Fuzzy Hash: 8521D075604244EFDB14DF18D980F26BBA5FB84314F24C57DD84B4B286C33AD847CA62
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.1370951994.0000000000ACD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ACD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_acd000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a57a2867cdbd62ca6e7ce7f544f813b80f5c3e6b550bb1bedde7b9ab512828ad
                                                  • Instruction ID: f83b84f51ed27b2acd0a356935b58adfc14348602b8c37d5503df6a8007e442b
                                                  • Opcode Fuzzy Hash: a57a2867cdbd62ca6e7ce7f544f813b80f5c3e6b550bb1bedde7b9ab512828ad
                                                  • Instruction Fuzzy Hash: 112104B5504304EFDB05DF10D9C0F66BBA5FB84314F24C67DE84A5B296C336D846CA61
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.1370951994.0000000000ACD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ACD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_acd000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4e15216614115172df1fa130f71df2e8f0809ecb5d2c38b211956e4d813af12f
                                                  • Instruction ID: 71180a5f695c46785c399ac6ab0345ffbedbc0f395af451a3c9ee0594135495c
                                                  • Opcode Fuzzy Hash: 4e15216614115172df1fa130f71df2e8f0809ecb5d2c38b211956e4d813af12f
                                                  • Instruction Fuzzy Hash: 4E2180755093808FCB12CF24D990B15BF71EB46314F29C5EED8498F6A7C33A980ACB62
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.1370891044.0000000000ABD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_abd000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
                                                  • Instruction ID: 9a04ec6bd6e329b3f06d51713863dfad5dc5c0c1513a3ddb2828e2deba5172e1
                                                  • Opcode Fuzzy Hash: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
                                                  • Instruction Fuzzy Hash: 8F11D376504280CFCB16CF10D5C4B56BF71FB94314F24C6A9D8490B657C33AD856CBA1
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.1370951994.0000000000ACD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ACD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_acd000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
                                                  • Instruction ID: 44a670006d2a389c7017de1d305ea6741c2fe49d4e3bd1a23eecf9d175e3456f
                                                  • Opcode Fuzzy Hash: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
                                                  • Instruction Fuzzy Hash: A3119D76504280DFDB16CF10D9C4B55FBB1FB84314F28C6AED8495B696C33AD84ACB61
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.1370891044.0000000000ABD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_abd000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1c560ef6f45393f7f351b4a36d68ebcd7936b45e7872b48c4b0fe73d2f83095d
                                                  • Instruction ID: 94f2c2830e83ac6dc24cfbc0ea50458a417b9c245468044b8aebfbff90b729c8
                                                  • Opcode Fuzzy Hash: 1c560ef6f45393f7f351b4a36d68ebcd7936b45e7872b48c4b0fe73d2f83095d
                                                  • Instruction Fuzzy Hash: 3C01A7714043409BE7205F16CDC4BE6BBACEF42364F28C52AED094E287EA799880CA71
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.1370891044.0000000000ABD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_abd000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 941dff3391f6696b3c6f8e6f8ae94fdd71465c7fd2e48bf16075ece5edc1862e
                                                  • Instruction ID: f082bfea09804c057e9a5e5d75887c38d4aa19115c5a6ab3f746c2e8274ba8db
                                                  • Opcode Fuzzy Hash: 941dff3391f6696b3c6f8e6f8ae94fdd71465c7fd2e48bf16075ece5edc1862e
                                                  • Instruction Fuzzy Hash: 82F06275404344AFE7208F16C9C4BA6FF9CEB51734F18C45AED484F287D6799884CAB1

                                                  Execution Graph

                                                  Execution Coverage:1.8%
                                                  Dynamic/Decrypted Code Coverage:0%
                                                  Signature Coverage:3.6%
                                                  Total number of Nodes:643
                                                  Total number of Limit Nodes:13
                                                  execution_graph 45774 404e06 WaitForSingleObject 45775 404e20 SetEvent CloseHandle 45774->45775 45776 404e37 closesocket 45774->45776 45777 404eb8 45775->45777 45778 404e44 45776->45778 45779 404e5a 45778->45779 45787 4050c4 83 API calls 45778->45787 45781 404e6c WaitForSingleObject 45779->45781 45782 404eae SetEvent CloseHandle 45779->45782 45788 41c4c6 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 45781->45788 45782->45777 45784 404e7b SetEvent WaitForSingleObject 45789 41c4c6 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 45784->45789 45786 404e93 SetEvent CloseHandle CloseHandle 45786->45782 45787->45779 45788->45784 45789->45786 45790 40163e 45791 401646 45790->45791 45792 401649 45790->45792 45793 401688 45792->45793 45795 401676 45792->45795 45798 43229f 45793->45798 45797 43229f new 22 API calls 45795->45797 45796 40167c 45797->45796 45802 4322a4 45798->45802 45800 4322d0 45800->45796 45802->45800 45805 439adb 45802->45805 45812 440480 7 API calls 2 library calls 45802->45812 45813 4329bd RaiseException Concurrency::cancel_current_task __CxxThrowException@8 45802->45813 45814 43301b RaiseException Concurrency::cancel_current_task __CxxThrowException@8 45802->45814 45810 443649 ___crtLCMapStringA 45805->45810 45806 443687 45816 43ad91 20 API calls __dosmaperr 45806->45816 45808 443672 RtlAllocateHeap 45809 443685 45808->45809 45808->45810 45809->45802 45810->45806 45810->45808 45815 440480 7 API calls 2 library calls 45810->45815 45812->45802 45815->45810 45816->45809 45817 43263c 45818 432648 ___scrt_is_nonwritable_in_current_image 45817->45818 45843 43234b 45818->45843 45820 43264f 45822 432678 45820->45822 46107 4327ae IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 45820->46107 45827 4326b7 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 45822->45827 46108 441763 5 API calls CatchGuardHandler 45822->46108 45824 432691 45826 432697 ___scrt_is_nonwritable_in_current_image 45824->45826 46109 441707 5 API calls CatchGuardHandler 45824->46109 45833 432717 45827->45833 46110 4408e7 35 API calls 6 library calls 45827->46110 45854 4328c9 45833->45854 45838 432743 45840 43274c 45838->45840 46111 4408c2 28 API calls _Atexit 45838->46111 46112 4324c2 13 API calls 2 library calls 45840->46112 45844 432354 45843->45844 46113 4329da IsProcessorFeaturePresent 45844->46113 45846 432360 46114 436cd1 10 API calls 4 library calls 45846->46114 45848 432365 45853 432369 45848->45853 46115 4415bf 45848->46115 45851 432380 45851->45820 45853->45820 46181 434c30 45854->46181 45857 43271d 45858 4416b4 45857->45858 46183 44c239 45858->46183 45860 432726 45863 40d3f0 45860->45863 45861 4416bd 45861->45860 46187 443d25 35 API calls 45861->46187 46189 41a8da LoadLibraryA GetProcAddress 45863->46189 45865 40d40c 46196 40dd83 45865->46196 45867 40d415 46211 4020d6 45867->46211 45870 4020d6 28 API calls 45871 40d433 45870->45871 46217 419d87 45871->46217 45875 40d445 46243 401e6d 45875->46243 45877 40d44e 45878 40d461 45877->45878 45879 40d4b8 45877->45879 46249 40e609 45878->46249 45880 401e45 22 API calls 45879->45880 45882 40d4c6 45880->45882 45886 401e45 22 API calls 45882->45886 45885 40d47f 46264 40f98d 45885->46264 45887 40d4e5 45886->45887 46280 4052fe 45887->46280 45891 40d4f4 46285 408209 45891->46285 45899 40d4a3 45901 401fb8 11 API calls 45899->45901 45903 40d4ac 45901->45903 46102 4407f6 GetModuleHandleW 45903->46102 45904 401fb8 11 API calls 45905 40d520 45904->45905 45906 401e45 22 API calls 45905->45906 45907 40d529 45906->45907 46302 401fa0 45907->46302 45909 40d534 45910 401e45 22 API calls 45909->45910 45911 40d54f 45910->45911 45912 401e45 22 API calls 45911->45912 45913 40d569 45912->45913 45914 40d5cf 45913->45914 46306 40822a 28 API calls 45913->46306 45915 401e45 22 API calls 45914->45915 45921 40d5dc 45915->45921 45917 40d594 45918 401fc2 28 API calls 45917->45918 45919 40d5a0 45918->45919 45922 401fb8 11 API calls 45919->45922 45920 40d650 45926 40d660 CreateMutexA GetLastError 45920->45926 45921->45920 45923 401e45 22 API calls 45921->45923 45924 40d5a9 45922->45924 45925 40d5f5 45923->45925 46307 411f34 RegOpenKeyExA RegQueryValueExA RegCloseKey 45924->46307 45929 40d5fc OpenMutexA 45925->45929 45927 40d987 45926->45927 45928 40d67f 45926->45928 45932 401fb8 11 API calls 45927->45932 45971 40d9ec 45927->45971 45930 40d688 45928->45930 45931 40d68a GetModuleFileNameW 45928->45931 45935 40d622 45929->45935 45936 40d60f WaitForSingleObject CloseHandle 45929->45936 45930->45931 46310 4192ae 33 API calls 45931->46310 45956 40d99a ___scrt_fastfail 45932->45956 45934 40d5c5 45934->45914 45938 40dd0f 45934->45938 46308 411f34 RegOpenKeyExA RegQueryValueExA RegCloseKey 45935->46308 45936->45935 46340 41239a 30 API calls 45938->46340 45939 40d6a0 45940 40d6f5 45939->45940 45942 401e45 22 API calls 45939->45942 45944 401e45 22 API calls 45940->45944 45950 40d6bf 45942->45950 45952 40d720 45944->45952 45945 40dd22 46341 410eda 65 API calls ___scrt_fastfail 45945->46341 45947 40d63b 45947->45920 46309 41239a 30 API calls 45947->46309 45948 40dcfa 45978 40dd6a 45948->45978 46342 402073 28 API calls 45948->46342 45950->45940 45957 40d6f7 45950->45957 45965 40d6db 45950->45965 45951 40d731 45953 401e45 22 API calls 45951->45953 45952->45951 46314 40e501 CreateProcessA CloseHandle CloseHandle ___scrt_fastfail 45952->46314 45963 40d73a 45953->45963 46322 4120e8 RegOpenKeyExA RegQueryValueExA RegCloseKey 45956->46322 46312 411eea RegOpenKeyExA RegQueryValueExA RegCloseKey 45957->46312 45958 40dd3a 46343 4052dd 28 API calls 45958->46343 45970 401e45 22 API calls 45963->45970 45965->45940 46311 4067a0 36 API calls ___scrt_fastfail 45965->46311 45967 40d70d 45967->45940 46313 4066a6 58 API calls 45967->46313 45973 40d755 45970->45973 45975 401e45 22 API calls 45971->45975 45980 401e45 22 API calls 45973->45980 45976 40da10 45975->45976 46323 402073 28 API calls 45976->46323 46344 413980 161 API calls 45978->46344 45983 40d76f 45980->45983 45985 401e45 22 API calls 45983->45985 45984 40da22 46324 41215f 14 API calls 45984->46324 45987 40d789 45985->45987 45990 401e45 22 API calls 45987->45990 45988 40da38 45989 401e45 22 API calls 45988->45989 45991 40da44 45989->45991 45994 40d7a3 45990->45994 46325 439867 39 API calls _swprintf 45991->46325 45993 40d810 45993->45956 46000 401e45 22 API calls 45993->46000 46031 40d89f ___scrt_fastfail 45993->46031 45994->45993 45996 401e45 22 API calls 45994->45996 45995 40da51 45997 40da7e 45995->45997 46326 41aa4f 81 API calls ___scrt_fastfail 45995->46326 46005 40d7b8 _wcslen 45996->46005 46327 402073 28 API calls 45997->46327 46001 40d831 46000->46001 46007 401e45 22 API calls 46001->46007 46002 40da70 CreateThread 46002->45997 46579 41b212 10 API calls 46002->46579 46003 40da8d 46328 402073 28 API calls 46003->46328 46005->45993 46011 401e45 22 API calls 46005->46011 46006 40da9c 46329 4194da 79 API calls 46006->46329 46009 40d843 46007->46009 46015 401e45 22 API calls 46009->46015 46010 40daa1 46012 401e45 22 API calls 46010->46012 46013 40d7d3 46011->46013 46014 40daad 46012->46014 46016 401e45 22 API calls 46013->46016 46018 401e45 22 API calls 46014->46018 46017 40d855 46015->46017 46019 40d7e8 46016->46019 46021 401e45 22 API calls 46017->46021 46020 40dabf 46018->46020 46315 40c5ed 31 API calls 46019->46315 46024 401e45 22 API calls 46020->46024 46023 40d87e 46021->46023 46029 401e45 22 API calls 46023->46029 46026 40dad5 46024->46026 46025 40d7fb 46316 401ef3 28 API calls 46025->46316 46033 401e45 22 API calls 46026->46033 46028 40d807 46317 401ee9 11 API calls 46028->46317 46030 40d88f 46029->46030 46318 40b871 46 API calls _wcslen 46030->46318 46319 412338 31 API calls 46031->46319 46034 40daf5 46033->46034 46330 439867 39 API calls _swprintf 46034->46330 46037 40d942 ctype 46040 401e45 22 API calls 46037->46040 46039 40db02 46041 401e45 22 API calls 46039->46041 46044 40d959 46040->46044 46042 40db0d 46041->46042 46043 401e45 22 API calls 46042->46043 46045 40db1e 46043->46045 46044->45971 46046 401e45 22 API calls 46044->46046 46331 408f1f 163 API calls _wcslen 46045->46331 46047 40d976 46046->46047 46320 419bca 28 API calls 46047->46320 46050 40d982 46321 40de34 88 API calls 46050->46321 46051 40db33 46053 401e45 22 API calls 46051->46053 46055 40db3c 46053->46055 46054 40db83 46056 401e45 22 API calls 46054->46056 46055->46054 46057 43229f new 22 API calls 46055->46057 46062 40db91 46056->46062 46058 40db53 46057->46058 46059 401e45 22 API calls 46058->46059 46060 40db65 46059->46060 46064 40db6c CreateThread 46060->46064 46061 40dbd9 46063 401e45 22 API calls 46061->46063 46062->46061 46065 43229f new 22 API calls 46062->46065 46070 40dbe2 46063->46070 46064->46054 46577 417f6a 101 API calls __EH_prolog 46064->46577 46066 40dba5 46065->46066 46067 401e45 22 API calls 46066->46067 46068 40dbb6 46067->46068 46073 40dbbd CreateThread 46068->46073 46069 40dc4c 46071 401e45 22 API calls 46069->46071 46070->46069 46072 401e45 22 API calls 46070->46072 46075 40dc55 46071->46075 46074 40dbfc 46072->46074 46073->46061 46581 417f6a 101 API calls __EH_prolog 46073->46581 46077 401e45 22 API calls 46074->46077 46076 40dc99 46075->46076 46079 401e45 22 API calls 46075->46079 46337 4195f8 79 API calls 46076->46337 46080 40dc11 46077->46080 46082 40dc69 46079->46082 46332 40c5a1 31 API calls 46080->46332 46081 40dca2 46338 401ef3 28 API calls 46081->46338 46087 401e45 22 API calls 46082->46087 46084 40dcad 46339 401ee9 11 API calls 46084->46339 46090 40dc7e 46087->46090 46088 40dc24 46333 401ef3 28 API calls 46088->46333 46089 40dcb6 CreateThread 46095 40dce5 46089->46095 46096 40dcd9 CreateThread 46089->46096 46582 40e18d 121 API calls 46089->46582 46335 439867 39 API calls _swprintf 46090->46335 46092 40dc30 46334 401ee9 11 API calls 46092->46334 46095->45948 46097 40dcee CreateThread 46095->46097 46096->46095 46576 410b5c 137 API calls 46096->46576 46097->45948 46578 411140 38 API calls ___scrt_fastfail 46097->46578 46099 40dc39 CreateThread 46099->46069 46580 401bc9 49 API calls 46099->46580 46100 40dc8b 46336 40b0a3 7 API calls 46100->46336 46103 432739 46102->46103 46103->45838 46104 44091f 46103->46104 46584 44069c 46104->46584 46107->45820 46108->45824 46109->45827 46110->45833 46111->45840 46112->45826 46113->45846 46114->45848 46119 44cd48 46115->46119 46118 436cfa 8 API calls 3 library calls 46118->45853 46122 44cd65 46119->46122 46123 44cd61 46119->46123 46121 432372 46121->45851 46121->46118 46122->46123 46125 4475a6 46122->46125 46137 432d4b 46123->46137 46126 4475b2 ___scrt_is_nonwritable_in_current_image 46125->46126 46144 442d9a EnterCriticalSection 46126->46144 46128 4475b9 46145 44d363 46128->46145 46130 4475c8 46131 4475d7 46130->46131 46156 44743a 23 API calls 46130->46156 46158 4475f3 LeaveCriticalSection std::_Lockit::~_Lockit 46131->46158 46134 4475e8 ___scrt_is_nonwritable_in_current_image 46134->46122 46135 4475d2 46157 4474f0 GetStdHandle GetFileType 46135->46157 46138 432d56 IsProcessorFeaturePresent 46137->46138 46139 432d54 46137->46139 46141 432d98 46138->46141 46139->46121 46180 432d5c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 46141->46180 46143 432e7b 46143->46121 46144->46128 46146 44d36f ___scrt_is_nonwritable_in_current_image 46145->46146 46147 44d393 46146->46147 46148 44d37c 46146->46148 46159 442d9a EnterCriticalSection 46147->46159 46167 43ad91 20 API calls __dosmaperr 46148->46167 46151 44d3cb 46168 44d3f2 LeaveCriticalSection std::_Lockit::~_Lockit 46151->46168 46152 44d381 ___scrt_is_nonwritable_in_current_image __cftof 46152->46130 46153 44d39f 46153->46151 46160 44d2b4 46153->46160 46156->46135 46157->46131 46158->46134 46159->46153 46169 443005 46160->46169 46162 44d2d3 46177 443c92 20 API calls __dosmaperr 46162->46177 46164 44d2c6 46164->46162 46176
445fb3 11 API calls 2 library calls 46164->46176 46165 44d325 46165->46153 46167->46152 46168->46152 46174 443012 ___crtLCMapStringA 46169->46174 46170 443052 46179 43ad91 20 API calls __dosmaperr 46170->46179 46171 44303d RtlAllocateHeap 46172 443050 46171->46172 46171->46174 46172->46164 46174->46170 46174->46171 46178 440480 7 API calls 2 library calls 46174->46178 46176->46164 46177->46165 46178->46174 46179->46172 46180->46143 46182 4328dc GetStartupInfoW 46181->46182 46182->45857 46184 44c24b 46183->46184 46185 44c242 46183->46185 46184->45861 46188 44c138 48 API calls 5 library calls 46185->46188 46187->45861 46188->46184 46190 41a919 LoadLibraryA GetProcAddress 46189->46190 46191 41a909 GetModuleHandleA GetProcAddress 46189->46191 46192 41a947 GetModuleHandleA GetProcAddress 46190->46192 46193 41a937 GetModuleHandleA GetProcAddress 46190->46193 46191->46190 46194 41a973 24 API calls 46192->46194 46195 41a95f GetModuleHandleA GetProcAddress 46192->46195 46193->46192 46194->45865 46195->46194 46345 419493 FindResourceA 46196->46345 46199 439adb _Yarn 21 API calls 46200 40ddad ctype 46199->46200 46348 402097 46200->46348 46203 401fc2 28 API calls 46204 40ddd3 46203->46204 46205 401fb8 11 API calls 46204->46205 46206 40dddc 46205->46206 46207 439adb _Yarn 21 API calls 46206->46207 46208 40dded ctype 46207->46208 46354 4062ee 46208->46354 46210 40de20 46210->45867 46212 4020ec 46211->46212 46213 4023ae 11 API calls 46212->46213 46214 402106 46213->46214 46215 402549 28 API calls 46214->46215 46216 402114 46215->46216 46216->45870 46406 4020bf 46217->46406 46219 419d9a 46222 419e0c 46219->46222 46231 401fc2 28 API calls 46219->46231 46234 401fb8 11 API calls 46219->46234 46238 419e0a 46219->46238 46410 404182 28 API calls 46219->46410 46411 41ab9a 28 API calls 46219->46411 46220 401fb8 11 API calls 46221 419e3c 46220->46221 46223 401fb8 11 API calls 46221->46223 46412 404182 28 API calls 46222->46412 46224 419e44 46223->46224 46227 401fb8 11 API calls 
46224->46227 46229 40d43c 46227->46229 46228 419e18 46230 401fc2 28 API calls 46228->46230 46239 40e563 46229->46239 46232 419e21 46230->46232 46231->46219 46233 401fb8 11 API calls 46232->46233 46235 419e29 46233->46235 46234->46219 46413 41ab9a 28 API calls 46235->46413 46238->46220 46240 40e56f 46239->46240 46242 40e576 46239->46242 46414 402143 11 API calls 46240->46414 46242->45875 46244 402143 46243->46244 46248 40217f 46244->46248 46415 402710 11 API calls 46244->46415 46246 402164 46416 4026f2 11 API calls std::_Deallocate 46246->46416 46248->45877 46250 40e624 46249->46250 46417 40f57c 46250->46417 46256 40d473 46259 401e45 46256->46259 46257 40e663 46257->46256 46433 40f663 46257->46433 46261 401e4d 46259->46261 46260 401e55 46260->45885 46261->46260 46528 402138 22 API calls 46261->46528 46266 40f997 __EH_prolog 46264->46266 46529 40fcfb 46266->46529 46267 40f663 36 API calls 46268 40fb90 46267->46268 46533 40fce0 46268->46533 46270 40d491 46272 40e5ba 46270->46272 46271 40fa1a 46271->46267 46539 40f4c6 46272->46539 46275 40d49a 46277 40dd70 46275->46277 46276 40f663 36 API calls 46276->46275 46549 40e5da 70 API calls 46277->46549 46279 40dd7b 46281 4020bf 11 API calls 46280->46281 46282 40530a 46281->46282 46550 403280 46282->46550 46284 405326 46284->45891 46554 4051cf 46285->46554 46287 408217 46558 402035 46287->46558 46290 401fc2 46291 401fd1 46290->46291 46298 402019 46290->46298 46292 4023ae 11 API calls 46291->46292 46293 401fda 46292->46293 46294 401ff5 46293->46294 46295 40201c 46293->46295 46573 403078 28 API calls 46294->46573 46296 40265a 11 API calls 46295->46296 46296->46298 46299 401fb8 46298->46299 46300 4023ae 11 API calls 46299->46300 46301 401fc1 46300->46301 46301->45904 46303 401fb2 46302->46303 46304 401fa9 46302->46304 46303->45909 46574 4025c0 28 API calls 46304->46574 46306->45917 46307->45934 46308->45947 46309->45920 46310->45939 46311->45940 46312->45967 46313->45940 46314->45951 46315->46025 46316->46028 46317->45993 
46318->46031 46319->46037 46320->46050 46321->45927 46322->45971 46323->45984 46324->45988 46325->45995 46326->46002 46327->46003 46328->46006 46329->46010 46330->46039 46331->46051 46332->46088 46333->46092 46334->46099 46335->46100 46336->46076 46337->46081 46338->46084 46339->46089 46340->45945 46342->45958 46575 418ccd 103 API calls 46344->46575 46346 4194b0 LoadResource LockResource SizeofResource 46345->46346 46347 40dd9e 46345->46347 46346->46347 46347->46199 46349 40209f 46348->46349 46357 4023ae 46349->46357 46351 4020aa 46361 4024ea 46351->46361 46353 4020b9 46353->46203 46355 402097 28 API calls 46354->46355 46356 406302 46355->46356 46356->46210 46358 402408 46357->46358 46359 4023b8 46357->46359 46358->46351 46359->46358 46368 402787 11 API calls std::_Deallocate 46359->46368 46362 4024fa 46361->46362 46363 402500 46362->46363 46364 402515 46362->46364 46369 402549 46363->46369 46379 4028c8 46364->46379 46367 402513 46367->46353 46368->46358 46390 402868 46369->46390 46371 40255d 46372 402572 46371->46372 46373 402587 46371->46373 46395 402a14 22 API calls 46372->46395 46375 4028c8 28 API calls 46373->46375 46378 402585 46375->46378 46376 40257b 46396 4029ba 22 API calls 46376->46396 46378->46367 46380 4028d1 46379->46380 46381 402933 46380->46381 46382 4028db 46380->46382 46404 402884 22 API calls 46381->46404 46385 4028e4 46382->46385 46386 4028f7 46382->46386 46398 402c8e 46385->46398 46388 4028f5 46386->46388 46389 4023ae 11 API calls 46386->46389 46388->46367 46389->46388 46391 402870 46390->46391 46392 402878 46391->46392 46397 402c83 22 API calls 46391->46397 46392->46371 46395->46376 46396->46378 46399 402c98 __EH_prolog 46398->46399 46405 402e34 22 API calls 46399->46405 46401 402d04 46402 4023ae 11 API calls 46401->46402 46403 402d72 46402->46403 46403->46388 46405->46401 46407 4020c7 46406->46407 46408 4023ae 11 API calls 46407->46408 46409 4020d2 46408->46409 46409->46219 46410->46219 46411->46219 46412->46228 46413->46238 46414->46242 
46415->46246 46416->46248 46437 40f821 46417->46437 46420 40f55d 46515 40f7fb 46420->46515 46422 40f565 46520 40f44c 46422->46520 46424 40e651 46425 40f502 46424->46425 46426 40f510 46425->46426 46432 40f53f std::ios_base::_Ios_base_dtor 46425->46432 46525 4335cb 65 API calls 46426->46525 46428 40f51d 46429 40f44c 20 API calls 46428->46429 46428->46432 46430 40f52e 46429->46430 46526 40fbc8 77 API calls 6 library calls 46430->46526 46432->46257 46434 40f66b 46433->46434 46435 40f67e 46433->46435 46527 40f854 36 API calls 46434->46527 46435->46256 46444 40d2ce 46437->46444 46441 40f83c 46442 40e631 46441->46442 46443 40f663 36 API calls 46441->46443 46442->46420 46443->46442 46445 40d2ff 46444->46445 46446 43229f new 22 API calls 46445->46446 46447 40d306 46446->46447 46454 40cb7a 46447->46454 46450 40f887 46451 40f896 46450->46451 46489 40f8b7 46451->46489 46453 40f89c std::ios_base::_Ios_base_dtor 46453->46441 46457 4332ea 46454->46457 46456 40cb84 46456->46450 46458 4332f6 __EH_prolog3 46457->46458 46469 4330a5 46458->46469 46461 433332 46475 4330fd 46461->46475 46463 433314 46483 43347f 37 API calls _Atexit 46463->46483 46465 433370 std::locale::_Locimp::_Locimp_dtor 46465->46456 46467 43331c 46484 433240 21 API calls 2 library calls 46467->46484 46470 4330b4 46469->46470 46471 4330bb 46469->46471 46485 442df9 EnterCriticalSection std::_Lockit::_Lockit 46470->46485 46472 4330b9 46471->46472 46486 43393c EnterCriticalSection 46471->46486 46472->46461 46482 43345a 22 API calls 2 library calls 46472->46482 46476 433107 46475->46476 46477 442e02 46475->46477 46478 43311a 46476->46478 46487 43394a LeaveCriticalSection 46476->46487 46488 442de2 LeaveCriticalSection 46477->46488 46478->46465 46481 442e09 46481->46465 46482->46463 46483->46467 46484->46461 46485->46472 46486->46472 46487->46478 46488->46481 46490 4330a5 std::_Lockit::_Lockit 2 API calls 46489->46490 46491 40f8c9 46490->46491 46510 40cae9 4 API calls 2 library calls 46491->46510 46493 40f8dc 46502 40f8ef 
46493->46502 46511 40ccd4 77 API calls new 46493->46511 46494 4330fd std::_Lockit::~_Lockit 2 API calls 46495 40f925 46494->46495 46495->46453 46497 40f8ff 46498 40f906 46497->46498 46499 40f92d 46497->46499 46512 4332b6 22 API calls new 46498->46512 46513 436ec6 RaiseException 46499->46513 46502->46494 46503 40f943 46504 40f984 46503->46504 46514 43219b EnterCriticalSection LeaveCriticalSection WaitForSingleObjectEx __Init_thread_wait __Init_thread_footer 46503->46514 46504->46453 46510->46493 46511->46497 46512->46502 46513->46503 46516 43229f new 22 API calls 46515->46516 46517 40f80b 46516->46517 46518 40cb7a 41 API calls 46517->46518 46519 40f813 46518->46519 46519->46422 46521 40f469 46520->46521 46522 40f48b 46521->46522 46524 43aa1a 20 API calls 2 library calls 46521->46524 46522->46424 46524->46522 46525->46428 46526->46432 46527->46435 46531 40fd0e 46529->46531 46530 40fd3c 46530->46271 46531->46530 46537 40fe14 36 API calls 46531->46537 46534 40fce8 46533->46534 46536 40fcf3 46534->46536 46538 40fe79 36 API calls __EH_prolog 46534->46538 46536->46270 46537->46530 46538->46536 46540 40f4d4 46539->46540 46546 40f4d0 46539->46546 46547 40f30b 67 API calls 46540->46547 46542 40f4d9 46548 43a716 64 API calls 3 library calls 46542->46548 46543 40f44c 20 API calls 46545 40e5c5 46543->46545 46545->46275 46545->46276 46546->46543 46547->46542 46548->46546 46549->46279 46552 40328a 46550->46552 46551 4032a9 46551->46284 46552->46551 46553 4028c8 28 API calls 46552->46553 46553->46551 46555 4051db 46554->46555 46564 405254 46555->46564 46557 4051e8 46557->46287 46559 402041 46558->46559 46560 4023ae 11 API calls 46559->46560 46561 40205b 46560->46561 46569 40265a 46561->46569 46565 405262 46564->46565 46568 402884 22 API calls 46565->46568 46570 40266b 46569->46570 46571 4023ae 11 API calls 46570->46571 46572 40206d 46571->46572 46572->46290 46573->46298 46574->46303 46583 411253 61 API calls 46576->46583 46585 4406a8 ___FrameUnwindToState 46584->46585 46586 4406c0 
46585->46586 46587 4407f6 _Atexit GetModuleHandleW 46585->46587 46606 442d9a EnterCriticalSection 46586->46606 46589 4406b4 46587->46589 46589->46586 46618 44083a GetModuleHandleExW 46589->46618 46592 4406c8 46602 440766 46592->46602 46604 44073d 46592->46604 46626 441450 20 API calls _Atexit 46592->46626 46594 440783 46610 4407b5 46594->46610 46595 4407af 46629 454909 5 API calls CatchGuardHandler 46595->46629 46601 440755 46628 441707 5 API calls CatchGuardHandler 46601->46628 46607 4407a6 46602->46607 46604->46601 46627 441707 5 API calls CatchGuardHandler 46604->46627 46606->46592 46630 442de2 LeaveCriticalSection 46607->46630 46609 44077f 46609->46594 46609->46595 46631 4461f8 46610->46631 46613 4407e3 46616 44083a _Atexit 8 API calls 46613->46616 46614 4407c3 GetPEB 46614->46613 46615 4407d3 GetCurrentProcess TerminateProcess 46614->46615 46615->46613 46617 4407eb ExitProcess 46616->46617 46619 440864 GetProcAddress 46618->46619 46620 440887 46618->46620 46621 440879 46619->46621 46622 440896 46620->46622 46623 44088d FreeLibrary 46620->46623 46621->46620 46624 432d4b CatchGuardHandler 5 API calls 46622->46624 46623->46622 46625 4408a0 46624->46625 46625->46586 46626->46604 46627->46601 46628->46602 46630->46609 46632 44621d 46631->46632 46636 446213 46631->46636 46637 4459f9 46632->46637 46634 432d4b CatchGuardHandler 5 API calls 46635 4407bf 46634->46635 46635->46613 46635->46614 46636->46634 46638 445a29 46637->46638 46641 445a25 46637->46641 46638->46636 46639 445a49 46639->46638 46642 445a55 GetProcAddress 46639->46642 46641->46638 46641->46639 46644 445a95 46641->46644 46643 445a65 __crt_fast_encode_pointer 46642->46643 46643->46638 46645 445ab6 LoadLibraryExW 46644->46645 46649 445aab 46644->46649 46646 445ad3 GetLastError 46645->46646 46650 445aeb 46645->46650 46648 445ade LoadLibraryExW 46646->46648 46646->46650 46647 445b02 FreeLibrary 46647->46649 46648->46650 46649->46641 46650->46647 46650->46649

                                                  Control-flow Graph

                                                  APIs
                                                  • LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A8EF
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041A8F8
                                                  • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A90F
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041A912
                                                  • LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A924
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041A927
                                                  • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A93D
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041A940
                                                  • GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D40C), ref: 0041A951
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041A954
                                                  • GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040D40C), ref: 0041A969
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041A96C
                                                  • LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040D40C), ref: 0041A97D
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041A980
                                                  • LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040D40C), ref: 0041A98C
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041A98F
                                                  • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D40C), ref: 0041A9A1
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041A9A4
                                                  • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D40C), ref: 0041A9B1
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041A9B4
                                                  • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D40C), ref: 0041A9C5
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041A9C8
                                                  • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D40C), ref: 0041A9D5
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041A9D8
                                                  • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D40C), ref: 0041A9EA
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041A9ED
                                                  • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D40C), ref: 0041A9FA
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041A9FD
                                                  • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D40C), ref: 0041AA0A
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041AA0D
                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemTimes,?,?,?,?,0040D40C), ref: 0041AA1F
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041AA22
                                                  • LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C,?,?,?,?,0040D40C), ref: 0041AA30
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041AA33
                                                  • LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow,?,?,?,?,0040D40C), ref: 0041AA40
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041AA43
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc$HandleModule$LibraryLoad
                                                  • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetModuleFileNameExA$GetModuleFileNameExW$GetMonitorInfoW$GetSystemTimes$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$NtUnmapViewOfSection$Psapi.dll$SetProcessDEPPolicy$SetProcessDpiAware$SetProcessDpiAwareness$Shell32$Shlwapi.dll$kernel32$kernel32.dll$ntdll.dll$shcore$user32
                                                  • API String ID: 551388010-2474455403
                                                  • Opcode ID: e80cee8c84c8c84204283680f0404711a146afcd0be7a07adf6e8d3a182e926f
                                                  • Instruction ID: 1e7ebd14e1f9a52016720e07cc743ec1e909bc11fdf6f09267ddb838bd68d733
                                                  • Opcode Fuzzy Hash: e80cee8c84c8c84204283680f0404711a146afcd0be7a07adf6e8d3a182e926f
                                                  • Instruction Fuzzy Hash: 9031EBF0E413587ADB207BBA5C09E5B3E9CDA80794711052BB408D3661FAFC9C448E6E

                                                  Control-flow Graph

                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002,00000000), ref: 004407D6
                                                  • TerminateProcess.KERNEL32(00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002,00000000), ref: 004407DD
                                                  • ExitProcess.KERNEL32 ref: 004407EF
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$CurrentExitTerminate
                                                  • String ID:
                                                  • API String ID: 1703294689-0
                                                  • Opcode ID: ab47e799b5bc4cc6dde358da0dc0a23fd4678ab9e3bf0635ceb4545ab71368f2
                                                  • Instruction ID: 8c86c1f28e0fd2f6406888839527a8aea1509f7e03a0ffdd8510570f14deced8
                                                  • Opcode Fuzzy Hash: ab47e799b5bc4cc6dde358da0dc0a23fd4678ab9e3bf0635ceb4545ab71368f2
                                                  • Instruction Fuzzy Hash: 9AE04631000608ABEF017F20DD48A493B29EB40346F410029F9088B232CB3DED52CA89

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 0041A8DA: LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A8EF
                                                    • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A8F8
                                                    • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A90F
                                                    • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A912
                                                    • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A924
                                                    • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A927
                                                    • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A93D
                                                    • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A940
                                                    • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D40C), ref: 0041A951
                                                    • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A954
                                                    • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040D40C), ref: 0041A969
                                                    • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A96C
                                                    • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040D40C), ref: 0041A97D
                                                    • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A980
                                                    • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040D40C), ref: 0041A98C
                                                    • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A98F
                                                    • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D40C), ref: 0041A9A1
                                                    • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9A4
                                                    • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D40C), ref: 0041A9B1
                                                    • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9B4
                                                    • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D40C), ref: 0041A9C5
                                                    • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9C8
                                                    • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D40C), ref: 0041A9D5
                                                    • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9D8
                                                    • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D40C), ref: 0041A9EA
                                                    • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9ED
                                                    • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D40C), ref: 0041A9FA
                                                    • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9FD
                                                  • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 0040D603
                                                    • Part of subcall function 0040F98D: __EH_prolog.LIBCMT ref: 0040F992
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc$HandleModule$LibraryLoad$H_prologMutexOpen
                                                  • String ID: (#G$0"G$0"G$0"G$Access Level: $Administrator$Exe$H"G$H"G$Inj$Remcos Agent initialized$Software\$User$`"G$exepath$licence$license_code.txt$origmsc$!G$!G$!G$!G$!G
                                                  • API String ID: 1529173511-1365410817
                                                  • Opcode ID: 2dd69d7571eafc38791daeda20d7e1fab6605f3cb407cb475532d63618ebdb48
                                                  • Instruction ID: a36e185f3bd9362bdba41541190492353975b392bf08c7d21c2bc217d0697d36
                                                  • Opcode Fuzzy Hash: 2dd69d7571eafc38791daeda20d7e1fab6605f3cb407cb475532d63618ebdb48
                                                  • Instruction Fuzzy Hash: 5622B960B043412BDA1577B69C67A7E25998F81708F04483FF946BB2E3EEBC4D05839E

                                                  Control-flow Graph

                                                  APIs
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E18
                                                  • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E23
                                                  • CloseHandle.KERNELBASE(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E2C
                                                  • closesocket.WS2_32(?), ref: 00404E3A
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E71
                                                  • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E82
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E89
                                                  • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E9A
                                                  • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E9F
                                                  • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EA4
                                                  • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EB1
                                                  • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EB6
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                  • String ID:
                                                  • API String ID: 3658366068-0
                                                  • Opcode ID: b1c96c5231e2cfca5084612c4e73afdaef55ac4315f506c78c7bb7997b29a698
                                                  • Instruction ID: b890c501aeabc943cf782ca315c2c368517b908ebe77e8074f52597b82095e9a
                                                  • Opcode Fuzzy Hash: b1c96c5231e2cfca5084612c4e73afdaef55ac4315f506c78c7bb7997b29a698
                                                  • Instruction Fuzzy Hash: 1B212C71000B009FDB216B26DC49B17BBE5FF40326F114A2DE2E212AF1CB79E851DB58

                                                  Control-flow Graph

                                                  control_flow_graph 437 445a95-445aa9 438 445ab6-445ad1 LoadLibraryExW 437->438 439 445aab-445ab4 437->439 441 445ad3-445adc GetLastError 438->441 442 445afa-445b00 438->442 440 445b0d-445b0f 439->440 445 445ade-445ae9 LoadLibraryExW 441->445 446 445aeb 441->446 443 445b02-445b03 FreeLibrary 442->443 444 445b09 442->444 443->444 447 445b0b-445b0c 444->447 448 445aed-445aef 445->448 446->448 447->440 448->442 449 445af1-445af8 448->449 449->447
                                                  APIs
                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue), ref: 00445AC7
                                                  • GetLastError.KERNEL32(?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue,0045C110,0045C118,00000000,00000364,?,004457F7), ref: 00445AD3
                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue,0045C110,0045C118,00000000), ref: 00445AE1
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LibraryLoad$ErrorLast
                                                  • String ID:
                                                  • API String ID: 3177248105-0
                                                  • Opcode ID: 6ca79951660ad3b6e96c8c42d18b75cc874aa2905662dd76989ddfa9726cc4c5
                                                  • Instruction ID: dabcc1aa4f00c9d7d6140ee010913d89a9079070269616da1364236c98588597
                                                  • Opcode Fuzzy Hash: 6ca79951660ad3b6e96c8c42d18b75cc874aa2905662dd76989ddfa9726cc4c5
                                                  • Instruction Fuzzy Hash: 8501FC32601B276BDF218A78AC84D577758EF05B617110635F906E3242D724DC01C6E8

                                                  Control-flow Graph

                                                  control_flow_graph 458 4459f9-445a23 459 445a25-445a27 458->459 460 445a8e 458->460 461 445a2d-445a33 459->461 462 445a29-445a2b 459->462 463 445a90-445a94 460->463 464 445a35-445a37 call 445a95 461->464 465 445a4f 461->465 462->463 468 445a3c-445a3f 464->468 467 445a51-445a53 465->467 469 445a55-445a63 GetProcAddress 467->469 470 445a7e-445a8c 467->470 471 445a70-445a76 468->471 472 445a41-445a47 468->472 473 445a65-445a6e call 432123 469->473 474 445a78 469->474 470->460 471->467 472->464 475 445a49 472->475 473->462 474->470 475->465
                                                  APIs
                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00445A59
                                                  • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00445A66
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc__crt_fast_encode_pointer
                                                  • String ID:
                                                  • API String ID: 2279764990-0
                                                  • Opcode ID: c61b452eecc00867d96f211e5a9c10d9e28e8afd79249807e8935c7f12eaf234
                                                  • Instruction ID: f797c493580bcbb57e031b514bcf368a6941c3076375826e2c1e25af396318bd
                                                  • Opcode Fuzzy Hash: c61b452eecc00867d96f211e5a9c10d9e28e8afd79249807e8935c7f12eaf234
                                                  • Instruction Fuzzy Hash: AA113A37A009319BAF21DE69ECC086B7391AB847247164332FC15BB346E634EC0286E9

                                                  Control-flow Graph

                                                  control_flow_graph 478 40163e-401644 479 401646-401648 478->479 480 401649-401654 478->480 481 401656 480->481 482 40165b-401665 480->482 481->482 483 401667-40166d 482->483 484 401688-401689 call 43229f 482->484 483->484 485 40166f-401674 483->485 488 40168e-40168f 484->488 485->481 487 401676-401686 call 43229f 485->487 490 401691-401693 487->490 488->490
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f210c679e2b780eded3ea4ef50917041f60fa4d2abe52b8749c2b449606446f0
                                                  • Instruction ID: 17b6f17919427e724365abd55f1db4a6b8769e1fa76fb76fe63095c9ff18be87
                                                  • Opcode Fuzzy Hash: f210c679e2b780eded3ea4ef50917041f60fa4d2abe52b8749c2b449606446f0
                                                  • Instruction Fuzzy Hash: 09F0ECB02042015BCB1C9B34CD5062B379A4BA8365F289F7FF02BD61E0C73AC895860D

                                                  Control-flow Graph

                                                  control_flow_graph 492 44d2b4-44d2c1 call 443005 494 44d2c6-44d2d1 492->494 495 44d2d7-44d2df 494->495 496 44d2d3-44d2d5 494->496 497 44d31f-44d32d call 443c92 495->497 498 44d2e1-44d2e5 495->498 496->497 500 44d2e7-44d319 call 445fb3 498->500 504 44d31b-44d31e 500->504 504->497
                                                  APIs
                                                    • Part of subcall function 00443005: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004457DA,00000001,00000364,?,00000000,?,00439A11,00000000,?,?,00439A95,00000000), ref: 00443046
                                                  • _free.LIBCMT ref: 0044D320
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocateHeap_free
                                                  • String ID:
                                                  • API String ID: 614378929-0
                                                  • Opcode ID: 3263e86e01d89d9b2c949f26067d012f8e3513974416179447fc4125dbbefc63
                                                  • Instruction ID: 6435cefd8bbe106a332e767b8e47ea9a619cae55f612b2c95de9f127ac4edb1d
                                                  • Opcode Fuzzy Hash: 3263e86e01d89d9b2c949f26067d012f8e3513974416179447fc4125dbbefc63
                                                  • Instruction Fuzzy Hash: 260149736003056BF321CF69D885E5AFBE8FB89374F25061EE585832C0EA34A905C738

                                                  Control-flow Graph

                                                  control_flow_graph 505 443005-443010 506 443012-44301c 505->506 507 44301e-443024 505->507 506->507 508 443052-44305d call 43ad91 506->508 509 443026-443027 507->509 510 44303d-44304e RtlAllocateHeap 507->510 515 44305f-443061 508->515 509->510 511 443050 510->511 512 443029-443030 call 442a57 510->512 511->515 512->508 518 443032-44303b call 440480 512->518 518->508 518->510
                                                  APIs
                                                  • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004457DA,00000001,00000364,?,00000000,?,00439A11,00000000,?,?,00439A95,00000000), ref: 00443046
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocateHeap
                                                  • String ID:
                                                  • API String ID: 1279760036-0
                                                  • Opcode ID: 8a82d2413be822b6e30d7260cb8c0ab5a5cb0f0d071671a377993aa538de489b
                                                  • Instruction ID: 6f1ff5b5ffdcc79539d97ae047dfd157567b1d653d04e58146e0509186e3fe0c
                                                  • Opcode Fuzzy Hash: 8a82d2413be822b6e30d7260cb8c0ab5a5cb0f0d071671a377993aa538de489b
                                                  • Instruction Fuzzy Hash: A0F0B43220022466FB319E229C01A5B3749AF42FA2F158227BC04E62C9CA78DE1182AD

                                                  Control-flow Graph

                                                  control_flow_graph 521 443649-443655 522 443687-443692 call 43ad91 521->522 523 443657-443659 521->523 531 443694-443696 522->531 525 443672-443683 RtlAllocateHeap 523->525 526 44365b-44365c 523->526 527 443685 525->527 528 44365e-443665 call 442a57 525->528 526->525 527->531 528->522 533 443667-443670 call 440480 528->533 533->522 533->525
                                                  APIs
                                                  • RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocateHeap
                                                  • String ID:
                                                  • API String ID: 1279760036-0
                                                  • Opcode ID: 0c61ffa0ec78c269e0422769366e0108c3b164e239eff4ad14a217a7d57edf52
                                                  • Instruction ID: 99ef05a6bb91785527f59a1062444bc3c705daae6acf277761014d7f2c467fed
                                                  • Opcode Fuzzy Hash: 0c61ffa0ec78c269e0422769366e0108c3b164e239eff4ad14a217a7d57edf52
                                                  • Instruction Fuzzy Hash: 7EE0E52110162377F6312E635C0075B36489F41BA2F17412BFC8596780CB69CE0041AD
                                                  APIs
                                                  • GetCurrentProcessId.KERNEL32 ref: 00410B6B
                                                    • Part of subcall function 00412268: RegCreateKeyA.ADVAPI32(80000001,00000000,P0F), ref: 00412276
                                                    • Part of subcall function 00412268: RegSetValueExA.ADVAPI32(P0F,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 00412291
                                                    • Part of subcall function 00412268: RegCloseKey.ADVAPI32(?,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 0041229C
                                                  • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410BAB
                                                  • CloseHandle.KERNEL32(00000000), ref: 00410BBA
                                                  • CreateThread.KERNEL32(00000000,00000000,00411253,00000000,00000000,00000000), ref: 00410C10
                                                  • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00410E7F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                                  • String ID: (#G$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$!G
                                                  • API String ID: 3018269243-1736093966
                                                  • Opcode ID: 0994219a8e8a2e6fdacb02da6b6c9aac93029fb7835260760d01e793a2ba6ee3
                                                  • Instruction ID: e4f63523a9081b51a3adb9d06d528b7104d503695ba60a117a14e5ebfa22ea95
                                                  • Opcode Fuzzy Hash: 0994219a8e8a2e6fdacb02da6b6c9aac93029fb7835260760d01e793a2ba6ee3
                                                  • Instruction Fuzzy Hash: DD71923160430167C604FB62DD67DAE73A8AE91308F50097FF546621E2EEBC9E49C69F
                                                  APIs
                                                  • SetEvent.KERNEL32(?,?), ref: 00406D4A
                                                  • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00406E18
                                                  • DeleteFileW.KERNEL32(00000000), ref: 00406E3A
                                                    • Part of subcall function 0041A01B: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00471E78,?), ref: 0041A076
                                                    • Part of subcall function 0041A01B: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00471E78,?), ref: 0041A0A6
                                                    • Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A0FB
                                                    • Part of subcall function 0041A01B: FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A15C
                                                    • Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A163
                                                    • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                                    • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                                    • Part of subcall function 00404A81: WaitForSingleObject.KERNEL32(?,00000000,00401A25,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000), ref: 00404B27
                                                    • Part of subcall function 00404A81: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000,?,?,?,?,?,00401A25), ref: 00404B55
                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407228
                                                  • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00407309
                                                  • DeleteFileA.KERNEL32(?), ref: 0040768E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$Find$DeleteDirectoryEventRemove$AttributesCloseDriveExecuteFirstLocalLogicalNextObjectShellSingleStringsTimeWaitsend
                                                  • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$open
                                                  • API String ID: 1385304114-1507758755
                                                  • Opcode ID: 486b9b13a9e0af661d0ec35c4c2a5e664efc39ece2783de0a02d2c3891ac1a86
                                                  • Instruction ID: 48d75f04ed6415a86b5419c4bbb4b80b443badeb9edbc79095c7941e671ccbd4
                                                  • Opcode Fuzzy Hash: 486b9b13a9e0af661d0ec35c4c2a5e664efc39ece2783de0a02d2c3891ac1a86
                                                  • Instruction Fuzzy Hash: EE42A771A043005BC604FB76C86B9AE77A9AF91304F40493FF542671E2EE7D9A09C79B
                                                  APIs
                                                  • __Init_thread_footer.LIBCMT ref: 004056C6
                                                    • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                                  • __Init_thread_footer.LIBCMT ref: 00405703
                                                  • CreatePipe.KERNEL32(00473BB4,00473B9C,00473AC0,00000000,00463068,00000000), ref: 00405796
                                                  • CreatePipe.KERNEL32(00473BA0,00473BBC,00473AC0,00000000), ref: 004057AC
                                                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00473AD0,00473BA4), ref: 0040581F
                                                  • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405877
                                                  • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040589C
                                                  • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058C9
                                                    • Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B
                                                  • WriteFile.KERNEL32(00000000,00000000,?,00000000,00471F28,0046306C,00000062,00463050), ref: 004059C4
                                                  • Sleep.KERNEL32(00000064,00000062,00463050), ref: 004059DE
                                                  • TerminateProcess.KERNEL32(00000000), ref: 004059F7
                                                  • CloseHandle.KERNEL32 ref: 00405A03
                                                  • CloseHandle.KERNEL32 ref: 00405A0B
                                                  • CloseHandle.KERNEL32 ref: 00405A1D
                                                  • CloseHandle.KERNEL32 ref: 00405A25
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                  • String ID: SystemDrive$cmd.exe
                                                  • API String ID: 2994406822-3633465311
                                                  • Opcode ID: 45804b196eb615b74f37731f9156c820bde623197d48a39944e1cd78d62eaab2
                                                  • Instruction ID: 60b94bd4732a7a61eda53217d638a5a8398e5d64ba0573e0a23605d008395794
                                                  • Opcode Fuzzy Hash: 45804b196eb615b74f37731f9156c820bde623197d48a39944e1cd78d62eaab2
                                                  • Instruction Fuzzy Hash: 2991D571600204AFC710BF65AC52D6F3698EB44745F00443FF949A72E3DA7CAE489B6E
                                                  APIs
                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040AAF0
                                                  • FindClose.KERNEL32(00000000), ref: 0040AB0A
                                                  • FindNextFileA.KERNEL32(00000000,?), ref: 0040AC2D
                                                  • FindClose.KERNEL32(00000000), ref: 0040AC53
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Find$CloseFile$FirstNext
                                                  • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                  • API String ID: 1164774033-3681987949
                                                  • Opcode ID: ca0fae3423e82ba65057aab1becec6cc490b3020935d7fd6147cf858be723e25
                                                  • Instruction ID: fcfcc6101c27069c9b98dcbc284c26b589152974821445ccf2a2d41a2abcc6ea
                                                  • Opcode Fuzzy Hash: ca0fae3423e82ba65057aab1becec6cc490b3020935d7fd6147cf858be723e25
                                                  • Instruction Fuzzy Hash: DD516C7190021A9ADB14FBB1DC96EEEB738AF10309F50057FF406720E2FF785A458A5A
                                                  APIs
                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040ACF0
                                                  • FindClose.KERNEL32(00000000), ref: 0040AD0A
                                                  • FindNextFileA.KERNEL32(00000000,?), ref: 0040ADCA
                                                  • FindClose.KERNEL32(00000000), ref: 0040ADF0
                                                  • FindClose.KERNEL32(00000000), ref: 0040AE11
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Find$Close$File$FirstNext
                                                  • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                  • API String ID: 3527384056-432212279
                                                  • Opcode ID: 73f140f6d35823a17bd4706e2565cdbe6c65283cd980cbef6400db2aba249c94
                                                  • Instruction ID: fb37dd61a783c7e48c67abb1194b5e9e6d585cff7aa156a37ad31c809035e36e
                                                  • Opcode Fuzzy Hash: 73f140f6d35823a17bd4706e2565cdbe6c65283cd980cbef6400db2aba249c94
                                                  • Instruction Fuzzy Hash: 33417E7190021A5ACB14FBB1DC56DEEB729AF11306F50057FF402B21D2EF789A468A9E
                                                  APIs
                                                  • OpenClipboard.USER32 ref: 00414EC2
                                                  • EmptyClipboard.USER32 ref: 00414ED0
                                                  • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 00414EF0
                                                  • GlobalLock.KERNEL32(00000000), ref: 00414EF9
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 00414F2F
                                                  • SetClipboardData.USER32(0000000D,00000000), ref: 00414F38
                                                  • CloseClipboard.USER32 ref: 00414F55
                                                  • OpenClipboard.USER32 ref: 00414F5C
                                                  • GetClipboardData.USER32(0000000D), ref: 00414F6C
                                                  • GlobalLock.KERNEL32(00000000), ref: 00414F75
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 00414F7E
                                                  • CloseClipboard.USER32 ref: 00414F84
                                                    • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                  • String ID:
                                                  • API String ID: 3520204547-0
                                                  • Opcode ID: 7af418065d64d393ef04eab576563171d8b43fad0296cfc06dd8feeb27fac25d
                                                  • Instruction ID: 88f859f6ed4527f0268ca0f0dcff7fecf11b3a85ebb64268ee3e6238e9d0ca75
                                                  • Opcode Fuzzy Hash: 7af418065d64d393ef04eab576563171d8b43fad0296cfc06dd8feeb27fac25d
                                                  • Instruction Fuzzy Hash: C32162312043009BD714BF71DC5A9BE76A8AF90746F81093EF906931E3EF3889458A6A
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00471E78,?), ref: 0041A076
                                                  • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00471E78,?), ref: 0041A0A6
                                                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00471E78,?), ref: 0041A118
                                                  • DeleteFileW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A125
                                                    • Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A0FB
                                                  • GetLastError.KERNEL32(?,?,?,?,?,00471E78,?), ref: 0041A146
                                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A15C
                                                  • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A163
                                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A16C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                  • String ID: 05Mw`Mw
                                                  • API String ID: 2341273852-1602716814
                                                  • Opcode ID: 2253f20c687efd1695f59cc813ac36ef13daa749edc7cb4b9e2c9040a42a2537
                                                  • Instruction ID: c5fafce0dbccb0860899da49af80cd87a4a733faaf08891c553187227cdc222a
                                                  • Opcode Fuzzy Hash: 2253f20c687efd1695f59cc813ac36ef13daa749edc7cb4b9e2c9040a42a2537
                                                  • Instruction Fuzzy Hash: 5F31937290121C6ADB20EBA0DC49EDB77BCAB08305F4406FBF558D3152EB39DAD48A19
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 0$1$2$3$4$5$6$7
                                                  • API String ID: 0-3177665633
                                                  • Opcode ID: d8735d6a0333336ade1e6f6e2efec2098777929bb537579fb175260dc37f0ebb
                                                  • Instruction ID: 7e6592d3055df16b324e67483fbf58bd1f951358f7384255f7d9d01b5e43b049
                                                  • Opcode Fuzzy Hash: d8735d6a0333336ade1e6f6e2efec2098777929bb537579fb175260dc37f0ebb
                                                  • Instruction Fuzzy Hash: 7661D4709183019ED704EF21D8A1FAB7BB4DF94310F10881FF5A25B2D1DA789A49CBA6
                                                  APIs
                                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004727F8), ref: 00418714
                                                  • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00418763
                                                  • GetLastError.KERNEL32 ref: 00418771
                                                  • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 004187A9
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                  • String ID:
                                                  • API String ID: 3587775597-0
                                                  • Opcode ID: a389468ef3a4b2ac6aa5ba8bc00e05a97baae6139e6da71d4e03c11964763bc0
                                                  • Instruction ID: 6ce88c058296d2c3b0169cbae3b24baff62e3479be35c2318cb4853598c639b3
                                                  • Opcode Fuzzy Hash: a389468ef3a4b2ac6aa5ba8bc00e05a97baae6139e6da71d4e03c11964763bc0
                                                  • Instruction Fuzzy Hash: 04814071104344ABC304FB62DC959AFB7E8FF94708F50092EF58552192EE78EA49CB9A
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040B2DC
                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 0040B3AF
                                                  • FindClose.KERNEL32(00000000), ref: 0040B3BE
                                                  • FindClose.KERNEL32(00000000), ref: 0040B3E9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Find$CloseFile$FirstNext
                                                  • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                  • API String ID: 1164774033-405221262
                                                  • Opcode ID: 4b14aa1bc7189600b3df2c7baed1fce7e981b9bf703063a35819cb8b8327a43d
                                                  • Instruction ID: 883258bb694cc85cc249d311a8318fbda55549897f82b44e5d780b3967986c9e
                                                  • Opcode Fuzzy Hash: 4b14aa1bc7189600b3df2c7baed1fce7e981b9bf703063a35819cb8b8327a43d
                                                  • Instruction Fuzzy Hash: 7D31533190025996CB14FBA1DC9ADEE7778AF50718F10017FF405B21D2EFBC9A4A8A8D
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040935B
                                                  • SetWindowsHookExA.USER32(0000000D,0040932C,00000000), ref: 00409369
                                                  • GetLastError.KERNEL32 ref: 00409375
                                                    • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004093C3
                                                  • TranslateMessage.USER32(?), ref: 004093D2
                                                  • DispatchMessageA.USER32(?), ref: 004093DD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                  • String ID: Keylogger initialization failure: error $`Mw
                                                  • API String ID: 3219506041-1277971878
                                                  • Opcode ID: 4daa718d81045fd2d4cd741a07fca7de2266515ef5ec0dc15ecea471e6442c9d
                                                  • Instruction ID: 7386389ed158dc1e9b291cee6df9fe5cdc6a320468782ebba6dd7d831fd8f91b
                                                  • Opcode Fuzzy Hash: 4daa718d81045fd2d4cd741a07fca7de2266515ef5ec0dc15ecea471e6442c9d
                                                  • Instruction Fuzzy Hash: 4D119431604301ABC7107B769D0985BB7ECEB99712B500A7EFC95D32D2EB74C900CB6A
                                                  APIs
                                                    • Part of subcall function 00410201: SetLastError.KERNEL32(0000000D,00410781,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 00410207
                                                  • SetLastError.KERNEL32(000000C1,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 0041079C
                                                  • GetNativeSystemInfo.KERNEL32(?,?,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 0041080A
                                                  • SetLastError.KERNEL32(0000000E), ref: 0041082E
                                                    • Part of subcall function 00410708: VirtualAlloc.KERNEL32(00000000,00000000,00000000,00000000,0041084C,?,00000000,00003000,00000004,00000000), ref: 00410718
                                                  • GetProcessHeap.KERNEL32(00000008,00000040), ref: 00410875
                                                  • HeapAlloc.KERNEL32(00000000), ref: 0041087C
                                                  • SetLastError.KERNEL32(0000045A), ref: 0041098F
                                                    • Part of subcall function 00410ADC: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,0041099C), ref: 00410B4C
                                                    • Part of subcall function 00410ADC: HeapFree.KERNEL32(00000000), ref: 00410B53
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                                  • String ID: $.F
                                                  • API String ID: 3950776272-1421728423
                                                  • Opcode ID: afa6d71e2a3b14814050e18c4da3df367c89416f336fbbd417f722f4d15fa1ad
                                                  • Instruction ID: 59628d97446cb481dba570c2b442d682f024dd9dc2812234181a156a821a4c1f
                                                  • Opcode Fuzzy Hash: afa6d71e2a3b14814050e18c4da3df367c89416f336fbbd417f722f4d15fa1ad
                                                  • Instruction Fuzzy Hash: F7619270200211ABD750AF66CD91BAB7BA5BF44714F54412AF9158B382DBFCE8C1CBD9
                                                  APIs
                                                  • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004129B8
                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004129C4
                                                    • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                                  • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 00412CBA
                                                  • GetProcAddress.KERNEL32(00000000), ref: 00412CC1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressCloseCreateLibraryLoadProcsend
                                                  • String ID: SHDeleteKeyW$Shlwapi.dll
                                                  • API String ID: 2127411465-314212984
                                                  • Opcode ID: 3a8f36ea34958f1437b96a761794d04628548da7921348726e3bd1b1d4fd3bc5
                                                  • Instruction ID: 16181ac17c5890234a95f9c719cc05f83ad3eef33587bd03cd2ae8bf1541d7ce
                                                  • Opcode Fuzzy Hash: 3a8f36ea34958f1437b96a761794d04628548da7921348726e3bd1b1d4fd3bc5
                                                  • Instruction Fuzzy Hash: CCE1DA72A0430067CA14B776DD57DAF36A8AF91318F40053FF946F71E2EDBD8A44829A
                                                  APIs
                                                  • _free.LIBCMT ref: 00446741
                                                  • _free.LIBCMT ref: 00446765
                                                  • _free.LIBCMT ref: 004468EC
                                                  • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045C1E4), ref: 004468FE
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F754,000000FF,00000000,0000003F,00000000,?,?), ref: 00446976
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F7A8,000000FF,?,0000003F,00000000,?), ref: 004469A3
                                                  • _free.LIBCMT ref: 00446AB8
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                  • String ID:
                                                  • API String ID: 314583886-0
                                                  • Opcode ID: cbe724d584c4c688f7c92c89d2af3aac564bebe5498eb7e7b8226ac0d6f42e00
                                                  • Instruction ID: 8b87e38212d70e432f0d45c21c10c2da0ad9042405ab808e013634feac4ff008
                                                  • Opcode Fuzzy Hash: cbe724d584c4c688f7c92c89d2af3aac564bebe5498eb7e7b8226ac0d6f42e00
                                                  • Instruction Fuzzy Hash: 67C15CB1900245ABFB24AF79DC41AAA7BB8EF03314F16416FE48497341EB788E45C75E
                                                  APIs
                                                    • Part of subcall function 00411F34: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?), ref: 00411F54
                                                    • Part of subcall function 00411F34: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,00000000), ref: 00411F72
                                                    • Part of subcall function 00411F34: RegCloseKey.ADVAPI32(?), ref: 00411F7D
                                                  • Sleep.KERNEL32(00000BB8), ref: 0040E243
                                                  • ExitProcess.KERNEL32 ref: 0040E2B4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseExitOpenProcessQuerySleepValue
                                                  • String ID: 3.8.0 Pro$override$pth_unenc$!G
                                                  • API String ID: 2281282204-1386060931
                                                  • Opcode ID: 2411e5703e7239f679d30a90bad3a95645d2e36138ee9f8a514be94ac54cb995
                                                  • Instruction ID: b884fba6e00cc138548ee74cf6c0f0a6577cc223cd772b3e63c92b5116f64211
                                                  • Opcode Fuzzy Hash: 2411e5703e7239f679d30a90bad3a95645d2e36138ee9f8a514be94ac54cb995
                                                  • Instruction Fuzzy Hash: 6E213770B4030027DA08B6768D5BAAE35899B82708F40446FF911AB2D7EEBD8D4583DF
                                                  APIs
                                                  • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00419392
                                                  • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 004193A8
                                                  • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 004193C1
                                                  • InternetCloseHandle.WININET(00000000), ref: 00419407
                                                  • InternetCloseHandle.WININET(00000000), ref: 0041940A
                                                  Strings
                                                  • http://geoplugin.net/json.gp, xrefs: 004193A2
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Internet$CloseHandleOpen$FileRead
                                                  • String ID: http://geoplugin.net/json.gp
                                                  • API String ID: 3121278467-91888290
                                                  • Opcode ID: ef2ec91d27aa09046ea65f67fa3d050ef1f1622cef503f288a816c5549269c7a
                                                  • Instruction ID: 9fad89c028030122b1819b6a874fefb9d729214f45c39af6bed7b2b06c6e4f32
                                                  • Opcode Fuzzy Hash: ef2ec91d27aa09046ea65f67fa3d050ef1f1622cef503f288a816c5549269c7a
                                                  • Instruction Fuzzy Hash: 3311C8311053126BD224EF169C59DABBF9CEF85765F40053EF905A32C1DBA8DC44C6A9
                                                  APIs
                                                  • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040A98F
                                                  • GetLastError.KERNEL32 ref: 0040A999
                                                  Strings
                                                  • UserProfile, xrefs: 0040A95F
                                                  • [Chrome StoredLogins not found], xrefs: 0040A9B3
                                                  • [Chrome StoredLogins found, cleared!], xrefs: 0040A9BF
                                                  • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040A95A
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: DeleteErrorFileLast
                                                  • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                  • API String ID: 2018770650-1062637481
                                                  • Opcode ID: c755599410c6c02e55073cedb3b03e5beee3eb12ab5711b2b25ec6cbfe43ec22
                                                  • Instruction ID: b2134abed7c3f614b53a5a28bf05479c5c2a11b403a78876888f6ce5fd1f590e
                                                  • Opcode Fuzzy Hash: c755599410c6c02e55073cedb3b03e5beee3eb12ab5711b2b25ec6cbfe43ec22
                                                  • Instruction Fuzzy Hash: 7801F271B9020466CA047A75DC2B8BE7728A921304B90057FF402732E2FE7D8A1586CF
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(00000028,?), ref: 00415C9D
                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 00415CA4
                                                  • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00415CB6
                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00415CD5
                                                  • GetLastError.KERNEL32 ref: 00415CDB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                  • String ID: SeShutdownPrivilege
                                                  • API String ID: 3534403312-3733053543
                                                  • Opcode ID: 6b6a245ea7d04d36a7da703741a32f9ec851e6ff0cbdb80aef66d6ce6c3f9121
                                                  • Instruction ID: ffc0972e6e84a8b4c82c7ff824774f91a9d221977230a9de1ecf93d0fe8dbf87
                                                  • Opcode Fuzzy Hash: 6b6a245ea7d04d36a7da703741a32f9ec851e6ff0cbdb80aef66d6ce6c3f9121
                                                  • Instruction Fuzzy Hash: 0AF03A71901229ABDB10ABA1ED4DEEF7F7CEF05616F510060B805A2152D6749A04CAB5
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00408393
                                                    • Part of subcall function 004048A8: connect.WS2_32(?,?,?), ref: 004048C0
                                                    • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040842F
                                                  • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040848D
                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 004084E5
                                                  • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 004084FC
                                                    • Part of subcall function 00404E06: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E18
                                                    • Part of subcall function 00404E06: SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E23
                                                    • Part of subcall function 00404E06: CloseHandle.KERNELBASE(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E2C
                                                  • FindClose.KERNEL32(00000000), ref: 004086F4
                                                    • Part of subcall function 00404A81: WaitForSingleObject.KERNEL32(?,00000000,00401A25,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000), ref: 00404B27
                                                    • Part of subcall function 00404A81: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000,?,?,?,?,?,00401A25), ref: 00404B55
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                                  • String ID:
                                                  • API String ID: 1824512719-0
                                                  APIs
                                                  • GetForegroundWindow.USER32 ref: 0040949C
                                                  • GetWindowThreadProcessId.USER32(00000000,?), ref: 004094A7
                                                  • GetKeyboardLayout.USER32(00000000), ref: 004094AE
                                                  • GetKeyState.USER32(00000010), ref: 004094B8
                                                  • GetKeyboardState.USER32(?), ref: 004094C5
                                                  • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 004094E1
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
                                                  • String ID:
                                                  • API String ID: 3566172867-0
                                                  APIs
                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,00418656,00000000), ref: 00418A09
                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,00418656,00000000), ref: 00418A1E
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A2B
                                                  • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,00418656,00000000), ref: 00418A36
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A48
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A4B
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$CloseHandle$Open$ManagerStart
                                                  • String ID:
                                                  • API String ID: 276877138-0
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(00000000,?), ref: 00417D01
                                                  • FindNextFileW.KERNEL32(00000000,?,?), ref: 00417DCD
                                                    • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$Find$CreateFirstNext
                                                  • String ID: H"G$`'G$`'G
                                                  • API String ID: 341183262-2774397156
                                                  APIs
                                                    • Part of subcall function 00415C90: GetCurrentProcess.KERNEL32(00000028,?), ref: 00415C9D
                                                    • Part of subcall function 00415C90: OpenProcessToken.ADVAPI32(00000000), ref: 00415CA4
                                                    • Part of subcall function 00415C90: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00415CB6
                                                    • Part of subcall function 00415C90: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00415CD5
                                                    • Part of subcall function 00415C90: GetLastError.KERNEL32 ref: 00415CDB
                                                  • ExitWindowsEx.USER32(00000000,00000001), ref: 00414E56
                                                  • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00414E6B
                                                  • GetProcAddress.KERNEL32(00000000), ref: 00414E72
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                  • String ID: PowrProf.dll$SetSuspendState
                                                  • API String ID: 1589313981-1420736420
                                                  APIs
                                                  • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0044F93B,?,00000000), ref: 0044F6B5
                                                  • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0044F93B,?,00000000), ref: 0044F6DE
                                                  • GetACP.KERNEL32(?,?,0044F93B,?,00000000), ref: 0044F6F3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: InfoLocale
                                                  • String ID: ACP$OCP
                                                  • API String ID: 2299586839-711371036
                                                  APIs
                                                  • GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                                                  • wsprintfW.USER32 ref: 0040A13F
                                                    • Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: EventLocalTimewsprintf
                                                  • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                                  • API String ID: 1497725170-248792730
                                                  APIs
                                                  • FindResourceA.KERNEL32(SETTINGS,0000000A), ref: 004194A4
                                                  • LoadResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194B8
                                                  • LockResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194BF
                                                  • SizeofResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194CE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Resource$FindLoadLockSizeof
                                                  • String ID: SETTINGS
                                                  • API String ID: 3473537107-594951305
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 004087A5
                                                  • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040881D
                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00408846
                                                  • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040885D
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Find$File$CloseFirstH_prologNext
                                                  • String ID:
                                                  • API String ID: 1157919129-0
                                                  APIs
                                                    • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                                    • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                                    • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                                    • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                                    • Part of subcall function 00445725: _free.LIBCMT ref: 00445784
                                                    • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                                                  • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0044F8FC
                                                  • IsValidCodePage.KERNEL32(00000000), ref: 0044F957
                                                  • IsValidLocale.KERNEL32(?,00000001), ref: 0044F966
                                                  • GetLocaleInfoW.KERNEL32(?,00001001,00441F7E,00000040,?,0044209E,00000055,00000000,?,?,00000055,00000000), ref: 0044F9AE
                                                  • GetLocaleInfoW.KERNEL32(?,00001002,00441FFE,00000040), ref: 0044F9CD
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                  • String ID:
                                                  • API String ID: 745075371-0
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 0040784D
                                                  • FindFirstFileW.KERNEL32(00000000,?,004632A8,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407906
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040792E
                                                  • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040793B
                                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407A51
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                                  • String ID:
                                                  • API String ID: 1771804793-0
                                                  APIs
                                                    • Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E305
                                                  • Process32FirstW.KERNEL32(00000000,?), ref: 0040E329
                                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E338
                                                  • CloseHandle.KERNEL32(00000000), ref: 0040E4EF
                                                    • Part of subcall function 00419F51: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040DFB9,00000000,?,?,00000001), ref: 00419F66
                                                    • Part of subcall function 00419F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00419F9C
                                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E4E0
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ProcessProcess32$NextOpen$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                  • String ID:
                                                  • API String ID: 1735047541-0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: A%E$A%E
                                                  • API String ID: 0-137320553
                                                  APIs
                                                  • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041A861
                                                    • Part of subcall function 0041215F: RegCreateKeyA.ADVAPI32(80000001,00000000,00000000), ref: 0041216E
                                                    • Part of subcall function 0041215F: RegSetValueExA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,00412385,?,00000000), ref: 00412196
                                                    • Part of subcall function 0041215F: RegCloseKey.ADVAPI32(00000000,?,?,?,00412385,?,00000000), ref: 004121A1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCreateInfoParametersSystemValue
                                                  • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                  • API String ID: 4127273184-3576401099
                                                  APIs
                                                    • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                                    • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                                    • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                                    • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                                  • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00441F85,?,?,?,?,004419DC,?,00000004), ref: 0044EF9A
                                                  • _wcschr.LIBVCRUNTIME ref: 0044F02A
                                                  • _wcschr.LIBVCRUNTIME ref: 0044F038
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00441F85,00000000,004420A5), ref: 0044F0DB
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                  • String ID:
                                                  • API String ID: 4212172061-0
                                                  APIs
                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004064D2
                                                  • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004065B6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: DownloadExecuteFileShell
                                                  • String ID: open
                                                  • API String ID: 2825088817-2758837156
                                                  • Opcode ID: 400a122d183a9112cc7a0cd06a1688c26b37542af8c87b61aae9a43f761ae058
                                                  • Instruction ID: de45ecf938be0b84f02b1b366aeabb591a3e89dbb22835c7232af05a142efef6
                                                  • Opcode Fuzzy Hash: 400a122d183a9112cc7a0cd06a1688c26b37542af8c87b61aae9a43f761ae058
                                                  • Instruction Fuzzy Hash: 6F61D331A0430167CA14FB75D8A697E77A99F81708F00093FFD42772D6EE3D8A09869B
                                                  APIs
                                                    • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                                    • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                                    • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                                    • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                                    • Part of subcall function 00445725: _free.LIBCMT ref: 00445784
                                                    • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F2F7
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F348
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F408
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorInfoLastLocale$_free$_abort
                                                  • String ID:
                                                  • API String ID: 2829624132-0
                                                  • Opcode ID: 5d155598132bf3b03d9715496123f76655355fd2299683488a64446915391091
                                                  • Instruction ID: 12c224c4da0c85949021a4ccaa6d586ab513ef91610cb16151a2099a543b2454
                                                  • Opcode Fuzzy Hash: 5d155598132bf3b03d9715496123f76655355fd2299683488a64446915391091
                                                  • Instruction Fuzzy Hash: 49617D71600207ABEB289F25CC82B7B77A8EF14314F1041BBED06C6685EB78D949DB58
                                                  APIs
                                                  • IsDebuggerPresent.KERNEL32 ref: 004399A4
                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004399AE
                                                  • UnhandledExceptionFilter.KERNEL32(?), ref: 004399BB
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                  • String ID:
                                                  • API String ID: 3906539128-0
                                                  • Opcode ID: a2edd11b745fd0db19ae8b75a4dca2fd63e5a3b0d4ecfa6da1b026d4ab375051
                                                  • Instruction ID: 77e6618fa9d19f9c50586940e2a7469f5a9d54f298177c93e0bbf68cc30459b4
                                                  • Opcode Fuzzy Hash: a2edd11b745fd0db19ae8b75a4dca2fd63e5a3b0d4ecfa6da1b026d4ab375051
                                                  • Instruction Fuzzy Hash: 1D31D67591122C9BCB21DF65D9897CDB7B8BF08310F5051EAE40CA72A1E7749F858F48
                                                  APIs
                                                  • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00431274,00000034,?,?,00000000), ref: 004315FE
                                                  • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00431307,00000000,?,00000000), ref: 00431614
                                                  • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,00431307,00000000,?,00000000,0041C006), ref: 00431626
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Crypt$Context$AcquireRandomRelease
                                                  • String ID:
                                                  • API String ID: 1815803762-0
                                                  • Opcode ID: 490f37dff30391dd88b2b348f1e17f82ee14bc365aa64bdd7ac48a14519942bc
                                                  • Instruction ID: e2f248fbd61bea3c509e9dcbc4a9d000159a3c4e1760f154dd59208f6820a057
                                                  • Opcode Fuzzy Hash: 490f37dff30391dd88b2b348f1e17f82ee14bc365aa64bdd7ac48a14519942bc
                                                  • Instruction Fuzzy Hash: FDE0923130C310BBEB304F51AC09F172A55EB8DB72FA5063AF112E50F4D6518801855C
                                                  APIs
                                                  • OpenClipboard.USER32(00000000), ref: 0040A65D
                                                  • GetClipboardData.USER32(0000000D), ref: 0040A669
                                                  • CloseClipboard.USER32 ref: 0040A671
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Clipboard$CloseDataOpen
                                                  • String ID:
                                                  • API String ID: 2058664381-0
                                                  • Opcode ID: edb8c36ac275bb67b795d66d8e1b797ea5e31e94c4ba3ac6c333071066a6c16d
                                                  • Instruction ID: 184f8b84181a4a50bd43ef3289a1c1a9f5b779335cc527adffbe090e77bee848
                                                  • Opcode Fuzzy Hash: edb8c36ac275bb67b795d66d8e1b797ea5e31e94c4ba3ac6c333071066a6c16d
                                                  • Instruction Fuzzy Hash: 6CE08C3064432097D2206F60EC08B8A66649B50B12F064A7AB849AB2D1DA75DC208AAE
                                                  APIs
                                                  • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 004329F3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FeaturePresentProcessor
                                                  • String ID:
                                                  • API String ID: 2325560087-3916222277
                                                  • Opcode ID: 6bf946e24e0cf3f7143bf6f7c2898541fb51292b7eeb3b4358a3a41aa26ebfb9
                                                  • Instruction ID: 4a1c44cf8a386737ece403ae0cfd22a47b20ce31fd9c2d8f3958115f99bf9d9d
                                                  • Opcode Fuzzy Hash: 6bf946e24e0cf3f7143bf6f7c2898541fb51292b7eeb3b4358a3a41aa26ebfb9
                                                  • Instruction Fuzzy Hash: E4514A719002099BDB24CFAAD98579ABBF4FF48314F14846BD815EB350E3B9A910CFA5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: .
                                                  • API String ID: 0-248832578
                                                  • Opcode ID: 2bd3453bf6b0042b978c63341e7d52c868cd539d71c5d82670adc25c3f96db7e
                                                  • Instruction ID: 24926096c943187a016d953fe808ce2acf1242cb654f72e39a34338bfc4b4f1c
                                                  • Opcode Fuzzy Hash: 2bd3453bf6b0042b978c63341e7d52c868cd539d71c5d82670adc25c3f96db7e
                                                  • Instruction Fuzzy Hash: 0E3108719002486FEB248E79CC84EEB7BBDDB45304F14419EF858D7251EB34EE418B94
                                                  APIs
                                                  • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004419DC,?,00000004), ref: 00445E6F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: InfoLocale
                                                  • String ID: GetLocaleInfoEx
                                                  • API String ID: 2299586839-2904428671
                                                  • Opcode ID: 020099d0525865bb6834e28ad9152f433c6e4676045ed3ecc95ad7b7c68cac6a
                                                  • Instruction ID: a9bb3d2992a9d1fe8e60343c55b6d981a628f421e7cf107d295b861f9edee2c3
                                                  • Opcode Fuzzy Hash: 020099d0525865bb6834e28ad9152f433c6e4676045ed3ecc95ad7b7c68cac6a
                                                  • Instruction Fuzzy Hash: 6DF0F631600708BBDF016F619C05F6E7B51EB14721F10401BFC051A253CA758D109A9D
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 004068E8
                                                  • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 004069B0
                                                    • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileFind$FirstNextsend
                                                  • String ID:
                                                  • API String ID: 4113138495-0
                                                  • Opcode ID: e3ef31e205124b2d37ce34f80ed01c56440b36d419931c260197812f3169fbb8
                                                  • Instruction ID: f886cb8170a1cbefaa312452e39d18d6cd017e90ab843946bfd6f4b2f28fefe7
                                                  • Opcode Fuzzy Hash: e3ef31e205124b2d37ce34f80ed01c56440b36d419931c260197812f3169fbb8
                                                  • Instruction Fuzzy Hash: 9C218F711043015BC314FBA1DC96CEFB7ACAF91358F400A3EF596621E1EF389A09CA5A
                                                  APIs
                                                    • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                                    • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                                    • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                                    • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                                    • Part of subcall function 00445725: _free.LIBCMT ref: 00445784
                                                    • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F547
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$_free$InfoLocale_abort
                                                  • String ID:
                                                  • API String ID: 1663032902-0
                                                  • Opcode ID: ad0e0b7788e936bcfdd9e0a2c8ea1aecabb77b710f5984c66624a7eb150c0fcd
                                                  • Instruction ID: 815750de5804ab4a8f75770bcc990d44dba9c2967eca50803adc2dd3443e40da
                                                  • Opcode Fuzzy Hash: ad0e0b7788e936bcfdd9e0a2c8ea1aecabb77b710f5984c66624a7eb150c0fcd
                                                  • Instruction Fuzzy Hash: 6421B372901206BBEF249F26DC45A7A73A8EB04315F10017BFD01C6242EB78AD59CB59
                                                  APIs
                                                    • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                                    • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                                    • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                                    • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                                  • EnumSystemLocalesW.KERNEL32(0044F2A3,00000001,00000000,?,00441F7E,?,0044F8D0,00000000,?,?,?), ref: 0044F1ED
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                  • String ID:
                                                  • API String ID: 1084509184-0
                                                  • Opcode ID: 1e67477eb4f1d9c825940ef83573ecb2aed64948dc5e5734fb002b4aa87f20f9
                                                  • Instruction ID: fc4c71b657a69648ba6c32e8c27400de65702582941300ca2eca7bc8fd592fd6
                                                  • Opcode Fuzzy Hash: 1e67477eb4f1d9c825940ef83573ecb2aed64948dc5e5734fb002b4aa87f20f9
                                                  • Instruction Fuzzy Hash: D811293B6007019FEB189F39D89167BBB91FF80358B14443DE94647B40D776A946C744
                                                  APIs
                                                    • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                                    • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                                    • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                                    • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                                  • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0044F4C1,00000000,00000000,?), ref: 0044F74F
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$InfoLocale_abort_free
                                                  • String ID:
                                                  • API String ID: 2692324296-0
                                                  • Opcode ID: c5ca8868f81a5dafb3fdb259ff2b8ec3965b2bfb8aabdce9695f87c3ae70661f
                                                  • Instruction ID: e4b95bc4a5e1061338a04706472302caa06a68982d3ebb8569a44a178f9f49d5
                                                  • Opcode Fuzzy Hash: c5ca8868f81a5dafb3fdb259ff2b8ec3965b2bfb8aabdce9695f87c3ae70661f
                                                  • Instruction Fuzzy Hash: 09F02D36600516BBFB245B65DC05BBB7768EF40764F05447AEC19A3240EA7CFD05C6D4
                                                  APIs
                                                    • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                                    • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                                    • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                                    • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                                  • EnumSystemLocalesW.KERNEL32(0044F4F3,00000001,?,?,00441F7E,?,0044F894,00441F7E,?,?,?,?,?,00441F7E,?,?), ref: 0044F262
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                  • String ID:
                                                  • API String ID: 1084509184-0
                                                  • Opcode ID: d9e72da5ca64d0dbd4f9725887adba7bc59a573407832ad1990d17eaaac4c4d9
                                                  • Instruction ID: 7c38563944de2097393583401858843e6c2e12a799e64e453201a09b71e8bce8
                                                  • Opcode Fuzzy Hash: d9e72da5ca64d0dbd4f9725887adba7bc59a573407832ad1990d17eaaac4c4d9
                                                  • Instruction Fuzzy Hash: 44F0223A2007045FEB145F399881A7B7B94FF8036CB15447EF9458B690DAB6AC068614
                                                  APIs
                                                  • GetUserNameW.ADVAPI32(?,00000010), ref: 0041962D
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: NameUser
                                                  • String ID:
                                                  • API String ID: 2645101109-0
                                                  • Opcode ID: 8951ed9e5e96f4eef37346a31dc1e1cfc055faec67558bb1b1f4eabc83ab8062
                                                  • Instruction ID: 5ca8c18713c22ae7facf93a828c8627c995cdb1c7496207664ac88b3b4335c79
                                                  • Opcode Fuzzy Hash: 8951ed9e5e96f4eef37346a31dc1e1cfc055faec67558bb1b1f4eabc83ab8062
                                                  • Instruction Fuzzy Hash: 7C01FF7290011CABCB04EBD5DC45EDEB7BCEF44319F10016AB505B61A5EEB46A89CB98
                                                  APIs
                                                    • Part of subcall function 00442D9A: EnterCriticalSection.KERNEL32(?,?,004404DB,00000000,0046B4D8,0000000C,00440496,?,?,?,00443038,?,?,004457DA,00000001,00000364), ref: 00442DA9
                                                  • EnumSystemLocalesW.KERNEL32(004458CE,00000001,0046B680,0000000C), ref: 0044594C
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CriticalEnterEnumLocalesSectionSystem
                                                  • String ID:
                                                  • API String ID: 1272433827-0
                                                  • Opcode ID: 9f071f7aa8f2d5cfdb4dd86670e259d2fa7dae68b4529c3cbc217272811744e5
                                                  • Instruction ID: 57fcd2d1ba6fdacad71b84952267562ddc6b8062f8818d57533dd41bf3368d71
                                                  • Opcode Fuzzy Hash: 9f071f7aa8f2d5cfdb4dd86670e259d2fa7dae68b4529c3cbc217272811744e5
                                                  • Instruction Fuzzy Hash: CFF03C72A10700EFEB00EF69D846B5D77F0EB08325F10402AF400DB2A2DAB989448B5E
                                                  APIs
                                                    • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                                    • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                                    • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                                    • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                                  • EnumSystemLocalesW.KERNEL32(0044F087,00000001,?,?,?,0044F8F2,00441F7E,?,?,?,?,?,00441F7E,?,?,?), ref: 0044F167
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                  • String ID:
                                                  • API String ID: 1084509184-0
                                                  • Opcode ID: 27fc750af04bae75093f47f6c8e3f33632e5f31a47d704513601fd173c54c35f
                                                  • Instruction ID: 407cbbfb1d6a14fdc0c4ba4a8479f65f1c0a46e2fba7f2f7bc53bc9e3406d240
                                                  • Opcode Fuzzy Hash: 27fc750af04bae75093f47f6c8e3f33632e5f31a47d704513601fd173c54c35f
                                                  • Instruction Fuzzy Hash: 22F05C3930020597DB049F35D845A7ABFA0EFC1754F060069EA058B651C6359C46C754
                                                  APIs
                                                  • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00413F34,00471E78,00472910,00471E78,00000000,00471E78,00000000,00471E78,3.8.0 Pro), ref: 0040E2CF
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: InfoLocale
                                                  • String ID:
                                                  • API String ID: 2299586839-0
                                                  • Opcode ID: 856777f14b9a4662401ba442cf494b6ebb80c668ca2d98772b8c18b49fbcc60a
                                                  • Instruction ID: e43a985d938ffd5d313bbeec62feab64fa47c80c67ee5e1720aa7bcbe65aeca7
                                                  • Opcode Fuzzy Hash: 856777f14b9a4662401ba442cf494b6ebb80c668ca2d98772b8c18b49fbcc60a
                                                  • Instruction Fuzzy Hash: 65D05E30B4421C7BEA10D6859C0AEAA7B9CD701B62F0001A6BA08D72D0E9E1AE0487E6
                                                  APIs
                                                  • SetUnhandledExceptionFilter.KERNEL32(Function_00032908,0043262F), ref: 00432901
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled
                                                  • String ID:
                                                  • API String ID: 3192549508-0
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00416474
                                                  • GetProcAddress.KERNEL32(00000000), ref: 00416477
                                                  • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00416488
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041648B
                                                  • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041649C
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041649F
                                                  • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004164B0
                                                  • GetProcAddress.KERNEL32(00000000), ref: 004164B3
                                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00416555
                                                  • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041656D
                                                  • GetThreadContext.KERNEL32(?,00000000), ref: 00416583
                                                  • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004165A9
                                                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041662B
                                                  • TerminateProcess.KERNEL32(?,00000000), ref: 0041663F
                                                  • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041667F
                                                  • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00416749
                                                  • SetThreadContext.KERNEL32(?,00000000), ref: 00416766
                                                  • ResumeThread.KERNEL32(?), ref: 00416773
                                                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041678A
                                                  • GetCurrentProcess.KERNEL32(?), ref: 00416795
                                                  • TerminateProcess.KERNEL32(?,00000000), ref: 004167B0
                                                  • GetLastError.KERNEL32 ref: 004167B8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                  • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$`Mw$ntdll
                                                  • API String ID: 4188446516-1701449367
                                                  APIs
                                                  • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00416E98
                                                  • CreateCompatibleDC.GDI32(00000000), ref: 00416EA5
                                                    • Part of subcall function 004172DF: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 0041730F
                                                  • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00416F1B
                                                  • DeleteDC.GDI32(00000000), ref: 00416F32
                                                  • DeleteDC.GDI32(00000000), ref: 00416F35
                                                  • DeleteObject.GDI32(00000000), ref: 00416F38
                                                  • SelectObject.GDI32(00000000,00000000), ref: 00416F59
                                                  • DeleteDC.GDI32(00000000), ref: 00416F6A
                                                  • DeleteDC.GDI32(00000000), ref: 00416F6D
                                                  • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00416F91
                                                  • GetIconInfo.USER32(?,?), ref: 00416FC5
                                                  • DeleteObject.GDI32(?), ref: 00416FF4
                                                  • DeleteObject.GDI32(?), ref: 00417001
                                                  • DrawIcon.USER32(00000000,?,?,?), ref: 0041700E
                                                  • GetObjectA.GDI32(00000000,00000018,?), ref: 00417026
                                                  • LocalAlloc.KERNEL32(00000040,00000001), ref: 00417095
                                                  • GlobalAlloc.KERNEL32(00000000,?), ref: 00417104
                                                  • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00417128
                                                  • DeleteDC.GDI32(?), ref: 0041713C
                                                  • DeleteDC.GDI32(00000000), ref: 0041713F
                                                  • DeleteObject.GDI32(00000000), ref: 00417142
                                                  • GlobalFree.KERNEL32(?), ref: 0041714D
                                                  • DeleteObject.GDI32(00000000), ref: 00417201
                                                  • GlobalFree.KERNEL32(?), ref: 00417208
                                                  • DeleteDC.GDI32(?), ref: 00417218
                                                  • DeleteDC.GDI32(00000000), ref: 00417223
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                                                  • String ID: DISPLAY
                                                  • API String ID: 479521175-865373369
                                                  APIs
                                                    • Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
                                                    • Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8
                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C0D6
                                                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C0E9
                                                  • SetFileAttributesW.KERNEL32(?,00000080), ref: 0040C102
                                                  • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040C132
                                                    • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(00409305,00000000,004721E8,0040BC76,?,00472200,pth_unenc,004721E8), ref: 0040A801
                                                    • Part of subcall function 0040A7F2: UnhookWindowsHookEx.USER32(?), ref: 0040A811
                                                    • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(004092EF,00000000,?,00472200,pth_unenc,004721E8), ref: 0040A823
                                                    • Part of subcall function 0041A17B: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA
                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040C37D
                                                  • ExitProcess.KERNEL32 ref: 0040C389
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                  • String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$H"G$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$t<F$wend$while fso.FileExists("
                                                  • API String ID: 1861856835-1953526029
                                                  APIs
                                                  • CreateMutexA.KERNEL32(00000000,00000001,00000000,00472200,00471FFC,00000000), ref: 00410EF9
                                                  • ExitProcess.KERNEL32(00000000), ref: 00410F05
                                                  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00410F7F
                                                  • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00410F8E
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00410F99
                                                  • CloseHandle.KERNEL32(00000000), ref: 00410FA0
                                                  • GetCurrentProcessId.KERNEL32 ref: 00410FA6
                                                  • PathFileExistsW.SHLWAPI(?), ref: 00410FD7
                                                  • GetTempPathW.KERNEL32(00000104,?), ref: 0041103A
                                                  • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 00411054
                                                  • lstrcatW.KERNEL32(?,.exe), ref: 00411066
                                                    • Part of subcall function 0041A17B: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA
                                                  • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 004110A6
                                                  • Sleep.KERNEL32(000001F4), ref: 004110E7
                                                  • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004110FC
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00411107
                                                  • CloseHandle.KERNEL32(00000000), ref: 0041110E
                                                  • GetCurrentProcessId.KERNEL32 ref: 00411114
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                                  • String ID: (#G$.exe$H"G$WDH$exepath$open$temp_
                                                  • API String ID: 2649220323-71629269
                                                  APIs
                                                    • Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
                                                    • Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8
                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BD63
                                                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040BD76
                                                  • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BDA6
                                                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BDB5
                                                    • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(00409305,00000000,004721E8,0040BC76,?,00472200,pth_unenc,004721E8), ref: 0040A801
                                                    • Part of subcall function 0040A7F2: UnhookWindowsHookEx.USER32(?), ref: 0040A811
                                                    • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(004092EF,00000000,?,00472200,pth_unenc,004721E8), ref: 0040A823
                                                    • Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980
                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040BFD0
                                                  • ExitProcess.KERNEL32 ref: 0040BFD7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                  • String ID: ")$.vbs$05Mw`Mw$H"G$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                                  • API String ID: 3797177996-3625296328
                                                  APIs
                                                  • _wcslen.LIBCMT ref: 0040B882
                                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00471FFC), ref: 0040B89B
                                                  • CopyFileW.KERNEL32(0046FB08,00000000,00000000,00000000,00000000,00000000,?,00471FFC), ref: 0040B952
                                                  • _wcslen.LIBCMT ref: 0040B968
                                                  • CopyFileW.KERNEL32(0046FB08,00000000,00000000,00000000), ref: 0040B9E0
                                                  • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BA22
                                                  • _wcslen.LIBCMT ref: 0040BA25
                                                  • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BA3C
                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040BC2A
                                                  • ExitProcess.KERNEL32 ref: 0040BC36
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$_wcslen$AttributesCopy$CreateDirectoryExecuteExitProcessShell
                                                  • String ID: """, 0$6$CreateObject("WScript.Shell").Run "cmd /c ""$Set fso = CreateObject("Scripting.FileSystemObject")$Temp$WScript.Sleep 1000$\install.vbs$fso.DeleteFile $fso.DeleteFile(Wscript.ScriptFullName)$open$!G$!G
                                                  • API String ID: 2743683619-2376316431
                                                  APIs
                                                  • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 004190F2
                                                  • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 00419106
                                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00463050), ref: 0041912E
                                                  • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00471E78,00000000), ref: 00419144
                                                  • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 00419185
                                                  • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041919D
                                                  • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 004191B2
                                                  • SetEvent.KERNEL32 ref: 004191CF
                                                  • WaitForSingleObject.KERNEL32(000001F4), ref: 004191E0
                                                  • CloseHandle.KERNEL32 ref: 004191F0
                                                  • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 00419212
                                                  • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041921C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                  • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                                                  • API String ID: 738084811-1354618412
                                                  APIs
                                                  • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9
                                                  • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401AE3
                                                  • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401AF3
                                                  • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B03
                                                  • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B13
                                                  • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B23
                                                  • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B34
                                                  • WriteFile.KERNEL32(00000000,0046FA9A,00000002,00000000,00000000), ref: 00401B45
                                                  • WriteFile.KERNEL32(00000000,0046FA9C,00000004,00000000,00000000), ref: 00401B55
                                                  • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B65
                                                  • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B76
                                                  • WriteFile.KERNEL32(00000000,0046FAA6,00000002,00000000,00000000), ref: 00401B87
                                                  • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401B97
                                                  • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BA7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$Write$Create
                                                  • String ID: RIFF$WAVE$data$fmt
                                                  • API String ID: 1602526932-4212202414
                                                  APIs
                                                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0041382B
                                                  • LoadLibraryA.KERNEL32(?), ref: 0041386D
                                                  • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0041388D
                                                  • FreeLibrary.KERNEL32(00000000), ref: 00413894
                                                  • LoadLibraryA.KERNEL32(?), ref: 004138CC
                                                  • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 004138DE
                                                  • FreeLibrary.KERNEL32(00000000), ref: 004138E5
                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 004138F4
                                                  • FreeLibrary.KERNEL32(00000000), ref: 0041390B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                  • String ID: \ws2_32$\wship6$`3A$freeaddrinfo$getaddrinfo$getnameinfo
                                                  • API String ID: 2490988753-3443138237
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID: _free$EnvironmentVariable$_wcschr
                                                  • String ID:
                                                  • API String ID: 3899193279-0
                                                  • Opcode ID: 684045cb82c272c6e2ac36361ff8b964f23035e186c2d5dbd227a350b29f8928
                                                  • Instruction ID: f90cfe9d57a3c7213274ca364bab7ea13f4483d5bd7e80e8c07ab134bc70d503
                                                  • Instruction Fuzzy Hash: 80D136719023007BFB60AF7598C166B7BA4AF15718F09817FF985A7381FB3989008B5D
                                                  APIs
                                                  • ___free_lconv_mon.LIBCMT ref: 0044E4EA
                                                    • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D6FF
                                                    • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D711
                                                    • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D723
                                                    • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D735
                                                    • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D747
                                                    • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D759
                                                    • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D76B
                                                    • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D77D
                                                    • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D78F
                                                    • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7A1
                                                    • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7B3
                                                    • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7C5
                                                    • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7D7
                                                  • _free.LIBCMT ref: 0044E4DF
                                                    • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                                    • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                                  • _free.LIBCMT ref: 0044E501
                                                  • _free.LIBCMT ref: 0044E516
                                                  • _free.LIBCMT ref: 0044E521
                                                  • _free.LIBCMT ref: 0044E543
                                                  • _free.LIBCMT ref: 0044E556
                                                  • _free.LIBCMT ref: 0044E564
                                                  • _free.LIBCMT ref: 0044E56F
                                                  • _free.LIBCMT ref: 0044E5A7
                                                  • _free.LIBCMT ref: 0044E5AE
                                                  • _free.LIBCMT ref: 0044E5CB
                                                  • _free.LIBCMT ref: 0044E5E3
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                  • String ID: pF
                                                  • API String ID: 161543041-2973420481
                                                  • Opcode ID: b166b7e86ef1a7ddfa2e36ec319a6e916c21ca5d81851e2e5517d42b5c42f7b7
                                                  • Instruction ID: 6e8371ae3b83bc2427c047bff221b97f6cd80994471b0a2caeb41cff5b169df7
                                                  • Instruction Fuzzy Hash: D4315072500304AFFB205E7AD945B5BB3E5BF00719F55851FE488D6251EE39ED408B18
                                                  APIs
                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 004118B2
                                                    • Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980
                                                    • Part of subcall function 004168A6: CloseHandle.KERNEL32(004040D5,?,?,004040D5,00462E24), ref: 004168BC
                                                    • Part of subcall function 004168A6: CloseHandle.KERNEL32($.F,?,?,004040D5,00462E24), ref: 004168C5
                                                  • Sleep.KERNEL32(0000000A,00462E24), ref: 00411A01
                                                  • Sleep.KERNEL32(0000000A,00462E24,00462E24), ref: 00411AA3
                                                  • Sleep.KERNEL32(0000000A,00462E24,00462E24,00462E24), ref: 00411B42
                                                  • DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411B9F
                                                  • DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411BCF
                                                  • DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411C05
                                                  • Sleep.KERNEL32(000001F4,00462E24,00462E24,00462E24), ref: 00411C25
                                                  • Sleep.KERNEL32(00000064), ref: 00411C63
                                                    • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                  • String ID: /stext "$$.F$@#G$@#G
                                                  • API String ID: 1223786279-2596709126
                                                  • Opcode ID: bd53cf9864bd20e9c524ce1cfd37af81de888470282f81bcb092bebe0936cb7c
                                                  • Instruction ID: f36e1428a9e5a2dc2e21cca38a330b771dfaab2ce7ac60874593ee94e899fa44
                                                  • Instruction Fuzzy Hash: 1CF154311083415AD328FB65D896AEFB3D5AFD0348F40093FF586521E2EF789A4DC69A
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID: _free
                                                  • String ID: pF
                                                  • API String ID: 269201875-2973420481
                                                  • Opcode ID: e28a4125cd182155f8106b0edc14aa680027b5eb54e98ed2c6064bdca11899c6
                                                  • Instruction ID: 42ad863364e9847d0c0ab7d3fc56807329b255bf3c924c15ca724e031f0c4a7b
                                                  • Instruction Fuzzy Hash: 4CC17576D40204ABEB20DFA9CC82FEE77F8AF09B05F154156FE04FB282D674A9458754
                                                  APIs
                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00472248,00471FFC,?,00000001), ref: 0040DE4E
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000001), ref: 0040DE79
                                                  • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040DE95
                                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040DF14
                                                  • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000001), ref: 0040DF23
                                                    • Part of subcall function 00419F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00419F9C
                                                  • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001), ref: 0040E047
                                                  • CloseHandle.KERNEL32(00000000,C:\Program Files(x86)\Internet Explorer\,?,00000001), ref: 0040E133
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID: CloseCreateHandleProcess32$FileFirstModuleMutexNameNextOpenProcessSnapshotToolhelp32
                                                  • String ID: 0"G$C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$!G
                                                  • API String ID: 193334293-3226144251
                                                  • Opcode ID: cf6d12ac23d3bea58c4b9e5c443ef1de1d55369046223e9cec53eb66751e9ba7
                                                  • Instruction ID: 8a3cf51a80cb2752f7e3b1027b115d9c77e2b7a511041fa54b012784d9d6af0a
                                                  • Instruction Fuzzy Hash: DB8121305083419BCA54FB61D8919EEB7E4AFA0348F40493FF586631E2EF78994DC75A
                                                  APIs
                                                  • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041A43B
                                                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041A47F
                                                  • RegCloseKey.ADVAPI32(?), ref: 0041A749
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID: CloseEnumOpen
                                                  • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                                  • API String ID: 1332880857-3714951968
                                                  • Opcode ID: 202c19da245d775da939d21b29cef2875a47ec0cac4e3383d9ae15c6a26c9ad4
                                                  • Instruction ID: 699f57f5c891f1d806a7f6c627c3d9f808e7165cae3c76f1f7c8ebce292c0808
                                                  • Instruction Fuzzy Hash: BC8152311183419BC328EB51D891EEFB7E8EF94348F10493FF586921E2EF749949CA5A
                                                  APIs
                                                  • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041B38F
                                                  • GetCursorPos.USER32(?), ref: 0041B39E
                                                  • SetForegroundWindow.USER32(?), ref: 0041B3A7
                                                  • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041B3C1
                                                  • Shell_NotifyIconA.SHELL32(00000002,00471AE0), ref: 0041B412
                                                  • ExitProcess.KERNEL32 ref: 0041B41A
                                                  • CreatePopupMenu.USER32 ref: 0041B420
                                                  • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041B435
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                  • String ID: Close
                                                  • API String ID: 1657328048-3535843008
                                                  • Opcode ID: a6176c0d6380f4aee2a94f66beec31abf772cd011930890969aeab0fce4376ca
                                                  • Instruction ID: 8a5f592793453ec618f968136b1e584160f7030753e38ead18fcaf25e3e96fa7
                                                  • Instruction Fuzzy Hash: EB211B31110209BFDF054FA4ED0DAAA3F75FB04302F458125F906D2176D7B5D9A0AB59
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID: _free$Info
                                                  • String ID:
                                                  • API String ID: 2509303402-0
                                                  • Opcode ID: 543c517478803d648db1551973bdeb7e45e3e7bd29ee356e71c77ae2fe33fa89
                                                  • Instruction ID: c21780bae5ed168c96e0403295faec6c801d35bf5d84feaa2b3ea2b847582f92
                                                  • Instruction Fuzzy Hash: 70B1D171900305AFEB11DF69C881BEEBBF4BF08705F14456EF588A7342DB799A418B24
                                                  APIs
                                                  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407D1F
                                                  • GetFileSizeEx.KERNEL32(00000000,?), ref: 00407D57
                                                  • __aulldiv.LIBCMT ref: 00407D89
                                                    • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                                    • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                                  • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00407EAC
                                                  • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00407EC7
                                                  • CloseHandle.KERNEL32(00000000), ref: 00407FA0
                                                  • CloseHandle.KERNEL32(00000000,00000052), ref: 00407FEA
                                                  • CloseHandle.KERNEL32(00000000), ref: 00408038
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                                  • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller:
                                                  • API String ID: 3086580692-2596673759
                                                  • Opcode ID: 3628a73cbb86b5736265ac293d311146e85fdcb2316ed178213f0337e0fbe7ae
                                                  • Instruction ID: 8e1224200a6c450cfdafa1dd663dcbd78fa1a86951e699dbe30fbedc525f5c9c
                                                  • Instruction Fuzzy Hash: 05B191316083409BC354FB65C891AAFB7E9AFD4314F40492FF489622D2EF789D458B8B
                                                  APIs
                                                    • Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
                                                    • Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8
                                                    • Part of subcall function 004120E8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
                                                    • Part of subcall function 004120E8: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
                                                    • Part of subcall function 004120E8: RegCloseKey.ADVAPI32(00000000), ref: 00412128
                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C412
                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040C571
                                                  • ExitProcess.KERNEL32 ref: 0040C57D
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                  • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$H"G$Temp$exepath$open
                                                  • API String ID: 1913171305-2600661426
                                                  • Opcode ID: c86d61277acc14c68f24433c0b654e0e29c296f6a8d4ad8667fc6f6870691cc8
                                                  • Instruction ID: b2ba4f5629099335deb4bd311fc34f74cd7c7cff7cc2b9b794c872af44b42b62
                                                  • Instruction Fuzzy Hash: 214132319001185ACB14FBA2DC96DEE7778AF50708F50017FF506B71E2EE785E4ACA99
                                                  APIs
                                                  • connect.WS2_32(?,?,?), ref: 004048C0
                                                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 004049E0
                                                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 004049EE
                                                  • WSAGetLastError.WS2_32 ref: 00404A01
                                                    • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                  • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                  • API String ID: 994465650-2151626615
                                                  • Opcode ID: b56ab407b7d85cc5e8983cef37c9724a1f5c45cc3ea0a996f87df1f4b9ef746f
                                                  • Instruction ID: f1749a2af40dec866484330b2464a30bcc7489b9f615ba144f2b3c776ade1d80
                                                  • Instruction Fuzzy Hash: 37412AB5B406017BD608777A8E1B96E7625AB81304B50017FF901136D2EBBD9C2197DF
                                                  APIs
                                                    • Part of subcall function 00452A89: CreateFileW.KERNEL32(?,00000008,00000007,d.E,?,?,00000000,?,00452E64,00000000,0000000C), ref: 00452AA6
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 00452ECF
                                                  • __dosmaperr.LIBCMT ref: 00452ED6
                                                  • GetFileType.KERNEL32(00000000), ref: 00452EE2
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 00452EEC
                                                  • __dosmaperr.LIBCMT ref: 00452EF5
                                                  • CloseHandle.KERNEL32(00000000), ref: 00452F15
                                                  • CloseHandle.KERNEL32(00000000), ref: 0045305F
                                                  • GetLastError.KERNEL32 ref: 00453091
                                                  • __dosmaperr.LIBCMT ref: 00453098
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                  • String ID: H
                                                  • API String ID: 4237864984-2852464175
                                                  • Opcode ID: 474c31a6c8ccfba43807a2a750eddd9e1d52ca803bebdbe2fa86fef5e1c33935
                                                  • Instruction ID: def4621c7e831d5678052e1043e56ea9e2bfce8be848437acb5cac56d61a7e39
                                                  • Instruction Fuzzy Hash: CAA15832A101049FDF19EF68D8417AE7BB1AB0A325F14015FFC419B392DB798D1ACB5A
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 65535$udp
                                                  • API String ID: 0-1267037602
                                                  • Opcode ID: 28a355c3c2c5299b67e9df14989e725b3f395b8ff7de4f3ce545a5dea485fe56
                                                  • Instruction ID: 74e44cdacc71272d4b4fe4479ff5a2c38cc960f39e0e81ce023821ae7ff597b0
                                                  • Instruction Fuzzy Hash: 3151F1F5209302ABD7209E15C809BBB77D4AB84B52F08842FF8A1973D0D76CDEC0965E
                                                  APIs
                                                  • __Init_thread_footer.LIBCMT ref: 00409C81
                                                  • Sleep.KERNEL32(000001F4), ref: 00409C8C
                                                  • GetForegroundWindow.USER32 ref: 00409C92
                                                  • GetWindowTextLengthW.USER32(00000000), ref: 00409C9B
                                                  • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 00409CCF
                                                  • Sleep.KERNEL32(000003E8), ref: 00409D9D
                                                    • Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                  • String ID: [${ User has been idle for $ minutes }$]
                                                  • API String ID: 911427763-3954389425
                                                  • Opcode ID: a44f1e588b244d76f3851291f59a3d8a0f12b55ab3dd92a15c41ef104020a1a6
                                                  • Instruction ID: 7a62ae1493acfbf190be1d0992f15f5c774c3bdccfea44e4f2dca48363f02a21
                                                  • Opcode Fuzzy Hash: a44f1e588b244d76f3851291f59a3d8a0f12b55ab3dd92a15c41ef104020a1a6
                                                  • Instruction Fuzzy Hash: 7C5193716043405BD304FB61D855A6EB795AF84308F50093FF486A62E3DF7CAE45C69A
                                                  APIs
                                                  • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040C753
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID: LongNamePath
                                                  • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                  • API String ID: 82841172-425784914
                                                  • Opcode ID: 611eacb1f2b12eabfa35ce51232d41e6553fe8371d81c53e9ab5b340c3cd037e
                                                  • Instruction ID: e0747f7f0ded3e76473395fd4b63a7f1dfd4675be44f898a7a0c8db3d1efc66a
                                                  • Opcode Fuzzy Hash: 611eacb1f2b12eabfa35ce51232d41e6553fe8371d81c53e9ab5b340c3cd037e
                                                  • Instruction Fuzzy Hash: EB4168315042419AC204FB62DC929EFB7E8AEA4759F10063FF541720E2EF799E49C99F
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID: _free
                                                  • String ID: pF$tF
                                                  • API String ID: 269201875-2954683558
                                                  • Opcode ID: fb15eab2332ee79fe3b6269c7a6798f30c580aa4b0380318a35312f844840a90
                                                  • Instruction ID: 6443803da38cddfc03973e112e1470be20db66c409a4168417c9ccfa39c85508
                                                  • Opcode Fuzzy Hash: fb15eab2332ee79fe3b6269c7a6798f30c580aa4b0380318a35312f844840a90
                                                  • Instruction Fuzzy Hash: 1261D5B5D00205AFEB20CF69C841BAABBF4EF05B14F15416BE944EB381E7749D41DB58
                                                  APIs
                                                  • Sleep.KERNEL32(00001388), ref: 00409738
                                                    • Part of subcall function 0040966D: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409745), ref: 004096A3
                                                    • Part of subcall function 0040966D: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409745), ref: 004096B2
                                                    • Part of subcall function 0040966D: Sleep.KERNEL32(00002710,?,?,?,00409745), ref: 004096DF
                                                    • Part of subcall function 0040966D: CloseHandle.KERNEL32(00000000,?,?,?,00409745), ref: 004096E6
                                                  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409774
                                                  • GetFileAttributesW.KERNEL32(00000000), ref: 00409785
                                                  • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040979C
                                                  • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409816
                                                    • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                                                  • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00469654,00000000,00000000,00000000), ref: 0040991F
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                  • String ID: 05Mw`Mw$H"G$H"G
                                                  • API String ID: 3795512280-1384184782
                                                  • Opcode ID: 13e2dbf3d5e885c0786faa6bc9ba80587d0ab8a2a4bc2c59858fca73f58dbc4d
                                                  • Instruction ID: 85d6828eff9e87111454ffe40de9a07a949f8ec8799fb43d86416e8e02d17308
                                                  • Opcode Fuzzy Hash: 13e2dbf3d5e885c0786faa6bc9ba80587d0ab8a2a4bc2c59858fca73f58dbc4d
                                                  • Instruction Fuzzy Hash: 9D513D712043015BCB14BB72C9A6ABF76999F90308F00453FB946B72E3DF7D9D09869A
                                                  APIs
                                                  • SetEvent.KERNEL32(?,?), ref: 0040549F
                                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040554F
                                                  • TranslateMessage.USER32(?), ref: 0040555E
                                                  • DispatchMessageA.USER32(?), ref: 00405569
                                                  • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00471F10), ref: 00405621
                                                  • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405659
                                                    • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                  • String ID: CloseChat$DisplayMessage$GetMessage
                                                  • API String ID: 2956720200-749203953
                                                  • Opcode ID: 38da9913c1d94b4fc4e25114756b75ad617155bf13c772cc5ff9b28bcc7bf55c
                                                  • Instruction ID: 0f013d79663c92f7c21c274702d2b8200e9ba5951f20e13ff122dbd33ecc2bba
                                                  • Opcode Fuzzy Hash: 38da9913c1d94b4fc4e25114756b75ad617155bf13c772cc5ff9b28bcc7bf55c
                                                  • Instruction Fuzzy Hash: 8B41C471A043016BCB00FB75DC5A86F77A9EB85714B40093EF946A31D2EF79C905CB9A
                                                  APIs
                                                    • Part of subcall function 0041626A: __EH_prolog.LIBCMT ref: 0041626F
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00463050), ref: 0041611A
                                                  • CloseHandle.KERNEL32(00000000), ref: 00416123
                                                  • DeleteFileA.KERNEL32(00000000), ref: 00416132
                                                  • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 004160E6
                                                    • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                                  • String ID: <$@$@%G$@%G$Temp
                                                  • API String ID: 1704390241-4139030828
                                                  • Opcode ID: 2c1979de410b9738e481fa727b302a0dd89e2ec540be45fee9571ea6700d777e
                                                  • Instruction ID: 980de7e6e99344695fa922fac5fad97fc57b46ec9d0f9c422bd6bd0d3fbbc04a
                                                  • Opcode Fuzzy Hash: 2c1979de410b9738e481fa727b302a0dd89e2ec540be45fee9571ea6700d777e
                                                  • Instruction Fuzzy Hash: 48419131900209ABDB14FB61DC56AEEB739AF50308F50417EF505760E2EF785E8ACB99
                                                  APIs
                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041843C,00000000), ref: 00418AD2
                                                  • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041843C,00000000), ref: 00418AE9
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418AF6
                                                  • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041843C,00000000), ref: 00418B05
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418B16
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418B19
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID: Service$CloseHandle$Open$ControlManager
                                                  • String ID:
                                                  • API String ID: 221034970-0
                                                  • Opcode ID: c0ea185af2b6cb95e5d246b028910c14a7565b46c2d114a674b25013468a4f31
                                                  • Instruction ID: 27c4ffebcf7932a5624e60d5a3802e7503a1161fac6a42b5cc64803f4be6ae02
                                                  • Opcode Fuzzy Hash: c0ea185af2b6cb95e5d246b028910c14a7565b46c2d114a674b25013468a4f31
                                                  • Instruction Fuzzy Hash: A211E9715002186FD610EF64DC89CFF3B6CDF41B96741012AFA0593192DF789D469AF5
                                                  APIs
                                                  • _free.LIBCMT ref: 00445645
                                                    • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                                    • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                                  • _free.LIBCMT ref: 00445651
                                                  • _free.LIBCMT ref: 0044565C
                                                  • _free.LIBCMT ref: 00445667
                                                  • _free.LIBCMT ref: 00445672
                                                  • _free.LIBCMT ref: 0044567D
                                                  • _free.LIBCMT ref: 00445688
                                                  • _free.LIBCMT ref: 00445693
                                                  • _free.LIBCMT ref: 0044569E
                                                  • _free.LIBCMT ref: 004456AC
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 776569668-0
                                                  • Opcode ID: 93d31162751b94c5375648fc1d7c6d5428524314512021667e8ac2086323d142
                                                  • Instruction ID: 08dc7793ba969bb8ae61e50cce6790fa76a3b05f45cdd3d63b195ce4761959f1
                                                  • Opcode Fuzzy Hash: 93d31162751b94c5375648fc1d7c6d5428524314512021667e8ac2086323d142
                                                  • Instruction Fuzzy Hash: A511CB7610010CBFDB01EF55C986CDD3B65FF04759B4284AAFA885F222EA35DF509B88
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00417F6F
                                                  • GdiplusStartup.GDIPLUS(00471668,?,00000000), ref: 00417FA1
                                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041802D
                                                  • Sleep.KERNEL32(000003E8), ref: 004180B3
                                                  • GetLocalTime.KERNEL32(?), ref: 004180BB
                                                  • Sleep.KERNEL32(00000000,00000018,00000000), ref: 004181AA
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                  • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                                  • API String ID: 489098229-3790400642
                                                  • Opcode ID: 27953ccb73c7935c50ce76e498ac53549bd0f641fbc99231dbf637836dbf8ac1
                                                  • Instruction ID: ff50de85f816598f14f139fcbfe24147e98e2bb745fd097185ef2e944e73ca26
                                                  • Opcode Fuzzy Hash: 27953ccb73c7935c50ce76e498ac53549bd0f641fbc99231dbf637836dbf8ac1
                                                  • Instruction Fuzzy Hash: 98516071A001549BCB04BBB5C8529FD76A8AF55308F04403FF805A71E2EF7C5E85C799
                                                  APIs
                                                  • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,004541DF), ref: 00453107
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID: DecodePointer
                                                  • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                  • API String ID: 3527080286-3064271455
                                                  • Opcode ID: f53d904abd5658a060f413a89978d0306c3294a3021a30185663c10ae64f840c
                                                  • Instruction ID: 9333e61b372fbf41addd7e909d3efe481a8fa84217f9852f3907f1ba123c2b47
                                                  • Opcode Fuzzy Hash: f53d904abd5658a060f413a89978d0306c3294a3021a30185663c10ae64f840c
                                                  • Instruction Fuzzy Hash: CC518F30900909DBCF10DFA8E9480ADBBB0FF0A347F644196EC81A7216CB799A1DDB1D
                                                  APIs
                                                  • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00415A1A
                                                    • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                                                  • Sleep.KERNEL32(00000064), ref: 00415A46
                                                  • DeleteFileW.KERNEL32(00000000), ref: 00415A7A
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID: File$CreateDeleteExecuteShellSleep
                                                  • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                  • API String ID: 1462127192-2001430897
                                                  • Opcode ID: c216d361bb9ef99ebd7f865ddf1f7fdade912dea526e25dca7a569b2ba1e0d71
                                                  • Instruction ID: 7fbd65b43d39327dc9f625a99f058064c4c6325298edc9245ab65683dcac2845
                                                  • Opcode Fuzzy Hash: c216d361bb9ef99ebd7f865ddf1f7fdade912dea526e25dca7a569b2ba1e0d71
                                                  • Instruction Fuzzy Hash: FA315E719402199ACB04FBA1DC96DEE7768EF50308F40017FF506731E2EE785E8ACA99
                                                  APIs
                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 00406775
                                                  • ExitProcess.KERNEL32 ref: 00406782
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID: ExecuteExitProcessShell
                                                  • String ID: H"G$Software\Classes\mscfile\shell\open\command$eventvwr.exe$mscfile\shell\open\command$open$origmsc
                                                  • API String ID: 1124553745-1488154373
                                                  • Opcode ID: 8e5fad59d86c60b71b0e885ed10285bbf14514be7c7ad01d69b843f0820051ef
                                                  • Instruction ID: 062031feec86e4e4641db6525c6f69cb17b792298443eef288e26788f9a4eac4
                                                  • Opcode Fuzzy Hash: 8e5fad59d86c60b71b0e885ed10285bbf14514be7c7ad01d69b843f0820051ef
                                                  • Instruction Fuzzy Hash: 36110571A4420166D704B7A2DC57FEF32689B10B09F50003FF906B61D2EEBC5A4982DE
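The two functions above leave host telemetry that is easy to hunt for: the routine at 00406775 carries the per-user `Software\Classes\mscfile\shell\open\command` path together with `eventvwr.exe` and `origmsc`, the well-known auto-elevation bypass in which eventvwr.exe resolves the .msc handler from HKCU before HKCR, and the routine at 00415A1A runs dxdiag with `/t` into a `\sysinfo.txt` under temp, sleeps, reads the report and deletes it. The following Python is an added example and not part of the Joe Sandbox report or of Remcos: it triages Sysmon-style process-creation (Event ID 1) and registry-value-set (Event ID 13) records for both behaviours and correlates a registry hijack write with the child that eventvwr.exe later spawns. The records, the field names, the SID, the user name, the parent/child relations and the malware path are constructed for illustration; the full dxdiag command line is inferred from the `/t `, `\sysinfo.txt` and `temp` strings in the listing rather than read from the report.

```python
"""Triage of Sysmon-style events for two behaviours in the listing above:
the HKCU mscfile\\shell\\open\\command hijack followed by an eventvwr.exe
launch, and dxdiag /t <temp>\\sysinfo.txt. Added example; every record
below is constructed, not taken from the sandbox run."""
import ntpath
import re

# Default value of the per-user mscfile handler; Sysmon names the default "(Default)".
MSCFILE_KEY = re.compile(
    r"\\Software\\Classes\\mscfile\\shell\\open\\command(\\\(Default\))?$", re.I)
# "/t <file>" makes dxdiag write a text report and exit; the file name is from the listing.
DXDIAG_DUMP = re.compile(r"(?:^|\s)/t\s+(\S+sysinfo\.txt)", re.I)

# Constructed Sysmon-like records (EventID 1 = process create, 13 = registry value set).
# Paths, SID, user name and parent/child relations are assumptions for illustration.
MALWARE = r"C:\Users\user\AppData\Local\Temp\tXcFA8apHU.exe"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": MALWARE,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Classes\mscfile\shell\open\command\(Default)",
     "Details": MALWARE},
    {"EventID": 1, "Image": r"C:\Windows\System32\eventvwr.exe", "ParentImage": MALWARE,
     "CommandLine": "eventvwr.exe", "IntegrityLevel": "High"},
    {"EventID": 1, "Image": MALWARE, "ParentImage": r"C:\Windows\System32\eventvwr.exe",
     "CommandLine": MALWARE, "IntegrityLevel": "High"},
    # Benign: eventvwr.exe normally hands its .msc to mmc.exe.
    {"EventID": 1, "Image": r"C:\Windows\System32\mmc.exe",
     "ParentImage": r"C:\Windows\System32\eventvwr.exe",
     "CommandLine": r'"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"',
     "IntegrityLevel": "High"},
    {"EventID": 1, "Image": r"C:\Windows\System32\dxdiag.exe", "ParentImage": MALWARE,
     "CommandLine": r"dxdiag /t C:\Users\user\AppData\Local\Temp\sysinfo.txt",
     "IntegrityLevel": "High"},
    # Benign: interactive dxdiag without the report switch.
    {"EventID": 1, "Image": r"C:\Windows\System32\dxdiag.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "dxdiag",
     "IntegrityLevel": "Medium"},
]


def _base(path):
    """Case-folded file name of a Windows path (ntpath works on any host)."""
    return ntpath.basename(path or "").lower()


def triage(events):
    """Return one finding per matching event, in input order. A child of
    eventvwr.exe whose image equals an earlier hijack payload is marked as the
    completed bypass chain rather than just an odd parent/child pair."""
    findings = []
    hijack_payloads = set()
    for ev in events:
        eid = ev.get("EventID")
        if eid == 13 and MSCFILE_KEY.search(ev.get("TargetObject", "")):
            payload = ev.get("Details", "")
            hijack_payloads.add(payload.lower())
            findings.append({"rule": "mscfile_open_command_hijack",
                             "writer": ev.get("Image"), "payload": payload})
        elif eid == 1:
            image, parent = _base(ev.get("Image")), _base(ev.get("ParentImage"))
            if parent == "eventvwr.exe" and image != "mmc.exe":
                findings.append({"rule": "eventvwr_spawned_non_mmc",
                                 "image": ev.get("Image"),
                                 "integrity": ev.get("IntegrityLevel"),
                                 "completes_hijack": ev.get("Image", "").lower() in hijack_payloads})
            if image == "dxdiag.exe":
                m = DXDIAG_DUMP.search(ev.get("CommandLine", ""))
                if m:
                    findings.append({"rule": "dxdiag_sysinfo_dump", "report": m.group(1),
                                     "parent": ev.get("ParentImage")})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed records it yields three findings: the hijack write, the High-integrity child of eventvwr.exe flagged as completing that hijack, and the dxdiag report into the temp directory; the mmc.exe child and the interactive dxdiag launch are left alone. On a live host the same registry write is also worth checking directly, since the key persists if the sample exits before restoring the value it saved under `origmsc`.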
                                                  APIs
                                                  • AllocConsole.KERNEL32(00000001), ref: 0041AA5D
                                                  • ShowWindow.USER32(00000000,00000000), ref: 0041AA76
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID: AllocConsoleShowWindow
                                                  • String ID: * BreakingSecurity.net$ * Remcos v$--------------------------$--------------------------$3.8.0 Pro$CONOUT$
                                                  • API String ID: 4118500197-4025029772
                                                  • Opcode ID: 613498324cd6a8c522b436d369b4391aab2e08fe6d6e431343eccbd2d6afca2c
                                                  • Instruction ID: 07661f9972e693547954b0fc743ee20e91627884e026026f5b86345d1a8b50cd
                                                  • Opcode Fuzzy Hash: 613498324cd6a8c522b436d369b4391aab2e08fe6d6e431343eccbd2d6afca2c
                                                  • Instruction Fuzzy Hash: CE015271D803586ADB10EBF59C06FDF77AC6B18708F54142BB100A7095E7FC950C4A2D
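The console routine at 0041AA5D prints the vendor banner from separate literals (` * Remcos v`, `3.8.0 Pro`, ` * BreakingSecurity.net`), so the version is never stored as one contiguous string and a scan of a process dump has to pick the pieces up independently. The Python below is an added example, not code from the report or from Remcos: it builds a capability inventory of a dump from the String IDs listed in this section, looking for each literal in both ANSI and UTF-16LE form because the listing mixes A and W API variants (lstrcpynA for the tray name, GetWindowTextW in the idle routine). The two buffers are constructed stand-ins for a memory dump; the capability names assigned to the literals are my labels.

```python
"""Capability inventory of a Remcos process dump built from the string
literals shown in this listing. Added example, not from the report; the two
sample buffers are constructed stand-ins for a memory dump."""
import re

BANNER = b" * Remcos v"          # printed by the AllocConsole routine above
VERSION_ANSI = re.compile(rb"\d+\.\d+\.\d+ [A-Za-z]+")
# Same shape with a NUL after every character, for UTF-16LE literals.
VERSION_WIDE = re.compile(rb"(?:\d\x00)+\.\x00(?:\d\x00)+\.\x00(?:\d\x00)+ \x00(?:[A-Za-z]\x00)+")

# Literal -> capability label; every literal is a String ID from this section.
MARKERS = {
    b" * BreakingSecurity.net": "vendor_banner",
    b"mscfile\\shell\\open\\command": "uac_bypass_eventvwr",
    b"\\sysinfo.txt": "sysinfo_via_dxdiag",
    b"DisplayMessage": "chat_window",
    b"User has been idle for": "keylogger_idle_marker",
    b"time_%04i%02i%02i_%02i%02i%02i": "timed_screenshots",
}


def _both(literal):
    """ANSI and UTF-16LE forms of one literal."""
    return literal, literal.decode("ascii").encode("utf-16-le")


def scan_dump(buf):
    """Return banner offset, version literal and the capability labels found."""
    result = {"banner_offset": None, "version": None, "capabilities": []}
    for enc in _both(BANNER):
        off = buf.find(enc)
        if off != -1:
            result["banner_offset"] = off
            break
    # The version ("3.8.0 Pro" in this sample) is a separate literal that is
    # formatted in at runtime, so it is searched independently of the banner.
    m = VERSION_ANSI.search(buf)
    if m:
        result["version"] = m.group(0).decode("ascii")
    else:
        m = VERSION_WIDE.search(buf)
        if m:
            result["version"] = m.group(0).decode("utf-16-le")
    for literal, name in MARKERS.items():
        if any(buf.find(enc) != -1 for enc in _both(literal)):
            result["capabilities"].append(name)
    return result


# Constructed stand-in with ANSI literals, NUL-separated as they sit in .rdata ...
ANSI_DUMP = b"\x00" * 32 + b"\x00".join([
    b"CONOUT$", b" * Remcos v", b"--------------------------", b"3.8.0 Pro",
    b" * BreakingSecurity.net", b"mscfile\\shell\\open\\command", b"\\sysinfo.txt",
]) + b"\x00" * 32
# ... and one with wide literals, as the GetWindowTextW-based idle routine uses.
WIDE_DUMP = b"\x00" * 32 + b"".join(
    s.encode("utf-16-le") + b"\x00\x00"
    for s in ["[${ User has been idle for $ minutes }$]", " * Remcos v", "3.8.0 Pro",
              "time_%04i%02i%02i_%02i%02i%02i"]) + b"\x00" * 32

if __name__ == "__main__":
    print(scan_dump(ANSI_DUMP))
    print(scan_dump(WIDE_DUMP))
```

The ANSI buffer yields version `3.8.0 Pro` with the vendor banner, the mscfile hijack path and the dxdiag report name; the wide buffer yields the same version plus the keylogger idle marker and the screenshot name pattern. Running the same function over the real dump referenced above (`00000014.00000002.1351040252.0000000000400000...sdmp`) would be the natural next step; this example does not include that file.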
                                                  APIs
                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041B22B
                                                    • Part of subcall function 0041B2C4: RegisterClassExA.USER32(00000030), ref: 0041B310
                                                    • Part of subcall function 0041B2C4: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041B32B
                                                    • Part of subcall function 0041B2C4: GetLastError.KERNEL32 ref: 0041B335
                                                  • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041B262
                                                  • lstrcpynA.KERNEL32(00471AF8,Remcos,00000080), ref: 0041B27C
                                                  • Shell_NotifyIconA.SHELL32(00000000,00471AE0), ref: 0041B292
                                                  • TranslateMessage.USER32(?), ref: 0041B29E
                                                  • DispatchMessageA.USER32(?), ref: 0041B2A8
                                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041B2B5
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                  • String ID: Remcos
                                                  • API String ID: 1970332568-165870891
                                                  • Opcode ID: 6a629144b245819b38f2933f29616ef2380529a0a937335efbac9e54df28edc4
                                                  • Instruction ID: 392c2ce23d615fe7cfca65c1bdf78dc563e79c4ff08160ae13be93183ad442b8
                                                  • Opcode Fuzzy Hash: 6a629144b245819b38f2933f29616ef2380529a0a937335efbac9e54df28edc4
                                                  • Instruction Fuzzy Hash: CD013971901308ABCB10DBB9ED4EEDB7BBCFB85B05F40417AF51992061D7B89489CB68
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d7410a98b278d9d25d0fcdc47fb7c960ad5f7d9b58d6d06d1c87314e37a5ed65
                                                  • Instruction ID: 53180985ac70b1d9c95f382170f9691aec8243d5c40cf1d2be039b65846bfc46
                                                  • Opcode Fuzzy Hash: d7410a98b278d9d25d0fcdc47fb7c960ad5f7d9b58d6d06d1c87314e37a5ed65
                                                  • Instruction Fuzzy Hash: 2DC12970D44245AFEB11DFA8D841BEEBBB0BF19304F04419AE844A7392C7798D51DB6B
                                                  APIs
                                                  • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0045123C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 0045100F
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 00451092
                                                  • __alloca_probe_16.LIBCMT ref: 004510CA
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,0045123C,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 00451125
                                                  • __alloca_probe_16.LIBCMT ref: 00451174
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 0045113C
                                                    • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 004511B8
                                                  • __freea.LIBCMT ref: 004511E3
                                                  • __freea.LIBCMT ref: 004511EF
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                  • String ID:
                                                  • API String ID: 201697637-0
                                                  APIs
                                                    • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                                    • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                                    • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                                    • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                                  • _memcmp.LIBVCRUNTIME ref: 00442935
                                                  • _free.LIBCMT ref: 004429A6
                                                  • _free.LIBCMT ref: 004429BF
                                                  • _free.LIBCMT ref: 004429F1
                                                  • _free.LIBCMT ref: 004429FA
                                                  • _free.LIBCMT ref: 00442A06
                                                  Similarity
                                                  • API ID: _free$ErrorLast$_abort_memcmp
                                                  • String ID: C
                                                  • API String ID: 1679612858-1037565863
                                                  Similarity
                                                  • API ID:
                                                  • String ID: tcp$udp
                                                  • API String ID: 0-3725065008
                                                  Similarity
                                                  • API ID: Eventinet_ntoa
                                                  • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
                                                  • API String ID: 3578746661-168337528
                                                  APIs
                                                  • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00471E78,00462F54,?,00000000,0040708D,00000000), ref: 00406A56
                                                  • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,0040708D,00000000,?,?,0000000A,00000000), ref: 00406A9E
                                                    • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                                  • CloseHandle.KERNEL32(00000000,?,00000000,0040708D,00000000,?,?,0000000A,00000000), ref: 00406ADE
                                                  • MoveFileW.KERNEL32(00000000,00000000), ref: 00406AFB
                                                  • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00406B26
                                                  • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00406B36
                                                    • Part of subcall function 00404B76: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,00404C29,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404B85
                                                    • Part of subcall function 00404B76: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040546B), ref: 00404BA3
                                                  Similarity
                                                  • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                  • String ID: .part
                                                  • API String ID: 1303771098-3499674018
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0043E2F6,0043E2F6,?,?,?,00447215,00000001,00000001,80E85006), ref: 0044701E
                                                  • __alloca_probe_16.LIBCMT ref: 00447056
                                                  • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00447215,00000001,00000001,80E85006,?,?,?), ref: 004470A4
                                                  • __alloca_probe_16.LIBCMT ref: 0044713B
                                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,80E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044719E
                                                  • __freea.LIBCMT ref: 004471AB
                                                    • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                                                  • __freea.LIBCMT ref: 004471B4
                                                  • __freea.LIBCMT ref: 004471D9
                                                  Similarity
                                                  • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                  • String ID:
                                                  • API String ID: 3864826663-0
                                                  APIs
                                                  • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417982
                                                  • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179A3
                                                  • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179C3
                                                  • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179D7
                                                  • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179ED
                                                  • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417A0A
                                                  • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417A25
                                                  • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00417A41
                                                  Similarity
                                                  • API ID: InputSend
                                                  • String ID:
                                                  • API String ID: 3431551938-0
                                                  APIs
                                                  • OpenClipboard.USER32 ref: 00414F41
                                                  • EmptyClipboard.USER32 ref: 00414F4F
                                                  • CloseClipboard.USER32 ref: 00414F55
                                                  • OpenClipboard.USER32 ref: 00414F5C
                                                  • GetClipboardData.USER32(0000000D), ref: 00414F6C
                                                  • GlobalLock.KERNEL32(00000000), ref: 00414F75
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 00414F7E
                                                  • CloseClipboard.USER32 ref: 00414F84
                                                    • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                                  Similarity
                                                  • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                  • String ID:
                                                  • API String ID: 2172192267-0
                                                  APIs
                                                  • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00447ECC,00453EB5,00000000,00000000,00000000,00000000,00000000), ref: 00447799
                                                  • __fassign.LIBCMT ref: 00447814
                                                  • __fassign.LIBCMT ref: 0044782F
                                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00447855
                                                  • WriteFile.KERNEL32(?,00000000,00000000,00447ECC,00000000,?,?,?,?,?,?,?,?,?,00447ECC,00453EB5), ref: 00447874
                                                  • WriteFile.KERNEL32(?,00453EB5,00000001,00447ECC,00000000,?,?,?,?,?,?,?,?,?,00447ECC,00453EB5), ref: 004478AD
                                                  Similarity
                                                  • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                  • String ID:
                                                  • API String ID: 1324828854-0
                                                  Similarity
                                                  • API ID: _free
                                                  • String ID: $-E$$-E
                                                  • API String ID: 269201875-3140958853
                                                  APIs
                                                  • _strftime.LIBCMT ref: 00401D30
                                                    • Part of subcall function 00401A4D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9
                                                  • waveInUnprepareHeader.WINMM(0046FA78,00000020,00000000,?), ref: 00401DE2
                                                  • waveInPrepareHeader.WINMM(0046FA78,00000020), ref: 00401E20
                                                  • waveInAddBuffer.WINMM(0046FA78,00000020), ref: 00401E2F
                                                  Similarity
                                                  • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                  • String ID: %Y-%m-%d %H.%M$.wav
                                                  • API String ID: 3809562944-3597965672
                                                  APIs
                                                    • Part of subcall function 00411F91: RegOpenKeyExA.ADVAPI32(80000002,00000400,00000000,00020019,?), ref: 00411FB5
                                                    • Part of subcall function 00411F91: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00411FD2
                                                    • Part of subcall function 00411F91: RegCloseKey.ADVAPI32(?), ref: 00411FDD
                                                  • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040AEAC
                                                  • PathFileExistsA.SHLWAPI(?), ref: 0040AEB9
                                                  Similarity
                                                  • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                  • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                  • API String ID: 1133728706-4073444585
                                                  APIs
                                                    • Part of subcall function 0044DE21: _free.LIBCMT ref: 0044DE4A
                                                  • _free.LIBCMT ref: 0044E128
                                                    • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                                    • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                                  • _free.LIBCMT ref: 0044E133
                                                  • _free.LIBCMT ref: 0044E13E
                                                  • _free.LIBCMT ref: 0044E192
                                                  • _free.LIBCMT ref: 0044E19D
                                                  • _free.LIBCMT ref: 0044E1A8
                                                  • _free.LIBCMT ref: 0044E1B3
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 776569668-0
                                                  APIs
                                                    • Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
                                                    • Part of subcall function 00411F91: RegOpenKeyExA.ADVAPI32(80000002,00000400,00000000,00020019,?), ref: 00411FB5
                                                    • Part of subcall function 00411F91: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00411FD2
                                                    • Part of subcall function 00411F91: RegCloseKey.ADVAPI32(?), ref: 00411FDD
                                                  • StrToIntA.SHLWAPI(00000000,00469710,00000000,00000000,00000000,00471FFC,00000001,?,?,?,?,?,?,0040D6A0), ref: 00419327
                                                  Similarity
                                                  • API ID: CloseCurrentOpenProcessQueryValue
                                                  • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                  • API String ID: 1866151309-2070987746
                                                  APIs
                                                  • GetLastError.KERNEL32(?,?,004380F1,0043705E), ref: 00438108
                                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00438116
                                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043812F
                                                  • SetLastError.KERNEL32(00000000,?,004380F1,0043705E), ref: 00438181
                                                  Similarity
                                                  • API ID: ErrorLastValue___vcrt_
                                                  • String ID:
                                                  • API String ID: 3852720340-0
                                                  APIs
                                                  • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040AA1E
                                                  • GetLastError.KERNEL32 ref: 0040AA28
                                                  Strings
                                                  • UserProfile, xrefs: 0040A9EE
                                                  • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040A9E9
                                                  • [Chrome Cookies found, cleared!], xrefs: 0040AA4E
                                                  • [Chrome Cookies not found], xrefs: 0040AA42
                                                  Yara matches
                                                  Similarity
                                                  • API ID: DeleteErrorFileLast
                                                  • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                  • API String ID: 2018770650-304995407
                                                  APIs
                                                    • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                                  • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00418DA8
                                                  • PlaySoundW.WINMM(00000000,00000000), ref: 00418DB6
                                                  • Sleep.KERNEL32(00002710), ref: 00418DBD
                                                  • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00418DC6
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: PlaySound$HandleLocalModuleSleepTime
                                                  • String ID: Alarm triggered$`Mw
                                                  • API String ID: 614609389-968373943
                                                  APIs
                                                  • __allrem.LIBCMT ref: 00438A09
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A25
                                                  • __allrem.LIBCMT ref: 00438A3C
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A5A
                                                  • __allrem.LIBCMT ref: 00438A71
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A8F
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                  • String ID:
                                                  • API String ID: 1992179935-0
                                                  APIs
                                                  Yara matches
                                                  Similarity
                                                  • API ID: __cftoe
                                                  • String ID:
                                                  • API String ID: 4189289331-0
                                                  APIs
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: __freea$__alloca_probe_16_free
                                                  • String ID: a/p$am/pm
                                                  • API String ID: 2936374016-3206640213
                                                  APIs
                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0040F8C4
                                                  • int.LIBCPMT ref: 0040F8D7
                                                    • Part of subcall function 0040CAE9: std::_Lockit::_Lockit.LIBCPMT ref: 0040CAFA
                                                    • Part of subcall function 0040CAE9: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CB14
                                                  • std::_Facet_Register.LIBCPMT ref: 0040F917
                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0040F920
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040F93E
                                                  • __Init_thread_footer.LIBCMT ref: 0040F97F
                                                  Yara matches
                                                  Similarity
                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                                  • String ID:
                                                  • API String ID: 3815856325-0
                                                  APIs
                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C3E
                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,00418344,00000000), ref: 00418C52
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418C5F
                                                  • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C94
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418CA6
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418CA9
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                  • String ID:
                                                  • API String ID: 493672254-0
                                                  APIs
                                                  • GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                                  • _free.LIBCMT ref: 0044575C
                                                  • _free.LIBCMT ref: 00445784
                                                  • SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                                                  • SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                                  • _abort.LIBCMT ref: 004457A3
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$_free$_abort
                                                  • String ID:
                                                  • API String ID: 3160817290-0
                                                  APIs
                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,004185D9,00000000), ref: 00418A6B
                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,004185D9,00000000), ref: 00418A7F
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418A8C
                                                  • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004185D9,00000000), ref: 00418A9B
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418AAD
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418AB0
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$CloseHandle$Open$ControlManager
                                                  • String ID:
                                                  • API String ID: 221034970-0
                                                  APIs
                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,00418559,00000000), ref: 00418B6F
                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00418559,00000000), ref: 00418B83
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418B90
                                                  • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00418559,00000000), ref: 00418B9F
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418BB1
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418BB4
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$CloseHandle$Open$ControlManager
                                                  • String ID:
                                                  • API String ID: 221034970-0
                                                  APIs
                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,004184D9,00000000), ref: 00418BD6
                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,004184D9,00000000), ref: 00418BEA
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418BF7
                                                  • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,004184D9,00000000), ref: 00418C06
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418C18
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418C1B
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$CloseHandle$Open$ControlManager
                                                  • String ID:
                                                  • API String ID: 221034970-0
                                                  APIs
                                                  • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409745), ref: 004096A3
                                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409745), ref: 004096B2
                                                  • Sleep.KERNEL32(00002710,?,?,?,00409745), ref: 004096DF
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,00409745), ref: 004096E6
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CloseCreateHandleSizeSleep
                                                  • String ID: h G
                                                  • API String ID: 1958988193-3300504347
                                                  APIs
                                                  • RegisterClassExA.USER32(00000030), ref: 0041B310
                                                  • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041B32B
                                                  • GetLastError.KERNEL32 ref: 0041B335
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ClassCreateErrorLastRegisterWindow
                                                  • String ID: 0$MsgWindowClass
                                                  • API String ID: 2877667751-2410386613
                                                  APIs
                                                  • ___BuildCatchObject.LIBVCRUNTIME ref: 0043761A
                                                    • Part of subcall function 00437C52: ___AdjustPointer.LIBCMT ref: 00437C9C
                                                  • _UnwindNestedFrames.LIBCMT ref: 00437631
                                                  • ___FrameUnwindToState.LIBVCRUNTIME ref: 00437643
                                                  • CallCatchBlock.LIBVCRUNTIME ref: 00437667
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                                  • String ID: /zC
                                                  • API String ID: 2633735394-4132788633
                                                  APIs
                                                  • GetSystemMetrics.USER32(0000004C), ref: 004173AA
                                                  • GetSystemMetrics.USER32(0000004D), ref: 004173B0
                                                  • GetSystemMetrics.USER32(0000004E), ref: 004173B6
                                                  • GetSystemMetrics.USER32(0000004F), ref: 004173BC
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: MetricsSystem
                                                  • String ID: ]tA
                                                  • API String ID: 4116985748-3517819141
                                                  APIs
                                                  • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?,00000000,00471FFC), ref: 0040E547
                                                  • CloseHandle.KERNEL32(?,?,?,?,?,00000000,00471FFC), ref: 0040E556
                                                  • CloseHandle.KERNEL32(?,?,?,?,?,00000000,00471FFC), ref: 0040E55B
                                                  Strings
                                                  • C:\Windows\System32\cmd.exe, xrefs: 0040E542
                                                  • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 0040E53D
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseHandle$CreateProcess
                                                  • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                  • API String ID: 2922976086-4183131282
                                                  • Opcode ID: 5cb763d495b165fc4f9c66d013102bd94a78ddd016aca5e3dc924e3fee2ecf0f
                                                  • Instruction ID: 9c8cd13d2f2f5b55d8ef3643fb71004f418ed3317f879fdff7c1c4061e2abca7
                                                  • Opcode Fuzzy Hash: 5cb763d495b165fc4f9c66d013102bd94a78ddd016aca5e3dc924e3fee2ecf0f
                                                  • Instruction Fuzzy Hash: 1AF06276D0029C7ACB20AAD7AC0DEDF7F3CEBC6B11F00005AB504A2050D5746540CAB5
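The CreateProcessA call above is the sample disabling User Account Control: `reg.exe ADD ... /v EnableLUA /t REG_DWORD /d 0 /f` sets EnableLUA to 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, wrapped in `cmd.exe /k`. The following detection logic is an added example, not part of the Joe Sandbox report and not code from the sample; it runs a Sigma-style command-line check over constructed Sysmon Event ID 1 records. The first record carries the exact command line shown in the report; the reg.exe child, the PIDs and the parent path are assumptions made for the example. The pattern accepts the variants a practitioner sees in practice (HKLM or HKEY_LOCAL_MACHINE, quoted key, `0` or `0x0`) and ignores `reg query` and writes that re-enable UAC.

```python
import re
from typing import Iterable

# Constructed process-creation records in the shape of Sysmon Event ID 1 fields.
# Record 1 is the command line from the report's CreateProcessA call at 0040E547;
# record 2 is the reg.exe child as it would log once cmd.exe expanded %windir%
# (assumed here); records 3 and 4 are benign controls. PIDs and paths are invented.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent_image": r"C:\Users\user\Desktop\sample.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD "
                r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "
                r"/v EnableLUA /t REG_DWORD /d 0 /f"},
    {"pid": 4133, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'C:\Windows\System32\reg.exe ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft'
                r'\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0x0 /f'},
    {"pid": 4150, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA"},
    {"pid": 4162, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "
                r"/v EnableLUA /t REG_DWORD /d 1 /f"},
]

# reg(.exe) add <UAC policy key> ... /v EnableLUA ... /d 0 (order of /v, /t, /d is free)
UAC_DISABLE_RE = re.compile(
    r"""
    \breg(?:\.exe)?\s+add\s+                        # reg add / reg.exe ADD
    "?(?:HKLM|HKEY_LOCAL_MACHINE)\\                 # hive, optionally quoted
    software\\microsoft\\windows\\currentversion\\policies\\system"?\s
    (?=.*?/v\s+"?enablelua"?\b)                     # value name EnableLUA
    (?=.*?/d\s+"?(?:0x)?0+"?(?:\s|$))               # data 0 / 0x0 / 00, not 1 or 0x10
    """,
    re.IGNORECASE | re.VERBOSE,
)


def normalize(cmdline: str) -> str:
    """Collapse runs of whitespace so spacing tricks do not defeat the pattern."""
    return " ".join(cmdline.split())


def is_uac_disable(cmdline: str) -> bool:
    """True when the command line writes EnableLUA=0 through reg.exe."""
    return UAC_DISABLE_RE.search(normalize(cmdline)) is not None


def scan(events: Iterable[dict]) -> list[dict]:
    """Return the records whose command line disables UAC, with parent context kept."""
    return [
        {"pid": e["pid"], "parent_image": e["parent_image"], "cmdline": e["cmdline"]}
        for e in events
        if is_uac_disable(e["cmdline"])
    ]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"UAC disabled via reg.exe: pid={hit['pid']} parent={hit['parent_image']}")
        print(f"  {hit['cmdline']}")
```

Two caveats for anyone turning this into a rule. The pattern only sees reg.exe; a `Set-ItemProperty` from PowerShell or a direct RegSetValueEx from the malware's own process leaves no such command line, so pair it with registry value-set telemetry (Sysmon Event ID 13, or Windows Security 4657 with a SACL) on the same key. On a suspect host, `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA` shows whether the write succeeded; the write requires an elevated token, and the new value takes effect only after a reboot, so a value of 0 with UAC still prompting means the change is pending, not failed.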
                                                  APIs
                                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004407EB,00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002), ref: 0044085A
                                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044086D
                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,004407EB,00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002), ref: 00440890
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                  • String ID: CorExitProcess$mscoree.dll
                                                  • API String ID: 4061214504-1276376045
                                                  • Opcode ID: cfbbdf30ec96b6666769d195f1efe458a00f065bb439fa98bb073361271b6784
                                                  • Instruction ID: 0a8d3f567fe41ef9be558500660f8c42ae883db5e601ee7dbbda2c1d2cd30ed9
                                                  • Opcode Fuzzy Hash: cfbbdf30ec96b6666769d195f1efe458a00f065bb439fa98bb073361271b6784
                                                  • Instruction Fuzzy Hash: EAF0A431900618BBDB10AF61DC09BAEBFB4DB04756F510275F905A2261CB74CE54CA98
                                                  APIs
                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00471E90,00404E5A,00000001,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405100
                                                  • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 0040510C
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405117
                                                  • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405120
                                                    • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                                  Strings
                                                  • Connection KeepAlive | Disabled, xrefs: 004050D9
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                  • String ID: Connection KeepAlive | Disabled
                                                  • API String ID: 2993684571-3818284553
                                                  • Opcode ID: 225cf815540c87da9bddac79f5b913ec4e7dd3a96093c31c561b7671f502e72f
                                                  • Instruction ID: 9f72672606b7a98fb4f6c5586ee23e87f0057564a74405461857646c77684129
                                                  • Opcode Fuzzy Hash: 225cf815540c87da9bddac79f5b913ec4e7dd3a96093c31c561b7671f502e72f
                                                  • Instruction Fuzzy Hash: 73F09671D047007FEB1037759D0AA6B7F98DB02315F44096EF882526E1D5B988509B5A
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 004013FC
                                                  • GetProcAddress.KERNEL32(00000000), ref: 00401403
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressHandleModuleProc
                                                  • String ID: GetCursorInfo$User32.dll$`Mw
                                                  • API String ID: 1646373207-2986171508
                                                  • Opcode ID: 088d9d047025d8497e924925820d5eb65f0f262b7c85d6662a4774416c360c30
                                                  • Instruction ID: b28a71f0ab0cd05a0e9183a6667f806437ada0decc35e30242c3667109896680
                                                  • Opcode Fuzzy Hash: 088d9d047025d8497e924925820d5eb65f0f262b7c85d6662a4774416c360c30
                                                  • Instruction Fuzzy Hash: 8BB09BB5741301BB8A017B705E0D905357C550470375102A3B00386161F7F44500C61E
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0ee00742f353d3b6c360b2e24851711a1429195aca157381f7858ce70f5acd61
                                                  • Instruction ID: 08a5b5d7c592992a36ca4e715a0fda7f3efcfcd9ac9fa05da90acde50f0064fb
                                                  • Opcode Fuzzy Hash: 0ee00742f353d3b6c360b2e24851711a1429195aca157381f7858ce70f5acd61
                                                  • Instruction Fuzzy Hash: C471C3319002169BCB21CF55C884BFFBB75EF99320F24622BEA5167241DB788D41CBE9
                                                  APIs
                                                  • Sleep.KERNEL32(00000000,?), ref: 004044A4
                                                    • Part of subcall function 004045E7: __EH_prolog.LIBCMT ref: 004045EC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: H_prologSleep
                                                  • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
                                                  • API String ID: 3469354165-3547787478
                                                  • Opcode ID: 2596316b9bbcd228594034146af270f3e01bd3c3610974548e797489da08f636
                                                  • Instruction ID: 7794b0ea9bf29785644917a3a4e5658b539d561772896ef264e5995737b90c85
                                                  • Opcode Fuzzy Hash: 2596316b9bbcd228594034146af270f3e01bd3c3610974548e797489da08f636
                                                  • Instruction Fuzzy Hash: 5951E8B1B0420167C614BB769D5AA6E3795ABC0744F00053FFA45A77E2EF7C8D09C29E
                                                  APIs
                                                    • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                                                  • _free.LIBCMT ref: 00442318
                                                  • _free.LIBCMT ref: 0044232F
                                                  • _free.LIBCMT ref: 0044234E
                                                  • _free.LIBCMT ref: 00442369
                                                  • _free.LIBCMT ref: 00442380
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$AllocateHeap
                                                  • String ID:
                                                  • API String ID: 3033488037-0
                                                  • Opcode ID: 68d3d4ca8a647a007ad94700598122f23d06d752802edf7745cc1232d3d9ba81
                                                  • Instruction ID: f6524bd8b7bf53f5b45239f2df66d8239dbe938cd5ee0330fa6954bf91cd2c46
                                                  • Opcode Fuzzy Hash: 68d3d4ca8a647a007ad94700598122f23d06d752802edf7745cc1232d3d9ba81
                                                  • Instruction Fuzzy Hash: 2951C331A00704AFEB20DF6AC941A6A77F4FF49724F54466EF809DB250E7B9DA018B48
                                                  APIs
                                                  • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045C1E4), ref: 004468FE
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F754,000000FF,00000000,0000003F,00000000,?,?), ref: 00446976
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F7A8,000000FF,?,0000003F,00000000,?), ref: 004469A3
                                                  • _free.LIBCMT ref: 004468EC
                                                    • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                                    • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                                  • _free.LIBCMT ref: 00446AB8
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                  • String ID:
                                                  • API String ID: 1286116820-0
                                                  • Opcode ID: 13e783ce7238224165918a71ff61bbb040dde026da6db54b448d3cbd4e0f0125
                                                  • Instruction ID: 7fd05a225221f517daf6149bd07272def0d2f8fc9e30777fa7538f83a84e5ba5
                                                  • Opcode Fuzzy Hash: 13e783ce7238224165918a71ff61bbb040dde026da6db54b448d3cbd4e0f0125
                                                  • Instruction Fuzzy Hash: 63511DB1900205ABEB10EF65DC8196A77BCEF42714B12027FE454A7291EBB89E44CB5E
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free
                                                  • String ID:
                                                  • API String ID: 269201875-0
                                                  • Opcode ID: 76d0ae20e321c1f8d33a0e61d3fd8decc26b720c3d8a788f20ca92602b864a36
                                                  • Instruction ID: cd63c3b426f476a3995244c06b7e284d95fcad26de8669326c9f329b52a78418
                                                  • Opcode Fuzzy Hash: 76d0ae20e321c1f8d33a0e61d3fd8decc26b720c3d8a788f20ca92602b864a36
                                                  • Instruction Fuzzy Hash: AE41E132E002049FEB10DF79C981A5EB3F5EF88718F1585AAE915EB351EA74AD41CB84
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00439ED1,?,00000000,?,00000001,?,?,00000001,00439ED1,?), ref: 0044E359
                                                  • __alloca_probe_16.LIBCMT ref: 0044E391
                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044E3E2
                                                  • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00438C3F,?), ref: 0044E3F4
                                                  • __freea.LIBCMT ref: 0044E3FD
                                                    • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                  • String ID:
                                                  • API String ID: 313313983-0
                                                  • Opcode ID: 655f7a8a6140fe06f74d4810f19312272e80c6b42afcaa61e472fb93c242db7b
                                                  • Instruction ID: e15509fa74df4b182af5404410fa86f763612774b1e54c01db9847f8ec559460
                                                  • Opcode Fuzzy Hash: 655f7a8a6140fe06f74d4810f19312272e80c6b42afcaa61e472fb93c242db7b
                                                  • Instruction Fuzzy Hash: BC31D232A0021AABEF259F66DC45DAF7BA5EF40710F05016AFC04DB291EB39DD51CB98
                                                  APIs
                                                  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BD9
                                                  • waveInOpen.WINMM(0046FAB0,000000FF,0046FA98,Function_00001CEB,00000000,00000000,00000024), ref: 00401C6F
                                                  • waveInPrepareHeader.WINMM(0046FA78,00000020), ref: 00401CC3
                                                  • waveInAddBuffer.WINMM(0046FA78,00000020), ref: 00401CD2
                                                  • waveInStart.WINMM ref: 00401CDE
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                  • String ID:
                                                  • API String ID: 1356121797-0
                                                  • Opcode ID: a5aa28857088cf9e2c0b2d910deecd96170581a9a307f5b2914fac260bae8331
                                                  • Instruction ID: fb7f9cdbf736b3995f9a1dd050f0e4013ef0d97c015e7d4644af59ef24d86031
                                                  • Opcode Fuzzy Hash: a5aa28857088cf9e2c0b2d910deecd96170581a9a307f5b2914fac260bae8331
                                                  • Instruction Fuzzy Hash: 77212C326242019BC7049FEABD0591A7BA9FB89714740943BF58DD7AB1FBF844098B0E
                                                  APIs
                                                  • GetEnvironmentStringsW.KERNEL32 ref: 0044C543
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044C566
                                                    • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044C58C
                                                  • _free.LIBCMT ref: 0044C59F
                                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044C5AE
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                  • String ID:
                                                  • API String ID: 336800556-0
                                                  • Opcode ID: 55ab520b62cbc01e0d1004e3f78ad65e034532d4f5c4574cc0f3edc3ad35f3b1
                                                  • Instruction ID: 9106a42af1dcf347f359e8079d91fbce8cfabd6158495d04cb7d137736bc8ec9
                                                  • Opcode Fuzzy Hash: 55ab520b62cbc01e0d1004e3f78ad65e034532d4f5c4574cc0f3edc3ad35f3b1
                                                  • Instruction Fuzzy Hash: AD0171726037257F37611AA75CC8C7F7A6DDAC6BA5319016BB904C3201EA79EE0181B8
                                                  APIs
                                                  • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA
                                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1D7
                                                  • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1E3
                                                  • WriteFile.KERNEL32(00000000,00000000,00000000,0040649B,00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1F4
                                                  • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A201
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CloseHandle$CreatePointerWrite
                                                  • String ID:
                                                  • API String ID: 1852769593-0
                                                  • Opcode ID: 900e91da6aef5ae1ef2d64e2906a14ebfc53969b27a9c650ee74425d8e4f4bd5
                                                  • Instruction ID: 9d85e8900f1be3931a26f88ae5ac80d5e45035a8363d546858a313564ae31bc3
                                                  • Opcode Fuzzy Hash: 900e91da6aef5ae1ef2d64e2906a14ebfc53969b27a9c650ee74425d8e4f4bd5
                                                  • Instruction Fuzzy Hash: 0911C4712062147FE6105A249C88EFB779CEB46375F10076AF556C32D1C6698C95863B
                                                  APIs
                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0040FBD5
                                                  • int.LIBCPMT ref: 0040FBE8
                                                    • Part of subcall function 0040CAE9: std::_Lockit::_Lockit.LIBCPMT ref: 0040CAFA
                                                    • Part of subcall function 0040CAE9: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CB14
                                                  • std::_Facet_Register.LIBCPMT ref: 0040FC28
                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC31
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC4F
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                  • String ID:
                                                  • API String ID: 2536120697-0
                                                  • Opcode ID: e42b24a72f1c346ef2fbe1d3cf240902612692734d8aa84a6b4d17056c7d6fbb
                                                  • Instruction ID: 5713401f36b8bb0c26d90e6cd89a0375aabf3697ea4116ccadb9116029d1f595
                                                  • Opcode Fuzzy Hash: e42b24a72f1c346ef2fbe1d3cf240902612692734d8aa84a6b4d17056c7d6fbb
                                                  • Instruction Fuzzy Hash: 9811C172904118A7CB24EFA5D80289FB778EF44325F10417FFD44B7291DA389E4A87D8
                                                  APIs
                                                  • GetLastError.KERNEL32(?,00000000,?,00439A11,00000000,?,?,00439A95,00000000,00000000,00000000,00000000,00000000,?,?), ref: 004457AE
                                                  • _free.LIBCMT ref: 004457E3
                                                  • _free.LIBCMT ref: 0044580A
                                                  • SetLastError.KERNEL32(00000000), ref: 00445817
                                                  • SetLastError.KERNEL32(00000000), ref: 00445820
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$_free
                                                  • String ID:
                                                  • API String ID: 3170660625-0
                                                  • Opcode ID: 8116442bc0b7785a5c87a9e5c1511c9661b86afcbe0e70ddbbe26362d10e1a04
                                                  • Instruction ID: 04032910ca93e9be015006ee1c204adc37b37130fda50a8933af11b0a5b4c0b1
                                                  • Opcode Fuzzy Hash: 8116442bc0b7785a5c87a9e5c1511c9661b86afcbe0e70ddbbe26362d10e1a04
                                                  • Instruction Fuzzy Hash: 4101FE36100F0077FB127B366CC992B15699FC2B7AB21413BF40592293EE7DCC01462D
                                                  APIs
                                                  • _free.LIBCMT ref: 0044DBB4
                                                    • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                                    • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                                  • _free.LIBCMT ref: 0044DBC6
                                                  • _free.LIBCMT ref: 0044DBD8
                                                  • _free.LIBCMT ref: 0044DBEA
                                                  • _free.LIBCMT ref: 0044DBFC
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 776569668-0
                                                  • Opcode ID: 4ff6445dbd1c139c6c118283ff3a35b6f69cd7d79671e775af14f987f4430014
                                                  • Instruction ID: 294e589d6328203d0d12509a579114aacc3179ef351d8ef0a61016021d4f39e6
                                                  • Opcode Fuzzy Hash: 4ff6445dbd1c139c6c118283ff3a35b6f69cd7d79671e775af14f987f4430014
                                                  • Instruction Fuzzy Hash: DDF04F339002146BA620EF6AE9C6C5773D9EE01B15355880AF085E7600EA78FC80965C
                                                  APIs
                                                  • _free.LIBCMT ref: 00441566
                                                    • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                                    • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                                  • _free.LIBCMT ref: 00441578
                                                  • _free.LIBCMT ref: 0044158B
                                                  • _free.LIBCMT ref: 0044159C
                                                  • _free.LIBCMT ref: 004415AD
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 776569668-0
                                                  APIs
                                                  • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 004124AD
                                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 004124DC
                                                  • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 0041257C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Enum$InfoQueryValue
                                                  • String ID: [regsplt]
                                                  • API String ID: 3554306468-4262303796
                                                  APIs
                                                  • _strpbrk.LIBCMT ref: 0044B918
                                                  • _free.LIBCMT ref: 0044BA35
                                                    • Part of subcall function 00439AA3: IsProcessorFeaturePresent.KERNEL32(00000017,00439A75,?,?,?,?,?,00000000,?,?,00439A95,00000000,00000000,00000000,00000000,00000000), ref: 00439AA5
                                                    • Part of subcall function 00439AA3: GetCurrentProcess.KERNEL32(C0000417), ref: 00439AC7
                                                    • Part of subcall function 00439AA3: TerminateProcess.KERNEL32(00000000), ref: 00439ACE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                  • String ID: *?$.
                                                  • API String ID: 2812119850-3972193922
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: __alloca_probe_16__freea
                                                  • String ID: H"G$H"GH"G
                                                  • API String ID: 1635606685-3036711414
                                                  APIs
                                                  • __Init_thread_footer.LIBCMT ref: 0040189E
                                                  • ExitThread.KERNEL32 ref: 004018D6
                                                  • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00471E78,00000000), ref: 004019E4
                                                    • Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                  • String ID: 8:G
                                                  • API String ID: 1649129571-405301104
                                                  APIs
                                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\njEnUdtKgG.exe,00000104), ref: 00440975
                                                  • _free.LIBCMT ref: 00440A40
                                                  • _free.LIBCMT ref: 00440A4A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$FileModuleName
                                                  • String ID: C:\Users\user\AppData\Roaming\njEnUdtKgG.exe
                                                  • API String ID: 2506810119-3109199087
                                                  APIs
                                                    • Part of subcall function 00412006: RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,00472248,00471FFC), ref: 00412030
                                                    • Part of subcall function 00412006: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 0041204B
                                                    • Part of subcall function 00412006: RegCloseKey.ADVAPI32(00000000), ref: 00412054
                                                    • Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
                                                  • _wcslen.LIBCMT ref: 00419744
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                                  • String ID: .exe$program files (x86)\$program files\
                                                  • API String ID: 37874593-1203593143
                                                  APIs
                                                  • CreateThread.KERNEL32(00000000,00000000,00409305,00472008,00000000,00000000), ref: 0040928B
                                                  • CreateThread.KERNEL32(00000000,00000000,004092EF,00472008,00000000,00000000), ref: 0040929B
                                                  • CreateThread.KERNEL32(00000000,00000000,00409311,00472008,00000000,00000000), ref: 004092A7
                                                    • Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                                                    • Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateThread$LocalTimewsprintf
                                                  • String ID: Offline Keylogger Started
                                                  • API String ID: 465354869-4114347211
                                                  APIs
                                                    • Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                                                    • Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F
                                                    • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                                  • CreateThread.KERNEL32(00000000,00000000,004092EF,?,00000000,00000000), ref: 00409EB7
                                                  • CreateThread.KERNEL32(00000000,00000000,00409311,?,00000000,00000000), ref: 00409EC3
                                                  • CreateThread.KERNEL32(00000000,00000000,0040931D,?,00000000,00000000), ref: 00409ECF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateThread$LocalTime$wsprintf
                                                  • String ID: Online Keylogger Started
                                                  • API String ID: 112202259-1258561607
                                                  APIs
                                                  • GetLocalTime.KERNEL32(?), ref: 00404F61
                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FAD
                                                  • CreateThread.KERNEL32(00000000,00000000,00405130,?,00000000,00000000), ref: 00404FC0
                                                  Strings
                                                  • Connection KeepAlive | Enabled | Timeout: , xrefs: 00404F74
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Create$EventLocalThreadTime
                                                  • String ID: Connection KeepAlive | Enabled | Timeout:
                                                  • API String ID: 2532271599-507513762
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData,?,00000000,00406039,?), ref: 00406090
                                                  • GetProcAddress.KERNEL32(00000000), ref: 00406097
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: CryptUnprotectData$crypt32
                                                  • API String ID: 2574300362-2380590389
                                                  APIs
                                                  • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405139), ref: 00405153
                                                  • CloseHandle.KERNEL32(?), ref: 004051AA
                                                  • SetEvent.KERNEL32(?), ref: 004051B9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseEventHandleObjectSingleWait
                                                  • String ID: Connection Timeout
                                                  • API String ID: 2055531096-499159329
                                                  APIs
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040D25E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Exception@8Throw
                                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                  • API String ID: 2005118841-1866435925
                                                  APIs
                                                  • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
                                                  • RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00412128
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseOpenQueryValue
                                                  • String ID: origmsc
                                                  • API String ID: 3677997916-68016026
                                                  APIs
                                                  • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041487B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExecuteShell
                                                  • String ID: /C $cmd.exe$open
                                                  • API String ID: 587946157-3896048727
                                                  APIs
                                                  • RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,00472248,00471FFC), ref: 00412030
                                                  • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 0041204B
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00412054
                                                  Strings
                                                  • http\shell\open\command, xrefs: 00412026
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseOpenQueryValue
                                                  • String ID: http\shell\open\command
                                                  • API String ID: 3677997916-1487954565
                                                  APIs
                                                  • RegCreateKeyW.ADVAPI32(80000001,Software\Classes\mscfile\shell\open\command,0046FB08), ref: 0041220F
                                                  • RegSetValueExW.ADVAPI32(0046FB08,00469654,00000000,00000000,00000000,00000000,00469654,?,80000001,?,0040674F,00469654,0046FB08), ref: 0041223E
                                                  • RegCloseKey.ADVAPI32(0046FB08,?,80000001,?,0040674F,00469654,0046FB08), ref: 00412249
                                                  Strings
                                                  • Software\Classes\mscfile\shell\open\command, xrefs: 0041220D
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCreateValue
                                                  • String ID: Software\Classes\mscfile\shell\open\command
                                                  • API String ID: 1818849710-505396733
                                                  APIs
                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0040C9D9
                                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CA18
                                                    • Part of subcall function 004333ED: _Yarn.LIBCPMT ref: 0043340C
                                                    • Part of subcall function 004333ED: _Yarn.LIBCPMT ref: 00433430
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CA3E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                  • String ID: bad locale name
                                                  • API String ID: 3628047217-1405518554
                                                  • Opcode ID: 082478905eeced14d5731d6393d842c9ba169a160db0ba1d03fb3bfa15736ecf
                                                  • Instruction ID: 2c4ad0125759e8972babdbfe9bad97e9a7b68ba46d49635da0f31685b809246c
                                                  • Opcode Fuzzy Hash: 082478905eeced14d5731d6393d842c9ba169a160db0ba1d03fb3bfa15736ecf
                                                  • Instruction Fuzzy Hash: 6EF01232500604FAC328FBA6DC5299A77A49F14719F508D3FF545214D1FF396A18C699
                                                  APIs
                                                  • RegCreateKeyA.ADVAPI32(80000001,00000000,P0F), ref: 00412276
                                                  • RegSetValueExA.ADVAPI32(P0F,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 00412291
                                                  • RegCloseKey.ADVAPI32(?,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 0041229C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCreateValue
                                                  • String ID: P0F
                                                  • API String ID: 1818849710-3540264436
                                                  • Opcode ID: 621f54e733439cbcd958662464d090e9ff9f63f5a417d09ab0c58a6b3b1f16b4
                                                  • Instruction ID: aa9041bc7d36289a95917c0f975a521a353b8518001b5fa9068edf17b8c75ad2
                                                  • Opcode Fuzzy Hash: 621f54e733439cbcd958662464d090e9ff9f63f5a417d09ab0c58a6b3b1f16b4
                                                  • Instruction Fuzzy Hash: 05E03972600308BBDB209FA09D05FEA7B6CEF04B62F1141A5BF09A6591D2758E14A7A8
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014A1
                                                  • GetProcAddress.KERNEL32(00000000), ref: 004014A8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: GetLastInputInfo$User32.dll
                                                  • API String ID: 2574300362-1519888992
                                                  • Opcode ID: 0a32acb6837364cc41bfb1711514e79ed8798cba9f1c44e4cca123ab277e4417
                                                  • Instruction ID: 9c97512ccc3e9dae7fbe55962af9901819d65f6a69b3e33b2a0b565c767961ff
                                                  • Opcode Fuzzy Hash: 0a32acb6837364cc41bfb1711514e79ed8798cba9f1c44e4cca123ab277e4417
                                                  • Instruction Fuzzy Hash: 51B092B1980302AB8E006FB1AE0DE043AB8A604703B5102B6B00292161EAF99440CF2E
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: __alldvrm$_strrchr
                                                  • String ID:
                                                  • API String ID: 1036877536-0
                                                  • Opcode ID: ffe43cf3e465c727d5e0953a870d72e00f4610d42b915cf7dfa75284df7637f7
                                                  • Instruction ID: 8a3f88530d83194aa24a517e4ef6e15a272d99a70002873db7a8ab856bdac54d
                                                  • Opcode Fuzzy Hash: ffe43cf3e465c727d5e0953a870d72e00f4610d42b915cf7dfa75284df7637f7
                                                  • Instruction Fuzzy Hash: 18A12572A012869FFB21CE18C8817AEBBA1EF65314F24416FE5859B382CA3C8941C759
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 708417122de2711bb2eb7b93dd9c5bc77eababb27f74811c5393ad6cf28abd82
                                                  • Instruction ID: c1abd53b49e6a7723cad7358b49d7c046164203d86e3a19123cc85c40c5f12b7
                                                  • Opcode Fuzzy Hash: 708417122de2711bb2eb7b93dd9c5bc77eababb27f74811c5393ad6cf28abd82
                                                  • Instruction Fuzzy Hash: 93412871E00704AFD7249F79CC46B5A7BA9EB8C714F10523FF142DB681D37999498788
                                                  APIs
                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00471EE8), ref: 00404D93
                                                  • CreateThread.KERNEL32(00000000,00000000,?,00471E90,00000000,00000000), ref: 00404DA7
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 00404DB2
                                                  • CloseHandle.KERNEL32(?,?,00000000), ref: 00404DBB
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                  • String ID:
                                                  • API String ID: 3360349984-0
                                                  • Opcode ID: 4507b0ab51a6c89f5a00a7e6d16978d5bd04c0451300ea21d68f1003f035869f
                                                  • Instruction ID: 0d5bef4af40d9751d8a4c840d6feadb85822b330c50e1cee3accc81e25362d00
                                                  • Opcode Fuzzy Hash: 4507b0ab51a6c89f5a00a7e6d16978d5bd04c0451300ea21d68f1003f035869f
                                                  • Instruction Fuzzy Hash: DA4194712083016FCB11FB61CD55D6FB7EDAFD4314F400A3EB982A32E2DB7899098666
                                                  APIs
                                                  Strings
                                                  • [Cleared browsers logins and cookies.], xrefs: 0040B025
                                                  • Cleared browsers logins and cookies., xrefs: 0040B036
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Sleep
                                                  • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                  • API String ID: 3472027048-1236744412
                                                  • Opcode ID: c5625c41e3350cd44f31e3f39ca14d3df05c6bc0ef5032128f41299be6cd647b
                                                  • Instruction ID: 9e673e540e653d5dfc9c41bfd33b173fe745421aa21f598ea7623546fa890e2b
                                                  • Opcode Fuzzy Hash: c5625c41e3350cd44f31e3f39ca14d3df05c6bc0ef5032128f41299be6cd647b
                                                  • Instruction Fuzzy Hash: EE31A24074C3826EDA11BBB555267EF6B924A53758F0844BFF8C42B3C3D9BA4818936F
                                                  APIs
                                                    • Part of subcall function 004120E8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
                                                    • Part of subcall function 004120E8: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
                                                    • Part of subcall function 004120E8: RegCloseKey.ADVAPI32(00000000), ref: 00412128
                                                  • Sleep.KERNEL32(00000BB8), ref: 004111DF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseOpenQuerySleepValue
                                                  • String ID: H"G$exepath$!G
                                                  • API String ID: 4119054056-2148977334
                                                  • Opcode ID: b63ef4792b0a54595826799ca09291a4a0f263f6c30614dda09e5540f09a92a9
                                                  • Instruction ID: cc1704131a0fe244d5c58522e2247ad29464f3afd50ace533094a5add093a815
                                                  • Opcode Fuzzy Hash: b63ef4792b0a54595826799ca09291a4a0f263f6c30614dda09e5540f09a92a9
                                                  • Instruction Fuzzy Hash: 2321F7A1B0030426DA00B7765D56AAF724D8B84308F00447FBE46F72E3DEBC9D0981AD
                                                  APIs
                                                    • Part of subcall function 0041A2DB: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A2EB
                                                    • Part of subcall function 0041A2DB: GetWindowTextLengthW.USER32(00000000), ref: 0041A2F4
                                                    • Part of subcall function 0041A2DB: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041A31E
                                                  • Sleep.KERNEL32(000001F4), ref: 0040955A
                                                  • Sleep.KERNEL32(00000064), ref: 004095F5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Window$SleepText$ForegroundLength
                                                  • String ID: [ $ ]
                                                  • API String ID: 3309952895-93608704
                                                  • Opcode ID: 1543f2ebe3b39a11f32b2ab7ee3d2400f3e72a61424cc91a421d40b22e495c0c
                                                  • Instruction ID: f130b1bb1348f748448b569433b56ba5176942d51498ef551544d7c0cb15bd34
                                                  • Opcode Fuzzy Hash: 1543f2ebe3b39a11f32b2ab7ee3d2400f3e72a61424cc91a421d40b22e495c0c
                                                  • Instruction Fuzzy Hash: 2721657160420067C618B776DC179AE32A89F51308F40447FF552772D3EE7D9A05869F
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2970eecc447bf90f09d99781fc54b6e0c8e96c5b6031d191d94caaf8528dc60b
                                                  • Instruction ID: cddd12244c82da27d8fba5a3cfb3b4b8374ea1530061808fe1103b2c2b1f06f2
                                                  • Opcode Fuzzy Hash: 2970eecc447bf90f09d99781fc54b6e0c8e96c5b6031d191d94caaf8528dc60b
                                                  • Instruction Fuzzy Hash: 46018FB26092163EF6302E796CC1F67271CDF517B9B21033BF625622D2EAB8CD254568
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 995436ab4c2709f546f4042a2e75d66bbbd7790162713e0acfb32ec842828db5
                                                  • Instruction ID: ded37596ea74bb71ca552df42b40a6491f306b500b676c7390fdbb9d5d89f826
                                                  • Opcode Fuzzy Hash: 995436ab4c2709f546f4042a2e75d66bbbd7790162713e0acfb32ec842828db5
                                                  • Instruction Fuzzy Hash: E801D1B220A2163EB6202E796CC9D27631DEF513BE725033BF521522E6EF7DCC855168
                                                  APIs
                                                  • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                                                  • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A23C
                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A261
                                                  • CloseHandle.KERNEL32(00000000,?,00000000,0040410F,00462E24), ref: 0041A26F
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CloseCreateHandleReadSize
                                                  • String ID:
                                                  • API String ID: 3919263394-0
                                                  • Opcode ID: f8144eb0105f9ed2fcebd69b81e7c94004eac80e706136602d8195065f3f2b82
                                                  • Instruction ID: 89bb00dd3d40589ea0a8ab1c68f17f151e0eed20b013a8aeca2898ab58bcd068
                                                  • Opcode Fuzzy Hash: f8144eb0105f9ed2fcebd69b81e7c94004eac80e706136602d8195065f3f2b82
                                                  • Instruction Fuzzy Hash: 6EF0F6B13023087FE6102B21AC84FBF369CDB867A5F01027EF901A32C1CA3A8C054536
                                                  APIs
                                                  • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00436CD1
                                                  • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00436CD6
                                                  • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00436CDB
                                                    • Part of subcall function 004381DA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004381EB
                                                  • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00436CF0
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                  • String ID:
                                                  • API String ID: 1761009282-0
                                                  • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                  • Instruction ID: fe0629a2579d5eb29aad24ff52ac89f8c4d28ee3f0e2161d733d9faf058f7893
                                                  • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                  • Instruction Fuzzy Hash: 12C00254040342742C5077B622062AEA350A8AE38DFA7B4CFB892171038D0D440B953F
                                                  APIs
                                                  • __startOneArgErrorHandling.LIBCMT ref: 004401ED
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorHandling__start
                                                  • String ID: pow
                                                  • API String ID: 3213639722-2276729525
                                                  • Opcode ID: 28648d1c5639a1d5ffd860c5db5a803017559560979bfd47f5832c4e42ec8e44
                                                  • Instruction ID: 9a83a7e01686381b8a8ce0b853cf5bc52d75b03c70b61edc7fb1f4b11142e615
                                                  • Opcode Fuzzy Hash: 28648d1c5639a1d5ffd860c5db5a803017559560979bfd47f5832c4e42ec8e44
                                                  • Instruction Fuzzy Hash: 21518A60A842018AFB117714CA4137B3B90EB40701F248DABE5D2563EAEB7D8CB5DA4F
                                                  APIs
                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404046
                                                    • Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980
                                                    • Part of subcall function 004168A6: CloseHandle.KERNEL32(004040D5,?,?,004040D5,00462E24), ref: 004168BC
                                                    • Part of subcall function 004168A6: CloseHandle.KERNEL32($.F,?,?,004040D5,00462E24), ref: 004168C5
                                                    • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                                                  • Sleep.KERNEL32(000000FA,00462E24), ref: 00404118
                                                  Strings
                                                  • /sort "Visit Time" /stext ", xrefs: 00404092
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                  • String ID: /sort "Visit Time" /stext "
                                                  • API String ID: 368326130-1573945896
                                                  • Opcode ID: a4a6769404a45eb771fb951e36bc417e5ca480f2d31eb92d27795bae4adf2828
                                                  • Instruction ID: 7f8942f24ccac46b0034012f494d3192eca769648d2eef92b07e1d28e9d76a7f
                                                  • Opcode Fuzzy Hash: a4a6769404a45eb771fb951e36bc417e5ca480f2d31eb92d27795bae4adf2828
                                                  • Instruction Fuzzy Hash: B5316431A0021556CB14FBB6DC969EE73B9AF90308F40017FF506B71E2EE38594ACA99
                                                  APIs
                                                    • Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B
                                                  • __Init_thread_footer.LIBCMT ref: 0040A6E3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Init_thread_footer__onexit
                                                  • String ID: [End of clipboard]$[Text copied to clipboard]
                                                  • API String ID: 1881088180-3686566968
                                                  • Opcode ID: 8b3756b0909f45d78d669578ef8912b34d58c84c6c9fb6c8f8edd64ed624e4fc
                                                  • Instruction ID: 89f5e7c07999504d217297f9a041c68b3e0b8c5632e5b70e4a6c966e9d45e494
                                                  • Opcode Fuzzy Hash: 8b3756b0909f45d78d669578ef8912b34d58c84c6c9fb6c8f8edd64ed624e4fc
                                                  • Instruction Fuzzy Hash: 42218D31A002055ACB04FBA5D892DEDB378AF54308F10453FF506771D2EF38AE4A8A8D
                                                  APIs
                                                  • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0044EF72,?,00000050,?,?,?,?,?), ref: 0044EDF2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ACP$OCP
                                                  • API String ID: 0-711371036
                                                  • Opcode ID: 2f6255c43d422f9ec28f5694223862b2eeac92ff2acac738a800f64e00dd4497
                                                  • Instruction ID: ce4b6ecbf16ce97eee8671cf775368e41a8ae942868fb71505acbacd33d5bec2
                                                  • Opcode Fuzzy Hash: 2f6255c43d422f9ec28f5694223862b2eeac92ff2acac738a800f64e00dd4497
                                                  • Instruction Fuzzy Hash: 4F21F1E2E00102A2FB348B67CC01BAB72A6FF54B51F568426E90AD7300EB3ADD41C35C
                                                  APIs
                                                  • GetWindowTextW.USER32(?,?,0000012C), ref: 00415B2E
                                                  • IsWindowVisible.USER32(?), ref: 00415B37
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Window$TextVisible
                                                  • String ID: (%G
                                                  • API String ID: 1670992164-3377777310
                                                  • Opcode ID: 6f17d284cfdb4df53722abd5a13ccbba9f2a9602f3f7b51a6171a740e00953ec
                                                  • Instruction ID: 7bdbcb6602ffb42e5ce2137d58ff1a132c15f169860b2e192372582f8912ca7a
                                                  • Opcode Fuzzy Hash: 6f17d284cfdb4df53722abd5a13ccbba9f2a9602f3f7b51a6171a740e00953ec
                                                  • Instruction Fuzzy Hash: E42166315182019BC314FB61D891EEFB7E9AF94304F50493FF49A920E2FF349A49CA5A
                                                  APIs
                                                  • GetLocalTime.KERNEL32(?,004724A8,?,00000000,?,?,?,?,?,?,004146C2,?,00000001,0000004C,00000000), ref: 00405010
                                                    • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                                  • GetLocalTime.KERNEL32(?,004724A8,?,00000000,?,?,?,?,?,?,004146C2,?,00000001,0000004C,00000000), ref: 00405067
                                                  Strings
                                                  • Connection KeepAlive | Enabled | Timeout: , xrefs: 00404FFF
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LocalTime
                                                  • String ID: Connection KeepAlive | Enabled | Timeout:
                                                  • API String ID: 481472006-507513762
                                                  • Opcode ID: db71296423f5ae0c940390bca2fe76bdaa24d7f5692d89ec5d6dad89ab0214d4
                                                  • Instruction ID: 0beb7a88d254a358a963561f9d97893b624dd36ca90e96b80d49a5b3b1f878f3
                                                  • Opcode Fuzzy Hash: db71296423f5ae0c940390bca2fe76bdaa24d7f5692d89ec5d6dad89ab0214d4
                                                  • Instruction Fuzzy Hash: 092137719042406BD304B7219D2976F7794A745308F04047EF845132E2DBBD5988CB9F
                                                  APIs
                                                  • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00432D8F
                                                  • ___raise_securityfailure.LIBCMT ref: 00432E76
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FeaturePresentProcessor___raise_securityfailure
                                                  • String ID: (F
                                                  • API String ID: 3761405300-3109638091
                                                  • Opcode ID: 8d70a3cd03553c2d68efa77227729d50617932ca87f7888c32547dfbcc783ade
                                                  • Instruction ID: 494dc9d0fce29d31cb3ef34e393fed80e8221b4646dfbf54f91bf1ae82b1ca01
                                                  • Opcode Fuzzy Hash: 8d70a3cd03553c2d68efa77227729d50617932ca87f7888c32547dfbcc783ade
                                                  • Instruction Fuzzy Hash: 8C21F0BD500205DEE700DF16E9856403BE4BB49314F20943AE9088B3A1F3F669918F9F
                                                  APIs
                                                  • GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LocalTime
                                                  • String ID: | $%02i:%02i:%02i:%03i
                                                  • API String ID: 481472006-2430845779
                                                  • Opcode ID: 3ac86647c9e14ca6f93bd036f528b1de7b867f3a903355216a00816ff0bb3ae2
                                                  • Instruction ID: bce8772fa89f7f7ff9e68bb522557632f538b64cb503c22793e2f51f4d03e72f
                                                  • Opcode Fuzzy Hash: 3ac86647c9e14ca6f93bd036f528b1de7b867f3a903355216a00816ff0bb3ae2
                                                  • Instruction Fuzzy Hash: 68117F315042015AC304FBA5D8518EBB3E8AB94308F500A3FF895A21E2FF3CDA49C65A
                                                  APIs
                                                  • PathFileExistsW.SHLWAPI(00000000,00000000,?,?,?,?,?,00415594,00000000), ref: 00418CF2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExistsFilePath
                                                  • String ID: alarm.wav$x(G
                                                  • API String ID: 1174141254-2413638199
                                                  • Opcode ID: 26c40b3e06d19070c32931467931773a754d599fffa5f8131170b201d030b6b4
                                                  • Instruction ID: fe962266bcbe9b481af3baecc2186877703bd5259ecc619923a55b1e0e4c82aa
                                                  • Opcode Fuzzy Hash: 26c40b3e06d19070c32931467931773a754d599fffa5f8131170b201d030b6b4
                                                  • Instruction Fuzzy Hash: 40019270B0430056C604F7A6E9566EE37958BA1358F00857FA849672E2EEBD4D45C6CF
                                                  APIs
                                                    • Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                                                    • Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F
                                                    • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                                  • CloseHandle.KERNEL32(?), ref: 00409FFD
                                                  • UnhookWindowsHookEx.USER32 ref: 0040A010
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                  • String ID: Online Keylogger Stopped
                                                  • API String ID: 1623830855-1496645233
                                                  • Opcode ID: 844159523aa59948fae8112936e3b7164414e1ec4be296e67346653cf839bcc0
                                                  • Instruction ID: de94d33b988dbd75262e40483fa5bc1fa77a380ea8b62c1163629748a83ca489
                                                  • Opcode Fuzzy Hash: 844159523aa59948fae8112936e3b7164414e1ec4be296e67346653cf839bcc0
                                                  • Instruction Fuzzy Hash: 2601F530A003045BD7257F24C81BBBE7BB59B82304F40056FE541225D2EAB91866E7DF
                                                  APIs
                                                  • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000,?,?,?,?,?,?,0040B5A1), ref: 0040B49A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExistsFilePath
                                                  • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                                  • API String ID: 1174141254-2800177040
                                                  • Opcode ID: e6d86c904460ed95f93b6480c1b29343ffc8ef0317c86cf59c19c4bf9a903d1b
                                                  • Instruction ID: 5821409638838460856efc798fa08f59aead72c028a5ec3eaf808f19191aee33
                                                  • Opcode Fuzzy Hash: e6d86c904460ed95f93b6480c1b29343ffc8ef0317c86cf59c19c4bf9a903d1b
                                                  • Instruction Fuzzy Hash: CBF0547090021996CA04FBA6CC57DFF7B6CDA10715B40057FBA01721D3EEBC9E5586D9
                                                  APIs
                                                  • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000,?,?,?,?,?,?,0040B53E), ref: 0040B437
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExistsFilePath
                                                  • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                                  • API String ID: 1174141254-4188645398
                                                  • Opcode ID: 3eb312a051bd7b3e881279eab24470592b62138a753e29912da0ff6a2ccc73a2
                                                  • Instruction ID: 3f8b084fd7c06795b4d0fa8893062b22b44e731770192fac0e06baefb29df0f7
                                                  • Opcode Fuzzy Hash: 3eb312a051bd7b3e881279eab24470592b62138a753e29912da0ff6a2ccc73a2
                                                  • Instruction Fuzzy Hash: 3DF08970A0021996CA04FBA6DC479FF7B6CDA10715B40007F7A01721D3EEBC9E498ADD
                                                  APIs
                                                  • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000,?,?,?,?,?,?,0040B604), ref: 0040B4FD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExistsFilePath
                                                  • String ID: AppData$\Opera Software\Opera Stable\
                                                  • API String ID: 1174141254-1629609700
                                                  • Opcode ID: 642841fccc908c774798103d59d1a545af8806a5893841e3456303e80930f048
                                                  • Instruction ID: 52471f63f703214977655dbdffc05bc1b666495b4e4508f2cd1aa44db4b955b6
                                                  • Opcode Fuzzy Hash: 642841fccc908c774798103d59d1a545af8806a5893841e3456303e80930f048
                                                  • Instruction Fuzzy Hash: 2AF05430900219A6C604FBA6CC479EF7B6C9A50709B40047FB901722D3EEB99A4586DD
                                                  APIs
                                                  • GetKeyState.USER32(00000011), ref: 0040A597
                                                    • Part of subcall function 00409468: GetForegroundWindow.USER32 ref: 0040949C
                                                    • Part of subcall function 00409468: GetWindowThreadProcessId.USER32(00000000,?), ref: 004094A7
                                                    • Part of subcall function 00409468: GetKeyboardLayout.USER32(00000000), ref: 004094AE
                                                    • Part of subcall function 00409468: GetKeyState.USER32(00000010), ref: 004094B8
                                                    • Part of subcall function 00409468: GetKeyboardState.USER32(?), ref: 004094C5
                                                    • Part of subcall function 00409468: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 004094E1
                                                    • Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: State$KeyboardWindow$EventForegroundLayoutProcessThreadUnicode
                                                  • String ID: [AltL]$[AltR]
                                                  • API String ID: 3195419117-2658077756
                                                  • Opcode ID: 93bc4c82374cea9adc1be0e1e00b15a6865a0a166cb0b06a72cbb1eb968038fe
                                                  • Instruction ID: 29e442ca109236f59d068076b5b59df2bd5c1a98fb0e5871b2f0b43888bf59e1
                                                  • Opcode Fuzzy Hash: 93bc4c82374cea9adc1be0e1e00b15a6865a0a166cb0b06a72cbb1eb968038fe
                                                  • Instruction Fuzzy Hash: E0E0E52170432026C828363E2D2B6AE39109741761B80006FF8436B2C6EC7E8D1043CF
                                                  APIs
                                                  • GetKeyState.USER32(00000012), ref: 0040A5F1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: State
                                                  • String ID: [CtrlL]$[CtrlR]
                                                  • API String ID: 1649606143-2446555240
                                                  • Opcode ID: 32d4ed10a71edebd33ac4b48b63deb44ff05106530e36cbcea7ee1510555eeab
                                                  • Instruction ID: c9b4056729f6320a31326482d9effdd17bd0eb8d0dea22e3f8a852eb4ad5c27f
                                                  • Opcode Fuzzy Hash: 32d4ed10a71edebd33ac4b48b63deb44ff05106530e36cbcea7ee1510555eeab
                                                  • Instruction Fuzzy Hash: 53E02672B043112AC414397E551EA2A286087917A9F46042FECC3672C3D87F8D2203CF
                                                  APIs
                                                  • RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,00000002,00000000,80000001,6h@,004123E9,00000000,00000000,6h@,origmsc,00000000), ref: 00412422
                                                  • RegDeleteValueW.ADVAPI32(?,?), ref: 00412436
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: DeleteOpenValue
                                                  • String ID: 6h@
                                                  • API String ID: 2654517830-73392143
                                                  • Opcode ID: 45be350e15fffb6ae5252e7309d7a4a092feaea6bf63e3a5136c94c60f555a57
                                                  • Instruction ID: b623b948bfdfa0337ccefb4abe002260ff2e01b184ebd3416e4b53d264740477
                                                  • Opcode Fuzzy Hash: 45be350e15fffb6ae5252e7309d7a4a092feaea6bf63e3a5136c94c60f555a57
                                                  • Instruction Fuzzy Hash: 9BE0C231244208BBDF108F71DE07FFA372CDB01F01F5042A5BD0592091C666CE149664
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D35), ref: 0043B4DB
                                                  • GetLastError.KERNEL32 ref: 0043B4E9
                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043B544
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$ErrorLast
                                                  • String ID:
                                                  • API String ID: 1717984340-0
                                                  • Opcode ID: b03ae9dac27993159e2f076845c08d8301cee77c5f079c52009939e8645c9409
                                                  • Instruction ID: 0ecaebee41cb6558e50c6262f5020644a21471e748dd5a13caac6b8f2b864e38
                                                  • Opcode Fuzzy Hash: b03ae9dac27993159e2f076845c08d8301cee77c5f079c52009939e8645c9409
                                                  • Instruction Fuzzy Hash: AD411630600205BFDB229F65D844B6B7BB4EF09328F14516EFA59AB3A1DB38CD01C799
                                                  APIs
                                                  • IsBadReadPtr.KERNEL32(?,00000014), ref: 004105F1
                                                  • IsBadReadPtr.KERNEL32(?,00000014), ref: 004106BD
                                                  • SetLastError.KERNEL32(0000007F), ref: 004106DF
                                                  • SetLastError.KERNEL32(0000007E,00410955), ref: 004106F6
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.1351040252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLastRead
                                                  • String ID:
                                                  • API String ID: 4100373531-0
                                                  • Opcode ID: 9879e5f97f9034714067de51e7f9b75c8f83f84791738768acf52853c1cf03dd
                                                  • Instruction ID: 0e21605053d2ba8273329305491efaf700724209343246308e891da9604144dc
                                                  • Opcode Fuzzy Hash: 9879e5f97f9034714067de51e7f9b75c8f83f84791738768acf52853c1cf03dd
                                                  • Instruction Fuzzy Hash: 73417C71644305DFE7208F18DC84BA7B7E4FF88714F00442EE54687691EBB5E8A5CB19
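The entries above are a tool-generated record, and the questions an analyst actually asks of them (which functions touch keyboard-state APIs, which probe browser profile directories, what the raw hex arguments mean) are easier to answer once the listing is parsed. The following Python is an added example written for this page, not code from the Joe Sandbox report or its IDA plugin. The `SAMPLE` text is a constructed, trimmed copy of three entries from the listing; the constant tables cover only the values that appear here; the `KEYLOG_APIS` set, the `BROWSER_MARKERS` tuple and the tag names are my own heuristics, not Joe Sandbox signature names.

```python
import re
from collections import namedtuple
# Constructed sample: three entries copied from the listing above, de-indented and
# with the long hashes dropped; sections an entry does not need are simply absent.
SAMPLE = r"""
APIs
• GetKeyState.USER32(00000011), ref: 0040A597
  • Part of subcall function 00409468: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 004094E1
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_njEnUdtKgG.jbxd
Similarity
• API ID: State$KeyboardWindow$EventForegroundLayoutProcessThreadUnicode
• String ID: [AltL]$[AltR]
APIs
• PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000,?,?,?,?,?,?,0040B53E), ref: 0040B437
Similarity
• API ID: ExistsFilePath
• String ID: UserProfile$\AppData\Local\Google\Chrome\
APIs
• RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,00000002,00000000,80000001,6h@,004123E9,00000000,00000000,6h@,origmsc,00000000), ref: 00412422
• RegDeleteValueW.ADVAPI32(?,?), ref: 00412436
Similarity
• API ID: DeleteOpenValue
• String ID: 6h@
"""

HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
           "Yara matches", "Similarity"}
# "<name>.<module>(<args>), ref: <addr>", args/ref optional; calls made inside a
# callee carry the prefix "Part of subcall function <addr>: ".
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<name>[A-Za-z_][\w@?]*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?(?:,? ref: (?P<ref>[0-9A-Fa-f]+))?$")
# Symbolic names for hex arguments by (API, argument index); only values seen here.
CONST_TABLES = {
    ("GetKeyState", 0): {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU"},
    ("RegOpenKeyExW", 0): {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"},
    ("SetLastError", 0): {0x7E: "ERROR_MOD_NOT_FOUND", 0x7F: "ERROR_PROC_NOT_FOUND"},
    ("IsProcessorFeaturePresent", 0): {0x17: "PF_FASTFAIL_AVAILABLE"},
}
# Heuristic API set and path markers chosen for this example (assumption, not a signature).
KEYLOG_APIS = {"SetWindowsHookExA", "SetWindowsHookExW", "UnhookWindowsHookEx",
               "GetKeyState", "GetKeyboardState", "GetAsyncKeyState", "ToUnicodeEx"}
BROWSER_MARKERS = ("\\Google\\Chrome\\", "\\Microsoft\\Edge\\", "\\Opera Software\\")
ApiCall = namedtuple("ApiCall", "name module args ref subcall_of")

def parse_listing(text):
    """Split the listing into entries {"apis": [ApiCall], "strings": [...], "meta": {...}}."""
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADERS:
            if line == "APIs":                    # every entry opens with its APIs block
                cur = {"apis": [], "strings": [], "meta": {}}
                entries.append(cur)
            section = line
        elif cur is not None and line.startswith("•"):
            item = line[1:].strip()
            if section == "APIs":
                m = API_RE.match(item)
                if m:
                    args = [a for a in (m["args"] or "").split(",") if a]
                    cur["apis"].append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
            elif section == "Strings":            # "<text>, xrefs: <addr>"
                text_part, sep, _ = item.rpartition(", xrefs: ")
                cur["strings"].append(text_part if sep else item)
            else:                                 # "key: value" lines of the other sections
                key, _, val = item.partition(":")
                cur["meta"][key.strip()] = val.strip()
    return entries

def decode_arg(call, index):
    """Symbolic name for a hex argument, or None if unknown or unresolved ("?")."""
    value = call.args[index] if index < len(call.args) else "?"
    if not re.fullmatch(r"[0-9A-Fa-f]+", value):
        return None
    return CONST_TABLES.get((call.name, index), {}).get(int(value, 16))

def tag_entry(entry):
    names = {c.name for c in entry["apis"]}
    ids = entry["meta"].get("String ID", "")      # Joe Sandbox joins strings with "$"
    strings = entry["strings"] + (ids.split("$") if ids else [])
    probes = any(m in s for s in strings for m in BROWSER_MARKERS)
    return {tag for tag, hit in (
        ("keylogging", bool(names & KEYLOG_APIS)),
        ("browser-profile-probe", "PathFileExistsW" in names and probes),
        ("registry-value-delete", bool(names & {"RegDeleteValueA", "RegDeleteValueW"})),
    ) if hit}

def summarize(text):
    """Per entry: first direct call site -> (api names, tags, decoded constants)."""
    out = {}
    for e in parse_listing(text):
        refs = [c.ref for c in e["apis"] if c.ref and not c.subcall_of] or [e["meta"].get("Opcode ID", "?")]
        consts = {f"{c.name}[{i}]": decode_arg(c, i) for c in e["apis"]
                  for i in range(len(c.args)) if decode_arg(c, i)}
        out[refs[0]] = (sorted({c.name for c in e["apis"]}), sorted(tag_entry(e)), consts)
    return out
```

`summarize(SAMPLE)` keys each entry by its first direct call site and returns the API names, the heuristic tags and the decoded constants, so the three sample entries come back as a keylogging function at 0040A597 with `GetKeyState[0]` decoded to VK_CONTROL, a browser-profile probe at 0040B437, and a registry clean-up at 00412422 opening HKEY_CURRENT_USER. Two caveats worth keeping in mind when reading the decoded output against the listing: a `?` argument means the sandbox could not resolve the value, and the String ID is the set of strings co-located in the function, not the meaning of a particular call. The page's own entries show why that matters: the [AltL]/[AltR] entry's visible GetKeyState call tests 0x11 (VK_CONTROL) and the [CtrlL]/[CtrlR] entry tests 0x12 (VK_MENU), so keep the decoded constant beside the label rather than inferring one from the other.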