
Windows Analysis Report
SHROsQyiAd.exe

Overview

General Information

Sample name: SHROsQyiAd.exe (renamed because the original name is a hash value)
Original sample name: 7119698425e2056d404e97b12ed5ca37.exe
Analysis ID: 1578616
MD5: 7119698425e2056d404e97b12ed5ca37
SHA1: 47ebc0744e88fbe12876471b49f4df80195f428a
SHA256: f3646ac33546540137231400c43e90525e2bc6fad1ba2c27cb56466c65bd58b3
Tags: exe, RAT, RemcosRAT, user-abuse_ch

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Drops large PE files
Injects a PE file into a foreign processes
Installs a global keyboard hook
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate processes and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • SHROsQyiAd.exe (PID: 2308 cmdline: "C:\Users\user\Desktop\SHROsQyiAd.exe" MD5: 7119698425E2056D404E97B12ED5CA37)
    • SHROsQyiAd.exe (PID: 3472 cmdline: "C:\Users\user\Desktop\SHROsQyiAd.exe" MD5: 7119698425E2056D404E97B12ED5CA37)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["newstaticfreepoint24.ddns-ip.net:3020:0"], "Assigned name": "ROSAS", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "kljjbdlcjbavhbiluiewliuwqerlib-DDZVN3", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "registros.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Capturas de pantalla", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "data", "Keylog file max size": ""}
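The extracted configuration above is the most reusable output of the report: it names the C2 host and port, the mutex, the persistence switches and the keylog artefact. The following script is an added example (not part of the Joe Sandbox report and not Remcos code) that turns that JSON into hunting artefacts and a Suricata DNS rule. The field names are taken verbatim from the report; the assumption that a "Host:Port:Password" entry splits on its first two colons, and the treatment of a non-"0" "Keylog flag" as enabled, are ours.

```python
"""Turn an extracted Remcos configuration into hunting artefacts (added example)."""
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed from the configuration shown in the report (subset of its fields).
SAMPLE_CONFIG = json.dumps({
    "Host:Port:Password": ["newstaticfreepoint24.ddns-ip.net:3020:0"],
    "Assigned name": "ROSAS",
    "Setup HKCU\\Run": "Enable",
    "Setup HKLM\\Run": "Enable",
    "Copy file": "remcos.exe",
    "Copy folder": "Remcos",
    "Mutex": "kljjbdlcjbavhbiluiewliuwqerlib-DDZVN3",
    "Keylog flag": "1",
    "Keylog folder": "data",
    "Keylog file": "registros.dat",
    "Screenshot flag": "Disable",
})


@dataclass
class RemcosIOCs:
    campaign: str                      # operator-assigned name
    c2: List[Tuple[str, int, str]]     # (host, port, password)
    mutex: str
    run_hives: List[str]               # hives where a Run value is configured
    copy_name: str                     # file name the implant copies itself as
    keylog_file: Optional[str]         # None when keylogging is switched off


def parse_c2(entry: str) -> Tuple[str, int, str]:
    """Split host:port:password; the password may itself contain ':' (assumed format)."""
    parts = entry.split(":", 2)
    if len(parts) != 3 or not parts[0]:
        raise ValueError(f"malformed C2 entry: {entry!r}")
    host, port_s, password = parts
    if not port_s.isdigit() or not 0 < int(port_s) < 65536:
        raise ValueError(f"bad port in C2 entry: {entry!r}")
    return host.lower().rstrip("."), int(port_s), password


def parse_remcos_config(raw: str) -> RemcosIOCs:
    cfg = json.loads(raw)
    c2 = [parse_c2(e) for e in cfg.get("Host:Port:Password", [])]
    run_hives = [h for h in ("HKCU", "HKLM") if cfg.get(f"Setup {h}\\Run") == "Enable"]
    # The extracted config carries the keylog switch as a numeric string ("1" here);
    # assumption: "0", empty or "Disable" means off.
    keylog_on = cfg.get("Keylog flag", "0") not in ("0", "", "Disable")
    return RemcosIOCs(
        campaign=cfg.get("Assigned name", ""),
        c2=c2,
        mutex=cfg.get("Mutex", ""),
        run_hives=run_hives,
        copy_name=cfg.get("Copy file", ""),
        keylog_file=cfg.get("Keylog file") if keylog_on else None,
    )


def suricata_dns_rule(host: str, sid: int) -> str:
    """Suricata rule alerting on any DNS lookup of the C2 host or a subdomain of it."""
    return (
        "alert dns $HOME_NET any -> any any "
        f'(msg:"Remcos C2 domain lookup {host}"; dns.query; content:"{host}"; '
        f"nocase; endswith; classtype:trojan-activity; sid:{sid}; rev:1;)"
    )


def hunting_summary(iocs: RemcosIOCs, first_sid: int = 9000001) -> List[str]:
    """What to search for on hosts and on the wire, one item per line."""
    lines = [f"campaign tag: {iocs.campaign}", f"mutex: {iocs.mutex}"]
    for n, (host, port, _pw) in enumerate(iocs.c2):
        lines.append(f"C2: {host}:{port}/tcp")
        lines.append(suricata_dns_rule(host, first_sid + n))
    for hive in iocs.run_hives:
        lines.append(f"persistence: Run value configured under {hive}")
    if iocs.copy_name:
        lines.append(f"copy name: {iocs.copy_name}")
    if iocs.keylog_file:
        lines.append(f"keylog artefact: {iocs.keylog_file}")
    return lines


if __name__ == "__main__":
    print("\n".join(hunting_summary(parse_remcos_config(SAMPLE_CONFIG))))
```

Note that the password field here is "0", i.e. the traffic is unencrypted, which is exactly why the ET "Remcos 3.x Unencrypted Checkin" signatures below fire; a non-trivial password would not change the host/port IOCs but would make the on-wire signatures far less reliable.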
Yara matches, memory dump 00000002.00000002.2444408397.0000000001130000.00000004.00001000.00020000.00000000.sdmp (rule: description, author):
  • JoeSecurity_Keylogger_Generic: Yara detected Keylogger Generic, Joe Security
  • JoeSecurity_Remcos: Yara detected Remcos RAT, Joe Security
  • JoeSecurity_UACBypassusingCMSTP: Yara detected UAC Bypass using CMSTP, Joe Security
  • Windows_Trojan_Remcos_b296e965: description unknown, author unknown. Matched strings:
    • 0x6aaf8:$a1: Remcos restarted by watchdog!
    • 0x6b070:$a3: %02i:%02i:%02i:%03i
  • REMCOS_RAT_variants: description unknown, author unknown. Matched strings:
    • 0x64d94:$str_a1: C:\Windows\System32\cmd.exe
    • 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    • 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    • 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
    • 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
    • 0x64e04:$str_b2: Executing file:
    • 0x65c3c:$str_b3: GetDirectListeningPort
    • 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
    • 0x65780:$str_b7: \update.vbs
    • 0x64e2c:$str_b9: Downloaded file:
    • 0x64e18:$str_b10: Downloading file:
    • 0x64ebc:$str_b12: Failed to upload file:
    • 0x65c04:$str_b13: StartForward
    • 0x65c24:$str_b14: StopForward
    • 0x656d8:$str_b15: fso.DeleteFile "
    • 0x6566c:$str_b16: On Error Resume Next
    • 0x65708:$str_b17: fso.DeleteFolder "
    • 0x64eac:$str_b18: Uploaded file:
    • 0x64e6c:$str_b19: Unable to delete:
    • 0x656a0:$str_b20: while fso.FileExists("
    • 0x65349:$str_c0: [Firefox StoredLogins not found]
    (21 matched strings in total; the remainder are not shown in this extract)
Yara matches, unpacked PE 2.2.SHROsQyiAd.exe.1130000.1.unpack (rule: description, author):
  • JoeSecurity_Keylogger_Generic: Yara detected Keylogger Generic, Joe Security
  • JoeSecurity_Remcos: Yara detected Remcos RAT, Joe Security
  • JoeSecurity_UACBypassusingCMSTP: Yara detected UAC Bypass using CMSTP, Joe Security
  • Windows_Trojan_Remcos_b296e965: description unknown, author unknown. Matched strings:
    • 0x69ef8:$a1: Remcos restarted by watchdog!
    • 0x6a470:$a3: %02i:%02i:%02i:%03i
  • REMCOS_RAT_variants: description unknown, author unknown. Matched strings:
    • 0x64194:$str_a1: C:\Windows\System32\cmd.exe
    • 0x64110:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    • 0x64110:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    • 0x64610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
    • 0x64c10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
    • 0x64204:$str_b2: Executing file:
    • 0x6503c:$str_b3: GetDirectListeningPort
    • 0x64a00:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
    • 0x64b80:$str_b7: \update.vbs
    • 0x6422c:$str_b9: Downloaded file:
    • 0x64218:$str_b10: Downloading file:
    • 0x642bc:$str_b12: Failed to upload file:
    • 0x65004:$str_b13: StartForward
    • 0x65024:$str_b14: StopForward
    • 0x64ad8:$str_b15: fso.DeleteFile "
    • 0x64a6c:$str_b16: On Error Resume Next
    • 0x64b08:$str_b17: fso.DeleteFolder "
    • 0x642ac:$str_b18: Uploaded file:
    • 0x6426c:$str_b19: Unable to delete:
    • 0x64aa0:$str_b20: while fso.FileExists("
    • 0x64749:$str_c0: [Firefox StoredLogins not found]
    (31 matched strings in total; the remainder are not shown in this extract)

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), Data: Details: C:\Users\user\Favorites\VS Code\user-data\Code.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\SHROsQyiAd.exe, ProcessId: 2308, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VSCode
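The Sigma hit above is the persistence mechanism actually observed in the sandbox: the sample (running from the Desktop) registers a Run value named "VSCode" that launches a dropped Code.exe from the user's Favorites folder. The script below is an added example, not part of the Joe Sandbox report, of how such Event ID 13 records can be triaged beyond the Sigma match itself. The first event is built from the report's data; the two controls are constructed. Field names follow Sysmon's Event ID 13 schema (TargetObject, Details, Image); the list of roots a standard user cannot write to is our assumption.

```python
"""Triage Sysmon-style registry SetValue events for suspicious autorun persistence (added example)."""
import re
from typing import Dict, List

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\", re.IGNORECASE)
# Assumed set of roots a standard user cannot write to; a Run target outside them deserves a look.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

EVENTS: List[Dict] = [
    {   # From the report's Sigma match.
        "EventID": 13, "EventType": "SetValue",
        "Image": r"C:\Users\user\Desktop\SHROsQyiAd.exe", "ProcessId": 2308,
        "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VSCode",
        "Details": r"C:\Users\user\Favorites\VS Code\user-data\Code.exe",
    },
    {   # Constructed benign control: a vendor updater registered from Program Files.
        "EventID": 13, "EventType": "SetValue",
        "Image": r"C:\Program Files\ExampleVendor\setup.exe", "ProcessId": 4100,
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater",
        "Details": '"C:\\Program Files\\ExampleVendor\\Updater.exe" /background',
    },
    {   # Constructed: a registry write that is not an autorun key at all.
        "EventID": 13, "EventType": "SetValue",
        "Image": r"C:\Windows\explorer.exe", "ProcessId": 3000,
        "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
        "Details": "DWORD (0x00000001)",
    },
]


def extract_image(details: str) -> str:
    """Pull the executable path out of a Run value (quoted, or unquoted with spaces and arguments)."""
    details = details.strip()
    if details.startswith('"'):
        end = details.find('"', 1)
        return details[1:end] if end > 0 else details[1:]
    m = re.match(r"(.+?\.exe)(?=\s|$)", details, re.IGNORECASE)
    return m.group(1) if m else details


def triage_autorun(event: Dict) -> List[str]:
    """Reasons the event looks like suspicious persistence; an empty list means nothing noteworthy."""
    reasons: List[str] = []
    target = event.get("TargetObject", "")
    if event.get("EventID") != 13 or not RUN_KEY_RE.search(target):
        return reasons
    value_name = target.rsplit("\\", 1)[-1]
    image = extract_image(event.get("Details", ""))
    # Check 1: the autorun target itself lives where the user (and so malware) can write.
    if USER_WRITABLE_RE.match(image) and not image.lower().startswith(TRUSTED_ROOTS):
        reasons.append(f"Run value '{value_name}' launches a binary from a user-writable path: {image}")
    # Check 2: the value was written by a user-profile process other than the registered binary.
    writer = event.get("Image", "")
    if USER_WRITABLE_RE.match(writer) and writer.lower() != image.lower():
        reasons.append(f"Run value written by an unrelated user-profile process: {writer}")
    return reasons


def triage_all(events: List[Dict]) -> Dict[str, List[str]]:
    """Map each flagged TargetObject to its reasons; unflagged events are omitted."""
    return {e["TargetObject"]: r for e in events if (r := triage_autorun(e))}


if __name__ == "__main__":
    for key, why in triage_all(EVENTS).items():
        print(key)
        for line in why:
            print("   ", line)
```

Both checks fire on the report's event: the target is under C:\Users\user\Favorites and the writer is a different binary on the Desktop. The value name "VSCode" is the social-engineering part; a name check alone would not have caught it, the path checks do.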
Suricata IDS alerts:
Timestamp | SID | Severity | Classtype | Source IP:Port | Destination IP:Port | Protocol
2024-12-19T23:42:33.005441+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6:49773 | 181.131.217.244:3020 | TCP
2024-12-19T23:42:34.257170+0100 | 2032777 | 1 | Malware Command and Control Activity Detected | 181.131.217.244:3020 | 192.168.2.6:49773 | TCP
2024-12-19T23:44:52.538251+0100 | 2032777 | 1 | Malware Command and Control Activity Detected | 181.131.217.244:3020 | 192.168.2.6:49773 | TCP
2024-12-19T23:42:36.056369+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.6:49780 | 178.237.33.50:80 | TCP
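The alert rows above only become a verdict once they are grouped per flow: a Remcos check-in from the client and a server response on the same connection is bidirectional C2, whereas the single severity-3 hit on the geoplugin.net request is just the implant's geolocation lookup. The script below is an added example, not part of the Joe Sandbox report, that performs that correlation. The four records are the report's alerts re-expressed in Suricata's EVE JSON shape (the JSON framing is ours; timestamps, SIDs, signature names, addresses and ports are taken from the report). Identifying the server as the destination of the earliest alert on the flow is a heuristic; on real EVE output prefer the initiator recorded in the event's flow object.

```python
"""Correlate Suricata alerts into per-flow C2 verdicts (added example)."""
from collections import defaultdict
from typing import Dict, FrozenSet, List, Tuple

Endpoint = Tuple[str, int]
C2_CAT = "Malware Command and Control Activity Detected"


def _alert(ts, src, sport, dst, dport, sid, sev, sig, cat) -> Dict:
    return {"timestamp": ts, "event_type": "alert", "proto": "TCP",
            "src_ip": src, "src_port": sport, "dest_ip": dst, "dest_port": dport,
            "alert": {"signature_id": sid, "severity": sev, "signature": sig, "category": cat}}


# Constructed EVE-style records mirroring the report's alert table.
EVE_ALERTS: List[Dict] = [
    _alert("2024-12-19T23:42:33.005441+0100", "192.168.2.6", 49773, "181.131.217.244", 3020,
           2032776, 1, "ET MALWARE Remcos 3.x Unencrypted Checkin", C2_CAT),
    _alert("2024-12-19T23:42:34.257170+0100", "181.131.217.244", 3020, "192.168.2.6", 49773,
           2032777, 1, "ET MALWARE Remcos 3.x Unencrypted Server Response", C2_CAT),
    _alert("2024-12-19T23:44:52.538251+0100", "181.131.217.244", 3020, "192.168.2.6", 49773,
           2032777, 1, "ET MALWARE Remcos 3.x Unencrypted Server Response", C2_CAT),
    _alert("2024-12-19T23:42:36.056369+0100", "192.168.2.6", 49780, "178.237.33.50", 80,
           2803304, 3, "ETPRO MALWARE Common Downloader Header Pattern HCa", "Unknown Traffic"),
]


def flow_id(rec: Dict) -> FrozenSet[Endpoint]:
    """Direction-independent identity of a TCP conversation."""
    return frozenset({(rec["src_ip"], rec["src_port"]), (rec["dest_ip"], rec["dest_port"])})


def summarize_flows(alerts: List[Dict]) -> List[Dict]:
    """One summary per flow, confirmed C2 first."""
    flows: Dict[FrozenSet[Endpoint], List[Dict]] = defaultdict(list)
    for rec in alerts:
        if rec.get("event_type") == "alert" and rec.get("proto") == "TCP":
            flows[flow_id(rec)].append(rec)
    out = []
    for recs in flows.values():
        # ISO timestamps sharing one UTC offset sort correctly as strings.
        recs.sort(key=lambda r: r["timestamp"])
        # Heuristic: the earliest alert on the flow is client -> server.
        server: Endpoint = (recs[0]["dest_ip"], recs[0]["dest_port"])
        directions = set()
        for r in recs:
            a = r["alert"]
            if a["severity"] == 1 and a["category"] == C2_CAT:
                directions.add("to_server" if (r["dest_ip"], r["dest_port"]) == server else "to_client")
        out.append({
            "server": server,
            "sids": sorted({r["alert"]["signature_id"] for r in recs}),
            "alerts": len(recs),
            "first_seen": recs[0]["timestamp"],
            "c2_confirmed": directions == {"to_server", "to_client"},  # both halves of the dialogue seen
            "c2_suspected": 0 < len(directions) < 2,                    # one-way hit only
        })
    return sorted(out, key=lambda s: (not s["c2_confirmed"], not s["c2_suspected"], s["server"]))


def confirmed_c2_endpoints(alerts: List[Dict]) -> List[Endpoint]:
    return [s["server"] for s in summarize_flows(alerts) if s["c2_confirmed"]]


if __name__ == "__main__":
    for s in summarize_flows(EVE_ALERTS):
        verdict = "C2 confirmed" if s["c2_confirmed"] else ("C2 suspected" if s["c2_suspected"] else "informational")
        print(f"{s['server'][0]}:{s['server'][1]}  {verdict}  sids={s['sids']}  alerts={s['alerts']}")
```

On the report's data this yields one confirmed C2 endpoint, 181.131.217.244:3020 (matching the configured host newstaticfreepoint24.ddns-ip.net:3020), and classifies the 178.237.33.50:80 flow as informational.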

AV Detection

Source: 2.2.SHROsQyiAd.exe.11c0000.2.unpack, Malware Configuration Extractor: Remcos {"Host:Port:Password": ["newstaticfreepoint24.ddns-ip.net:3020:0"], "Assigned name": "ROSAS", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "kljjbdlcjbavhbiluiewliuwqerlib-DDZVN3", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "registros.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Capturas de pantalla", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "data", "Keylog file max size": ""}
Source: Yara match, File source: 2.2.SHROsQyiAd.exe.1130000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.SHROsQyiAd.exe.c70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.SHROsQyiAd.exe.11c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.SHROsQyiAd.exe.11c0000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.SHROsQyiAd.exe.1130000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.SHROsQyiAd.exe.c70000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000002.00000002.2444408397.0000000001130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.2444502567.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: SHROsQyiAd.exe PID: 2308, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: SHROsQyiAd.exe PID: 3472, type: MEMORYSTR
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.6% probability
Source: C:\Users\user\Desktop\SHROsQyiAd.exe, Code function: 6_2_00CA293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext
Source: SHROsQyiAd.exe, 00000002.00000002.2444408397.0000000001130000.00000004.00001000.00020000.00000000.sdmp, Binary or memory string: -----BEGIN PUBLIC KEY----- (memstr_e7140f15-5)

Exploits

Source: Yara match, File source: 2.2.SHROsQyiAd.exe.1130000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.SHROsQyiAd.exe.c70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.SHROsQyiAd.exe.11c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.SHROsQyiAd.exe.11c0000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.SHROsQyiAd.exe.1130000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.SHROsQyiAd.exe.c70000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000002.00000002.2444408397.0000000001130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.2444502567.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: SHROsQyiAd.exe PID: 2308, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: SHROsQyiAd.exe PID: 3472, type: MEMORYSTR

Privilege Escalation

Source: C:\Users\user\Desktop\SHROsQyiAd.exe, Code function: 6_2_00C76764 _wcslen,CoGetObject (CoGetObject with an elevation moniker is how the auto-elevated CMSTPLUA COM interface is obtained; this is the UAC bypass the signatures above refer to)
Source: SHROsQyiAd.exe, Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: SHROsQyiAd.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Sources\foobar2000-2.24\foobar2000\Release\foobar2000.pdb, source: SHROsQyiAd.exe, Code.exe.2.dr (the dropped Code.exe, registered under the "VSCode" Run value above, carries a foobar2000 PDB path)
Source: C:\Users\user\Desktop\SHROsQyiAd.exe, Code function: 6_2_00C7B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\SHROsQyiAd.exe, Code function: 6_2_00C8B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose
Source: C:\Users\user\Desktop\SHROsQyiAd.exe, Code function: 6_2_00CBD5E9 FindFirstFileExA
Source: C:\Users\user\Desktop\SHROsQyiAd.exe, Code function: 6_2_00C7B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
Source: C:\Users\user\Desktop\SHROsQyiAd.exe, Code function: 6_2_00C789A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8
Source: C:\Users\user\Desktop\SHROsQyiAd.exe, Code function: 6_2_00C76AC2 FindFirstFileW,FindNextFileW
Source: C:\Users\user\Desktop\SHROsQyiAd.exe, Code function: 6_2_00C77A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8
Source: C:\Users\user\Desktop\SHROsQyiAd.exe, Code function: 6_2_00C88C69 FindFirstFileW,FindNextFileW,FindNextFileW
Source: C:\Users\user\Desktop\SHROsQyiAd.exe, Code function: 6_2_00C78DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\SHROsQyiAd.exe, Code function: 6_2_00C76F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW

Networking

Source: Network traffic, Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49773 -> 181.131.217.244:3020
Source: Network traffic, Suricata IDS: 2032777 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Server Response : 181.131.217.244:3020 -> 192.168.2.6:49773
Source: Malware configuration extractor, URLs: newstaticfreepoint24.ddns-ip.net
Source: global traffic, TCP traffic: 192.168.2.6:49773 -> 181.131.217.244:3020
Source: global traffic, HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache (no User-Agent header is sent)
Source: Joe Sandbox View, IP Address: 181.131.217.244
Source: Joe Sandbox View, IP Address: 178.237.33.50
Source: Network traffic, Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49780 -> 178.237.33.50:80
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\SHROsQyiAd.exe, Code function: 6_2_00C7455B WaitForSingleObject,SetEvent,recv
Source: global traffic, HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
Source: global traffic, DNS traffic detected: DNS query: newstaticfreepoint24.ddns-ip.net
Source: global traffic, DNS traffic detected: DNS query: geoplugin.net
Source: SHROsQyiAd.exe, Code.exe.2.dr, String found in binary or memory: http://forums.foobar2000.org/
Source: SHROsQyiAd.exe, 00000006.00000003.2425767584.0000000000F31000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://geoplugin.net/8
Source: SHROsQyiAd.exe, SHROsQyiAd.exe, 00000006.00000002.4642099333.0000000000F14000.00000004.00000020.00020000.00000000.sdmp, SHROsQyiAd.exe, 00000006.00000002.4642099333.0000000000ED8000.00000004.00000020.00020000.00000000.sdmp, SHROsQyiAd.exe, 00000006.00000003.2425767584.0000000000F14000.00000004.00000800.00020000.00000000.sdmp, SHROsQyiAd.exe, 00000006.00000003.2425767584.0000000000F31000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://geoplugin.net/json.gp
Source: SHROsQyiAd.exe, 00000002.00000002.2444408397.0000000001130000.00000004.00001000.00020000.00000000.sdmp, SHROsQyiAd.exe, 00000002.00000002.2444502567.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, SHROsQyiAd.exe, 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: http://geoplugin.net/json.gp/C
Source: SHROsQyiAd.exe, 00000006.00000003.2425767584.0000000000F14000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://geoplugin.net/json.gpH
Source: SHROsQyiAd.exe, 00000006.00000002.4642099333.0000000000F14000.00000004.00000020.00020000.00000000.sdmp, SHROsQyiAd.exe, 00000006.00000003.2425767584.0000000000F14000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: SHROsQyiAd.exe, 00000006.00000002.4642099333.0000000000F14000.00000004.00000020.00020000.00000000.sdmp, SHROsQyiAd.exe, 00000006.00000003.2425767584.0000000000F14000.00000004.00000800.00020000.00000000.sdmp, SHROsQyiAd.exe, 00000006.00000003.2425767584.0000000000F31000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://geoplugin.net/json.gpl
Source: SHROsQyiAd.exe, 00000006.00000002.4642099333.0000000000F14000.00000004.00000020.00020000.00000000.sdmp, SHROsQyiAd.exe, 00000006.00000003.2425767584.0000000000F14000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://geoplugin.net/json.gpz
Source: SHROsQyiAd.exe, Code.exe.2.dr, String found in binary or memory: http://wiki.hydrogenaudio.org/index.php?title=Replaygain
Source: SHROsQyiAd.exe, Code.exe.2.dr, String found in binary or memory: http://wiki.hydrogenaudio.org/index.php?title=ReplaygainSet
Source: SHROsQyiAd.exe, Code.exe.2.dr, String found in binary or memory: https://help.foobar2000.org/
Source: SHROsQyiAd.exe, Code.exe.2.dr, String found in binary or memory: https://help.foobar2000.org/~rbvrb
Source: SHROsQyiAd.exe, Code.exe.2.dr, String found in binary or memory: https://www.foobar2000.org/
Source: SHROsQyiAd.exe, Code.exe.2.dr, String found in binary or memory: https://www.foobar2000.org/download
Source: SHROsQyiAd.exe, Code.exe.2.dr, String found in binary or memory: https://www.foobar2000.org/downloadcomponent_manager::on_app_initPre
Source: SHROsQyiAd.exe, Code.exe.2.dr, String found in binary or memory: https://www.foobar2000.org/http://forums.foobar2000.org/AboutOpens
Source: Code.exe.2.dr, String found in binary or memory: https://www.foobar2000.org/license
Source: SHROsQyiAd.exe, Code.exe.2.dr, String found in binary or memory: https://www.radio-browser.info/
Source: SHROsQyiAd.exe, Code.exe.2.dr, String found in binary or memory: https://www.radio-browser.info/CountryLanguageTagNameLoading...No
Source: SHROsQyiAd.exe, Code.exe.2.dr, String found in binary or memory: https://www.radio-browser.info/history/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\SHROsQyiAd.exe, Code function: 6_2_00C799E4 SetWindowsHookExA 0000000D,00C799D0,00000000 (idHook 0x0D is WH_KEYBOARD_LL, a low-level keyboard hook; the behaviour entry below confirms it is installed globally)
Source: C:\Users\user\Desktop\SHROsQyiAd.exe, Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\SHROsQyiAd.exe
Source: C:\Users\user\Desktop\SHROsQyiAd.exe, Code function: 6_2_00C859C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
Source: C:\Users\user\Desktop\SHROsQyiAd.exe, Code function: 6_2_00C859C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
Source: C:\Users\user\Desktop\SHROsQyiAd.exe, Code function: 6_2_00C859C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
Source: C:\Users\user\Desktop\SHROsQyiAd.exe, Code function: 6_2_00C79B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx (translates captured virtual-key codes into characters for the active window's keyboard layout)
Source: Yara match, File source: 2.2.SHROsQyiAd.exe.1130000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.SHROsQyiAd.exe.c70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.SHROsQyiAd.exe.11c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.SHROsQyiAd.exe.11c0000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.SHROsQyiAd.exe.1130000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.SHROsQyiAd.exe.c70000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000002.00000002.2444408397.0000000001130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.2444502567.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: SHROsQyiAd.exe PID: 2308, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: SHROsQyiAd.exe PID: 3472, type: MEMORYSTR

E-Banking Fraud

Source: Yara match, File source: 2.2.SHROsQyiAd.exe.1130000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.SHROsQyiAd.exe.c70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.SHROsQyiAd.exe.11c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.SHROsQyiAd.exe.11c0000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.SHROsQyiAd.exe.1130000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.SHROsQyiAd.exe.c70000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000002.00000002.2444408397.0000000001130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.2444502567.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: SHROsQyiAd.exe PID: 2308, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: SHROsQyiAd.exe PID: 3472, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\SHROsQyiAd.exe, Code function: 6_2_00C8BB77 SystemParametersInfoW (the API used to change the desktop wallpaper, cf. the wallpaper signature above)

System Summary

Source: 2.2.SHROsQyiAd.exe.1130000.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 (Author: unknown)
Source: 2.2.SHROsQyiAd.exe.1130000.1.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants (Author: unknown)
Source: 2.2.SHROsQyiAd.exe.1130000.1.unpack, type: UNPACKEDPE, Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) (Author: ditekSHen)
Source: 6.2.SHROsQyiAd.exe.c70000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 (Author: unknown)
Source: 6.2.SHROsQyiAd.exe.c70000.1.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants (Author: unknown)
Source: 6.2.SHROsQyiAd.exe.c70000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) (Author: ditekSHen)
Source: 2.2.SHROsQyiAd.exe.11c0000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 (Author: unknown)
Source: 2.2.SHROsQyiAd.exe.11c0000.2.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 (Author: unknown)
Source: 2.2.SHROsQyiAd.exe.11c0000.2.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants (Author: unknown)
Source: 2.2.SHROsQyiAd.exe.11c0000.2.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants (Author: unknown)
Source: 2.2.SHROsQyiAd.exe.11c0000.2.unpack, type: UNPACKEDPE, Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) (Author: ditekSHen)
Source: 2.2.SHROsQyiAd.exe.11c0000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) (Author: ditekSHen)
Source: 2.2.SHROsQyiAd.exe.1130000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 (Author: unknown)
Source: 2.2.SHROsQyiAd.exe.1130000.1.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants (Author: unknown)
Source: 2.2.SHROsQyiAd.exe.1130000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) (Author: ditekSHen)
Source: 6.2.SHROsQyiAd.exe.c70000.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 (Author: unknown)
Source: 6.2.SHROsQyiAd.exe.c70000.1.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants (Author: unknown)
Source: 6.2.SHROsQyiAd.exe.c70000.1.unpack, type: UNPACKEDPE, Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) (Author: ditekSHen)
Source: 00000002.00000002.2444408397.0000000001130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 (Author: unknown)
Source: 00000002.00000002.2444408397.0000000001130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: REMCOS_RAT_variants (Author: unknown)
Source: 00000002.00000002.2444408397.0000000001130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) (Author: ditekSHen)
Source: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 (Author: unknown)
Source: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: REMCOS_RAT_variants (Author: unknown)
Source: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) (Author: ditekSHen)
Source: 00000002.00000002.2444502567.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 (Author: unknown)
Source: 00000002.00000002.2444502567.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: REMCOS_RAT_variants (Author: unknown)
Source: 00000002.00000002.2444502567.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) (Author: ditekSHen)
Source: Process Memory Space: SHROsQyiAd.exe PID: 2308, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965 (Author: unknown)
Source: Process Memory Space: SHROsQyiAd.exe PID: 3472, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965 (Author: unknown)
Source: C:\Users\user\Desktop\SHROsQyiAd.exe, File dump: Code.exe.2.dr, 959567331 bytes
Source: C:\Users\user\Desktop\SHROsQyiAd.exe, Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\SHROsQyiAd.exe, Code function: 6_2_00C858B9 ExitWindowsEx,LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\SHROsQyiAd.exe, Code function: 6_2_00CC20D2
Source: C:\Users\user\Desktop\SHROsQyiAd.exe, Code function: 6_2_00CAD098
Source: C:\Users\user\Desktop\SHROsQyiAd.exe, Code function: 6_2_00C8D071
Source: C:\Users\user\Desktop\SHROsQyiAd.exe, Code function: 6_2_00CA61AA
Source: C:\Users\user\Desktop\SHROsQyiAd.exe, Code function: 6_2_00CA7150
Source: C:\Users\user\Desktop\SHROsQyiAd.exe, Code function: 6_2_00C96254
Source: C:\Users\user\Desktop\SHROsQyiAd.exe, Code function: 6_2_00CA1377
Source: C:\Users\user\Desktop\SHROsQyiAd.exe, Code function: 6_2_00C8E5DF
Source: C:\Users\user\Desktop\SHROsQyiAd.exe, Code function: 6_2_00C967CB
Source: C:\Users\user\Desktop\SHROsQyiAd.exe, Code function: 6_2_00CBC739
Source: C:\Users\user\Desktop\SHROsQyiAd.exe, Code function: 6_2_00CAC9DD
Source: C:\Users\user\Desktop\SHROsQyiAd.exe, Code function: 6_2_00CA2A49
Source: C:\Users\user\Desktop\SHROsQyiAd.exe, Code function: 6_2_00CACC0C
Source: C:\Users\user\Desktop\SHROsQyiAd.exe, Code function: 6_2_00CA4D22
Source: C:\Users\user\Desktop\SHROsQyiAd.exe, Code function: 6_2_00C96E73
Source: C:\Users\user\Desktop\SHROsQyiAd.exe, Code function: 6_2_00CB0E20
Source: C:\Users\user\Desktop\SHROsQyiAd.exe, Code function: 6_2_00CACE3B
Source: C:\Users\user\Desktop\SHROsQyiAd.exe, Code function: 6_2_00C96FAD
Source: C:\Users\user\Desktop\SHROsQyiAd.exe, Code function: 6_2_00C82F45
              Source: C:\Users\user\Desktop\SHROsQyiAd.exeCode function: 6_2_00CC2F006_2_00CC2F00
              Source: C:\Users\user\Desktop\SHROsQyiAd.exeCode function: String function: 00CA3FB0 appears 55 times
              Source: C:\Users\user\Desktop\SHROsQyiAd.exeCode function: String function: 00C71F66 appears 49 times
              Source: C:\Users\user\Desktop\SHROsQyiAd.exeCode function: String function: 00C720E7 appears 42 times
              Source: C:\Users\user\Desktop\SHROsQyiAd.exeCode function: String function: 00CA38A5 appears 41 times
              Source: SHROsQyiAd.exeBinary or memory string: OriginalFilename vs SHROsQyiAd.exe
              Source: SHROsQyiAd.exe, 00000002.00000000.2189394833.0000000000B52000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamefoobar2000.exeN vs SHROsQyiAd.exe
              Source: SHROsQyiAd.exe, 00000002.00000002.2444703943.0000000003236000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamefoobar2000.exeN vs SHROsQyiAd.exe
              Source: SHROsQyiAd.exe, 00000006.00000000.2386746274.0000000000B52000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamefoobar2000.exeN vs SHROsQyiAd.exe
              Source: SHROsQyiAd.exeBinary or memory string: OriginalFilenamefoobar2000.exeN vs SHROsQyiAd.exe
              Source: SHROsQyiAd.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
              Source: 2.2.SHROsQyiAd.exe.1130000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 2.2.SHROsQyiAd.exe.1130000.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 2.2.SHROsQyiAd.exe.1130000.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 6.2.SHROsQyiAd.exe.c70000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 6.2.SHROsQyiAd.exe.c70000.1.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 6.2.SHROsQyiAd.exe.c70000.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 2.2.SHROsQyiAd.exe.11c0000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 2.2.SHROsQyiAd.exe.11c0000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 2.2.SHROsQyiAd.exe.11c0000.2.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 2.2.SHROsQyiAd.exe.11c0000.2.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 2.2.SHROsQyiAd.exe.11c0000.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 2.2.SHROsQyiAd.exe.11c0000.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 2.2.SHROsQyiAd.exe.1130000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 2.2.SHROsQyiAd.exe.1130000.1.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 2.2.SHROsQyiAd.exe.1130000.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 6.2.SHROsQyiAd.exe.c70000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 6.2.SHROsQyiAd.exe.c70000.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 6.2.SHROsQyiAd.exe.c70000.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 00000002.00000002.2444408397.0000000001130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000002.00000002.2444408397.0000000001130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 00000002.00000002.2444408397.0000000001130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 00000002.00000002.2444502567.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000002.00000002.2444502567.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 00000002.00000002.2444502567.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: Process Memory Space: SHROsQyiAd.exe PID: 2308, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: SHROsQyiAd.exe PID: 3472, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: classification engineClassification label: mal100.rans.troj.spyw.expl.evad.winEXE@3/3@2/2
              Source: C:\Users\user\Desktop\SHROsQyiAd.exeCode function: 6_2_00C86AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,6_2_00C86AB7
              Source: C:\Users\user\Desktop\SHROsQyiAd.exeCode function: 6_2_00C7E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,6_2_00C7E219
              Source: C:\Users\user\Desktop\SHROsQyiAd.exeCode function: 6_2_00C8A63F FindResourceA,LoadResource,LockResource,SizeofResource,6_2_00C8A63F
              Source: C:\Users\user\Desktop\SHROsQyiAd.exeCode function: 6_2_00C89BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,6_2_00C89BC4
              Source: C:\Users\user\Desktop\SHROsQyiAd.exeFile created: C:\Users\user\Favorites\VS CodeJump to behavior
              Source: SHROsQyiAd.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\SHROsQyiAd.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: SHROsQyiAd.exe, 00000002.00000002.2444703943.0000000002AF0000.00000004.00001000.00020000.00000000.sdmp, SHROsQyiAd.exe, 00000002.00000002.2442948453.0000000000675000.00000002.00000001.01000000.00000003.sdmp, SHROsQyiAd.exe, 00000002.00000000.2189298046.0000000000675000.00000002.00000001.01000000.00000003.sdmp, SHROsQyiAd.exe, 00000006.00000002.4640929809.0000000000675000.00000002.00000001.01000000.00000003.sdmp, Code.exe.2.drBinary or memory string: SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name=?;
              Source: SHROsQyiAd.exe, 00000002.00000002.2444703943.0000000002AF0000.00000004.00001000.00020000.00000000.sdmp, SHROsQyiAd.exe, 00000002.00000002.2442948453.0000000000675000.00000002.00000001.01000000.00000003.sdmp, SHROsQyiAd.exe, 00000002.00000000.2189298046.0000000000675000.00000002.00000001.01000000.00000003.sdmp, SHROsQyiAd.exe, 00000006.00000002.4640929809.0000000000675000.00000002.00000001.01000000.00000003.sdmp, Code.exe.2.drBinary or memory string: UPDATE metadb SET lastseen = ? WHERE rowid IN (SELECT rowid FROM temp.gc_present_items);
              Source: SHROsQyiAd.exeString found in binary or memory: /add <list-of-files> - appends the specified files to the current playlist instead of replacing the playlist content and playing them immediately
              Source: SHROsQyiAd.exeString found in binary or memory: /play, /pause, /playpause, /prev, /next, /rand, /stop - playback controls
              Source: SHROsQyiAd.exeString found in binary or memory: /play, /pause, /playpause, /prev, /next, /rand, /stop - playback controls
              Source: SHROsQyiAd.exeString found in binary or memory: " /add "%1"
              Source: SHROsQyiAd.exeString found in binary or memory: @" "addplaynow.icoicons\generic.icoSoftware\Classesfoobar2000.url.foobar2000.SOFTWARE\Classes\CLSID\{0A35F9F4-F4BE-471A-890D-E09FFA6B38AD}\InprocServer32/CommandDelegateExecute{0A35F9F4-F4BE-471A-890D-E09FFA6B38AD}Directory\shellex\ContextMenuHandlers\Fb2kShellExtPlay in foobar2000PlayerMultiSelectModel" "%1"{0A35F9F4-F4BE-471A-890D-E09FFA6B38AD}Enqueue in foobar2000" /add "%1"AudioCD\shell\play\commandbckupAudioCDAudioCDbckupAudioCD(9D
              Source: SHROsQyiAd.exeString found in binary or memory: /install
              Source: SHROsQyiAd.exeString found in binary or memory: /stop
              Source: SHROsQyiAd.exeString found in binary or memory: /stop
              Source: SHROsQyiAd.exeString found in binary or memory: BThis playlist is already an autoplaylistThis playlist is not an autoplaylistPlaylist could not be lockedautoplaylist workerAutoplaylist provider missingCould not restore autoplaylist : Multiple wildcard levels not supported./immediate/add/playnow/help/?ErrorUnknown commandline parameter: /nogui/noresume/quiet/safe/install/hardreset/keepcomponents/nocrashinfo/playlist:/config/play/pause/playpause/prev/next/rand/stop/autoquit/exit/quit/show/hideCommand-line Help/command:/playlist_command:/playing_command:/context_command:
              Source: SHROsQyiAd.exeString found in binary or memory: BThis playlist is already an autoplaylistThis playlist is not an autoplaylistPlaylist could not be lockedautoplaylist workerAutoplaylist provider missingCould not restore autoplaylist : Multiple wildcard levels not supported./immediate/add/playnow/help/?ErrorUnknown commandline parameter: /nogui/noresume/quiet/safe/install/hardreset/keepcomponents/nocrashinfo/playlist:/config/play/pause/playpause/prev/next/rand/stop/autoquit/exit/quit/show/hideCommand-line Help/command:/playlist_command:/playing_command:/context_command:
              Source: SHROsQyiAd.exeString found in binary or memory: BThis playlist is already an autoplaylistThis playlist is not an autoplaylistPlaylist could not be lockedautoplaylist workerAutoplaylist provider missingCould not restore autoplaylist : Multiple wildcard levels not supported./immediate/add/playnow/help/?ErrorUnknown commandline parameter: /nogui/noresume/quiet/safe/install/hardreset/keepcomponents/nocrashinfo/playlist:/config/play/pause/playpause/prev/next/rand/stop/autoquit/exit/quit/show/hideCommand-line Help/command:/playlist_command:/playing_command:/context_command:
              Source: SHROsQyiAd.exeString found in binary or memory: BThis playlist is already an autoplaylistThis playlist is not an autoplaylistPlaylist could not be lockedautoplaylist workerAutoplaylist provider missingCould not restore autoplaylist : Multiple wildcard levels not supported./immediate/add/playnow/help/?ErrorUnknown commandline parameter: /nogui/noresume/quiet/safe/install/hardreset/keepcomponents/nocrashinfo/playlist:/config/play/pause/playpause/prev/next/rand/stop/autoquit/exit/quit/show/hideCommand-line Help/command:/playlist_command:/playing_command:/context_command:
              Source: SHROsQyiAd.exeString found in binary or memory: /addcomponent
              Source: SHROsQyiAd.exeString found in binary or memory: VersionChecking for Updates UTC)ModuleAbout Install ComponentComponent maintenance failureAnother instance of this component already exists in your foobar2000 application folder; you need to remove it manually before you can update this component automatically.foobar2000 components|foo_*.zip;*.fb2k-componentCould not load component "": Component removal failure(unknown - please apply changes to load)/addcomponentComponentsChecks for updated versions of installed components.Check for updated componentswww.foobar2000.orgInvalid responsechallengecomponent-updatesfingerprint5www.foobar2000.org/update-componentsmax_downloadSignature mismatchx-foobar2000-signature suppressed by user settingsComponent update: .zipComponent update of failed: Download corrupted (updated from Released on
              Source: C:\Users\user\Desktop\SHROsQyiAd.exeFile read: C:\Users\user\Desktop\SHROsQyiAd.exeJump to behavior
              Source: unknownProcess created: C:\Users\user\Desktop\SHROsQyiAd.exe "C:\Users\user\Desktop\SHROsQyiAd.exe"
              Source: C:\Users\user\Desktop\SHROsQyiAd.exeProcess created: C:\Users\user\Desktop\SHROsQyiAd.exe "C:\Users\user\Desktop\SHROsQyiAd.exe"
              Source: C:\Users\user\Desktop\SHROsQyiAd.exeProcess created: C:\Users\user\Desktop\SHROsQyiAd.exe "C:\Users\user\Desktop\SHROsQyiAd.exe"Jump to behavior
              Source: C:\Users\user\Desktop\SHROsQyiAd.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\Desktop\SHROsQyiAd.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Users\user\Desktop\SHROsQyiAd.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\Desktop\SHROsQyiAd.exeSection loaded: oleacc.dllJump to behavior
              Source: C:\Users\user\Desktop\SHROsQyiAd.exeSection loaded: crowdstrikeceoisextragay.dllJump to behavior
              Source: C:\Users\user\Desktop\SHROsQyiAd.exeSection loaded: sentinelisabadedrtrynexttimemaybe.dllJump to behavior
              Source: C:\Users\user\Desktop\SHROsQyiAd.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\SHROsQyiAd.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\SHROsQyiAd.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Users\user\Desktop\SHROsQyiAd.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Users\user\Desktop\SHROsQyiAd.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Users\user\Desktop\SHROsQyiAd.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Users\user\Desktop\SHROsQyiAd.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Users\user\Desktop\SHROsQyiAd.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Users\user\Desktop\SHROsQyiAd.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\SHROsQyiAd.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\SHROsQyiAd.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\Desktop\SHROsQyiAd.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Users\user\Desktop\SHROsQyiAd.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Users\user\Desktop\SHROsQyiAd.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Users\user\Desktop\SHROsQyiAd.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\SHROsQyiAd.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\SHROsQyiAd.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\Desktop\SHROsQyiAd.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\SHROsQyiAd.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\SHROsQyiAd.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Users\user\Desktop\SHROsQyiAd.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Users\user\Desktop\SHROsQyiAd.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
              Source: SHROsQyiAd.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
              Source: SHROsQyiAd.exeStatic file information: File size 8779776 > 1048576
              Source: SHROsQyiAd.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x273200
              Source: SHROsQyiAd.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x53d400
              Source: SHROsQyiAd.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
              Source: SHROsQyiAd.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
              Source: SHROsQyiAd.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
              Source: SHROsQyiAd.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: SHROsQyiAd.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
              Source: SHROsQyiAd.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
              Source: SHROsQyiAd.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Source: SHROsQyiAd.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: D:\Sources\foobar2000-2.24\foobar2000\Release\foobar2000.pdb source: SHROsQyiAd.exe, Code.exe.2.dr
              Source: C:\Users\user\Desktop\SHROsQyiAd.exeCode function: 6_2_00C8BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,6_2_00C8BCE3
              Source: SHROsQyiAd.exeStatic PE information: section name: _RDATA
              Source: Code.exe.2.drStatic PE information: section name: _RDATA
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: 6_2_00CC67E0 push eax; ret 6_2_00CC67FE
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: 6_2_00CCB9DD push esi; ret 6_2_00CCB9E6
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: 6_2_00CC5EAF push ecx; ret 6_2_00CC5EC2
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: 6_2_00CA3FF6 push ecx; ret 6_2_00CA4009
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: 6_2_00C76128 ShellExecuteW,URLDownloadToFileW,6_2_00C76128
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | File created: C:\Users\user\Favorites\VS Code\user-data\Code.exe
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: 6_2_00C89BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,6_2_00C89BC4
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run VSCode
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run VSCode
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: 6_2_00C8BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,6_2_00C8BCE3
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: 6_2_00C7E54F Sleep,ExitProcess,6_2_00C7E54F
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,6_2_00C898C2
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Window / User API: threadDelayed 925
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Window / User API: threadDelayed 8591
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Window / User API: foregroundWindowGot 1755
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Dropped PE file which has not been started: C:\Users\user\Favorites\VS Code\user-data\Code.exe
Source: C:\Users\user\Desktop\SHROsQyiAd.exe TID: 7104 | Thread sleep count: 230 > 30
Source: C:\Users\user\Desktop\SHROsQyiAd.exe TID: 7104 | Thread sleep time: -115000s >= -30000s
Source: C:\Users\user\Desktop\SHROsQyiAd.exe TID: 3620 | Thread sleep count: 925 > 30
Source: C:\Users\user\Desktop\SHROsQyiAd.exe TID: 3620 | Thread sleep time: -2775000s >= -30000s
Source: C:\Users\user\Desktop\SHROsQyiAd.exe TID: 3620 | Thread sleep count: 8591 > 30
Source: C:\Users\user\Desktop\SHROsQyiAd.exe TID: 3620 | Thread sleep time: -25773000s >= -30000s
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: 6_2_00C7B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,6_2_00C7B335
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: 6_2_00C8B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,6_2_00C8B42F
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: 6_2_00CBD5E9 FindFirstFileExA,6_2_00CBD5E9
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: 6_2_00C7B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,6_2_00C7B53A
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: 6_2_00C789A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,6_2_00C789A9
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: 6_2_00C76AC2 FindFirstFileW,FindNextFileW,6_2_00C76AC2
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: 6_2_00C77A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,6_2_00C77A8C
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: 6_2_00C88C69 FindFirstFileW,FindNextFileW,FindNextFileW,6_2_00C88C69
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: 6_2_00C78DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,6_2_00C78DA7
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: 6_2_00C76F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,6_2_00C76F06
Source: SHROsQyiAd.exe, 00000006.00000003.2425767584.0000000000F51000.00000004.00000800.00020000.00000000.sdmp, SHROsQyiAd.exe, 00000006.00000002.4642099333.0000000000F51000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWkm
Source: SHROsQyiAd.exe, 00000006.00000003.2425767584.0000000000F51000.00000004.00000800.00020000.00000000.sdmp, SHROsQyiAd.exe, 00000006.00000002.4642099333.0000000000F51000.00000004.00000020.00020000.00000000.sdmp, SHROsQyiAd.exe, 00000006.00000002.4642099333.0000000000ED8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | API call chain: ExitProcess graph end node graph_6-47610
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: 6_2_00CAA65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_00CAA65D
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: 6_2_00C8BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,6_2_00C8BCE3
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: 6_2_00CB2554 mov eax, dword ptr fs:[00000030h] 6_2_00CB2554
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: 6_2_00CBE92E GetProcessHeap,6_2_00CBE92E
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Process created: C:\Users\user\Desktop\SHROsQyiAd.exe "C:\Users\user\Desktop\SHROsQyiAd.exe"
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: 6_2_00CA4168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_00CA4168
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: 6_2_00CAA65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_00CAA65D
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: 6_2_00CA3B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_00CA3B44
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: 6_2_00CA3CD7 SetUnhandledExceptionFilter,6_2_00CA3CD7

              HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Memory written: C:\Users\user\Desktop\SHROsQyiAd.exe base: C70000 value starts with: 4D5A
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 6_2_00C80F36
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: 6_2_00C88754 mouse_event,6_2_00C88754
Source: SHROsQyiAd.exe, 00000006.00000002.4642099333.0000000000F31000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerG
Source: SHROsQyiAd.exe, 00000006.00000002.4642099333.0000000000F31000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: SHROsQyiAd.exe, 00000006.00000002.4642099333.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, SHROsQyiAd.exe, 00000006.00000002.4642099333.0000000000ED8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [2024/12/19 17:42:52 Program Manager]
Source: SHROsQyiAd.exe, 00000006.00000002.4642099333.0000000000F31000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerneer1
Source: SHROsQyiAd.exe, 00000006.00000002.4642099333.0000000000F31000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managera\data
Source: SHROsQyiAd.exe, 00000006.00000002.4642099333.0000000000F31000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerl
Source: SHROsQyiAd.exe, 00000006.00000002.4642099333.0000000000F31000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerr|
Source: SHROsQyiAd.exe, 00000006.00000002.4642099333.0000000000ED8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerc300cf
Source: SHROsQyiAd.exe, 00000006.00000002.4642099333.0000000000F31000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerU
Source: SHROsQyiAd.exe, 00000006.00000002.4642099333.0000000000F31000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managera\data8
Source: SHROsQyiAd.exe, 00000006.00000002.4642099333.0000000000F31000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [%04i/%02i/%02i %02i:%02i:%02i Program Manager]
Source: SHROsQyiAd.exe, 00000006.00000002.4642099333.0000000000F14000.00000004.00000020.00020000.00000000.sdmp, SHROsQyiAd.exe, 00000006.00000002.4642099333.0000000000ED8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
Source: SHROsQyiAd.exe, 00000006.00000002.4642099333.0000000000ED8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [2024/12/19 17:42:32 Program Manager]
Source: SHROsQyiAd.exe, 00000006.00000002.4642099333.0000000000F49000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [2024/12/19 17:42:45 Program Manager]
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: 6_2_00CA3E0A cpuid 6_2_00CA3E0A
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: GetLocaleInfoA,6_2_00C7E679
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: EnumSystemLocalesW,6_2_00CB70AE
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: GetLocaleInfoW,6_2_00CC10BA
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,6_2_00CC11E3
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: GetLocaleInfoW,6_2_00CC12EA
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,6_2_00CC13B7
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: GetLocaleInfoW,6_2_00CB7597
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,6_2_00CC0A7F
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: EnumSystemLocalesW,6_2_00CC0CF7
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: EnumSystemLocalesW,6_2_00CC0DDD
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: EnumSystemLocalesW,6_2_00CC0D42
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,6_2_00CC0E6A
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: 2_2_00644383 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,2_2_00644383
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: 6_2_00C8A7A2 GetUserNameW,6_2_00C8A7A2
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: 6_2_00CB800F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,6_2_00CB800F

              Stealing of Sensitive Information

Source: Yara match | File source: 2.2.SHROsQyiAd.exe.1130000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.SHROsQyiAd.exe.c70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SHROsQyiAd.exe.11c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SHROsQyiAd.exe.11c0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SHROsQyiAd.exe.1130000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.SHROsQyiAd.exe.c70000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2444408397.0000000001130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2444502567.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SHROsQyiAd.exe PID: 2308, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SHROsQyiAd.exe PID: 3472, type: MEMORYSTR
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 6_2_00C7B21B
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 6_2_00C7B335
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: \key3.db 6_2_00C7B335

              Remote Access Functionality

Source: Yara match | File source: 2.2.SHROsQyiAd.exe.1130000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.SHROsQyiAd.exe.c70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SHROsQyiAd.exe.11c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SHROsQyiAd.exe.11c0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SHROsQyiAd.exe.1130000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.SHROsQyiAd.exe.c70000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2444408397.0000000001130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2444502567.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SHROsQyiAd.exe PID: 2308, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SHROsQyiAd.exe PID: 3472, type: MEMORYSTR
Source: C:\Users\user\Desktop\SHROsQyiAd.exe | Code function: cmd.exe 6_2_00C75042
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 12 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 12 Command and Scripting Interpreter | 1 Windows Service | 1 Bypass User Account Control | 1 Deobfuscate/Decode Files or Information | 211 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 211 Input Capture | 2 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement
Email Addresses | DNS Server | Domain Accounts | 2 Service Execution | 1 Registry Run Keys / Startup Folder | 1 Access Token Manipulation | 2 Obfuscated Files or Information | 2 Credentials In Files | 1 System Service Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Windows Service | 1 DLL Side-Loading | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 112 Process Injection | 1 Bypass User Account Control | LSA Secrets | 22 System Information Discovery | SSH | Keylogging | 12 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 1 Registry Run Keys / Startup Folder | 1 Masquerading | Cached Domain Credentials | 21 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Virtualization/Sandbox Evasion | DCSync | 1 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Access Token Manipulation | Proc Filesystem | 2 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 112 Process Injection | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Numbers in front of a technique name are the signature hit counts shown in the source matrix.

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet

Source | Detection | Scanner | Label | Link
SHROsQyiAd.exe | 11% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches

Name | IP | Active | Malicious | Antivirus Detection | Reputation
geoplugin.net | 178.237.33.50 | true | false | | high
newstaticfreepoint24.ddns-ip.net | 181.131.217.244 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | false | | high
newstaticfreepoint24.ddns-ip.net | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gpH | SHROsQyiAd.exe, 00000006.00000003.2425767584.0000000000F14000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.foobar2000.org/http://forums.foobar2000.org/AboutOpens | SHROsQyiAd.exe, Code.exe.2.dr | false | | unknown
http://wiki.hydrogenaudio.org/index.php?title=Replaygain | SHROsQyiAd.exe, Code.exe.2.dr | false | | unknown
https://www.radio-browser.info/ | SHROsQyiAd.exe, Code.exe.2.dr | false | | unknown
http://geoplugin.net/json.gp/C | SHROsQyiAd.exe, 00000002.00000002.2444408397.0000000001130000.00000004.00001000.00020000.00000000.sdmp, SHROsQyiAd.exe, 00000002.00000002.2444502567.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, SHROsQyiAd.exe, 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gpl | SHROsQyiAd.exe, 00000006.00000002.4642099333.0000000000F14000.00000004.00000020.00020000.00000000.sdmp, SHROsQyiAd.exe, 00000006.00000003.2425767584.0000000000F14000.00000004.00000800.00020000.00000000.sdmp, SHROsQyiAd.exe, 00000006.00000003.2425767584.0000000000F31000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://forums.foobar2000.org/ | SHROsQyiAd.exe, Code.exe.2.dr | false | | unknown
https://www.foobar2000.org/license | Code.exe.2.dr | false | | unknown
https://help.foobar2000.org/~rbvrb | SHROsQyiAd.exe, Code.exe.2.dr | false | | unknown
http://geoplugin.net/8 | SHROsQyiAd.exe, 00000006.00000003.2425767584.0000000000F31000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://help.foobar2000.org/ | SHROsQyiAd.exe, Code.exe.2.dr | false | | unknown
https://www.foobar2000.org/download | SHROsQyiAd.exe, Code.exe.2.dr | false | | unknown
https://www.foobar2000.org/downloadcomponent_manager::on_app_initPre | SHROsQyiAd.exe, Code.exe.2.dr | false | | unknown
http://geoplugin.net/json.gpz | SHROsQyiAd.exe, 00000006.00000002.4642099333.0000000000F14000.00000004.00000020.00020000.00000000.sdmp, SHROsQyiAd.exe, 00000006.00000003.2425767584.0000000000F14000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.radio-browser.info/CountryLanguageTagNameLoading...No | SHROsQyiAd.exe, Code.exe.2.dr | false | | unknown
https://www.foobar2000.org/ | SHROsQyiAd.exe, Code.exe.2.dr | false | | unknown
http://geoplugin.net/json.gpSystem32 | SHROsQyiAd.exe, 00000006.00000002.4642099333.0000000000F14000.00000004.00000020.00020000.00000000.sdmp, SHROsQyiAd.exe, 00000006.00000003.2425767584.0000000000F14000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://wiki.hydrogenaudio.org/index.php?title=ReplaygainSet | SHROsQyiAd.exe, Code.exe.2.dr | false | | unknown
https://www.radio-browser.info/history/ | SHROsQyiAd.exe, Code.exe.2.dr | false | | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
181.131.217.244 | newstaticfreepoint24.ddns-ip.net | Colombia | | 13489 | EPMTelecomunicacionesSAESPCO | false
178.237.33.50 | geoplugin.net | Netherlands | | 8455 | ATOM86-ASATOM86NL | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1578616
Start date and time: 2024-12-19 23:41:14 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 1s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SHROsQyiAd.exe (renamed because the original name is a hash value)
Original Sample Name: 7119698425e2056d404e97b12ed5ca37.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winEXE@3/3@2/2
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 76%
• Number of executed functions: 37
• Number of non-executed functions: 180
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 40.126.53.21, 13.107.246.63, 20.223.36.55, 2.16.158.192, 4.175.87.197, 150.171.27.10, 92.122.16.236, 23.218.208.109
• Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, tse1.mm.bing.net, ctldl.windowsupdate.com, g.bing.com, arc.msn.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target SHROsQyiAd.exe, PID 2308 because there are no executed functions
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: SHROsQyiAd.exe
Time | Type | Description
17:43:04 | API Interceptor | 5990579x Sleep call for process: SHROsQyiAd.exe modified
23:42:40 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run VSCode C:\Users\user\Favorites\VS Code\user-data\Code.exe
23:42:48 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run VSCode C:\Users\user\Favorites\VS Code\user-data\Code.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
181.131.217.244 | nikDoCvpJa.exe | malicious | Remcos |
181.131.217.244 | 4JwhvqLe8n.exe | malicious | Remcos |
181.131.217.244 | fIPSLgT0lO.exe | malicious | Remcos |
181.131.217.244 | hoTwj68T1D.exe | malicious | Unknown |
181.131.217.244 | IXCbn4ZcdS.exe | malicious | Remcos |
181.131.217.244 | 4JwhvqLe8n.exe | malicious | Unknown |
181.131.217.244 | d7gXUPUl38.exe | malicious | Remcos |
181.131.217.244 | fIPSLgT0lO.exe | malicious | Unknown |
181.131.217.244 | 3XSXmrEOw7.exe | malicious | Remcos |
181.131.217.244 | ozfqy8Ms6t.exe | malicious | Remcos |
178.237.33.50 | nikDoCvpJa.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | LbtytfWpvx.vbs | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | SEPTobn3BR.exe | malicious | Remcos, DBatLoader | geoplugin.net/json.gp
178.237.33.50 | greatindiancompaniesgivenbestgiftforyourhealthgivengoodreturns.hta | malicious | Cobalt Strike, Remcos, DBatLoader | geoplugin.net/json.gp
178.237.33.50 | RFQ NO 65-58003.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | SwiftCopy_PaymtRecpt121228.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | BBVA S.A..vbs | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
Match | Associated Sample Name / URL | Detection | Threat Name | Context
newstaticfreepoint24.ddns-ip.net | 4JwhvqLe8n.exe | malicious | Remcos | 181.131.217.244
newstaticfreepoint24.ddns-ip.net | fIPSLgT0lO.exe | malicious | Remcos | 181.131.217.244
newstaticfreepoint24.ddns-ip.net | 3XSXmrEOw7.exe | malicious | Remcos | 181.131.217.244
newstaticfreepoint24.ddns-ip.net | ozfqy8Ms6t.exe | malicious | Remcos | 181.131.217.244
newstaticfreepoint24.ddns-ip.net | pPLwX9wSrD.exe | malicious | Remcos | 181.131.217.244
newstaticfreepoint24.ddns-ip.net | hCJ8gK9kNn.exe | malicious | Remcos | 181.131.217.244
geoplugin.net | nikDoCvpJa.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | LbtytfWpvx.vbs | malicious | Remcos | 178.237.33.50
geoplugin.net | SEPTobn3BR.exe | malicious | Remcos, DBatLoader | 178.237.33.50
geoplugin.net | greatindiancompaniesgivenbestgiftforyourhealthgivengoodreturns.hta | malicious | Cobalt Strike, Remcos, DBatLoader | 178.237.33.50
geoplugin.net | RFQ NO 65-58003.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | SwiftCopy_PaymtRecpt121228.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | BBVA S.A..vbs | malicious | Remcos | 178.237.33.50
geoplugin.net | Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe | malicious | Remcos, GuLoader | 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
EPMTelecomunicacionesSAESPCO | nikDoCvpJa.exe | malicious | Remcos | 181.131.217.244
EPMTelecomunicacionesSAESPCO | x86_64.nn.elf | malicious | Mirai, Okiru | 190.250.82.196
EPMTelecomunicacionesSAESPCO | mips.nn.elf | malicious | Mirai, Okiru | 201.233.155.11
EPMTelecomunicacionesSAESPCO | la.bot.sparc.elf | malicious | Mirai | 201.233.213.88
EPMTelecomunicacionesSAESPCO | arm5.nn-20241218-1651.elf | malicious | Mirai, Okiru | 201.232.1.208
EPMTelecomunicacionesSAESPCO | la.bot.m68k.elf | malicious | Mirai | 181.134.107.144
EPMTelecomunicacionesSAESPCO | loligang.x86.elf | malicious | Mirai | 181.130.255.187
EPMTelecomunicacionesSAESPCO | sh4.nn.elf | malicious | Mirai, Okiru | 181.140.1.158
EPMTelecomunicacionesSAESPCO | jew.mpsl.elf | malicious | Unknown | 181.135.96.108
EPMTelecomunicacionesSAESPCO | arm5.elf | malicious | Unknown | 191.94.11.254
ATOM86-ASATOM86NL | nikDoCvpJa.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | 17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | LbtytfWpvx.vbs | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | SEPTobn3BR.exe | malicious | Remcos, DBatLoader | 178.237.33.50
ATOM86-ASATOM86NL | greatindiancompaniesgivenbestgiftforyourhealthgivengoodreturns.hta | malicious | Cobalt Strike, Remcos, DBatLoader | 178.237.33.50
ATOM86-ASATOM86NL | RFQ NO 65-58003.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | SwiftCopy_PaymtRecpt121228.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | BBVA S.A..vbs | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe | malicious | Remcos, GuLoader | 178.237.33.50
                                                                                No context
                                                                                No context
Process: C:\Users\user\Desktop\SHROsQyiAd.exe
File Type: data
Category: dropped
Size (bytes): 488
Entropy (8bit): 3.3388163144619414
Encrypted: false
SSDEEP: 12:6lJGkKecmlJGlfIbWFe5UlJGGlJGSbWFe5UlJGelJGRqbW+:6jGkTcmjG+WqUjGGjG2WqUjGejG4W+
MD5: 87C1EF97411850B115A267CAB2B9E743
SHA1: 5923EB59F4A1A6719BCDD0DC5CD6D893DB8478A2
SHA-256: C59A93D2D4A70B209154C00EA59861702B6384320AF50B3940A76D3BB5FD389D
SHA-512: 3C0A7B88B0B653FB83BE94077DE9E4FC77734A79A978150D71E9A83BF17A874AF5F466D2058376211604FA49E98010D3F1F68F80BA38145DB0A51A56AF6FC1A0
Malicious: false
Reputation: low
                                                                                Preview:....[.2.0.2.4./.1.2./.1.9. .1.7.:.4.2.:.3.1. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.2.0.2.4./.1.2./.1.9. .1.7.:.4.2.:.3.2. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.2.0.2.4./.1.2./.1.9. .1.7.:.4.2.:.4.0. .R.u.n.].........[.2.0.2.4./.1.2./.1.9. .1.7.:.4.2.:.4.5. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.2.0.2.4./.1.2./.1.9. .1.7.:.4.2.:.4.8. .R.u.n.].........[.2.0.2.4./.1.2./.1.9. .1.7.:.4.2.:.5.2. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
Process: C:\Users\user\Desktop\SHROsQyiAd.exe
File Type: JSON data
Category: dropped
Size (bytes): 963
Entropy (8bit): 5.018384957371898
Encrypted: false
SSDEEP: 12:tkluWJmnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zz2:qlupdRNuKyGX85jvXhNlT3/7CcVKWro
MD5: C9BB4D5FD5C8A01D20EBF8334B62AE54
SHA1: D38895F4CBB44CB10B6512A19034F14A2FC40359
SHA-256: 767218EC255B7E851971A77B773C0ECC59DC0B179ECA46ABCC29047EEE6216AA
SHA-512: 2D412433053610C0229FB3B73A26C8FB684F0A4AB03A53D0533FDC52D4E9882C25037015ACE7D4A411214AA9FAA780A8D950A83B57B200A877E26D7890977157
Malicious: false
Reputation: moderate, very likely benign file
                                                                                Preview:{. "geoplugin_request":"8.46.123.189",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7503",. "geoplugin_longitude":"-74.0014",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
Process: C:\Users\user\Desktop\SHROsQyiAd.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 959567331
Entropy (8bit): 0.11874123808649341
Encrypted: false
SSDEEP:
MD5: D66446D0DCEFEB7DE2A8C3FE7B6C5201
SHA1: 474DF7663BDB1A203A387F9F23F079B0C1641DD6
SHA-256: 540663033BFCEAA7D93AE6D93A4BC58ABFFF2349D1DC0170B391241119048887
SHA-512: E01C5CA852D8D7365AE00E98EF476C00C4DF2B8EF364029A3F406EE6C5F1DECE08A188F503E255EA161DABF6FB864D605F9B4638191A1864D8417F8B3BF031DE
Malicious: false
Reputation: low
                                                                                Preview:MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$.........,...........h........~.............~......~.......~..........'..~...d..~......~......~......~......~......~..........'..~^...'.......l....'..~...Rich...................PE..L.....`g.........."......2'...^......>$......P'...@.......................................@.................................l.........2...S...................5.@...<.*.p.....................*.....0m'.@............P'.....(...@....................text....@'......2'................. ..`.rdata.......P'..v...6'.............@..@.data............L..................@..._RDATA...0....0..,..../.............@..@.rsrc.....S...2...S..$2.............@..@........................................................................................................................................................................................................................................
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.38784602956759
TrID:
• Win32 Executable (generic) a (10002005/4) 98.19%
• foobar 2000 generic component (102126/2) 1.00%
• foobar 2000 Diskwriter output component (78126/2) 0.77%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
File name: SHROsQyiAd.exe
File size: 8'779'776 bytes
MD5: 7119698425e2056d404e97b12ed5ca37
SHA1: 47ebc0744e88fbe12876471b49f4df80195f428a
SHA256: f3646ac33546540137231400c43e90525e2bc6fad1ba2c27cb56466c65bd58b3
SHA512: 817eb34af541cd6b7b0a67e8d09668014c3fe9e43cb4df355840a2f7529853a8e34ca6d9af3e9b35137c7e13a6de98874dff50b962dc1d10b4e2a3041a9efede
SSDEEP: 98304:Gnbgpe4NdaEMybVR/XfJca1tzZdBTXuOMehkf9O:WUpe4qiJdxcg/
TLSH: BB966A72E102C846D92501BFE829EAFC42196F38CB3795CB56C8FE1E3173AE20575A57
                                                                                File Content Preview:MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$..........,..............h........~...............~.......~.......~............'..~....d..~.......~.......~.......~.......~.......~...
Icon Hash: 334de0b2926d330e
Entrypoint: 0x643e93
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x67600E9F [Mon Dec 16 11:27:27 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: d0efa8288bc8fcf1ae384debe93de6ac
Instruction (disassembly at entrypoint)
call 00007FF34487C18Dh
jmp 00007FF34487BACFh
push 00000010h
push 006E65C0h
call 00007FF34487C0DCh
xor ebx, ebx
mov dword ptr [ebp-20h], ebx
mov byte ptr [ebp-19h], bl
mov dword ptr [ebp-04h], ebx
cmp ebx, dword ptr [ebp+14h]
je 00007FF34487BC73h
push dword ptr [ebp+0Ch]
mov ecx, dword ptr [ebp+18h]
call dword ptr [00675B18h]
mov ecx, dword ptr [ebp+08h]
call dword ptr [ebp+18h]
mov eax, dword ptr [ebp+10h]
add dword ptr [ebp+08h], eax
add dword ptr [ebp+0Ch], eax
inc ebx
mov dword ptr [ebp-20h], ebx
jmp 00007FF34487BC2Ch
mov al, 01h
mov byte ptr [ebp-19h], al
mov dword ptr [ebp-04h], FFFFFFFEh
call 00007FF34487BC6Dh
mov ecx, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop esi
pop ebx
leave
retn 0018h
mov ebx, dword ptr [ebp-20h]
mov al, byte ptr [ebp-19h]
test al, al
jne 00007FF34487BC61h
push dword ptr [ebp+1Ch]
push ebx
push dword ptr [ebp+10h]
push dword ptr [ebp+08h]
call 00007FF34487B6C4h
ret
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FF344644410h
push 006E66B4h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FF34487C35Bh
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FF344643863h
push 006E6608h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FF34487C33Eh
int3
push ebp
mov ebp, esp
and dword ptr [00701C04h], 00000000h
Programming Language:
• [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e826c | 0x294 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x32e000 | 0x53d400 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x350000 | 0x2c140 | .rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2a823c | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x2a82c0 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x276d30 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x275000 | 0xb18 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x2e8128 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x274000 | 0x273200 | 4bedbb2e9551e79fae7694bacea5282c | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x275000 | 0x78000 | 0x77600 | 2a4704a587240261914c1de80110ddb1 | False | 0.3565792702879581 | data | 5.125253402867627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x2ed000 | 0x1e000 | 0x14c00 | 0b15f16cdaeb2ade44ddb62497a9e5fb | False | 0.22939806099397592 | DOS executable (block device driver @\273\) | 5.393205596281875 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA | 0x30b000 | 0x23000 | 0x22c00 | 241f50e9d164772437fd3eebd88a3edb | False | 0.16984459307553956 | data | 5.38723924085817 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x32e000 | 0x53d400 | 0x53d400 | 61b74e85afa3a3cabfd1c9e29fae61de | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
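Added example, not part of the Joe Sandbox report: the Python below takes the section and data-directory values from the two tables above, recomputes the "Is in Section" column, and runs a few layout checks over the result. The section and directory numbers are copied from the report; the check logic and the wording of the findings are mine. One thing the mapping makes explicit is that the BASERELOC directory at 0x350000 falls inside .rsrc, since this image has no dedicated .reloc section.

```python
"""Recompute the 'Is in Section' column and run PE layout checks.

Added example, not Joe Sandbox code.  SECTIONS and DATA_DIRECTORIES are
copied from the report's section and data-directory tables; the checks in
layout_findings() and their messages are my own.
"""

# (name, VirtualAddress, VirtualSize, RawSize, characteristics) from the section table
SECTIONS = [
    (".text",  0x1000,   0x274000, 0x273200, {"CODE", "EXECUTE", "READ"}),
    (".rdata", 0x275000, 0x78000,  0x77600,  {"INITIALIZED_DATA", "READ"}),
    (".data",  0x2ed000, 0x1e000,  0x14c00,  {"INITIALIZED_DATA", "READ", "WRITE"}),
    ("_RDATA", 0x30b000, 0x23000,  0x22c00,  {"INITIALIZED_DATA", "READ"}),
    (".rsrc",  0x32e000, 0x53d400, 0x53d400, {"INITIALIZED_DATA", "READ"}),
]

# name -> (VirtualAddress, VirtualSize) from the data-directory table; 0/0 means absent
DATA_DIRECTORIES = {
    "EXPORT":       (0x0,      0x0),
    "IMPORT":       (0x2e826c, 0x294),
    "RESOURCE":     (0x32e000, 0x53d400),
    "EXCEPTION":    (0x0,      0x0),
    "SECURITY":     (0x0,      0x0),
    "BASERELOC":    (0x350000, 0x2c140),
    "DEBUG":        (0x2a823c, 0x70),
    "TLS":          (0x2a82c0, 0x18),
    "LOAD_CONFIG":  (0x276d30, 0x40),
    "IAT":          (0x275000, 0xb18),
    "DELAY_IMPORT": (0x2e8128, 0x40),
}


def section_for_rva(rva, sections=SECTIONS):
    """Name of the section whose mapped range covers `rva`, or None.

    A section occupies [VirtualAddress, VirtualAddress + max(VirtualSize, RawSize));
    taking the larger of the two mirrors what the loader maps, so an RVA that lands
    in a section's padding is still attributed to that section.
    """
    for name, va, vsize, rsize, _chars in sections:
        if va <= rva < va + max(vsize, rsize):
            return name
    return None


def directory_sections(dirs=DATA_DIRECTORIES, sections=SECTIONS):
    """Map every data directory to its containing section (None when empty or unmapped)."""
    return {name: (section_for_rva(rva, sections) if size else None)
            for name, (rva, size) in dirs.items()}


def layout_findings(dirs=DATA_DIRECTORIES, sections=SECTIONS):
    """Layout oddities worth a second look, one human-readable line each."""
    findings = []
    for name, _va, vsize, rsize, chars in sections:
        if {"EXECUTE", "WRITE"} <= chars:
            findings.append(f"{name}: writable and executable")
        if rsize == 0 and vsize:
            findings.append(f"{name}: no raw data but 0x{vsize:x} bytes mapped (unpacking stub?)")
    for dname, (rva, size) in dirs.items():
        if not size:
            continue
        first = section_for_rva(rva, sections)
        last = section_for_rva(rva + size - 1, sections)   # last byte of the directory
        if first is None or last is None:
            findings.append(f"{dname}: directory not covered by any section")
        elif first != last:
            findings.append(f"{dname}: directory straddles {first} and {last}")
    reloc = directory_sections(dirs, sections).get("BASERELOC")
    if reloc and reloc != ".reloc":
        findings.append(f"BASERELOC: relocations stored in {reloc} instead of a dedicated .reloc section")
    return findings


if __name__ == "__main__":
    for dname, sec in directory_sections().items():
        print(f"{dname:<13} {sec or '-'}")
    print(*layout_findings(), sep="\n")
```

The straddle check is the one a parser most often gets wrong: a directory whose first byte and last byte resolve to different sections (or to none) is either corrupt or deliberately crafted, and should stop further parsing rather than be silently truncated.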
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
AFX_DIALOG_LAYOUT | 0x32faf8 | 0x2 | data | English | United States | 5.0
AFX_DIALOG_LAYOUT | 0x32fafc | 0x2 | data | English | United States | 5.0
AFX_DIALOG_LAYOUT | 0x32fb00 | 0x2 | data | English | United States | 5.0
AFX_DIALOG_LAYOUT | 0x32fb04 | 0x2 | data | English | United States | 5.0
AFX_DIALOG_LAYOUT | 0x32fb08 | 0x2 | data | English | United States | 5.0
AFX_DIALOG_LAYOUT | 0x32fb0c | 0x2 | data | English | United States | 5.0
AFX_DIALOG_LAYOUT | 0x32fb10 | 0x2 | data | English | United States | 5.0
AFX_DIALOG_LAYOUT | 0x32fb14 | 0x2 | data | English | United States | 5.0
AFX_DIALOG_LAYOUT | 0x32fb18 | 0x2 | data | English | United States | 5.0
AFX_DIALOG_LAYOUT | 0x32fb1c | 0x2 | data | English | United States | 5.0
AFX_DIALOG_LAYOUT | 0x32fb20 | 0x2 | data | English | United States | 5.0
AFX_DIALOG_LAYOUT | 0x32fb24 | 0x2 | data | English | United States | 5.0
AFX_DIALOG_LAYOUT | 0x32fb28 | 0x2 | data | English | United States | 5.0
AFX_DIALOG_LAYOUT | 0x32fb2c | 0x2 | data | English | United States | 5.0
AFX_DIALOG_LAYOUT | 0x32fb30 | 0x2 | data | English | United States | 5.0
AFX_DIALOG_LAYOUT | 0x32fb34 | 0x2 | data | English | United States | 5.0
AFX_DIALOG_LAYOUT | 0x32fb38 | 0x2 | data | English | United States | 5.0
AFX_DIALOG_LAYOUT | 0x32fb3c | 0x2 | data | English | United States | 5.0
AFX_DIALOG_LAYOUT | 0x32fb40 | 0x2 | data | English | United States | 5.0
AFX_DIALOG_LAYOUT | 0x32fb44 | 0x2 | data | English | United States | 5.0
AFX_DIALOG_LAYOUT | 0x32fb48 | 0x2 | data | English | United States | 5.0
AFX_DIALOG_LAYOUT | 0x32fb4c | 0x2 | data | English | United States | 5.0
AFX_DIALOG_LAYOUT | 0x32fb50 | 0x2 | data | English | United States | 5.0
PNG | 0x32fb54 | 0x5366 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 1.0004215456674472
RT_BITMAP | 0x334ebc | 0x72a24 | Device independent bitmap graphic, 500 x 313 x 24, image size 469500, resolution 3780 x 3780 px/m | | | 0.5298930868509605
RT_BITMAP | 0x3a78e0 | 0x72a24 | Device independent bitmap graphic, 500 x 313 x 24, image size 469500, resolution 3780 x 3780 px/m | | | 0.6542041146654172
RT_BITMAP | 0x41a304 | 0x1d4e8 | Device independent bitmap graphic, 200 x 200 x 24, image size 120000, resolution 3780 x 3780 px/m | | | 0.651882705764745
RT_BITMAP | 0x4377ec | 0x1d4e8 | Device independent bitmap graphic, 200 x 200 x 24, image size 120000, resolution 3780 x 3780 px/m | | | 0.5804481839386871
RT_BITMAP | 0x454cd4 | 0x27a18 | Device independent bitmap graphic, 966 x 42 x 32, image size 162288, resolution 3582 x 3582 px/m | | | 0.20433936227884283
RT_BITMAP | 0x47c6ec | 0x242a | Device independent bitmap graphic, 48 x 48 x 32, image size 9218, resolution 2834 x 2834 px/m | | | 0.3424065672931519
RT_BITMAP | 0x47eb18 | 0x242a | Device independent bitmap graphic, 48 x 48 x 32, image size 9218, resolution 2834 x 2834 px/m | | | 0.3844242817023115
RT_ICON | 0x480f44 | 0xc5c0 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.8094974715549936
RT_ICON | 0x48d504 | 0x145a0 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.8880158349328215
RT_ICON | 0x4a1aa4 | 0xcce6 | PC bitmap, Windows 3.x format, 6861 x 2 x 35, image size 53283, cbSize 52454, bits offset 54 | | | 0.5655812712090593
RT_ICON | 0x4ae78c | 0x44028 | Device independent bitmap graphic, 256 x 512 x 32, image size 262144 | | | 0.18652178283219897
RT_ICON | 0x4f27b4 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | | | 0.2241696447340761
RT_ICON | 0x4fbc5c | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | | | 0.0825742339997634
RT_ICON | 0x50c484 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.33630393996247654
RT_ICON | 0x50d52c | 0x1a68 | Device independent bitmap graphic, 40 x 80 x 32, image size 6720 | English | United States | 0.29319526627218934
RT_ICON | 0x50ef94 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.258298755186722
RT_ICON | 0x51153c | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.20896315540859708
RT_ICON | 0x515764 | 0x5cd2 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9988216480094269
RT_ICON | 0x51b438 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.5301418439716312
RT_ICON | 0x51b8a0 | 0x6b8 | Device independent bitmap graphic, 20 x 40 x 32, image size 1680 | English | United States | 0.4511627906976744
RT_ICON | 0x51bf58 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.41270491803278686
RT_MENU | 0x51c8e0 | 0x31a | data | | | 0.7506297229219143
RT_DIALOG | 0x51cbfc | 0x35c | data | English | United States | 0.436046511627907
RT_DIALOG | 0x51cf58 | 0x502 | data | English | United States | 0.3962558502340094
RT_DIALOG | 0x51d45c | 0x248 | data | English | United States | 0.4828767123287671
RT_DIALOG | 0x51d6a4 | 0x2c2 | data | English | United States | 0.4730878186968839
RT_DIALOG | 0x51d968 | 0x630 | data | English | United States | 0.4116161616161616
RT_DIALOG | 0x51df98 | 0x1e8 | data | English | United States | 0.5368852459016393
RT_DIALOG | 0x51e180 | 0x828 | data | English | United States | 0.4051724137931034
RT_DIALOG | 0x51e9a8 | 0x36c | data | English | United States | 0.45662100456621
RT_DIALOG | 0x51ed14 | 0x188 | data | English | United States | 0.5586734693877551
RT_DIALOG | 0x51ee9c | 0x1e8 | data | English | United States | 0.5430327868852459
RT_DIALOG | 0x51f084 | 0x4a8 | data | English | United States | 0.42533557046979864
RT_DIALOG | 0x51f52c | 0x278 | data | English | United States | 0.44936708860759494
RT_DIALOG | 0x51f7a4 | 0xc8 | data | English | United States | 0.675
RT_DIALOG | 0x51f86c | 0x634 | data | English | United States | 0.4275818639798489
RT_DIALOG | 0x51fea0 | 0x4d2 | data | English | United States | 0.3987034035656402
RT_DIALOG | 0x520374 | 0x2b0 | data | English | United States | 0.4738372093023256
RT_DIALOG | 0x520624 | 0xd0 | data | English | United States | 0.6586538461538461
RT_DIALOG | 0x5206f4 | 0x124 | data | English | United States | 0.589041095890411
RT_DIALOG | 0x520818 | 0x30e | data | English | United States | 0.4322250639386189
RT_DIALOG | 0x520b28 | 0x174 | data | English | United States | 0.5698924731182796
RT_DIALOG | 0x520c9c | 0x220 | data | English | United States | 0.48713235294117646
RT_DIALOG | 0x520ebc | 0x2d2 | data | English | United States | 0.4695290858725762
RT_DIALOG | 0x521190 | 0xec | data | English | United States | 0.673728813559322
RT_DIALOG | 0x52127c | 0x1e0 | data | English | United States | 0.5229166666666667
RT_DIALOG | 0x52145c | 0x1b0 | data | English | United States | 0.5532407407407407
RT_DIALOG | 0x52160c | 0x1a4 | data | English | United States | 0.5333333333333333
RT_DIALOG | 0x5217b0 | 0x100 | data | English | United States | 0.62890625
RT_DIALOG | 0x5218b0 | 0x60 | data | English | United States | 0.7291666666666666
RT_DIALOG | 0x521910 | 0x4ac | data | English | United States | 0.3804347826086957
RT_DIALOG | 0x521dbc | 0x326 | data | English | United States | 0.4640198511166253
RT_DIALOG | 0x5220e4 | 0x1f8 | data | English | United States | 0.5515873015873016
RT_DIALOG | 0x5222dc | 0xe0 | data | English | United States | 0.6607142857142857
RT_DIALOG | 0x5223bc | 0xe4 | data | English | United States | 0.6798245614035088
RT_DIALOG | 0x5224a0 | 0x1c4 | data | English | United States | 0.5575221238938053
RT_DIALOG | 0x522664 | 0x104 | data | English | United States | 0.573076923076923
RT_DIALOG | 0x522768 | 0xaa | data | English | United States | 0.7411764705882353
RT_DIALOG | 0x522814 | 0x1f4 | data | English | United States | 0.492
RT_DIALOG | 0x522a08 | 0x12c | data | English | United States | 0.5966666666666667
RT_DIALOG | 0x522b34 | 0x7c | data | English | United States | 0.7903225806451613
RT_DIALOG | 0x522bb0 | 0x40 | data | English | United States | 0.765625
RT_DIALOG | 0x522bf0 | 0x228 | data | English | United States | 0.519927536231884
RT_DIALOG | 0x522e18 | 0xa4 | data | English | United States | 0.6829268292682927
RT_DIALOG | 0x522ebc | 0xb8 | data | English | United States | 0.6739130434782609
RT_DIALOG | 0x522f74 | 0x228 | data | English | United States | 0.5018115942028986
RT_DIALOG | 0x52319c | 0xa8 | data | English | United States | 0.6607142857142857
RT_DIALOG | 0x523244 | 0x11c | data | English | United States | 0.5845070422535211
RT_DIALOG | 0x523360 | 0x1c8 | data | English | United States | 0.4868421052631579
RT_DIALOG | 0x523528 | 0x32c | data | English | United States | 0.45689655172413796
RT_DIALOG | 0x523854 | 0x90 | data | English | United States | 0.6944444444444444
RT_DIALOG | 0x5238e4 | 0xc6 | data | English | United States | 0.6919191919191919
RT_DIALOG | 0x5239ac | 0x224 | data | English | United States | 0.5547445255474452
RT_DIALOG | 0x523bd0 | 0x224 | data | English | United States | 0.5602189781021898
RT_DIALOG | 0x523df4 | 0x120 | data | English | United States | 0.5972222222222222
RT_DIALOG | 0x523f14 | 0x5d4 | data | English | United States | 0.4175603217158177
RT_DIALOG | 0x5244e8 | 0x17e | data | English | United States | 0.5837696335078534
RT_DIALOG | 0x524668 | 0x19e | data | English | United States | 0.5217391304347826
RT_DIALOG | 0x524808 | 0x1e0 | data | English | United States | 0.51875
RT_DIALOG | 0x5249e8 | 0x3f8 | data | English | United States | 0.43799212598425197
RT_DIALOG | 0x524de0 | 0x6e | data | English | United States | 0.7181818181818181
RT_DIALOG | 0x524e50 | 0x7c | data | English | United States | 0.7338709677419355
RT_DIALOG | 0x524ecc | 0x3e0 | data | English | United States | 0.4254032258064516
RT_DIALOG | 0x5252ac | 0x94 | data | English | United States | 0.7905405405405406
RT_DIALOG | 0x525340 | 0x246 | data | English | United States | 0.49140893470790376
RT_DIALOG | 0x525588 | 0x1e8 | data | English | United States | 0.4959016393442623
RT_DIALOG | 0x525770 | 0xfc | data | English | United States | 0.6626984126984127
RT_DIALOG | 0x52586c | 0x160 | data | English | United States | 0.6051136363636364
RT_DIALOG | 0x5259cc | 0x4ec | data | English | United States | 0.44047619047619047
RT_DIALOG | 0x525eb8 | 0x2f0 | data | English | United States | 0.4654255319148936
RT_DIALOG | 0x5261a8 | 0x1ac | data | English | United States | 0.5677570093457944
RT_DIALOG | 0x526354 | 0x142 | data | English | United States | 0.5869565217391305
RT_DIALOG | 0x526498 | 0x1ae | data | English | United States | 0.5511627906976744
RT_ACCELERATOR | 0x526648 | 0x20 | data | English | United States | 0.96875
RT_ACCELERATOR | 0x526668 | 0x28 | data | English | United States | 0.95
RT_RCDATA | 0x526690 | 0x4e550 | Delphi compiled form 'TBaseFrame' | | | 0.3885578217723034
RT_RCDATA | 0x574be0 | 0x7cf06 | Delphi compiled form 'TFilePropertiesForm2' | | | 0.299847581827064
RT_RCDATA | 0x5f1ae8 | 0xf7ece | Delphi compiled form 'TfPNGMessage' | | | 0.09640946054266757
RT_RCDATA | 0x6e99b8 | 0xf7ece | Delphi compiled form 'TfPNGMessage' | | | 0.16799277598665488
RT_RCDATA | 0x7e1888 | 0x1b681 | Delphi compiled form 'TMsgBoxForm' | | | 0.6012988054197066
RT_MESSAGETABLE | 0x7fcf0c | 0x2840 | data | | | 0.3316187888198758
RT_GROUP_ICON | 0x7ff74c | 0x76 | data | English | United States | 0.7457627118644068
RT_VERSION | 0x7ff7c4 | 0x30c | data | English | United States | 0.44358974358974357
RT_ANIICON | 0x7ffad0 | 0x6b92e | PC bitmap, Windows 3.x format, 55213 x 2 x 37, image size 441441, cbSize 440622, bits offset 54 | | | 0.7761573412131033
DLL | Imports
COMCTL32.dll | ImageList_Destroy, ImageList_Create, ImageList_Add
WINMM.dll | timeGetTime, timeBeginPeriod, timeEndPeriod
SHLWAPI.dll | SHAutoComplete, StrCmpLogicalW, SHDeleteKeyW
UxTheme.dll | IsThemePartDefined, OpenThemeData, GetThemePartSize, SetWindowTheme, DrawThemeBackground, EnableThemeDialogTexture, CloseThemeData
KERNEL32.dll | GetSystemPowerStatus, VerifyVersionInfoW, VerSetConditionMask, GlobalFree, SystemTimeToFileTime, LocalFileTimeToFileTime, ResumeThread, GetLocaleInfoW, GetNumberFormatW, GlobalSize, DecodePointer, Sleep, SetErrorMode, LoadLibraryW, CreateEventW, FindResourceW, FindResourceExW, LoadResource, LockResource, SizeofResource, SetEndOfFile, GetFileTime, FlushFileBuffers, CreateFileW, GetDiskFreeSpaceExW, FindFirstFileW, DeleteFileW, RemoveDirectoryW, GetFileAttributesW, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, WaitForSingleObjectEx, InitializeCriticalSectionAndSpinCount, LoadLibraryExA, GetCurrentThreadId, VirtualAlloc, IsProcessorFeaturePresent, FlushInstructionCache, InterlockedPushEntrySList, InterlockedPopEntrySList, InitializeSListHead, EncodePointer, InitOnceComplete, InitOnceBeginInitialize, SystemTimeToTzSpecificLocalTime, MoveFileExW, NormalizeString, TryEnterCriticalSection, GetVolumeNameForVolumeMountPointW, GetVolumePathNameW, DeviceIoControl, SetFileTime, SetFilePointer, DosDateTimeToFileTime, GetFileSizeEx, FileTimeToSystemTime, GetSystemTimeAsFileTime, ReadDirectoryChangesW, GetThreadPriority, GetThreadId, GetFileInformationByHandle, TerminateProcess, GetCurrentProcess, DuplicateHandle, WriteFile, CancelIo, GetOverlappedResult, ReadFile, WideCharToMultiByte, MultiByteToWideChar, WaitForMultipleObjects, FormatMessageW, GlobalUnlock, GlobalLock, GlobalAlloc, GetCommandLineW, LoadLibraryExW, lstrlenW, GetNativeSystemInfo, GetVersionExW, PowerCreateRequest, PowerClearRequest, PowerSetRequest, SetLastError, EnterCriticalSection, SetThreadPriority, OutputDebugStringW, LeaveCriticalSection, GetTickCount64, DeleteCriticalSection, GetFileAttributesExW, FindNextFileW, FindClose, GetCurrentThread, SetEvent, ResetEvent, GetExitCodeThread, GetCurrentProcessId, VirtualQuery, VirtualProtect, GetSystemInfo, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, ReleaseSRWLockShared, AcquireSRWLockShared, CopyFileW, IsDebuggerPresent, FreeLibrary, SetDllDirectoryW, CloseHandle, WaitForSingleObject, GetModuleHandleW, GetProcAddress, GetTickCount, GetProcessHeap, HeapAlloc, CreateMutexW, InitializeCriticalSection, QueryPerformanceCounter, QueryPerformanceFrequency, HeapFree, HeapReAlloc, HeapSize, HeapDestroy, MulDiv, InitializeCriticalSectionEx, GetLastError, RaiseException, VirtualFree
USER32.dll | SetDlgItemTextW, MapVirtualKeyW, GetDlgItem, SendMessageW, ShowWindow, EnableWindow, SetWindowTextW, DestroyWindow, UnregisterClassW, CreateDialogParamW, SetWindowLongW, SendDlgItemMessageW, GetActiveWindow, GetWindowLongW, GetClientRect, ClientToScreen, GetWindowRect, SetWindowPos, SetLayeredWindowAttributes, CharUpperW, GetComboBoxInfo, GetSystemMetrics, EnumThreadWindows, GetWindowPlacement, IsIconic, AdjustWindowRect, DrawEdge, SetClipboardData, CloseClipboard, OpenClipboard, FillRect, AdjustWindowRectEx, GetWindowTextLengthW, GetWindowTextW, NotifyWinEvent, RedrawWindow, IsRectEmpty, DrawTextW, TrackMouseEvent, InflateRect, FrameRect, UnhookWindowsHookEx, SetWindowsHookExW, CallNextHookEx, GetNextDlgTabItem, InvalidateRgn, SystemParametersInfoW, ScrollWindowEx, SetScrollPos, UpdateWindow, SetScrollInfo, SetRectEmpty, SetGestureConfig, CloseGestureInfoHandle, GetGestureInfo, GetScrollInfo, MapDialogRect, IsZoomed, SetMenuItemInfoW, GetMenuItemInfoW, GetMenu, GetWindow, GetDC, BeginPaint, EndPaint, InvalidateRect, IsWindowEnabled, PostMessageW, CreateWindowExW, ScreenToClient, IntersectRect, MonitorFromWindow, LoadIconW, RegisterClipboardFormatW, wsprintfW, AllowSetForegroundWindow, EnumWindows, GetClassNameW, GetWindowThreadProcessId, WindowFromPoint, CheckMenuRadioItem, RegisterShellHookWindow, DeregisterShellHookWindow, RegisterWindowMessageW, RegisterClassW, GetClipboardData, IsCharAlphaW, IsClipboardFormatAvailable, DispatchMessageW, TranslateMessage, LoadImageW, GetDesktopWindow, PostQuitMessage, GetMessageW, MsgWaitForMultipleObjects, OffsetRect, CopyRect, MonitorFromRect, CharLowerW, EndDeferWindowPos, BeginDeferWindowPos, DeferWindowPos, EmptyClipboard, IsWindowVisible, MoveWindow, IsChild, PeekMessageW, SetTimer, DrawTextExW, SetForegroundWindow, PtInRect, DefWindowProcW, GetCursorPos, SetFocus, KillTimer, SetCapture, SetCursor, LoadCursorW, IsDialogMessageW, RegisterClassExW, GetClassInfoExW, CallWindowProcW, GetWindowDC, ReleaseDC, DrawFrameControl, GetParent, GetKeyState, GetMessagePos, AppendMenuW, TrackPopupMenu, CreatePopupMenu, MonitorFromPoint, GetMonitorInfoW, DestroyMenu, MessageBoxW, EndDialog, DialogBoxParamW, MessageBeep, SetActiveWindow, EnumChildWindows, MapWindowPoints, SetMenuDefaultItem, TrackPopupMenuEx, GetDlgCtrlID, GetSysColor, GetFocus, TranslateAcceleratorW, LoadAcceleratorsW, DestroyAcceleratorTable, RegisterHotKey, UnregisterHotKey
GDI32.dll | GetStockObject, SelectObject, CreateCompatibleDC, CreateCompatibleBitmap, ExtTextOutW, SetBkColor, SetTextColor, DeleteDC, DeleteObject, GetObjectW, CreateFontIndirectW, SetBkMode, CreateRectRgnIndirect, CreateRectRgn, GetTextExtentPoint32W, GetTextColor, GetBkColor, GetCurrentObject, SetDCBrushColor, CreatePen, GetDeviceCaps, GetTextMetricsW, LPtoDP, SaveDC, RestoreDC, OffsetWindowOrgEx, SetWindowOrgEx, IntersectClipRect, CreatePolygonRgn, FrameRgn, FillRgn, SetViewportOrgEx, BitBlt, CombineRgn, SetDCPenColor, LineTo, MoveToEx, OffsetRgn
ADVAPI32.dll | CryptImportKey, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegOpenKeyW, RegCreateKeyW, RegDeleteValueW, CryptGetHashParam, CryptVerifySignatureW, CryptHashData, CryptCreateHash, RegGetValueW, CryptDestroyKey, CryptDestroyHash, CryptReleaseContext, RegEnumValueW, CryptAcquireContextW, RegOpenKeyExW, RegEnumKeyExW, RegQueryInfoKeyW
SHELL32.dll | SHOpenFolderAndSelectItems, SHGetFolderPathW, SHCreateItemFromIDList, DragAcceptFiles, ShellExecuteExW, SHGetDesktopFolder, DragFinish
ole32.dll | CoCreateInstance, OleSetClipboard, OleGetClipboard, CoTaskMemFree, PropVariantClear, CLSIDFromString, CoTaskMemAlloc, ReleaseStgMedium, CoCreateGuid, DoDragDrop, CoUninitialize, RegisterDragDrop, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, RevokeDragDrop
OLEAUT32.dll | VariantClear, VariantInit, SysAllocString
OLEACC.dll | AccessibleObjectFromWindow, LresultFromObject
CRYPT32.dll | CertVerifyRevocation, CertVerifyCertificateChainPolicy, CertGetCertificateChain, CertVerifyTimeValidity, CertCloseStore, CertFreeCertificateChain, CertFreeCertificateContext
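Added example, not part of the Joe Sandbox report: a small capability triage over the import table above, in the style of capa-like rules (all-of / any-of sets of API names). The ADVAPI32, SHELL32 and CRYPT32 rows are reproduced in full; from the long KERNEL32 and USER32 rows only the names the rules consult are copied, so the result for those rules is the same as it would be on the complete table. The rules and their labels are mine and are hints for an analyst, not statements about what the sample does. Note which rule does not fire: no WriteProcessMemory, VirtualAllocEx, OpenProcess or CreateRemoteThread appears anywhere in the report's import table, while GetProcAddress and LoadLibraryW do; a static import check can only see what the binary names directly, and anything resolved at runtime is invisible to it.

```python
"""Capability hints from a PE's static import table.

Added example, not Joe Sandbox code.  IMPORTS is copied from the report's
import table (ADVAPI32, SHELL32, CRYPT32 complete; KERNEL32/USER32 reduced to
the names the rules consult).  RULES and their labels are my own convention.
"""

IMPORTS = {
    "KERNEL32.dll": {
        "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW", "GetModuleHandleW", "GetProcAddress",
        "FindResourceW", "FindResourceExW", "LoadResource", "LockResource", "SizeofResource",
        "VirtualAlloc", "VirtualProtect", "VirtualQuery", "VirtualFree", "IsDebuggerPresent",
        "ResumeThread", "TerminateProcess", "GetCurrentProcess", "DuplicateHandle", "CreateMutexW",
        "OutputDebugStringW", "CreateFileW", "ReadFile", "WriteFile",
    },
    "USER32.dll": {
        "SetWindowsHookExW", "UnhookWindowsHookEx", "CallNextHookEx", "GetKeyState", "MapVirtualKeyW",
        "OpenClipboard", "GetClipboardData", "SetClipboardData", "EmptyClipboard", "CloseClipboard",
        "IsClipboardFormatAvailable", "RegisterHotKey", "UnregisterHotKey",
        "EnumWindows", "GetWindowThreadProcessId", "GetClassNameW",
    },
    "ADVAPI32.dll": {
        "CryptImportKey", "RegQueryValueExW", "RegSetValueExW", "RegCloseKey", "RegOpenKeyW",
        "RegCreateKeyW", "RegDeleteValueW", "CryptGetHashParam", "CryptVerifySignatureW",
        "CryptHashData", "CryptCreateHash", "RegGetValueW", "CryptDestroyKey", "CryptDestroyHash",
        "CryptReleaseContext", "RegEnumValueW", "CryptAcquireContextW", "RegOpenKeyExW",
        "RegEnumKeyExW", "RegQueryInfoKeyW",
    },
    "SHELL32.dll": {
        "SHOpenFolderAndSelectItems", "SHGetFolderPathW", "SHCreateItemFromIDList",
        "DragAcceptFiles", "ShellExecuteExW", "SHGetDesktopFolder", "DragFinish",
    },
    "CRYPT32.dll": {
        "CertVerifyRevocation", "CertVerifyCertificateChainPolicy", "CertGetCertificateChain",
        "CertVerifyTimeValidity", "CertCloseStore", "CertFreeCertificateChain",
        "CertFreeCertificateContext",
    },
}

# "all": every listed name must be imported; "any": at least one must be (if the key is present)
RULES = {
    "global keyboard hook": {"all": {"SetWindowsHookExW", "CallNextHookEx"}},
    "clipboard read": {"all": {"OpenClipboard", "GetClipboardData"}},
    "clipboard write": {"all": {"OpenClipboard", "SetClipboardData"}},
    "debugger check": {"any": {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"}},
    "runtime API resolution": {"all": {"GetProcAddress"},
                               "any": {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA",
                                       "LoadLibraryExW", "GetModuleHandleW"}},
    "resource-to-memory staging": {"all": {"FindResourceW", "LoadResource", "LockResource",
                                           "VirtualAlloc", "VirtualProtect"}},
    "registry write": {"any": {"RegSetValueExW", "RegCreateKeyW", "RegCreateKeyExW"}},
    "launch external program": {"any": {"ShellExecuteExW", "ShellExecuteW", "CreateProcessW", "WinExec"}},
    "remote process injection": {"all": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory"},
                                 "any": {"CreateRemoteThread", "NtCreateThreadEx", "QueueUserAPC"}},
    "certificate chain validation": {"all": {"CertGetCertificateChain", "CertVerifyCertificateChainPolicy"}},
}


def imported_names(imports=IMPORTS):
    """Flatten the per-DLL table into one set; the rules do not care which DLL exports a name."""
    return set().union(*imports.values())


def evaluate(imports=IMPORTS, rules=RULES):
    """{rule: sorted matching names} for rules that fire, {rule: None} for rules that do not."""
    names = imported_names(imports)
    result = {}
    for rule, spec in rules.items():
        need_all, need_any = spec.get("all", set()), spec.get("any", set())
        fires = need_all <= names and (not need_any or bool(need_any & names))
        result[rule] = sorted((need_all | need_any) & names) if fires else None
    return result


def unmatched(imports=IMPORTS, rules=RULES):
    """Rules without static evidence; with GetProcAddress imported they may still be resolved at runtime."""
    return sorted(rule for rule, hit in evaluate(imports, rules).items() if hit is None)


if __name__ == "__main__":
    for rule, hit in evaluate().items():
        print(f"{'HIT ' if hit else 'miss'} {rule:<30} {', '.join(hit) if hit else '-'}")
```

Treat a miss as "no static evidence", never as "absent": a sample that imports GetProcAddress can reach every API the rules look for without naming it in the import table, which is exactly why dynamic analysis of the kind this report performs is needed alongside the static view.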
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-19T23:42:33.005441+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49773 | 181.131.217.244 | 3020 | TCP
2024-12-19T23:42:34.257170+0100 | 2032777 | ET MALWARE Remcos 3.x Unencrypted Server Response | 1 | 181.131.217.244 | 3020 | 192.168.2.6 | 49773 | TCP
2024-12-19T23:42:36.056369+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.6 | 49780 | 178.237.33.50 | 80 | TCP
2024-12-19T23:44:52.538251+0100 | 2032777 | ET MALWARE Remcos 3.x Unencrypted Server Response | 1 | 181.131.217.244 | 3020 | 192.168.2.6 | 49773 | TCP
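Added example, not part of the Joe Sandbox report: the Python below joins the Suricata alerts above with the TCP packet list that follows, by flow. Both inputs are copied from the report (one field per column, timestamps dropped); the flow canonicalisation and the verdict labels are my own convention. The point it demonstrates is that the IDS table and the packet table describe the same two conversations, one to 181.131.217.244:3020 carrying the Remcos check-in and server responses, one to 178.237.33.50:80 flagged only by a lower-severity downloader-header rule.

```python
"""Correlate Suricata alerts with a TCP packet list by flow.

Added example, not Joe Sandbox code.  ALERTS and PACKETS are copied from the
report's two network tables (timestamps omitted); the verdict labels are my
own convention, not a report field.
"""

SANDBOX_HOST = "192.168.2.6"   # the analysis VM, i.e. the client side of every flow

# (sid, signature, severity, src_ip, src_port, dst_ip, dst_port); Suricata severity 1 is the highest
ALERTS = [
    (2032776, "ET MALWARE Remcos 3.x Unencrypted Checkin", 1, "192.168.2.6", 49773, "181.131.217.244", 3020),
    (2032777, "ET MALWARE Remcos 3.x Unencrypted Server Response", 1, "181.131.217.244", 3020, "192.168.2.6", 49773),
    (2803304, "ETPRO MALWARE Common Downloader Header Pattern HCa", 3, "192.168.2.6", 49780, "178.237.33.50", 80),
    (2032777, "ET MALWARE Remcos 3.x Unencrypted Server Response", 1, "181.131.217.244", 3020, "192.168.2.6", 49773),
]

# (src_port, dst_port, src_ip, dst_ip), in the order the report lists the packets
PACKETS = [
    (49773, 3020, "192.168.2.6", "181.131.217.244"), (3020, 49773, "181.131.217.244", "192.168.2.6"),
    (49773, 3020, "192.168.2.6", "181.131.217.244"), (49773, 3020, "192.168.2.6", "181.131.217.244"),
    (3020, 49773, "181.131.217.244", "192.168.2.6"), (3020, 49773, "181.131.217.244", "192.168.2.6"),
    (49773, 3020, "192.168.2.6", "181.131.217.244"), (3020, 49773, "181.131.217.244", "192.168.2.6"),
    (3020, 49773, "181.131.217.244", "192.168.2.6"), (49773, 3020, "192.168.2.6", "181.131.217.244"),
    (49780, 80, "192.168.2.6", "178.237.33.50"), (80, 49780, "178.237.33.50", "192.168.2.6"),
    (49780, 80, "192.168.2.6", "178.237.33.50"), (49780, 80, "192.168.2.6", "178.237.33.50"),
    (80, 49780, "178.237.33.50", "192.168.2.6"), (80, 49780, "178.237.33.50", "192.168.2.6"),
    (49780, 80, "192.168.2.6", "178.237.33.50"), (49773, 3020, "192.168.2.6", "181.131.217.244"),
    (3020, 49773, "181.131.217.244", "192.168.2.6"), (80, 49780, "178.237.33.50", "192.168.2.6"),
    (49780, 80, "192.168.2.6", "178.237.33.50"),
]


def flow_key(src_ip, src_port, dst_ip, dst_port, local=SANDBOX_HOST):
    """Canonical (client_ip, client_port, server_ip, server_port) for both packet directions."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    if a[0] != local and b[0] == local:
        a, b = b, a                   # packet travelling server -> sandbox
    elif a[0] != local and b[0] != local:
        a, b = sorted((a, b))         # neither side is the sandbox: fall back to a stable order
    return a + b


def _new_flow():
    return {"packets": 0, "sids": set(), "severity": None}


def flow_table(packets=PACKETS, alerts=ALERTS):
    """Bucket packets and alerts by flow; keep packet count, distinct SIDs and the worst severity."""
    flows = {}
    for src_port, dst_port, src_ip, dst_ip in packets:
        flows.setdefault(flow_key(src_ip, src_port, dst_ip, dst_port), _new_flow())["packets"] += 1
    for sid, _sig, sev, src_ip, src_port, dst_ip, dst_port in alerts:
        f = flows.setdefault(flow_key(src_ip, src_port, dst_ip, dst_port), _new_flow())
        f["sids"].add(sid)
        f["severity"] = sev if f["severity"] is None else min(f["severity"], sev)   # 1 beats 3
    return flows


def verdict(flow):
    """A severity-1 IDS hit marks the flow as malware traffic; any other hit is merely suspicious."""
    if flow["severity"] == 1:
        return "malware-c2"
    return "suspicious" if flow["sids"] else "unflagged"


def summarize(packets=PACKETS, alerts=ALERTS):
    """One row per flow, ordered by the sandbox's ephemeral port (roughly connection order)."""
    rows = []
    for (_cip, cport, sip, sport), f in flow_table(packets, alerts).items():
        rows.append({"client_port": cport, "remote": (sip, sport), "packets": f["packets"],
                     "sids": sorted(f["sids"]), "verdict": verdict(f)})
    return sorted(rows, key=lambda r: r["client_port"])


def c2_indicators(rows=None):
    """Remote endpoints to block or hunt for: every flow the IDS tied to malware traffic."""
    rows = summarize() if rows is None else rows
    return sorted({r["remote"] for r in rows if r["verdict"] == "malware-c2"})


if __name__ == "__main__":
    for r in summarize():
        print(f"{r['remote'][0]}:{r['remote'][1]:<5} pkts={r['packets']:<3} sids={r['sids']} {r['verdict']}")
    print("C2 indicators:", c2_indicators())
```

The canonical flow key is what makes the join work: Suricata reports the check-in with the sandbox as source and the server response with the server as source, and the packet list alternates direction on every line, so keying on the raw 4-tuple would split one conversation into two.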
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 19, 2024 23:42:32.372544050 CET | 192.168.2.6 | 1.1.1.1 | 0xfcf5 | Standard query (0) | newstaticfreepoint24.ddns-ip.net | A (IP address) | IN (0x0001) | false
Dec 19, 2024 23:42:34.546252966 CET | 192.168.2.6 | 1.1.1.1 | 0x8321 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 19, 2024 23:42:32.779983997 CET | 1.1.1.1 | 192.168.2.6 | 0xfcf5 | No error (0) | newstaticfreepoint24.ddns-ip.net | | 181.131.217.244 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 23:42:34.685386896 CET | 1.1.1.1 | 192.168.2.6 | 0x8321 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                                                                • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49780 | 178.237.33.50 | 80 | 3472 | C:\Users\user\Desktop\SHROsQyiAd.exe
Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 23:42:34.812305927 CET | 71 | OUT | GET /json.gp HTTP/1.1
                                                                                Host: geoplugin.net
                                                                                Cache-Control: no-cache
Dec 19, 2024 23:42:36.056298018 CET | 1171 | IN | HTTP/1.1 200 OK
                                                                                date: Thu, 19 Dec 2024 22:42:35 GMT
                                                                                server: Apache
                                                                                content-length: 963
                                                                                content-type: application/json; charset=utf-8
                                                                                cache-control: public, max-age=300
                                                                                access-control-allow-origin: *
                                                                                Data Ascii: { "geoplugin_request":"8.46.123.189", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7503", "geoplugin_longitude":"-74.0014", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}



                                                                                Target ID:2
                                                                                Start time:17:42:11
                                                                                Start date:19/12/2024
                                                                                Path:C:\Users\user\Desktop\SHROsQyiAd.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Users\user\Desktop\SHROsQyiAd.exe"
                                                                                Imagebase:0x400000
                                                                                File size:8'779'776 bytes
                                                                                MD5 hash:7119698425E2056D404E97B12ED5CA37
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000002.00000002.2444408397.0000000001130000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.2444408397.0000000001130000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.2444408397.0000000001130000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000002.00000002.2444408397.0000000001130000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000002.00000002.2444408397.0000000001130000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000002.00000002.2444408397.0000000001130000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000002.00000002.2444502567.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.2444502567.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.2444502567.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000002.00000002.2444502567.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000002.00000002.2444502567.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000002.00000002.2444502567.00000000011C0000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                Reputation:low
                                                                                Has exited:true

                                                                                Target ID:6
                                                                                Start time:17:42:31
                                                                                Start date:19/12/2024
                                                                                Path:C:\Users\user\Desktop\SHROsQyiAd.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Users\user\Desktop\SHROsQyiAd.exe"
                                                                                Imagebase:0x400000
                                                                                File size:8'779'776 bytes
                                                                                MD5 hash:7119698425E2056D404E97B12ED5CA37
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                Reputation:low
                                                                                Has exited:false


                                                                                  Execution Graph

                                                                                  Execution Coverage:4.2%
                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                  Signature Coverage:5.8%
                                                                                  Total number of Nodes:1321
                                                                                  Total number of Limit Nodes:51
API calls 46563->46564 46565 c7e1d2 ctype 46564->46565 46932 c76052 46565->46932 46567 c7e205 46567->46257 46588 c8afd6 46568->46588 46569 c8b046 46570 c71eea 11 API calls 46569->46570 46571 c8b078 46570->46571 46572 c71eea 11 API calls 46571->46572 46574 c8b080 46572->46574 46573 c8b048 46575 c73b60 28 API calls 46573->46575 46577 c71eea 11 API calls 46574->46577 46578 c8b054 46575->46578 46579 c7d7c6 46577->46579 46580 c71eef 11 API calls 46578->46580 46589 c7e8bd 46579->46589 46582 c8b05d 46580->46582 46581 c71eef 11 API calls 46581->46588 46583 c71eea 11 API calls 46582->46583 46585 c8b065 46583->46585 46584 c71eea 11 API calls 46584->46588 46939 c8bfa9 28 API calls 46585->46939 46588->46569 46588->46573 46588->46581 46588->46584 46935 c73b60 46588->46935 46938 c8bfa9 28 API calls 46588->46938 46590 c7e8ca 46589->46590 46592 c7e8da 46590->46592 46956 c7200a 11 API calls 46590->46956 46592->46265 46594 c71d6c 46593->46594 46595 c71d74 46594->46595 46957 c71fff 22 API calls 46594->46957 46595->46272 46599 c74ccb 46598->46599 46958 c72e78 46599->46958 46601 c74cee 46601->46279 46967 c74bc4 46602->46967 46604 c75cf4 46604->46282 46606 c71efe 46605->46606 46608 c71f0a 46606->46608 46976 c721b9 11 API calls 46606->46976 46608->46286 46611 c71ec9 46609->46611 46610 c71ee4 46610->46296 46611->46610 46612 c72325 28 API calls 46611->46612 46612->46610 46977 c71e8f 46613->46977 46615 c7bee1 CreateMutexA GetLastError 46615->46312 46979 c8b15b 46616->46979 46621 c71eef 11 API calls 46622 c8a49f 46621->46622 46623 c71eea 11 API calls 46622->46623 46624 c8a4a7 46623->46624 46625 c8a4fa 46624->46625 46626 c82513 31 API calls 46624->46626 46625->46318 46627 c8a4cd 46626->46627 46628 c8a4d8 StrToIntA 46627->46628 46629 c8a4ef 46628->46629 46630 c8a4e6 46628->46630 46632 c71eea 11 API calls 46629->46632 46987 c8c102 22 API calls 46630->46987 46632->46625 46634 c7698f 46633->46634 46635 c824b7 3 API calls 46634->46635 46636 c76996 46635->46636 46636->46328 46636->46329 46638 
c8ae1c 46637->46638 46988 c7b027 46638->46988 46640 c8ae24 46640->46343 46642 c71e27 46641->46642 46644 c71e33 46642->46644 46997 c72121 11 API calls 46642->46997 46644->46346 46647 c72121 46645->46647 46646 c72150 46646->46349 46647->46646 46998 c72718 11 API calls _Deallocate 46647->46998 46650 c828c0 46649->46650 46651 c76052 28 API calls 46650->46651 46652 c828d5 46651->46652 46653 c71fbd 28 API calls 46652->46653 46654 c828e5 46653->46654 46655 c826d2 14 API calls 46654->46655 46656 c828ef 46655->46656 46657 c71eea 11 API calls 46656->46657 46658 c828fc 46657->46658 46658->46394 46660 c71f6e 46659->46660 46999 c72301 46660->46999 46664 c82722 46663->46664 46667 c826eb 46663->46667 46665 c71eea 11 API calls 46664->46665 46666 c7dd3b 46665->46666 46666->46396 46668 c826fd RegSetValueExA RegCloseKey 46667->46668 46668->46664 46670 caa600 _strftime 46669->46670 47003 ca993e 46670->47003 46672 c7dd54 46672->46402 46672->46405 46674 c8a69c GetLocalTime 46673->46674 46675 c8a737 46673->46675 46676 c74cbf 28 API calls 46674->46676 46677 c71eea 11 API calls 46675->46677 46678 c8a6de 46676->46678 46679 c8a73f 46677->46679 46680 c75ce6 28 API calls 46678->46680 46681 c71eea 11 API calls 46679->46681 46683 c8a6ea 46680->46683 46682 c7ddaa 46681->46682 46682->46420 47031 c727cb 46683->47031 46685 c8a6f6 46686 c75ce6 28 API calls 46685->46686 46687 c8a702 46686->46687 47034 c76478 76 API calls 46687->47034 46689 c8a710 46690 c71eea 11 API calls 46689->46690 46691 c8a71c 46690->46691 46692 c71eea 11 API calls 46691->46692 46693 c8a725 46692->46693 46694 c71eea 11 API calls 46693->46694 46695 c8a72e 46694->46695 46696 c71eea 11 API calls 46695->46696 46696->46675 46698 c79536 _wcslen 46697->46698 46699 c79541 46698->46699 46700 c79558 46698->46700 46701 c7c89e 31 API calls 46699->46701 46702 c7c89e 31 API calls 46700->46702 46703 c79549 46701->46703 46704 c79560 46702->46704 46705 c71e18 11 API calls 46703->46705 46706 c71e18 11 API calls 46704->46706 46707 c79553 
46705->46707 46708 c7956e 46706->46708 46710 c71e13 11 API calls 46707->46710 46709 c71e13 11 API calls 46708->46709 46711 c79576 46709->46711 46713 c795ad 46710->46713 47054 c7856b 28 API calls 46711->47054 47039 c79837 46713->47039 46714 c79588 47055 c728cf 46714->47055 46718 c79593 46719 c71e18 11 API calls 46718->46719 46720 c7959d 46719->46720 46721 c71e13 11 API calls 46720->46721 46721->46707 46723 c8a7c5 GetUserNameW 46722->46723 47232 c73b40 46723->47232 46727 c8a7fd 46728 c728cf 28 API calls 46727->46728 46729 c8a807 46728->46729 46730 c71e13 11 API calls 46729->46730 46731 c8a810 46730->46731 46732 c71e13 11 API calls 46731->46732 46733 c7dfc3 46732->46733 46733->46473 46735 c8248f RegQueryValueExA RegCloseKey 46734->46735 46736 c7e08b 46734->46736 46735->46736 46736->46501 46736->46503 46738 c825dd 46737->46738 46739 c825b0 RegQueryValueExW RegCloseKey 46737->46739 46740 c73b40 28 API calls 46738->46740 46739->46738 46741 c7e0ba 46740->46741 46741->46514 46743 c82992 RegDeleteValueW 46742->46743 46744 c829a6 46742->46744 46743->46744 46745 c829a2 46743->46745 46744->46523 46745->46523 46747 c7cbc5 46746->46747 46748 c8246e 3 API calls 46747->46748 46749 c7cbcc 46748->46749 46750 c7cbeb 46749->46750 47254 c71602 46749->47254 46754 c83fd4 46750->46754 46752 c7cbd9 47257 c827d5 RegCreateKeyA 46752->47257 46755 c83feb 46754->46755 47271 c8aa73 46755->47271 46757 c83ff6 46758 c71d64 22 API calls 46757->46758 46759 c8400f 46758->46759 46760 caa5e7 _strftime 39 API calls 46759->46760 46761 c8401c 46760->46761 46762 c8402e 46761->46762 46763 c84021 Sleep 46761->46763 46764 c71f66 28 API calls 46762->46764 46763->46762 46765 c8403d 46764->46765 46766 c71d64 22 API calls 46765->46766 46767 c8404b 46766->46767 46768 c71fbd 28 API calls 46767->46768 46769 c84053 46768->46769 46770 c8afc3 28 API calls 46769->46770 46771 c8405b 46770->46771 47275 c74262 WSAStartup 46771->47275 46773 c84065 46774 c71d64 22 API calls 46773->46774 46775 c8406e 46774->46775 46776 c71d64 
22 API calls 46775->46776 46836 c840ed 46775->46836 46778 c84087 46776->46778 46777 c71f66 28 API calls 46777->46836 46780 c71d64 22 API calls 46778->46780 46779 c71fbd 28 API calls 46779->46836 46781 c84098 46780->46781 46783 c71d64 22 API calls 46781->46783 46782 c8afc3 28 API calls 46782->46836 46784 c840a9 46783->46784 46785 c71d64 22 API calls 46784->46785 46787 c840ba 46785->46787 46786 c785b4 28 API calls 46786->46836 46788 c71d64 22 API calls 46787->46788 46790 c840cb 46788->46790 46789 c71eef 11 API calls 46789->46836 46791 c71d64 22 API calls 46790->46791 46792 c840dd 46791->46792 47407 c74101 87 API calls 46792->47407 46794 c8a686 79 API calls 46794->46836 46796 c84244 WSAGetLastError 47408 c8bc76 30 API calls 46796->47408 46801 c84259 46803 c8a686 79 API calls 46801->46803 46807 c71d8c 11 API calls 46801->46807 46808 c71d64 22 API calls 46801->46808 46809 caa5e7 _strftime 39 API calls 46801->46809 46801->46836 46838 c71f66 28 API calls 46801->46838 46839 c84b22 CreateThread 46801->46839 46840 c71eea 11 API calls 46801->46840 46841 c71e13 11 API calls 46801->46841 47409 c74c9e 28 API calls 46801->47409 47410 c7a767 84 API calls 46801->47410 47411 c747eb 98 API calls 46801->47411 46803->46801 46805 c71d64 22 API calls 46805->46836 46806 c74cbf 28 API calls 46806->46836 46807->46801 46808->46801 46810 c84b80 Sleep 46809->46810 46810->46801 46811 c75ce6 28 API calls 46811->46836 46814 c782dc 28 API calls 46814->46836 46815 cb0c51 20 API calls 46815->46836 46816 c8265d 3 API calls 46816->46836 46817 c82513 31 API calls 46817->46836 46818 c73b40 28 API calls 46818->46836 46821 c71d64 22 API calls 46822 c844ed GetTickCount 46821->46822 46823 c8ad46 28 API calls 46822->46823 46823->46836 46825 c8ad46 28 API calls 46825->46836 46827 c8aec8 28 API calls 46827->46836 46830 c727cb 28 API calls 46830->46836 46831 c7275c 28 API calls 46831->46836 46832 c74468 60 API calls 46832->46836 46833 c71eea 11 API calls 46833->46836 46834 c71e13 11 API calls 46834->46836 
46836->46777 46836->46779 46836->46782 46836->46786 46836->46789 46836->46794 46836->46796 46836->46801 46836->46805 46836->46806 46836->46811 46836->46814 46836->46815 46836->46816 46836->46817 46836->46818 46836->46821 46836->46825 46836->46827 46836->46830 46836->46831 46836->46832 46836->46833 46836->46834 47276 c83f9a 46836->47276 47281 c741f1 46836->47281 47288 c74915 46836->47288 47303 c7428c connect 46836->47303 47363 c8a96d 46836->47363 47366 c83683 46836->47366 47369 c7cbf1 46836->47369 47375 c8adee 46836->47375 47378 c8aca0 46836->47378 47380 c8ac52 46836->47380 47385 c7e679 GetLocaleInfoA 46836->47385 47388 c727ec 46836->47388 47392 c745d5 46836->47392 46838->46801 46839->46801 47577 c89e89 102 API calls 46839->47577 46840->46801 46841->46801 46842->46273 46843->46283 46846 c785c0 46845->46846 46847 c72e78 28 API calls 46846->46847 46848 c785e4 46847->46848 46848->46304 46850 c8250b 46849->46850 46851 c824e1 RegQueryValueExA RegCloseKey 46849->46851 46850->46300 46851->46850 46852->46307 46853->46334 46854->46329 46855->46320 46856->46335 46858 c7c8ba 46857->46858 46859 c7c90f 46858->46859 46860 c7c8da 46858->46860 46863 c7c8d0 46858->46863 46862 c8b15b GetCurrentProcess 46859->46862 47578 c8a74b 29 API calls 46860->47578 46861 c7ca03 GetLongPathNameW 46865 c73b40 28 API calls 46861->46865 46866 c7c914 46862->46866 46863->46861 46868 c7ca18 46865->46868 46869 c7c96a 46866->46869 46870 c7c918 46866->46870 46867 c7c8e3 46871 c71e18 11 API calls 46867->46871 46872 c73b40 28 API calls 46868->46872 46873 c73b40 28 API calls 46869->46873 46874 c73b40 28 API calls 46870->46874 46875 c7c8ed 46871->46875 46876 c7ca27 46872->46876 46877 c7c978 46873->46877 46878 c7c926 46874->46878 46879 c71e13 11 API calls 46875->46879 47581 c7cc37 28 API calls 46876->47581 46883 c73b40 28 API calls 46877->46883 46884 c73b40 28 API calls 46878->46884 46879->46863 46881 c7ca3a 47582 c72860 28 API calls 46881->47582 46886 c7c98e 46883->46886 46887 c7c93c 46884->46887 46885 c7ca45 
47583 c72860 28 API calls 46885->47583 47580 c72860 28 API calls 46886->47580 47579 c72860 28 API calls 46887->47579 46891 c7ca4f 46895 c71e13 11 API calls 46891->46895 46892 c7c999 46896 c71e18 11 API calls 46892->46896 46893 c7c947 46894 c71e18 11 API calls 46893->46894 46898 c7c952 46894->46898 46899 c7ca59 46895->46899 46897 c7c9a4 46896->46897 46900 c71e13 11 API calls 46897->46900 46901 c71e13 11 API calls 46898->46901 46902 c71e13 11 API calls 46899->46902 46904 c7c9ad 46900->46904 46905 c7c95b 46901->46905 46903 c7ca62 46902->46903 46906 c71e13 11 API calls 46903->46906 46907 c71e13 11 API calls 46904->46907 46908 c71e13 11 API calls 46905->46908 46909 c7ca6b 46906->46909 46907->46875 46908->46875 46910 c71e13 11 API calls 46909->46910 46911 c7ca74 46910->46911 46912 c71e13 11 API calls 46911->46912 46913 c7ca7d 46912->46913 46913->46382 46914->46395 46915->46416 46917 c82683 RegQueryValueExA RegCloseKey 46916->46917 46918 c826a7 46916->46918 46917->46918 46918->46375 46919->46410 46920->46445 46921->46455 46922->46478 46923->46466 46924->46500 46926 c71e0c 46925->46926 46927->46327 46930 c8a65c LoadResource LockResource SizeofResource 46929->46930 46931 c7e183 46929->46931 46930->46931 46931->46556 46933 c71f86 28 API calls 46932->46933 46934 c76066 46933->46934 46934->46567 46940 c73c30 46935->46940 46938->46588 46939->46569 46941 c73c39 46940->46941 46944 c73c59 46941->46944 46945 c73c68 46944->46945 46950 c732a4 46945->46950 46947 c73c74 46948 c72325 28 API calls 46947->46948 46949 c73b73 46948->46949 46949->46588 46951 c732b0 46950->46951 46952 c732ad 46950->46952 46955 c732b6 22 API calls 46951->46955 46952->46947 46956->46592 46960 c72e85 46958->46960 46959 c72ea9 46959->46601 46960->46959 46961 c72e98 46960->46961 46963 c72eae 46960->46963 46965 c73445 28 API calls 46961->46965 46963->46959 46966 c7225b 11 API calls 46963->46966 46965->46959 46966->46959 46968 c74bd0 46967->46968 46971 c7245c 46968->46971 46970 c74be4 46970->46604 46972 c72469 
46971->46972 46974 c72478 46972->46974 46975 c72ad3 28 API calls 46972->46975 46974->46970 46975->46974 46976->46608 46978 c71e94 46977->46978 46978->46615 46980 c8b168 GetCurrentProcess 46979->46980 46981 c8a471 46979->46981 46980->46981 46982 c82513 RegOpenKeyExA 46981->46982 46983 c82541 RegQueryValueExA RegCloseKey 46982->46983 46984 c82569 46982->46984 46983->46984 46985 c71f66 28 API calls 46984->46985 46986 c8257e 46985->46986 46986->46621 46987->46629 46989 c7b02f 46988->46989 46992 c7b04b 46989->46992 46991 c7b045 46991->46640 46993 c7b055 46992->46993 46995 c7b060 46993->46995 46996 c7b138 28 API calls 46993->46996 46995->46991 46996->46995 46997->46644 46998->46646 47000 c7230d 46999->47000 47001 c72325 28 API calls 47000->47001 47002 c71f80 47001->47002 47002->46388 47019 caa545 47003->47019 47005 ca998b 47025 ca92de 35 API calls 2 library calls 47005->47025 47007 ca9950 47007->47005 47008 ca9965 47007->47008 47010 ca996a __cftof 47007->47010 47024 cb5354 20 API calls _Atexit 47008->47024 47010->46672 47012 ca9997 47014 ca99c6 47012->47014 47026 caa58a 39 API calls __Tolower 47012->47026 47016 ca9a32 47014->47016 47027 caa4f1 20 API calls 2 library calls 47014->47027 47028 caa4f1 20 API calls 2 library calls 47016->47028 47017 ca9af9 _strftime 47017->47010 47029 cb5354 20 API calls _Atexit 47017->47029 47020 caa54a 47019->47020 47021 caa55d 47019->47021 47030 cb5354 20 API calls _Atexit 47020->47030 47021->47007 47023 caa54f __cftof 47023->47007 47024->47010 47025->47012 47026->47012 47027->47016 47028->47017 47029->47010 47030->47023 47035 c71e9b 47031->47035 47033 c727d9 47033->46685 47034->46689 47036 c71ea7 47035->47036 47037 c7245c 28 API calls 47036->47037 47038 c71eb9 47037->47038 47038->47033 47040 c79855 47039->47040 47041 c824b7 3 API calls 47040->47041 47042 c7985c 47041->47042 47043 c79870 47042->47043 47044 c7988a 47042->47044 47045 c79875 47043->47045 47046 c795cf 47043->47046 47058 c782dc 47044->47058 47049 c782dc 28 API calls 
47045->47049 47046->46439 47051 c79883 47049->47051 47084 c79959 29 API calls 47051->47084 47053 c79888 47053->47046 47054->46714 47223 c72d8b 47055->47223 47057 c728dd 47057->46718 47059 c782eb 47058->47059 47085 c78431 47059->47085 47061 c78309 47062 c798a5 47061->47062 47090 c7affa 47062->47090 47065 c798f6 47067 c71f66 28 API calls 47065->47067 47066 c798ce 47068 c71f66 28 API calls 47066->47068 47069 c79901 47067->47069 47070 c798d8 47068->47070 47071 c71f66 28 API calls 47069->47071 47072 c8ae08 28 API calls 47070->47072 47074 c79910 47071->47074 47073 c798e6 47072->47073 47094 c7a876 31 API calls ___crtLCMapStringA 47073->47094 47076 c8a686 79 API calls 47074->47076 47078 c79915 CreateThread 47076->47078 47077 c798ed 47079 c71eea 11 API calls 47077->47079 47080 c79930 CreateThread 47078->47080 47081 c7993c CreateThread 47078->47081 47106 c799a9 47078->47106 47079->47065 47080->47081 47103 c79993 47080->47103 47082 c71e13 11 API calls 47081->47082 47100 c799b5 47081->47100 47083 c79950 47082->47083 47083->47046 47084->47053 47222 c7999f 134 API calls 47084->47222 47086 c7843d 47085->47086 47088 c7845b 47086->47088 47089 c72f0d 28 API calls 47086->47089 47088->47061 47089->47088 47092 c7b006 47090->47092 47091 c798c3 47091->47065 47091->47066 47092->47091 47095 c73b9e 47092->47095 47094->47077 47096 c73ba8 47095->47096 47098 c73bb3 47096->47098 47099 c73cfd 28 API calls 47096->47099 47098->47091 47099->47098 47109 c7a3f4 47100->47109 47155 c799e4 47103->47155 47177 c79e48 47106->47177 47137 c7a402 47109->47137 47110 c799be 47111 c7a45c Sleep GetForegroundWindow GetWindowTextLengthW 47112 c7b027 28 API calls 47111->47112 47112->47137 47115 c8aca0 GetTickCount 47115->47137 47117 c7a4a2 GetWindowTextW 47117->47137 47119 c71e13 11 API calls 47119->47137 47120 c7a5ff 47122 c71e13 11 API calls 47120->47122 47121 c7affa 28 API calls 47121->47137 47122->47110 47123 c7a569 Sleep 47123->47137 47126 c71f66 28 API calls 47126->47137 47127 c7a4f1 47129 c782dc 28 API calls 
47127->47129 47127->47137 47142 c7a876 31 API calls ___crtLCMapStringA 47127->47142 47129->47127 47131 c75ce6 28 API calls 47131->47137 47133 c728cf 28 API calls 47133->47137 47134 c8ae08 28 API calls 47134->47137 47135 c79d58 12 API calls 47135->47137 47136 c71eea 11 API calls 47136->47137 47137->47110 47137->47111 47137->47115 47137->47117 47137->47119 47137->47120 47137->47121 47137->47123 47137->47126 47137->47127 47137->47131 47137->47133 47137->47134 47137->47135 47137->47136 47138 ca3519 5 API calls __Init_thread_wait 47137->47138 47139 ca38a5 23 API calls __onexit 47137->47139 47140 ca34cf EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 47137->47140 47141 c782a8 28 API calls 47137->47141 47143 c7b0dd 28 API calls 47137->47143 47144 c7ae58 44 API calls 2 library calls 47137->47144 47145 cb0c51 47137->47145 47149 c74c9e 28 API calls 47137->47149 47138->47137 47139->47137 47140->47137 47141->47137 47142->47127 47143->47137 47144->47137 47146 cb0c5d 47145->47146 47150 cb0a4d 47146->47150 47148 cb0c7e 47148->47137 47149->47137 47151 cb0a64 47150->47151 47153 cb0a9b __cftof 47151->47153 47154 cb5354 20 API calls _Atexit 47151->47154 47153->47148 47154->47153 47156 c79a63 GetMessageA 47155->47156 47157 c799ff SetWindowsHookExA 47155->47157 47158 c79a75 TranslateMessage DispatchMessageA 47156->47158 47170 c7999c 47156->47170 47157->47156 47160 c79a1b GetLastError 47157->47160 47158->47156 47158->47170 47171 c8ad46 47160->47171 47164 c79a3e 47165 c71f66 28 API calls 47164->47165 47166 c79a4d 47165->47166 47167 c8a686 79 API calls 47166->47167 47168 c79a52 47167->47168 47169 c71eea 11 API calls 47168->47169 47169->47170 47172 cb0c51 20 API calls 47171->47172 47173 c8ad67 47172->47173 47174 c71f66 28 API calls 47173->47174 47175 c79a31 47174->47175 47176 c74c9e 28 API calls 47175->47176 47176->47164 47178 c79e5d Sleep 47177->47178 47197 c79d97 47178->47197 47180 c799b2 47181 c79e9d CreateDirectoryW 47183 c79e6f 47181->47183 47182 c79eae 
GetFileAttributesW 47182->47183 47183->47178 47183->47180 47183->47181 47183->47182 47184 c79ec5 SetFileAttributesW 47183->47184 47187 c71d64 22 API calls 47183->47187 47194 c79f10 47183->47194 47210 c8b58f 47183->47210 47184->47183 47186 c79f3f PathFileExistsW 47186->47194 47187->47183 47189 c71f86 28 API calls 47189->47194 47190 c7a048 SetFileAttributesW 47190->47183 47191 c76052 28 API calls 47191->47194 47192 c71eef 11 API calls 47192->47194 47194->47186 47194->47189 47194->47190 47194->47191 47194->47192 47195 c71eea 11 API calls 47194->47195 47196 c71eea 11 API calls 47194->47196 47219 c8b61a 32 API calls 47194->47219 47220 c8b687 CreateFileW SetFilePointer WriteFile CloseHandle 47194->47220 47195->47194 47196->47183 47198 c79e44 47197->47198 47201 c79dad 47197->47201 47198->47183 47199 c79dcc CreateFileW 47200 c79dda GetFileSize 47199->47200 47199->47201 47200->47201 47202 c79e0f CloseHandle 47200->47202 47201->47199 47201->47202 47203 c79e04 Sleep 47201->47203 47204 c79dfd 47201->47204 47206 c79e21 47201->47206 47202->47201 47203->47202 47221 c7a7f0 83 API calls 47204->47221 47206->47198 47207 c782dc 28 API calls 47206->47207 47208 c79e3d 47207->47208 47209 c798a5 125 API calls 47208->47209 47209->47198 47211 c8b5a2 CreateFileW 47210->47211 47213 c8b5db 47211->47213 47214 c8b5df 47211->47214 47213->47183 47215 c8b5f6 WriteFile 47214->47215 47216 c8b5e6 SetFilePointer 47214->47216 47217 c8b60b CloseHandle 47215->47217 47218 c8b609 47215->47218 47216->47215 47216->47217 47217->47213 47218->47217 47219->47194 47220->47194 47221->47203 47224 c72d97 47223->47224 47227 c730f7 47224->47227 47226 c72dab 47226->47057 47228 c73101 47227->47228 47230 c73115 47228->47230 47231 c736c2 28 API calls 47228->47231 47230->47226 47231->47230 47233 c73b48 47232->47233 47239 c73b7a 47233->47239 47236 c73cbb 47243 c73dc2 47236->47243 47238 c73cc9 47238->46727 47240 c73b86 47239->47240 47241 c73b9e 28 API calls 47240->47241 47242 c73b5a 47241->47242 47242->47236 47244 c73dce 
47243->47244 47247 c72ffd 47244->47247 47246 c73de3 47246->47238 47248 c7300e 47247->47248 47249 c732a4 22 API calls 47248->47249 47250 c7301a 47249->47250 47252 c7302e 47250->47252 47253 c735e8 28 API calls 47250->47253 47252->47246 47253->47252 47260 ca95ba 47254->47260 47258 c827ed RegSetValueExA RegCloseKey 47257->47258 47259 c82814 47257->47259 47258->47259 47259->46750 47263 ca953b 47260->47263 47262 c71608 47262->46752 47264 ca954a 47263->47264 47265 ca955e 47263->47265 47269 cb5354 20 API calls _Atexit 47264->47269 47268 ca954f __alldvrm __cftof 47265->47268 47270 cb7601 11 API calls 2 library calls 47265->47270 47268->47262 47269->47268 47270->47268 47274 c8aab9 ctype ___scrt_fastfail 47271->47274 47272 c71f66 28 API calls 47273 c8ab2e 47272->47273 47273->46757 47274->47272 47275->46773 47277 c83fa9 47276->47277 47278 c83fb3 getaddrinfo WSASetLastError 47276->47278 47412 c83e37 29 API calls ___std_exception_copy 47277->47412 47278->46836 47280 c83fae 47280->47278 47282 c74206 socket 47281->47282 47283 c741fd 47281->47283 47285 c74224 CreateEventW 47282->47285 47286 c74220 47282->47286 47413 c74262 WSAStartup 47283->47413 47285->46836 47286->46836 47287 c74202 47287->47282 47287->47286 47290 c7492a 47288->47290 47291 c749b1 47288->47291 47289 c74933 47292 c74987 CreateEventA CreateThread 47289->47292 47290->47289 47290->47292 47293 c74942 GetLocalTime 47290->47293 47291->46836 47292->47291 47415 c74b1d 47292->47415 47294 c8ad46 28 API calls 47293->47294 47295 c7495b 47294->47295 47414 c74c9e 28 API calls 47295->47414 47297 c74968 47298 c71f66 28 API calls 47297->47298 47299 c74977 47298->47299 47300 c8a686 79 API calls 47299->47300 47301 c7497c 47300->47301 47302 c71eea 11 API calls 47301->47302 47302->47292 47304 c742b3 47303->47304 47305 c743e1 47303->47305 47306 c74343 47304->47306 47308 c742e8 47304->47308 47311 c74cbf 28 API calls 47304->47311 47305->47306 47307 c743e7 WSAGetLastError 47305->47307 47306->46836 47307->47306 47309 c743f7 47307->47309 
47419 c90151 27 API calls 47308->47419 47312 c743fc 47309->47312 47313 c742f7 47309->47313 47315 c742d4 47311->47315 47424 c8bc76 30 API calls 47312->47424 47319 c71f66 28 API calls 47313->47319 47314 c742f0 47314->47313 47318 c74306 47314->47318 47320 c71f66 28 API calls 47315->47320 47317 c7440b 47425 c74c9e 28 API calls 47317->47425 47328 c74315 47318->47328 47329 c7434c 47318->47329 47322 c74448 47319->47322 47323 c742e3 47320->47323 47326 c71f66 28 API calls 47322->47326 47324 c8a686 79 API calls 47323->47324 47324->47308 47325 c74418 47327 c71f66 28 API calls 47325->47327 47330 c74457 47326->47330 47331 c74427 47327->47331 47333 c71f66 28 API calls 47328->47333 47421 c90f34 53 API calls 47329->47421 47334 c8a686 79 API calls 47330->47334 47335 c8a686 79 API calls 47331->47335 47337 c74324 47333->47337 47334->47306 47338 c7442c 47335->47338 47336 c74354 47339 c74389 47336->47339 47340 c74359 47336->47340 47341 c71f66 28 API calls 47337->47341 47343 c71eea 11 API calls 47338->47343 47423 c902ea 28 API calls 47339->47423 47344 c71f66 28 API calls 47340->47344 47345 c74333 47341->47345 47343->47306 47347 c74368 47344->47347 47348 c8a686 79 API calls 47345->47348 47346 c74391 47349 c743be CreateEventW CreateEventW 47346->47349 47352 c71f66 28 API calls 47346->47352 47350 c71f66 28 API calls 47347->47350 47351 c74338 47348->47351 47349->47306 47353 c74377 47350->47353 47420 c8dc15 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 47351->47420 47355 c743a7 47352->47355 47356 c8a686 79 API calls 47353->47356 47357 c71f66 28 API calls 47355->47357 47358 c7437c 47356->47358 47359 c743b6 47357->47359 47422 c90592 51 API calls 47358->47422 47361 c8a686 79 API calls 47359->47361 47362 c743bb 47361->47362 47362->47349 47426 c8a945 GlobalMemoryStatusEx 47363->47426 47365 c8a982 47365->46836 47427 c83646 47366->47427 47370 c7cc0d 47369->47370 47371 c8246e 3 API calls 47370->47371 47373 c7cc14 47371->47373 47372 c7cc2c 47372->46836 47373->47372 47374 c824b7 3 
API calls 47373->47374 47374->47372 47376 c71f86 28 API calls 47375->47376 47377 c8ae03 47376->47377 47377->46836 47379 c8acb6 GetTickCount 47378->47379 47379->46836 47381 ca6050 ___scrt_fastfail 47380->47381 47382 c8ac71 GetForegroundWindow GetWindowTextW 47381->47382 47383 c73b40 28 API calls 47382->47383 47384 c8ac9b 47383->47384 47384->46836 47386 c71f66 28 API calls 47385->47386 47387 c7e69e 47386->47387 47387->46836 47389 c727f8 47388->47389 47390 c72e78 28 API calls 47389->47390 47391 c72814 47390->47391 47391->46836 47393 c745ec 47392->47393 47394 caa88c ___crtLCMapStringA 21 API calls 47393->47394 47396 c71f86 28 API calls 47393->47396 47397 c74666 47393->47397 47398 c71eef 11 API calls 47393->47398 47401 c71eea 11 API calls 47393->47401 47465 c7455b 47393->47465 47471 c74688 47393->47471 47394->47393 47396->47393 47482 c747eb 98 API calls 47397->47482 47398->47393 47400 c7466d 47402 c71eea 11 API calls 47400->47402 47401->47393 47403 c74676 47402->47403 47404 c71eea 11 API calls 47403->47404 47405 c7467f 47404->47405 47405->46836 47407->46836 47408->46801 47409->46801 47410->46801 47411->46801 47412->47280 47413->47287 47414->47297 47418 c74b29 101 API calls 47415->47418 47417 c74b26 47418->47417 47419->47314 47420->47306 47421->47336 47422->47351 47423->47346 47424->47317 47425->47325 47426->47365 47430 c83619 47427->47430 47431 c8362e ___scrt_initialize_default_local_stdio_options 47430->47431 47434 cae2dd 47431->47434 47437 cab030 47434->47437 47438 cab058 47437->47438 47439 cab070 47437->47439 47459 cb5354 20 API calls _Atexit 47438->47459 47439->47438 47441 cab078 47439->47441 47460 ca92de 35 API calls 2 library calls 47441->47460 47443 cab088 47461 cab7b6 20 API calls 2 library calls 47443->47461 47446 cab100 47462 cabe24 50 API calls 3 library calls 47446->47462 47447 c8363c 47447->46836 47450 cab05d __cftof 47452 ca3d2c 47450->47452 47451 cab10b 47463 cab820 20 API calls _free 47451->47463 47453 ca3d37 IsProcessorFeaturePresent 47452->47453 47454 
ca3d35 47452->47454 47456 ca41a4 47453->47456 47454->47447 47464 ca4168 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 47456->47464 47458 ca4287 47458->47447 47459->47450 47460->47443 47461->47446 47462->47451 47463->47450 47464->47458 47466 c74565 WaitForSingleObject 47465->47466 47467 c74592 recv 47465->47467 47483 c90556 53 API calls 47466->47483 47469 c745a5 47467->47469 47469->47393 47470 c74581 SetEvent 47470->47469 47481 c746a3 47471->47481 47472 c747d8 47473 c71eea 11 API calls 47472->47473 47474 c747e1 47473->47474 47474->47393 47475 c73b60 28 API calls 47475->47481 47476 c71eef 11 API calls 47476->47481 47477 c71eea 11 API calls 47477->47481 47478 c71fbd 28 API calls 47478->47481 47479 c71ebd 28 API calls 47480 c74772 CreateEventA CreateThread WaitForSingleObject CloseHandle 47479->47480 47480->47481 47484 c84b9b 47480->47484 47481->47472 47481->47475 47481->47476 47481->47477 47481->47478 47481->47479 47482->47400 47483->47470 47485 c71fbd 28 API calls 47484->47485 47486 c84bbd SetEvent 47485->47486 47487 c84bd2 47486->47487 47488 c73b60 28 API calls 47487->47488 47489 c84bec 47488->47489 47490 c71fbd 28 API calls 47489->47490 47491 c84bfc 47490->47491 47492 c71fbd 28 API calls 47491->47492 47493 c84c0e 47492->47493 47494 c8afc3 28 API calls 47493->47494 47495 c84c17 47494->47495 47496 c84d8a 47495->47496 47498 c84c37 GetTickCount 47495->47498 47558 c84d99 47495->47558 47497 c71d8c 11 API calls 47496->47497 47499 c861fb 47497->47499 47500 c8ad46 28 API calls 47498->47500 47502 c71eea 11 API calls 47499->47502 47503 c84c4d 47500->47503 47501 c84dad 47575 c74ab1 83 API calls 47501->47575 47505 c86207 47502->47505 47506 c8aca0 GetTickCount 47503->47506 47508 c71eea 11 API calls 47505->47508 47509 c84c54 47506->47509 47507 c84d7d 47507->47496 47510 c86213 47508->47510 47511 c8ad46 28 API calls 47509->47511 47512 c84c5f 47511->47512 47513 c8ac52 30 API calls 47512->47513 47514 c84c6d 47513->47514 47563 c8aec8 
[Control-flow graph edge list omitted (graph node IDs 47514 to 47722). Call sites recoverable from the graph: Sleep at 00C7E5FE, TerminateProcess/WaitForSingleObject at 00C81699 and ExitProcess at 00C7E670 on the shutdown path; CallNextHookEx at 00C79AF7 and ToUnicodeEx at 00C79BC6 and 00C79C08 in the keyboard-hook handler reached from 00C799D0; HeapFree at 00CB6AD0 and GetLastError at 00CB6AEB in the CRT helper at 00CB6AC5; a _strftime wrapper at 00CAA5E7.]

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,00C7D783), ref: 00C8BCF8
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00C8BD01
                                                                                  • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,00C7D783), ref: 00C8BD18
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00C8BD1B
                                                                                  • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,00C7D783), ref: 00C8BD2D
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00C8BD30
                                                                                  • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,00C7D783), ref: 00C8BD41
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00C8BD44
                                                                                  • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,00C7D783), ref: 00C8BD55
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00C8BD58
                                                                                  • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,00C7D783), ref: 00C8BD65
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00C8BD68
                                                                                  • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,00C7D783), ref: 00C8BD75
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00C8BD78
                                                                                  • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,00C7D783), ref: 00C8BD85
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00C8BD88
                                                                                  • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,00C7D783), ref: 00C8BD99
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00C8BD9C
                                                                                  • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,00C7D783), ref: 00C8BDA9
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00C8BDAC
                                                                                  • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,00C7D783), ref: 00C8BDBD
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00C8BDC0
                                                                                  • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,00C7D783), ref: 00C8BDD1
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00C8BDD4
                                                                                  • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,00C7D783), ref: 00C8BDE5
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00C8BDE8
                                                                                  • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,00C7D783), ref: 00C8BDF5
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00C8BDF8
                                                                                  • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,00C7D783), ref: 00C8BE06
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00C8BE09
                                                                                  • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,00C7D783), ref: 00C8BE16
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00C8BE19
                                                                                  • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,00C7D783), ref: 00C8BE2B
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00C8BE2E
                                                                                  • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,00C7D783), ref: 00C8BE3B
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00C8BE3E
                                                                                  • LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,00C7D783), ref: 00C8BE50
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00C8BE53
                                                                                  • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,00C7D783), ref: 00C8BE60
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00C8BE63
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AddressProc$HandleLibraryLoadModule
                                                                                  • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                                                  • API String ID: 384173800-625181639
                                                                                  • Opcode ID: 40ce0173f7360088a4dfb35494d116b9900633fa9f8a5060d8385cc8d0183216
                                                                                  • Instruction ID: f0dc4e311d2beedeb72904c771e7a71706122ab6b214ca74e1ce2362208890a6
                                                                                  • Opcode Fuzzy Hash: 40ce0173f7360088a4dfb35494d116b9900633fa9f8a5060d8385cc8d0183216
                                                                                  • Instruction Fuzzy Hash: FE31BDA4E4039CFADA107BF65C8DF5F7E9CD944B943020927B6059B751DFB8AD008EA8

                                                                                  Control-flow Graph

[Control-flow graph omitted: basic blocks 00C799E4 to 00C79A96 of the keylogger setup routine. SetWindowsHookExA sits in block 00C799FF-00C79A19; its failure path 00C79A1B-00C79A61 calls GetLastError and then 00C8AD46, 00C74C9E, 00C71F66, 00C8A686 and 00C71EEA (the error-message path); the GetMessageA / TranslateMessage / DispatchMessageA pump is blocks 00C79A63-00C79A8D, exiting through 00C79A8F-00C79A96.]
                                                                                  APIs
                                                                                  • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00C79A01
                                                                                  • SetWindowsHookExA.USER32(0000000D,00C799D0,00000000), ref: 00C79A0F
                                                                                  • GetLastError.KERNEL32 ref: 00C79A1B
                                                                                    • Part of subcall function 00C8A686: GetLocalTime.KERNEL32(00000000), ref: 00C8A6A0
                                                                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00C79A6B
                                                                                  • TranslateMessage.USER32(?), ref: 00C79A7A
                                                                                  • DispatchMessageA.USER32(?), ref: 00C79A85
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                                                  • String ID: Keylogger initialization failure: error $`#v
                                                                                  • API String ID: 3219506041-3226811161
                                                                                  • Opcode ID: 9b93a82d5725e5acb79b900fff90500f7a7bfc923e3dd6f85c44a952260512a9
                                                                                  • Instruction ID: 3cc81d99ecdb011be53e16356296da574efae269d0c0793c2e97b6aeca6a8eee
                                                                                  • Opcode Fuzzy Hash: 9b93a82d5725e5acb79b900fff90500f7a7bfc923e3dd6f85c44a952260512a9
                                                                                  • Instruction Fuzzy Hash: AC119471904201AFD710BB7ADC4AE6B77ECEB94725B04462EFC59C2150EB30DA01DBA2
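The two listings above (the dynamic-import resolver at 00C8BCE3 and the hook setup at 00C799E4) are the kind of API log a triager wants to turn into findings quickly. The script below is an added example written for this page, not part of the Joe Sandbox report or of the sample: it parses lines in the report's own "• Api.MODULE(args), ref: ADDR" form, pairs each LoadLibrary/GetModuleHandle with the GetProcAddress that immediately follows it, translates the SetWindowsHookEx hook type from the Windows SDK WH_* values, and tags the resolved symbols with capabilities. Assumptions: the capability labels are the editor's own triage mapping, not something the report states; the symbol name is read from the second printed stack slot, which the report shows can be stale (Kernel32 is printed beside GetProcessImageFileNameW, user32 beside SetProcessDpiAwareness), so it is a hint rather than ground truth; an 8-hex-digit "name" such as 0000000C is treated as an ordinal import. The embedded input is a constructed subset copied from the lines above.

```python
import re
from dataclasses import dataclass

# Constructed sample input: API lines copied from the two listings above (the
# import resolver at 00C8BCE3 and the hook setup at 00C799E4), in the
# "• Api.MODULE(args), ref: ADDR" form the sandbox report uses.
SAMPLE_LOG = """
• LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,00C7D783), ref: 00C8BCF8
• GetProcAddress.KERNEL32(00000000), ref: 00C8BD01
• GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,00C7D783), ref: 00C8BD18
• GetProcAddress.KERNEL32(00000000), ref: 00C8BD1B
• LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,00C7D783), ref: 00C8BD55
• GetProcAddress.KERNEL32(00000000), ref: 00C8BD58
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,00C7D783), ref: 00C8BD75
• GetProcAddress.KERNEL32(00000000), ref: 00C8BD78
• LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,00C7D783), ref: 00C8BD99
• GetProcAddress.KERNEL32(00000000), ref: 00C8BD9C
• GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,00C7D783), ref: 00C8BDA9
• GetProcAddress.KERNEL32(00000000), ref: 00C8BDAC
• LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,00C7D783), ref: 00C8BE06
• GetProcAddress.KERNEL32(00000000), ref: 00C8BE09
• GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,00C7D783), ref: 00C8BE2B
• GetProcAddress.KERNEL32(00000000), ref: 00C8BE2E
• LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,00C7D783), ref: 00C8BE50
• GetProcAddress.KERNEL32(00000000), ref: 00C8BE53
• GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00C79A01
• SetWindowsHookExA.USER32(0000000D,00C799D0,00000000), ref: 00C79A0F
• GetLastError.KERNEL32 ref: 00C79A1B
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00C79A6B
• TranslateMessage.USER32(?), ref: 00C79A7A
• DispatchMessageA.USER32(?), ref: 00C79A85
"""

# One report line: optional "Part of subcall function X:" prefix, Api.MODULE,
# optional "(stack slots)", then the call-site address after "ref:".
LINE_RE = re.compile(
    r"(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

LOADERS = {"LoadLibraryA", "LoadLibraryW", "GetModuleHandleA", "GetModuleHandleW"}

# Windows SDK hook-type constants for SetWindowsHookEx's idHook argument.
WH_NAMES = {0: "WH_JOURNALRECORD", 1: "WH_JOURNALPLAYBACK", 2: "WH_KEYBOARD",
            3: "WH_GETMESSAGE", 5: "WH_CBT", 7: "WH_MOUSE", 10: "WH_SHELL",
            13: "WH_KEYBOARD_LL", 14: "WH_MOUSE_LL"}

# Editor's triage mapping (an assumption, not a label from the report).
CAPABILITY = {
    "NtUnmapViewOfSection": "process hollowing (unmap target image before writing payload)",
    "NtSuspendProcess": "suspend/resume foreign processes",
    "NtResumeProcess": "suspend/resume foreign processes",
    "IsUserAnAdmin": "privilege check before UAC bypass",
    "SetProcessDEPPolicy": "change own DEP policy",
    "GetExtendedTcpTable": "enumerate network connections",
    "GetExtendedUdpTable": "enumerate network connections",
    "GetProcessImageFileNameW": "enumerate running processes",
    "IsWow64Process": "architecture fingerprinting",
    "GlobalMemoryStatusEx": "host fingerprinting",
    "GetComputerNameExW": "host fingerprinting",
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: str


def parse_api_lines(text):
    """Parse report lines into ApiCall records; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            args = m.group("args")
            calls.append(ApiCall(m.group("api"), m.group("module"),
                                 args.split(",") if args else [], m.group("ref").upper()))
    return calls


def resolve_dynamic_imports(calls):
    """Pair a LoadLibrary/GetModuleHandle with the GetProcAddress right after it.
    The second printed stack slot is the symbol name already pushed for
    GetProcAddress; it may be stale, so it is recorded as a hint only."""
    resolved, pending = [], None
    for call in calls:
        if call.api in LOADERS and len(call.args) >= 2:
            pending = (call.args[0].lower(), call.args[1])
        elif call.api == "GetProcAddress" and pending is not None:
            module, symbol = pending
            if re.fullmatch(r"[0-9A-Fa-f]{8}", symbol):  # ordinal import, e.g. Shlwapi #12
                symbol = f"#{int(symbol, 16)}"
            resolved.append((module, symbol, call.ref))
            pending = None
        else:
            pending = None  # pairing must be adjacent, as in the sample's resolver
    return resolved


def capabilities(resolved):
    """Group resolved symbols by the capability they give the sample."""
    found = {}
    for _, symbol, _ in resolved:
        if symbol in CAPABILITY:
            found.setdefault(CAPABILITY[symbol], []).append(symbol)
    return found


def find_input_hooks(calls):
    """Flag SetWindowsHookEx calls; a keyboard hook followed by a GetMessage
    pump is the user-mode keylogger shape visible in the listing above."""
    findings = []
    for i, call in enumerate(calls):
        if call.api not in ("SetWindowsHookExA", "SetWindowsHookExW") or not call.args:
            continue
        id_hook = int(call.args[0], 16)
        has_pump = any(c.api.startswith("GetMessage") for c in calls[i + 1:])
        findings.append({"hook": WH_NAMES.get(id_hook, f"WH_{id_hook}"),
                         "callback": call.args[1] if len(call.args) > 1 else "?",
                         "site": call.ref,
                         "keylogger_shape": id_hook in (2, 13) and has_pump})
    return findings


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_LOG)
    for entry in resolve_dynamic_imports(parsed):
        print("resolved", entry)
    print(capabilities(resolve_dynamic_imports(parsed)))
    print(find_input_hooks(parsed))
```

Pasting a full function's API list (including the "Part of subcall function" lines) into SAMPLE_LOG works unchanged; the stale-slot caveat means a symbol that appears beside two modules should be checked against the String ID list of the function before being reported as two separate imports.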

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • GetForegroundWindow.USER32(?,?,00CE40F8), ref: 00C79B3F
                                                                                  • GetWindowThreadProcessId.USER32(00000000,?), ref: 00C79B4B
                                                                                  • GetKeyboardLayout.USER32(00000000), ref: 00C79B52
                                                                                  • GetKeyState.USER32(00000010), ref: 00C79B5C
                                                                                  • GetKeyboardState.USER32(?,?,00CE40F8), ref: 00C79B67
                                                                                  • ToUnicodeEx.USER32(00CE414C,?,?,?,00000010,00000000,00000000), ref: 00C79B8A
                                                                                  • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00C79BE3
                                                                                  • ToUnicodeEx.USER32(00CE414C,?,?,?,00000010,00000000,00000000), ref: 00C79C1C
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                                                  • String ID:
                                                                                  • API String ID: 1888522110-0
                                                                                  • Opcode ID: 24c1aebe355dc68eb237c55c2c6eca8d1a167fdf86853835c42a67bc3f5474c9
                                                                                  • Instruction ID: 8395e89756b2a8f05cff5284cdfab233a2d976922947698a0a201c2f5e6e17a8
                                                                                  • Opcode Fuzzy Hash: 24c1aebe355dc68eb237c55c2c6eca8d1a167fdf86853835c42a67bc3f5474c9
                                                                                  • Instruction Fuzzy Hash: 1431CF72104348AFD710DB90DC85FDFBBECEB88714F00492AF645D61A0D7B1A9489BA2

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                    • Part of subcall function 00C824B7: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 00C824D7
                                                                                    • Part of subcall function 00C824B7: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,00CE42F8), ref: 00C824F5
                                                                                    • Part of subcall function 00C824B7: RegCloseKey.KERNELBASE(?), ref: 00C82500
                                                                                  • Sleep.KERNELBASE(00000BB8), ref: 00C7E603
                                                                                  • ExitProcess.KERNEL32 ref: 00C7E672
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CloseExitOpenProcessQuerySleepValue
                                                                                  • String ID: 5.3.0 Pro$override$pth_unenc
                                                                                  • API String ID: 2281282204-531312966
                                                                                  • Opcode ID: 45ddc12b185f28f616192a291eb3973e2c2620a52a93d15bbb97285e805fe409
                                                                                  • Instruction ID: 11ad480718e75f937955652b1199304e3cd169a4cf32132f2d7cb178f4526852
                                                                                  • Opcode Fuzzy Hash: 45ddc12b185f28f616192a291eb3973e2c2620a52a93d15bbb97285e805fe409
                                                                                  • Instruction Fuzzy Hash: B5210A72F002046BD60876B98C1FA3F359A9B95728F84802DFD19573C7EE258E0093E7
                                                                                  APIs
                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00C7460E,00000000,?,?), ref: 00C7456A
                                                                                  • SetEvent.KERNEL32(?,?,?,00C7460E,00000000,?,?), ref: 00C74588
                                                                                  • recv.WS2_32(?,?,?,00000000), ref: 00C7459F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: EventObjectSingleWaitrecv
                                                                                  • String ID:
                                                                                  • API String ID: 311754179-0
                                                                                  • Opcode ID: 8c7fa08e6bd9a99e1dbdc9ec8faa9b230f3f846875420b6173f4da3b003047c4
                                                                                  • Instruction ID: 9d363bb1dd062edfb934de5e61eefc2ea67418888b40bd0561348768308cbd8c
                                                                                  • Opcode Fuzzy Hash: 8c7fa08e6bd9a99e1dbdc9ec8faa9b230f3f846875420b6173f4da3b003047c4
                                                                                  • Instruction Fuzzy Hash: 5DF08236108212FFD7058B14EC08F0AFF62FB88720F21C61AF514522A08771AC20DF51
                                                                                  APIs
                                                                                  • GetUserNameW.ADVAPI32(?,00C7DFC3), ref: 00C8A7D7
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: NameUser
                                                                                  • String ID:
                                                                                  • API String ID: 2645101109-0
                                                                                  • Opcode ID: 7659614b6bbdda5a7733c08e161de1e4b02512f661d0e34b4c3a10e1a3f48f32
                                                                                  • Instruction ID: d48d29047c88c9886b4c90b18c769a483d0f704c5698fa9eba6bd4d74141374d
                                                                                  • Opcode Fuzzy Hash: 7659614b6bbdda5a7733c08e161de1e4b02512f661d0e34b4c3a10e1a3f48f32
                                                                                  • Instruction Fuzzy Hash: 92014B7290011CABDB00EB90DC49EDDB7BCEF44310F004166B806B3191EFB0AB89AB98
                                                                                  APIs
                                                                                  • GetLocaleInfoA.KERNELBASE(00000800,0000005A,00000000,00000003,?,?,?,00C845AD,00CE3EE8,00CE4A10,00CE3EE8,00000000,00CE3EE8,?,00CE3EE8,5.3.0 Pro), ref: 00C7E68D
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: InfoLocale
                                                                                  • String ID:
                                                                                  • API String ID: 2299586839-0
                                                                                  • Opcode ID: e63f35031c09b9cc87b33bc9367de3adeadc0ffbb690981aad141828956cfdb2
                                                                                  • Instruction ID: 3a0f9a59ca8ce5a7626d185af8b4f12b4836182841b829bb4a34a25a090a3387
                                                                                  • Opcode Fuzzy Hash: e63f35031c09b9cc87b33bc9367de3adeadc0ffbb690981aad141828956cfdb2
                                                                                  • Instruction Fuzzy Hash: DFD05E607002187BEA109285CC0AF9A7AACE700B61F000151FA01D72C0E9A0AF008BE1

                                                                                  Control-flow Graph

[Control-flow graph omitted: basic blocks 00C7D767 to 00C7E154 of the main initialisation routine whose API list follows. Call sites visible in the graph: the import resolver 00C8BCE3 and GetModuleFileNameW in the entry block 00C7D767; StrToIntA in block 00C7DD87; CreateThread in blocks 00C7DD60, 00C7DE68, 00C7DEBD, 00C7DF0E, 00C7DFE3, 00C7DFF8 and 00C7E00D; SetProcessDEPPolicy at 00C7DFE0; and a DeleteFileW retry loop (00C7E0ED) that falls back to Sleep at 00C7E0DB before retrying.]
                                                                                  APIs
                                                                                    • Part of subcall function 00C8BCE3: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,00C7D783), ref: 00C8BCF8
                                                                                    • Part of subcall function 00C8BCE3: GetProcAddress.KERNEL32(00000000), ref: 00C8BD01
                                                                                    • Part of subcall function 00C8BCE3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,00C7D783), ref: 00C8BD18
                                                                                    • Part of subcall function 00C8BCE3: GetProcAddress.KERNEL32(00000000), ref: 00C8BD1B
                                                                                    • Part of subcall function 00C8BCE3: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,00C7D783), ref: 00C8BD2D
                                                                                    • Part of subcall function 00C8BCE3: GetProcAddress.KERNEL32(00000000), ref: 00C8BD30
                                                                                    • Part of subcall function 00C8BCE3: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,00C7D783), ref: 00C8BD41
                                                                                    • Part of subcall function 00C8BCE3: GetProcAddress.KERNEL32(00000000), ref: 00C8BD44
                                                                                    • Part of subcall function 00C8BCE3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,00C7D783), ref: 00C8BD55
                                                                                    • Part of subcall function 00C8BCE3: GetProcAddress.KERNEL32(00000000), ref: 00C8BD58
                                                                                    • Part of subcall function 00C8BCE3: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,00C7D783), ref: 00C8BD65
                                                                                    • Part of subcall function 00C8BCE3: GetProcAddress.KERNEL32(00000000), ref: 00C8BD68
                                                                                    • Part of subcall function 00C8BCE3: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,00C7D783), ref: 00C8BD75
                                                                                    • Part of subcall function 00C8BCE3: GetProcAddress.KERNEL32(00000000), ref: 00C8BD78
                                                                                    • Part of subcall function 00C8BCE3: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,00C7D783), ref: 00C8BD85
                                                                                    • Part of subcall function 00C8BCE3: GetProcAddress.KERNEL32(00000000), ref: 00C8BD88
                                                                                    • Part of subcall function 00C8BCE3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,00C7D783), ref: 00C8BD99
                                                                                    • Part of subcall function 00C8BCE3: GetProcAddress.KERNEL32(00000000), ref: 00C8BD9C
                                                                                    • Part of subcall function 00C8BCE3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,00C7D783), ref: 00C8BDA9
                                                                                    • Part of subcall function 00C8BCE3: GetProcAddress.KERNEL32(00000000), ref: 00C8BDAC
                                                                                    • Part of subcall function 00C8BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,00C7D783), ref: 00C8BDBD
                                                                                    • Part of subcall function 00C8BCE3: GetProcAddress.KERNEL32(00000000), ref: 00C8BDC0
                                                                                    • Part of subcall function 00C8BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,00C7D783), ref: 00C8BDD1
                                                                                    • Part of subcall function 00C8BCE3: GetProcAddress.KERNEL32(00000000), ref: 00C8BDD4
                                                                                    • Part of subcall function 00C8BCE3: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,00C7D783), ref: 00C8BDE5
                                                                                    • Part of subcall function 00C8BCE3: GetProcAddress.KERNEL32(00000000), ref: 00C8BDE8
                                                                                    • Part of subcall function 00C8BCE3: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,00C7D783), ref: 00C8BDF5
                                                                                    • Part of subcall function 00C8BCE3: GetProcAddress.KERNEL32(00000000), ref: 00C8BDF8
                                                                                    • Part of subcall function 00C8BCE3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,00C7D783), ref: 00C8BE06
                                                                                  • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\SHROsQyiAd.exe,00000104), ref: 00C7D790
                                                                                    • Part of subcall function 00C7FCBA: __EH_prolog.LIBCMT ref: 00C7FCBF
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                                                  • String ID: Access Level: $Administrator$C:\Users\user\Desktop\SHROsQyiAd.exe$Exe$Inj$Remcos Agent initialized$Software\$User$del$del$exepath$licence$license_code.txt
                                                                                  • API String ID: 2830904901-2389145350
                                                                                  • Opcode ID: 6baeb9621b0d91450cc278836759fcfb5bbad96f5f13d1ad2dd62f3f6c805c1b
                                                                                  • Instruction ID: 1d641b2aee19c6877b5df9900b288e45b09319a1f5400ac1f8960d05ac50eedd
                                                                                  • Opcode Fuzzy Hash: 6baeb9621b0d91450cc278836759fcfb5bbad96f5f13d1ad2dd62f3f6c805c1b
                                                                                  • Instruction Fuzzy Hash: 2C320661B043806BDF29B7799C5BB7E269A8F91740F08C42DFD4A5B2C3DE648D04E362

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • Sleep.KERNEL32(00000000,00000029,00CE42F8,?,00000000), ref: 00C84028
                                                                                  • WSAGetLastError.WS2_32 ref: 00C84249
                                                                                  • Sleep.KERNEL32(00000000,00000002), ref: 00C84B88
                                                                                    • Part of subcall function 00C8A686: GetLocalTime.KERNEL32(00000000), ref: 00C8A6A0
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Sleep$ErrorLastLocalTime
                                                                                  • String ID: | $%I64u$5.3.0 Pro$C:\Users\user\Desktop\SHROsQyiAd.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$TLS Off$TLS On $hlight$name
                                                                                  • API String ID: 524882891-3736032578
                                                                                  • Opcode ID: 7c119fdf251e611ca00355e7855cfc916629c232bc6760d75e70c640b778902c
                                                                                  • Instruction ID: 3f11a79d875a9249b358635f477331c8c84f7b234c0579e22302ca94689b987b
                                                                                  • Opcode Fuzzy Hash: 7c119fdf251e611ca00355e7855cfc916629c232bc6760d75e70c640b778902c
                                                                                  • Instruction Fuzzy Hash: 8852B032A001145BDB19F774DDA6AEE73799FA0700F1480ADF80EA7192EF305F89EA55

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • connect.WS2_32(?,?,?), ref: 00C742A5
                                                                                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,00C7192B), ref: 00C743CB
                                                                                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,00C7192B), ref: 00C743D5
                                                                                  • WSAGetLastError.WS2_32(?,?,?,00C7192B), ref: 00C743E7
                                                                                    • Part of subcall function 00C8A686: GetLocalTime.KERNEL32(00000000), ref: 00C8A6A0
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                                                  • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                                                  • API String ID: 994465650-2151626615
                                                                                  • Opcode ID: 0df28570756f5d2f3d3594519b72959e423aa3e1e7e16915eaba29d72f941aa1
                                                                                  • Instruction ID: bea87b25dbeb33e229b9c51d59a6c687cfc619c0961289b6aa32169c2478ff55
                                                                                  • Opcode Fuzzy Hash: 0df28570756f5d2f3d3594519b72959e423aa3e1e7e16915eaba29d72f941aa1
                                                                                  • Instruction Fuzzy Hash: 2D416C61F00601BBDB0CB7BD8D4B93D7A69AB41320B44811AF91947793EF51AE20E7E3

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • __Init_thread_footer.LIBCMT ref: 00C7A456
                                                                                  • Sleep.KERNELBASE(000001F4), ref: 00C7A461
                                                                                  • GetForegroundWindow.USER32 ref: 00C7A467
                                                                                  • GetWindowTextLengthW.USER32(00000000), ref: 00C7A470
                                                                                  • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 00C7A4A4
                                                                                  • Sleep.KERNEL32(000003E8), ref: 00C7A574
                                                                                    • Part of subcall function 00C79D58: SetEvent.KERNEL32(?,?,00000000,00C7A91C,00000000), ref: 00C79D84
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                                                  • String ID: [${ User has been idle for $ minutes }$]
                                                                                  • API String ID: 911427763-3954389425
                                                                                  • Opcode ID: 23bcba198cffa4712b46400de6aa84a91fd9ab81498308c9d794641c9c3580b3
                                                                                  • Instruction ID: 39516bbfdc970acfabc32ca0e605bb263e22a6bbc0b0e0913c105f8e70a4ec49
                                                                                  • Opcode Fuzzy Hash: 23bcba198cffa4712b46400de6aa84a91fd9ab81498308c9d794641c9c3580b3
                                                                                  • Instruction Fuzzy Hash: 9A5110726086805BC724FB34CC5AB6EB794AFC4314F44892EF84A862D2DF709E44E793

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 00C7CA04
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: LongNamePath
                                                                                  • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                                                  • API String ID: 82841172-425784914
                                                                                  • Opcode ID: 9b4e8215a3d4674bcb61481f1c4782c6bf946ba461720cd1f37d41becb3e8d48
                                                                                  • Instruction ID: 693d138afb294cf17cce3a20fae97a783f9b97ae9348c511bcd5cc62efcad285
                                                                                  • Opcode Fuzzy Hash: 9b4e8215a3d4674bcb61481f1c4782c6bf946ba461720cd1f37d41becb3e8d48
                                                                                  • Instruction Fuzzy Hash: 184186321042019BC314FB25DC97CAFB7A8AF50764F14853EF95E921E2EF609A49F653

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00C8A53E
                                                                                  • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 00C8A554
                                                                                  • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 00C8A56D
                                                                                  • InternetCloseHandle.WININET(00000000), ref: 00C8A5B3
                                                                                  • InternetCloseHandle.WININET(00000000), ref: 00C8A5B6
                                                                                  Strings
                                                                                  • http://geoplugin.net/json.gp, xrefs: 00C8A54E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Internet$CloseHandleOpen$FileRead
                                                                                  • String ID: http://geoplugin.net/json.gp
                                                                                  • API String ID: 3121278467-91888290
                                                                                  • Opcode ID: 9d5e6feffc20ac6c4b5f255e1c2ca4d04c3540e731003bf42cb336df2c72f0d9
                                                                                  • Instruction ID: 3baa3473f390cd182aa108ed596734a36c58fc383c46b1cbac49f9e9ce1ae1b6
                                                                                  • Opcode Fuzzy Hash: 9d5e6feffc20ac6c4b5f255e1c2ca4d04c3540e731003bf42cb336df2c72f0d9
                                                                                  • Instruction Fuzzy Hash: 5B1191312092126BD228EA65DC59EAF7FECEF86765F00053DF90992181DB649D48CAB2

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                    • Part of subcall function 00C8B15B: GetCurrentProcess.KERNEL32(?,?,?,00C7C914,WinDir,00000000,00000000), ref: 00C8B16C
                                                                                    • Part of subcall function 00C82513: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00C82537
                                                                                    • Part of subcall function 00C82513: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00C82554
                                                                                    • Part of subcall function 00C82513: RegCloseKey.KERNELBASE(?), ref: 00C8255F
                                                                                  • StrToIntA.SHLWAPI(00000000,00CDBC48,?,00000000,00000000,00CE4358,00000003,Exe,00000000,0000000E,00000000,00CD556C,00000003,00000000), ref: 00C8A4D9
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CloseCurrentOpenProcessQueryValue
                                                                                  • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                                                  • API String ID: 1866151309-2070987746
                                                                                  • Opcode ID: 3fb6c931e57c1dc2e160d72f1c77fb190a7091271dee5f3f15970d3f19787a3d
                                                                                  • Instruction ID: e771f7c7cd329b77c359d060a2f58726a62f0ab993bbdaaf589c5f5f3b6017e3
                                                                                  • Opcode Fuzzy Hash: 3fb6c931e57c1dc2e160d72f1c77fb190a7091271dee5f3f15970d3f19787a3d
                                                                                  • Instruction Fuzzy Hash: 65116FA0A001415BDB05B3A8DC5FE7F765DABD0300F444439F916973D2EF609E46A3A1

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • Sleep.KERNELBASE(00001388), ref: 00C79E62
                                                                                    • Part of subcall function 00C79D97: CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00C79E6F), ref: 00C79DCD
                                                                                    • Part of subcall function 00C79D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00C79E6F), ref: 00C79DDC
                                                                                    • Part of subcall function 00C79D97: Sleep.KERNEL32(00002710,?,?,?,00C79E6F), ref: 00C79E09
                                                                                    • Part of subcall function 00C79D97: CloseHandle.KERNELBASE(00000000,?,?,?,00C79E6F), ref: 00C79E10
                                                                                  • CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 00C79E9E
                                                                                  • GetFileAttributesW.KERNELBASE(00000000), ref: 00C79EAF
• SetFileAttributesW.KERNELBASE(00000000,00000080), ref: 00C79EC6
• PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00C79F40
  • Part of subcall function 00C8B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00C79F65), ref: 00C8B633
• SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00CD5900,?,00000000,00000000,00000000,00000000,00000000), ref: 00C7A049
Memory Dump Source
• Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
Similarity
• API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
• String ID:
• API String ID: 3795512280-0
• Opcode ID: a091cece9f9d8556fa4d7a592cc43c281f72884ff18e1d14c0897e503b5c5b90
• Instruction ID: 642291e83c15a2091e51ddd4298706405df468efc13eb7c7bb87206961ec2449
• Opcode Fuzzy Hash: a091cece9f9d8556fa4d7a592cc43c281f72884ff18e1d14c0897e503b5c5b90
• Instruction Fuzzy Hash: 4B51D4716043405BCB18FB78C86AABF7799AFD1700F08852CFD9A971D2DF259E08A652

APIs
• CreateThread.KERNEL32(00000000,00000000,00C799A9,?,00000000,00000000), ref: 00C7992A
• CreateThread.KERNEL32(00000000,00000000,00C79993,?,00000000,00000000), ref: 00C7993A
• CreateThread.KERNEL32(00000000,00000000,00C799B5,?,00000000,00000000), ref: 00C79946
  • Part of subcall function 00C7A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 00C7A884
  • Part of subcall function 00C7A876: wsprintfW.USER32 ref: 00C7A905
Memory Dump Source
• Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
Similarity
• API ID: CreateThread$LocalTimewsprintf
• String ID: Offline Keylogger Started
• API String ID: 465354869-4114347211
• Opcode ID: 533524b1a947aefe7642d41eea873161e69c63c313a15ac615da86a2506f05fe
• Instruction ID: e7247ee264cd00be0065073db6bf51843683929dc6c89469105f0f17037f9899
• Opcode Fuzzy Hash: 533524b1a947aefe7642d41eea873161e69c63c313a15ac615da86a2506f05fe
• Instruction Fuzzy Hash: AA11CAB15002087EE624BA79CC87CBF7A6CDA813A4B44452DFD4D02182EA605E14D6F3

Control-flow Graph (basic blocks and edges; the executed/not-executed colouring of the rendered graph is lost in extraction)
• c74915-c74924 -> c749b1 | c7492a-c74931
• c749b1 -> c749b3-c749b7
• c7492a-c74931 -> c74933-c74937 | c74939-c74940
• c74933-c74937 -> c74987-c749af
• c74939-c74940 -> c74987-c749af | c74942-c74982
• c74942-c74982 (GetLocalTime, call c8ad46, call c74c9e, call c71f66, call c8a686, call c71eea) -> c74987-c749af
• c74987-c749af (CreateEventA, CreateThread) -> c749b3-c749b7
APIs
• GetLocalTime.KERNEL32(00000001,00CE3EE8,00CE45A8,00000000,?,?,?,?,?,00C84D8A,?,00000001), ref: 00C74946
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00CE3EE8,00CE45A8,00000000,?,?,?,?,?,00C84D8A,?,00000001), ref: 00C74994
• CreateThread.KERNEL32(00000000,00000000,00C74B1D,?,00000000,00000000), ref: 00C749A7
Strings
• KeepAlive | Enabled | Timeout: , xrefs: 00C7495C
Memory Dump Source
• Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
Similarity
• API ID: Create$EventLocalThreadTime
• String ID: KeepAlive | Enabled | Timeout:
• API String ID: 2532271599-1507639952
• Opcode ID: fcde041fa15d1873a815995bfbff31b2d21523fcbfb9a8643cc97e8f338d1f7e
• Instruction ID: 9b7b4c4d343549c442ee29f96cea087e82d2fcb07678a184e59d59fbd7a74613
• Opcode Fuzzy Hash: fcde041fa15d1873a815995bfbff31b2d21523fcbfb9a8643cc97e8f338d1f7e
• Instruction Fuzzy Hash: 941106319042647BCB15B77A8C49FDF7FAC9F16364F04801AF51942141C7749444CBF2

Control-flow Graph (basic blocks and edges; the executed/not-executed colouring of the rendered graph is lost in extraction)
• c826d2-c826e9 (RegCreateKeyA) -> c826eb-c82720 | c82722
• c826eb-c82720 (call c722f8, call c71e8f, RegSetValueExA, RegCloseKey) -> c82724-c82730
• c82722 -> c82724-c82730
• c82724-c82730 (call c71eea)
APIs
• RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 00C826E1
• RegSetValueExA.KERNELBASE(?,00CD6748,00000000,?,00000000,00000000,00CE42F8,?,?,00C7E5FB,00CD6748,5.3.0 Pro), ref: 00C82709
• RegCloseKey.KERNELBASE(?,?,?,00C7E5FB,00CD6748,5.3.0 Pro), ref: 00C82714
Memory Dump Source
• Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
Similarity
• API ID: CloseCreateValue
• String ID: pth_unenc
• API String ID: 1818849710-4028850238
• Opcode ID: 9ce92f0e5d53af3ab1d9ffa71dd48e0640ffd30fc47ec475e0409e95e8dd34af
• Instruction ID: bc3677c979219fcbaa55ef8cd9ec8fd005d1eaedd2a93557f4b6f5eab5e01bf3
• Opcode Fuzzy Hash: 9ce92f0e5d53af3ab1d9ffa71dd48e0640ffd30fc47ec475e0409e95e8dd34af
• Instruction Fuzzy Hash: 68F03A72540118FBDB01AFA1DC59FEE376CEF14790F108219FD16A6161EB319E04EB60

APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00C74778
• CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 00C7478C
• WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00C74797
• CloseHandle.KERNELBASE(?,?,00000000,00000000,?,?,00000000), ref: 00C747A0
Memory Dump Source
• Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
Similarity
• API ID: Create$CloseEventHandleObjectSingleThreadWait
• String ID:
• API String ID: 3360349984-0
• Opcode ID: 16e2bbf31bada6de7799290fa26876171aed1b89f8c949698d6315c0b765c47f
• Instruction ID: c1cb9c8e5913fad0b2cc93aa276d7c280f6da32349c5bd66f215d55c4fcbe3d9
• Opcode Fuzzy Hash: 16e2bbf31bada6de7799290fa26876171aed1b89f8c949698d6315c0b765c47f
• Instruction Fuzzy Hash: 84418271608340ABC714FB64CC55E7FB7EDEF95710F048A1DF89A92191DB20DA08EB62

APIs
• CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00CD5900,00000000,00000000,00C7C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 00C8B5CE
• SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002), ref: 00C8B5EB
• WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 00C8B5FF
• CloseHandle.KERNELBASE(00000000), ref: 00C8B60C
Memory Dump Source
• Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
Similarity
• API ID: File$CloseCreateHandlePointerWrite
• String ID:
• API String ID: 3604237281-0
• Opcode ID: 197e135489d09e46cdb9c51c53480e7ba6f7a824cc8779d54cd48a7acc184ff6
• Instruction ID: 80ffd0ce6f630dfff9d381a976cf245e36db904025efc47579b6e29d9107ca8f
• Opcode Fuzzy Hash: 197e135489d09e46cdb9c51c53480e7ba6f7a824cc8779d54cd48a7acc184ff6
• Instruction Fuzzy Hash: 3801D2B12086157FE6146E29DC89F7B739CEB42368F180729F571D21D0D7319E068B38

APIs
• CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00C79E6F), ref: 00C79DCD
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,00C79E6F), ref: 00C79DDC
• Sleep.KERNEL32(00002710,?,?,?,00C79E6F), ref: 00C79E09
• CloseHandle.KERNELBASE(00000000,?,?,?,00C79E6F), ref: 00C79E10
Memory Dump Source
• Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
Similarity
• API ID: File$CloseCreateHandleSizeSleep
• String ID:
• API String ID: 1958988193-0
• Opcode ID: af5e35119c30276a2a80c0b70aefcf31094f2ca48f70867c971484c429742403
• Instruction ID: 7bcb65e592366840571d3c1b12d4b319eebc110747e4a404b66b0eade70b027f
• Opcode Fuzzy Hash: af5e35119c30276a2a80c0b70aefcf31094f2ca48f70867c971484c429742403
• Instruction Fuzzy Hash: 2E115531640680AEEB34E728D8CDB2E7BAAEB92311F04850CF29A475A2D6306D919365

APIs
• send.WS2_32(?,00000000,00000000,00000000), ref: 00C744FD
• WaitForSingleObject.KERNEL32(?,00000000,00C84CE9,?,?,00000004,?,?,00000004,00CE3EE8,00CE45A8,00000000), ref: 00C7450E
• SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00CE3EE8,00CE45A8,00000000,?,?,?,?,?,00C84CE9), ref: 00C7453C
Memory Dump Source
• Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
Similarity
• API ID: EventObjectSingleWaitsend
• String ID:
• API String ID: 3963590051-0
• Opcode ID: 7dd39a439565d8761961796f58a239d9fa382c56c88908cebd6999f565fa6748
• Instruction ID: dba69ab820c20dc419626f7e1e0946dcd1ba625643f33fccf977ae2f99827bf7
• Opcode Fuzzy Hash: 7dd39a439565d8761961796f58a239d9fa382c56c88908cebd6999f565fa6748
• Instruction Fuzzy Hash: DB213472900519ABDF05FBA4DC86DEE777CFF54354B048115F91AA2191EF34A908E6A0

APIs
• RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00C82537
• RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00C82554
• RegCloseKey.KERNELBASE(?), ref: 00C8255F
Memory Dump Source
• Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: 935a9b53fbaaf84c4e837db6e149fd516150756b6fc2ad6c03fb7ee9c4dbc605
• Instruction ID: 5e04f03782be8cd2ed71ab1d7ab47370891536477e36fc22834597498088bd4f
• Opcode Fuzzy Hash: 935a9b53fbaaf84c4e837db6e149fd516150756b6fc2ad6c03fb7ee9c4dbc605
• Instruction Fuzzy Hash: 61F08C76A40128BBCB21ABA5DC48EEF7FBDEB44754F004165FA46E2100EB309F05DBA4

APIs
• RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,00CE42F8), ref: 00C82679
• RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,00000000,00000208,?), ref: 00C82692
• RegCloseKey.KERNELBASE(00000000), ref: 00C8269D
Memory Dump Source
• Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: bc7cb64cb2adbff22a98ccc5cdbf6594dbbd38153eace35e175d97a730790495
• Instruction ID: 942d030ae4af0ad49553ab06988b1e864921ad1ae6f676176b889c2ab25e71b7
• Opcode Fuzzy Hash: bc7cb64cb2adbff22a98ccc5cdbf6594dbbd38153eace35e175d97a730790495
• Instruction Fuzzy Hash: 48011436805129BBDF21AFA1DC49EEF7F39EF05354F008150FA1962160E7718AA5EBA4

APIs
• RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 00C824D7
• RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,00CE42F8), ref: 00C824F5
• RegCloseKey.KERNELBASE(?), ref: 00C82500
Memory Dump Source
• Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: d9514d225f29bc076fa5791b4a36694d225d75e6032267d2a8865b8662051cef
• Instruction ID: 2d7305b55c13ba6e7db37e1611922c7fe9a198fbcbdcb501246d63564eaf03ea
• Opcode Fuzzy Hash: d9514d225f29bc076fa5791b4a36694d225d75e6032267d2a8865b8662051cef
• Instruction Fuzzy Hash: 4DF03A76940208BFDF11AFA0DC05FDEBBB8EB04748F1041A1FA05E6190D6709B14AF94

APIs
• RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?,00000000,?,?,00C7B996,00CD60E0), ref: 00C82485
• RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,00000000,?,?,00C7B996,00CD60E0), ref: 00C82499
• RegCloseKey.KERNELBASE(?,?,?,00C7B996,00CD60E0), ref: 00C824A4
Memory Dump Source
• Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: 9b540aff5a7e0cfde7b5c954ee8d42faf76e7b8a03f8e4914295e905b0b7db65
• Instruction ID: 3a68f38b948307d783b91e0553e5cc58f5421c886ca464e8976751b63053b988
• Opcode Fuzzy Hash: 9b540aff5a7e0cfde7b5c954ee8d42faf76e7b8a03f8e4914295e905b0b7db65
• Instruction Fuzzy Hash: AEE03931805124BA9B215BA2DC0DFDF7F6CEF567A4B004140FC09A2211D2218E40EBF4

APIs
• RegCreateKeyA.ADVAPI32(80000001,00000000,00CD5554), ref: 00C827E3
• RegSetValueExA.KERNELBASE(00CD5554,000000AF,00000000,00000004,00000001,00000004,?,?,?,00C7B94C,00CD60E0,00000001,000000AF,00CD5554), ref: 00C827FE
• RegCloseKey.ADVAPI32(00CD5554,?,?,?,00C7B94C,00CD60E0,00000001,000000AF,00CD5554), ref: 00C82809
Memory Dump Source
• Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
Similarity
• API ID: CloseCreateValue
• String ID:
• API String ID: 1818849710-0
• Opcode ID: b4c70dbf56898de6eada8083d82187f0babf813ad53e833b2315fe772fdc6c1a
• Instruction ID: 73d45eec7486a8120e6bf264aca25b81e78d046bdc0ead5448683d1321666a5f
• Opcode Fuzzy Hash: b4c70dbf56898de6eada8083d82187f0babf813ad53e833b2315fe772fdc6c1a
• Instruction Fuzzy Hash: 85E06D72600208BBEF119FA1DC0AFDE3BA8EB04B98F004150FB15E6190D271CE14EBA4
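
Reading the API listings above requires translating the raw hexadecimal arguments into their Win32 meaning: 40000000 in the CreateFileW at 00C8B5CE is GENERIC_WRITE with CREATE_ALWAYS, 00000006 in the SetFileAttributesW at 00C7A049 is FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM, 00002710 in the Sleep at 00C79E09 is 10 000 ms, 80000001 with 00020019 in the RegOpenKeyExA calls is HKEY_CURRENT_USER opened with KEY_READ, and the RegSetValueExA at 00C827FE writes a 4-byte REG_DWORD. The decoder below is an added example for working with this report; it is not part of Joe Sandbox and not code from the analysed sample. It parses the bullet lines exactly as they appear here, and maps the documented positional parameters of CreateFileW, SetFilePointer, SetFileAttributesW, Sleep, RegOpenKeyExA, RegCreateKeyA and RegSetValueExA to the public Win32 constant names; the sample lines are copied from the records above, and any other call is passed through undecoded.

```python
"""Decode Joe Sandbox 'APIs' bullet lines into named Win32 constants.

Added example for reading this report; not part of Joe Sandbox and not code
from the analysed sample. Constant tables are the public Win32 definitions.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple, Union

ArgVal = Union[int, str, None]  # 8-hex-digit slot -> int, literal -> str, "?" -> None

# Lines copied verbatim from the report above.
SAMPLE_LINES = [
    "• CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00CD5900,00000000,00000000,00C7C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 00C8B5CE",
    "• SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002), ref: 00C8B5EB",
    "• CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00C79E6F), ref: 00C79DCD",
    "• Sleep.KERNEL32(00002710,?,?,?,00C79E6F), ref: 00C79E09",
    "• SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00CD5900,?,00000000,00000000,00000000,00000000,00000000), ref: 00C7A049",
    "• RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 00C824D7",
    "• RegSetValueExA.KERNELBASE(00CD5554,000000AF,00000000,00000004,00000001,00000004,?,?,?,00C7B94C,00CD60E0,00000001,000000AF,00CD5554), ref: 00C827FE",
]

LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

# Bitmask fields: every set bit is named, leftover bits are kept as hex.
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
FILE_ATTRS = {0x1: "FILE_ATTRIBUTE_READONLY", 0x2: "FILE_ATTRIBUTE_HIDDEN",
              0x4: "FILE_ATTRIBUTE_SYSTEM", 0x10: "FILE_ATTRIBUTE_DIRECTORY",
              0x20: "FILE_ATTRIBUTE_ARCHIVE", 0x80: "FILE_ATTRIBUTE_NORMAL",
              0x100: "FILE_ATTRIBUTE_TEMPORARY"}
# Enum fields: exact value match, otherwise shown as hex.
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
MOVE_METHOD = {0: "FILE_BEGIN", 1: "FILE_CURRENT", 2: "FILE_END"}
ROOT_KEYS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
             0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
REG_SAM = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}


def _bits(value: int, table: Dict[int, str]) -> str:
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)          # bits no table entry explains
    if rest:
        names.append(hex(rest))
    return "|".join(names) if names else "0"


def _enum(value: int, table: Dict[int, str]) -> str:
    return table.get(value, hex(value))


# (parameter name, position in the argument list, decoder). Joe Sandbox prints
# stack slots past the real parameter count (caller context), so only the
# documented positions are interpreted.
Decoder = Tuple[str, int, Callable[[int], str]]
DECODERS: Dict[str, List[Decoder]] = {
    "CreateFileW": [("dwDesiredAccess", 1, lambda v: _bits(v, GENERIC_ACCESS)),
                    ("dwShareMode", 2, lambda v: _bits(v, SHARE_MODE)),
                    ("dwCreationDisposition", 4, lambda v: _enum(v, DISPOSITION)),
                    ("dwFlagsAndAttributes", 5, lambda v: _bits(v, FILE_ATTRS))],
    "SetFileAttributesW": [("dwFileAttributes", 1, lambda v: _bits(v, FILE_ATTRS))],
    "SetFilePointer": [("dwMoveMethod", 3, lambda v: _enum(v, MOVE_METHOD))],
    "Sleep": [("dwMilliseconds", 0, lambda v: f"{v} ms")],
    "RegOpenKeyExA": [("hKey", 0, lambda v: _enum(v, ROOT_KEYS)),
                      ("samDesired", 3, lambda v: _enum(v, REG_SAM))],
    "RegCreateKeyA": [("hKey", 0, lambda v: _enum(v, ROOT_KEYS))],
    "RegSetValueExA": [("dwType", 3, lambda v: _enum(v, REG_TYPES)),
                       ("cbData", 5, lambda v: f"{v} bytes")],
}


def parse_line(line: str) -> Optional[dict]:
    """Split one 'Api.Module(args), ref: addr' line; None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args: List[ArgVal] = []
    for raw in m.group("args").split(","):
        raw = raw.strip()
        args.append(None if raw == "?" else int(raw, 16) if HEX_RE.match(raw) else raw)
    return {"api": m.group("api"), "module": m.group("module"), "sub": m.group("sub"),
            "args": args, "ref": m.group("ref")}


def decode_line(line: str) -> Optional[dict]:
    """parse_line plus a 'decoded' dict of named parameters for known APIs."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    decoded: Dict[str, str] = {}
    for name, idx, fn in DECODERS.get(parsed["api"], []):
        if idx < len(parsed["args"]) and isinstance(parsed["args"][idx], int):
            decoded[name] = fn(parsed["args"][idx])
    parsed["decoded"] = decoded
    return parsed


def summarize(lines: List[str]) -> List[str]:
    """One 'ref Api(param=NAME, ...)' string per parsable line."""
    out = []
    for line in lines:
        d = decode_line(line)
        if d is None:
            continue
        fields = ", ".join(f"{k}={v}" for k, v in d["decoded"].items())
        out.append(f"{d['ref']} {d['api']}({fields})")
    return out


if __name__ == "__main__":
    for row in summarize(SAMPLE_LINES):
        print(row)
```

Because the report's argument lists are stack snapshots rather than exact prototypes, the decoder deliberately ignores everything beyond the documented parameter positions; the "?" slots and trailing return addresses (00C79E6F, 00C7B94C) are kept in `args` for reference but never interpreted. Adding another call is a matter of appending a `DECODERS` entry with the parameter index and the matching constant table.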

APIs
• GlobalMemoryStatusEx.KERNELBASE(?), ref: 00C8A959
Memory Dump Source
• Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
Similarity
• API ID: GlobalMemoryStatus
• String ID: @
• API String ID: 1890195054-2766056989
• Opcode ID: 92d14effb3ce719d5df97bdb11c8a8af3c91c6b051a905659db2e2b19c33786a
• Instruction ID: 2b145e9432105fdc5e59e5351cb7434ca7bdef59bfc379ce4fb8fcd78228a0c1
• Opcode Fuzzy Hash: 92d14effb3ce719d5df97bdb11c8a8af3c91c6b051a905659db2e2b19c33786a
• Instruction Fuzzy Hash: E8D067B99013189FCB20DFA8E945A8DBBF8FB48214F004569E946E3344E774E9058B94
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CountEventTick
                                                                                  • String ID:
                                                                                  • API String ID: 180926312-0
                                                                                  • Opcode ID: f263359c04baa644565313b207577263d7c8b911e2623af56b186e440eecd2f6
                                                                                  • Instruction ID: 4e03d39bbe78aace4d313bcc65f1f9da05080620381d1007f8eba0c1587ec5e8
                                                                                  • Opcode Fuzzy Hash: f263359c04baa644565313b207577263d7c8b911e2623af56b186e440eecd2f6
                                                                                  • Instruction Fuzzy Hash: 5E51B3315042409BD328F774D8A6AFF73A96F91710F44892EF94E47192EF309E09E756
                                                                                  APIs
                                                                                  • socket.WS2_32(?,00000001,00000006), ref: 00C74212
                                                                                    • Part of subcall function 00C74262: WSAStartup.WS2_32(00000202,00000000), ref: 00C74277
                                                                                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00C74252
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CreateEventStartupsocket
                                                                                  • String ID:
                                                                                  • API String ID: 1953588214-0
                                                                                  • Opcode ID: 51be26dd85bc39b111d125ea36dfedcc839e201112e2ebffe5960ee10db64533
                                                                                  • Instruction ID: a996adcbb368dd9ae210d1386e053744b778787ab3ef467c8cf0a42fbabf14e1
                                                                                  • Opcode Fuzzy Hash: 51be26dd85bc39b111d125ea36dfedcc839e201112e2ebffe5960ee10db64533
                                                                                  • Instruction Fuzzy Hash: 9E015E714087809FD7398F38B84579A7FE0AB19314F048A5DF1DA87BA2C3B1A440DF10
                                                                                  APIs
                                                                                  • GetForegroundWindow.USER32 ref: 00C8AC74
                                                                                  • GetWindowTextW.USER32(00000000,?,00000100), ref: 00C8AC87
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Window$ForegroundText
                                                                                  • String ID:
                                                                                  • API String ID: 29597999-0
                                                                                  • Opcode ID: 5ef20d1d39ccc4c0d20e59db75d8bdf7f92f404eb3f7c1656075e96cac6aceae
                                                                                  • Instruction ID: f4b8bf18aa7a2adbeff79eb93fd0100f6012e717b8294dd175bac7e7b37b3b16
                                                                                  • Opcode Fuzzy Hash: 5ef20d1d39ccc4c0d20e59db75d8bdf7f92f404eb3f7c1656075e96cac6aceae
                                                                                  • Instruction Fuzzy Hash: 96E08075A0031467FB20A764DC4EFDE776CD704704F040195F529D21C2E9B0DA44DBE5
                                                                                  APIs
                                                                                  • getaddrinfo.WS2_32(00000000,00000000,00000000,00CE1B28,00CE4358,00000000,00C84240,00000000,00000001), ref: 00C83FBC
                                                                                  • WSASetLastError.WS2_32(00000000), ref: 00C83FC1
                                                                                    • Part of subcall function 00C83E37: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00C83E86
                                                                                    • Part of subcall function 00C83E37: LoadLibraryA.KERNEL32(?), ref: 00C83EC8
                                                                                    • Part of subcall function 00C83E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00C83EE8
                                                                                    • Part of subcall function 00C83E37: FreeLibrary.KERNEL32(00000000), ref: 00C83EEF
                                                                                    • Part of subcall function 00C83E37: LoadLibraryA.KERNEL32(?), ref: 00C83F27
                                                                                    • Part of subcall function 00C83E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00C83F39
                                                                                    • Part of subcall function 00C83E37: FreeLibrary.KERNEL32(00000000), ref: 00C83F40
                                                                                    • Part of subcall function 00C83E37: GetProcAddress.KERNEL32(00000000,?), ref: 00C83F4F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                                                                  • String ID:
                                                                                  • API String ID: 1170566393-0
                                                                                  • Opcode ID: 1ff209a406c23c14df6a5f8e1b4d2bb3729282957db1ad7643acd3e23663dc9c
                                                                                  • Instruction ID: 6d2948127f06784d63f51ee80bd1076db53d8fff5452e29ad5cdc875045f621a
                                                                                  • Opcode Fuzzy Hash: 1ff209a406c23c14df6a5f8e1b4d2bb3729282957db1ad7643acd3e23663dc9c
                                                                                  • Instruction Fuzzy Hash: 8FD02B322000A12FA310735D9C40FBEB5DCCFA5B387050023F400D7150D6904D42C7A4
                                                                                  APIs
                                                                                  • CreateMutexA.KERNELBASE(00000000,00000001,00000000,00C7D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,00CD556C,00000003,00000000), ref: 00C7BEE6
                                                                                  • GetLastError.KERNEL32 ref: 00C7BEF1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CreateErrorLastMutex
                                                                                  • String ID:
                                                                                  • API String ID: 1925916568-0
                                                                                  • Opcode ID: 0acd17a0667a7227804d286cefdd64241e1781ff3e07b79208edbaf74ba28ae9
                                                                                  • Instruction ID: 3c950800c824438ee059afc89640ca4181f957095c96f40cab5bd61d74e27f0d
                                                                                  • Opcode Fuzzy Hash: 0acd17a0667a7227804d286cefdd64241e1781ff3e07b79208edbaf74ba28ae9
                                                                                  • Instruction Fuzzy Hash: 94D012B0608201DBDB081774AC8EB2D3555E784702F040229F907C55D0CB6488505911
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: _wcslen
                                                                                  • String ID:
                                                                                  • API String ID: 176396367-0
                                                                                  • Opcode ID: e1491f8c5662bf51a92df618e6a5cc151834577157611f92b1b83a7da00b338d
                                                                                  • Instruction ID: beaf8b739f6134235589f29f9146e8dd6d54bbdbd76120e86c21aa45b57240be
                                                                                  • Opcode Fuzzy Hash: e1491f8c5662bf51a92df618e6a5cc151834577157611f92b1b83a7da00b338d
                                                                                  • Instruction Fuzzy Hash: 22119A329002459FCB05EF68D8969EF7BB4EF25310B10842EFC56572D2EF30A955EB51
                                                                                  APIs
                                                                                  • CallNextHookEx.USER32(00CE40F8,?,?,?), ref: 00C79B02
                                                                                    • Part of subcall function 00C7AD56: GetKeyState.USER32(00000011), ref: 00C7AD5B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CallHookNextState
                                                                                  • String ID:
                                                                                  • API String ID: 3280314413-0
                                                                                  • Opcode ID: 534070d158f96ce642393120ed06b14f635033d1547f3ebbd02106f0675255e8
                                                                                  • Instruction ID: eeb2171de42a4a3ebf9aae78df7383215e0c27a0206e3e903bf7cccc12d33a54
                                                                                  • Opcode Fuzzy Hash: 534070d158f96ce642393120ed06b14f635033d1547f3ebbd02106f0675255e8
                                                                                  • Instruction Fuzzy Hash: 33F0F4322052854BCB14AEBC9CD5D2F775AEBD5325F04C02DF50B46A62CAB5C818F722
                                                                                  APIs
                                                                                  • WSAStartup.WS2_32(00000202,00000000), ref: 00C74277
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Startup
                                                                                  • String ID:
                                                                                  • API String ID: 724789610-0
                                                                                  • Opcode ID: 65d301aacf19d5b66d9103a6e390e0509e05ce4ef146f21550ed4d4726256b01
                                                                                  • Instruction ID: e84493ec40608cb8c9e4454f1609d1b661a1027bafaace6d0ea9cd63fa865a0d
                                                                                  • Opcode Fuzzy Hash: 65d301aacf19d5b66d9103a6e390e0509e05ce4ef146f21550ed4d4726256b01
                                                                                  • Instruction Fuzzy Hash: 33D012325596484ED610ABB4AC0FEB87B5CD317611F0403BAACB5866D2E650662CC6B7
                                                                                  APIs
                                                                                  • HeapAlloc.KERNEL32(00000000,00C7E5AC,00000000,?,00CA3627,00C7E5AC,?,00C72BE9,00CE42E0,00C72F1C,00000000,00CE42E0,00C784A8,?,?,00CE42E0), ref: 00CB6B31
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AllocHeap
                                                                                  • String ID:
                                                                                  • API String ID: 4292702814-0
                                                                                  • Opcode ID: 562ee12cae557b3c405398a893e165f2fe6ddc3d3cc209720635d45c1fc8f51f
                                                                                  • Instruction ID: aaeb119b45eddb4dd4292321c99653c6fcc8afd53b50593612b9031e233f434d
                                                                                  • Opcode Fuzzy Hash: 562ee12cae557b3c405398a893e165f2fe6ddc3d3cc209720635d45c1fc8f51f
                                                                                  • Instruction Fuzzy Hash: 4FE09B3160516557E6212B66DC01FEF7BA89F417B0F150120EC25D71D1DB68CD00B1E1
                                                                                  APIs
                                                                                  • SetEvent.KERNEL32(?,?), ref: 00C76F28
                                                                                  • GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00C76FF8
                                                                                  • DeleteFileW.KERNEL32(00000000), ref: 00C77018
                                                                                    • Part of subcall function 00C8B42F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00CE42E0,00CE42F8), ref: 00C8B489
                                                                                    • Part of subcall function 00C8B42F: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,00CE42E0,00CE42F8), ref: 00C8B4BB
                                                                                    • Part of subcall function 00C8B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,00CE42E0,00CE42F8), ref: 00C8B50C
                                                                                    • Part of subcall function 00C8B42F: FindClose.KERNEL32(00000000,?,?,?,?,?,?,00CE42E0,00CE42F8), ref: 00C8B561
                                                                                    • Part of subcall function 00C8B42F: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,00CE42E0,00CE42F8), ref: 00C8B568
                                                                                    • Part of subcall function 00C74468: send.WS2_32(?,00000000,00000000,00000000), ref: 00C744FD
                                                                                    • Part of subcall function 00C76BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00CD5454,?,?,00000000,00C77273,00000000,?,0000000A,00000000), ref: 00C76C38
                                                                                    • Part of subcall function 00C76BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00C77273,00000000,?,0000000A,00000000), ref: 00C76C80
                                                                                    • Part of subcall function 00C76BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00C77273,00000000,?,0000000A,00000000,00000000), ref: 00C76CC0
                                                                                    • Part of subcall function 00C76BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00C76CDD
                                                                                    • Part of subcall function 00C8A686: GetLocalTime.KERNEL32(00000000), ref: 00C8A6A0
                                                                                    • Part of subcall function 00C74468: WaitForSingleObject.KERNEL32(?,00000000,00C84CE9,?,?,00000004,?,?,00000004,00CE3EE8,00CE45A8,00000000), ref: 00C7450E
                                                                                    • Part of subcall function 00C74468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00CE3EE8,00CE45A8,00000000,?,?,?,?,?,00C84CE9), ref: 00C7453C
                                                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00C77416
                                                                                  • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00C774F5
                                                                                  • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 00C7773A
                                                                                  • DeleteFileA.KERNEL32(?), ref: 00C778CC
                                                                                    • Part of subcall function 00C77A8C: __EH_prolog.LIBCMT ref: 00C77A91
                                                                                    • Part of subcall function 00C77A8C: FindFirstFileW.KERNEL32(00000000,?,00CD5AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00C77B4A
                                                                                    • Part of subcall function 00C77A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00C77B6E
                                                                                  • Sleep.KERNEL32(000007D0), ref: 00C77976
                                                                                  • StrToIntA.SHLWAPI(00000000,00000000), ref: 00C779BA
                                                                                    • Part of subcall function 00C8BB77: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 00C8BC6C
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
                                                                                  • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$open
                                                                                  • API String ID: 2918587301-1507758755
                                                                                  • Opcode ID: e94ae932d5f9c019f84991aa2deb4cb68ba06a3f691a18622de4c57e0e9f10ed
                                                                                  • Instruction ID: e657ab2c61e1395f27579a86bf36ab45f7983d51b841c7968a0bb8397dc01f80
                                                                                  • Opcode Fuzzy Hash: e94ae932d5f9c019f84991aa2deb4cb68ba06a3f691a18622de4c57e0e9f10ed
                                                                                  • Instruction Fuzzy Hash: ED42B6726083405BD618F778C86BAAE77A99F90710F448A1DFD4E571D2EF209B08E793
                                                                                  APIs
                                                                                  • __Init_thread_footer.LIBCMT ref: 00C7508E
                                                                                    • Part of subcall function 00CA34CF: EnterCriticalSection.KERNEL32(00CE0D18,00CE5D2C,?,00C7AEAC,00CE5D2C,00CC6D97,?,00000000,00000000), ref: 00CA34D9
                                                                                    • Part of subcall function 00CA34CF: LeaveCriticalSection.KERNEL32(00CE0D18,?,00C7AEAC,00CE5D2C,00CC6D97,?,00000000,00000000), ref: 00CA350C
                                                                                    • Part of subcall function 00C74468: send.WS2_32(?,00000000,00000000,00000000), ref: 00C744FD
                                                                                  • __Init_thread_footer.LIBCMT ref: 00C750CB
                                                                                  • CreatePipe.KERNEL32(00CE5CEC,00CE5CD4,00CE5BF8,00000000,00CD556C,00000000), ref: 00C7515E
                                                                                  • CreatePipe.KERNEL32(00CE5CD8,00CE5CF4,00CE5BF8,00000000), ref: 00C75174
                                                                                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00CE5C08,00CE5CDC), ref: 00C751E7
                                                                                    • Part of subcall function 00CA3519: EnterCriticalSection.KERNEL32(00CE0D18,?,00CE5D2C,?,00C7AE8B,00CE5D2C,?,00000000,00000000), ref: 00CA3524
                                                                                    • Part of subcall function 00CA3519: LeaveCriticalSection.KERNEL32(00CE0D18,?,00C7AE8B,00CE5D2C,?,00000000,00000000), ref: 00CA3561
                                                                                  • Sleep.KERNEL32(0000012C,00000093,?), ref: 00C7523F
                                                                                  • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00C75264
                                                                                  • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00C75291
                                                                                    • Part of subcall function 00CA38A5: __onexit.LIBCMT ref: 00CA38AB
                                                                                  • WriteFile.KERNEL32(00000000,00000000,?,00000000,00CE3F98,00CD5570,00000062,00CD5554), ref: 00C7538E
                                                                                  • Sleep.KERNEL32(00000064,00000062,00CD5554), ref: 00C753A8
                                                                                  • TerminateProcess.KERNEL32(00000000), ref: 00C753C1
                                                                                  • CloseHandle.KERNEL32 ref: 00C753CD
                                                                                  • CloseHandle.KERNEL32 ref: 00C753D5
                                                                                  • CloseHandle.KERNEL32 ref: 00C753E7
                                                                                  • CloseHandle.KERNEL32 ref: 00C753EF
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                                                  • String ID: SystemDrive$cmd.exe
                                                                                  • API String ID: 3815868655-3633465311
                                                                                  • Opcode ID: 67649a23e5180382a0630e7b23715b39d6daaf2ff2daed13ff8f407cc7a2e78c
                                                                                  • Instruction ID: d735c3d08e854cdddb5b890ad4fbf8f8f9df2ed8798205f446085e49fba8e15a
                                                                                  • Opcode Fuzzy Hash: 67649a23e5180382a0630e7b23715b39d6daaf2ff2daed13ff8f407cc7a2e78c
                                                                                  • Instruction Fuzzy Hash: 11914BB0600785AFC704BF75ECA6F2E3BA9EB84348F50402DF9199B1A2DF719D049B61
                                                                                  APIs
                                                                                  • GetCurrentProcessId.KERNEL32 ref: 00C80F45
                                                                                    • Part of subcall function 00C827D5: RegCreateKeyA.ADVAPI32(80000001,00000000,00CD5554), ref: 00C827E3
                                                                                    • Part of subcall function 00C827D5: RegSetValueExA.KERNELBASE(00CD5554,000000AF,00000000,00000004,00000001,00000004,?,?,?,00C7B94C,00CD60E0,00000001,000000AF,00CD5554), ref: 00C827FE
                                                                                    • Part of subcall function 00C827D5: RegCloseKey.ADVAPI32(00CD5554,?,?,?,00C7B94C,00CD60E0,00000001,000000AF,00CD5554), ref: 00C82809
                                                                                  • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00C80F81
                                                                                  • CreateThread.KERNEL32(00000000,00000000,00C81637,00000000,00000000,00000000), ref: 00C80FE6
                                                                                    • Part of subcall function 00C824B7: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 00C824D7
                                                                                    • Part of subcall function 00C824B7: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,00CE42F8), ref: 00C824F5
                                                                                    • Part of subcall function 00C824B7: RegCloseKey.KERNELBASE(?), ref: 00C82500
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00C80F90
                                                                                    • Part of subcall function 00C8A686: GetLocalTime.KERNEL32(00000000), ref: 00C8A6A0
                                                                                  • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00C8125A
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
                                                                                  • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                                                                  • API String ID: 65172268-13974260
                                                                                  • Opcode ID: 5391162e8bab8372437ab25f1d3506cf481985f23c66fb899c28007468f340ef
                                                                                  • Instruction ID: 839dcbed3f0b00a26262535ff36684a842ed44898e9f8ed0e9b2f6eaaa3c5948
                                                                                  • Opcode Fuzzy Hash: 5391162e8bab8372437ab25f1d3506cf481985f23c66fb899c28007468f340ef
                                                                                  • Instruction Fuzzy Hash: 5A71E53160424097C618FB75CC5BDAF73E8AF91724F44452DFC5A521D2EF209A09E7A7
                                                                                  APIs
                                                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 00C7B3B4
                                                                                  • FindClose.KERNEL32(00000000), ref: 00C7B3CE
                                                                                  • FindNextFileA.KERNEL32(00000000,?), ref: 00C7B4F1
                                                                                  • FindClose.KERNEL32(00000000), ref: 00C7B517
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Find$CloseFile$FirstNext
                                                                                  • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                                                  • API String ID: 1164774033-3681987949
                                                                                  • Opcode ID: 0daf829e07310595bb58092054a465a6f63689a46fc6e842f0241f49876e7b63
                                                                                  • Instruction ID: 26011230e2c17d38f188083a7e6ac85da3bb68b13ef23fa2a02a419a2ba7ae91
                                                                                  • Opcode Fuzzy Hash: 0daf829e07310595bb58092054a465a6f63689a46fc6e842f0241f49876e7b63
                                                                                  • Instruction Fuzzy Hash: 6F5170319041099BDB14FBF8DC5AEED7738AF20710F44816AFD0A661D2EF306A49DA90
                                                                                  APIs
                                                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 00C7B5B2
                                                                                  • FindClose.KERNEL32(00000000), ref: 00C7B5CC
                                                                                  • FindNextFileA.KERNEL32(00000000,?), ref: 00C7B68C
                                                                                  • FindClose.KERNEL32(00000000), ref: 00C7B6B2
                                                                                  • FindClose.KERNEL32(00000000), ref: 00C7B6D1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Find$Close$File$FirstNext
                                                                                  • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                                  • API String ID: 3527384056-432212279
                                                                                  • Opcode ID: 30e59e0464c1f03abbc36d4e5a277ec96160e1735177010ac5f0cef922de4a9a
                                                                                  • Instruction ID: 3dcf81c49848a46f816f8c093435b10ddb7fcebafa06ee4108540867973e8ce3
                                                                                  • Opcode Fuzzy Hash: 30e59e0464c1f03abbc36d4e5a277ec96160e1735177010ac5f0cef922de4a9a
                                                                                  • Instruction Fuzzy Hash: DA41AF319042099BDB14F7B8DC5BEEE7778AF21710F44812AF90AA71D2EF305E49DA90
                                                                                  APIs
                                                                                  • OpenClipboard.USER32 ref: 00C859C7
                                                                                  • EmptyClipboard.USER32 ref: 00C859D5
                                                                                  • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 00C859F5
                                                                                  • GlobalLock.KERNEL32(00000000), ref: 00C859FE
                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 00C85A34
                                                                                  • SetClipboardData.USER32(0000000D,00000000), ref: 00C85A3D
                                                                                  • CloseClipboard.USER32 ref: 00C85A5A
                                                                                  • OpenClipboard.USER32 ref: 00C85A61
                                                                                  • GetClipboardData.USER32(0000000D), ref: 00C85A71
                                                                                  • GlobalLock.KERNEL32(00000000), ref: 00C85A7A
                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 00C85A83
                                                                                  • CloseClipboard.USER32 ref: 00C85A89
                                                                                    • Part of subcall function 00C74468: send.WS2_32(?,00000000,00000000,00000000), ref: 00C744FD
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                                                  • String ID:
                                                                                  • API String ID: 3520204547-0
                                                                                  • Opcode ID: a5ec2ec0da636360bb97b8a4b24b60a84ea618c665f01f55b21c5352f9918ce3
                                                                                  • Instruction ID: 922f9676845aa17dba755a0750f0d4b6f26cde5a58480bc50d37ee47a537f76a
                                                                                  • Opcode Fuzzy Hash: a5ec2ec0da636360bb97b8a4b24b60a84ea618c665f01f55b21c5352f9918ce3
                                                                                  • Instruction Fuzzy Hash: 7E2177722042409FD714BBB5DC5EFBE7769EF90711F08461DFC0A86162EF308945AB62
                                                                                  APIs
                                                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,00CE4358), ref: 00C7E233
                                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00CE4358), ref: 00C7E25E
                                                                                  • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00C7E27A
                                                                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 00C7E2FD
                                                                                  • CloseHandle.KERNEL32(00000000,?,?,00CE4358), ref: 00C7E30C
                                                                                    • Part of subcall function 00C827D5: RegCreateKeyA.ADVAPI32(80000001,00000000,00CD5554), ref: 00C827E3
                                                                                    • Part of subcall function 00C827D5: RegSetValueExA.KERNELBASE(00CD5554,000000AF,00000000,00000004,00000001,00000004,?,?,?,00C7B94C,00CD60E0,00000001,000000AF,00CD5554), ref: 00C827FE
                                                                                    • Part of subcall function 00C827D5: RegCloseKey.ADVAPI32(00CD5554,?,?,?,00C7B94C,00CD60E0,00000001,000000AF,00CD5554), ref: 00C82809
                                                                                  • CloseHandle.KERNEL32(00000000,?,?,00CE4358), ref: 00C7E371
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
                                                                                  • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                                                                                  • API String ID: 726551946-1743721670
                                                                                  • Opcode ID: 648a5688a2744c699c4ff6a816fb350bd8e44818babbd7bde4c8ac6969e3c5a5
                                                                                  • Instruction ID: d40b91339808c099e5318c430a148a072464eba29b5101002c92f0667999a75e
                                                                                  • Opcode Fuzzy Hash: 648a5688a2744c699c4ff6a816fb350bd8e44818babbd7bde4c8ac6969e3c5a5
                                                                                  • Instruction Fuzzy Hash: A27193311083418BC724FB64D895EEE73A5BF95354F44892DFD9A431A2EF309A0DEB52
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 0$1$2$3$4$5$6$7
                                                                                  • API String ID: 0-3177665633
                                                                                  • Opcode ID: 4c7e308fc0597525c00a84433b2d15d991e3061214a40813edefd1599937d2e8
                                                                                  • Instruction ID: b27993fad5dec0e55d022f8ca69d1a2257486ff18e6bb11aa3515e5f0a69d90b
                                                                                  • Opcode Fuzzy Hash: 4c7e308fc0597525c00a84433b2d15d991e3061214a40813edefd1599937d2e8
                                                                                  • Instruction Fuzzy Hash: BB618D30508341AFDB08EF20D892FAA77E5AF95750F848889F995576E2DF309E08E753
                                                                                  APIs
                                                                                  • _wcslen.LIBCMT ref: 00C76788
                                                                                  • CoGetObject.OLE32(?,00000024,00CD59B0,00000000), ref: 00C767E9
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Object_wcslen
                                                                                  • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                                                  • API String ID: 240030777-3166923314
                                                                                  • Opcode ID: a21ce0bade6045c6abac3587e18ab34f992fa13d2bdc9d066dc9d07781b266cb
                                                                                  • Instruction ID: f35eee87163fc5967f588eedfb5ae5fd1c02eb9f5e702cc646a1fbee63918145
                                                                                  • Opcode Fuzzy Hash: a21ce0bade6045c6abac3587e18ab34f992fa13d2bdc9d066dc9d07781b266cb
                                                                                  • Instruction Fuzzy Hash: FB11A1B2910518AEDB10EBA4CC86AEEB7BCDB44711F54407AFA08E3280D7749A04DAB4
                                                                                  APIs
                                                                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,00CE48F8), ref: 00C898D8
                                                                                  • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00C89927
                                                                                  • GetLastError.KERNEL32 ref: 00C89935
                                                                                  • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 00C8996D
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                                                  • String ID:
                                                                                  • API String ID: 3587775597-0
                                                                                  • Opcode ID: 767998c612b5b7b31f8fc345d76aed01e09d9cb52051db2792da06362698f7ce
                                                                                  • Instruction ID: 0a75a9ec6ccb4eaccac945fb080d2ddd52b46dc21ec1beb0d186605b3d012a1f
                                                                                  • Opcode Fuzzy Hash: 767998c612b5b7b31f8fc345d76aed01e09d9cb52051db2792da06362698f7ce
                                                                                  • Instruction Fuzzy Hash: E5814E71108304AFC314FB20DC95EAFB7A8FF94754F50892EF99652191EF70AA05DB92
                                                                                  APIs
                                                                                  • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00CE42E0,00CE42F8), ref: 00C8B489
                                                                                  • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,00CE42E0,00CE42F8), ref: 00C8B4BB
                                                                                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,00CE42E0,00CE42F8), ref: 00C8B529
                                                                                  • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00CE42E0,00CE42F8), ref: 00C8B536
                                                                                    • Part of subcall function 00C8B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,00CE42E0,00CE42F8), ref: 00C8B50C
                                                                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,?,00CE42E0,00CE42F8), ref: 00C8B561
                                                                                  • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,00CE42E0,00CE42F8), ref: 00C8B568
                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,00CE42E0,00CE42F8), ref: 00C8B570
                                                                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,?,00CE42E0,00CE42F8), ref: 00C8B583
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                                                  • String ID:
                                                                                  • API String ID: 2341273852-0
                                                                                  • Opcode ID: 95b262621a840d5641ae79766a2fc1d7766394f3fd7c58aaedd5200bf5e0647d
                                                                                  • Instruction ID: 247249ded4015701c13492f2021915160f152ffebc398c85f1c3426257737007
                                                                                  • Opcode Fuzzy Hash: 95b262621a840d5641ae79766a2fc1d7766394f3fd7c58aaedd5200bf5e0647d
                                                                                  • Instruction Fuzzy Hash: 3A315B7280912DAACB20EBB0DC49FEE77BCAF45309F440596F615D2051EB719B889F64
                                                                                  APIs
                                                                                  • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00C8301A
                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00C83026
                                                                                    • Part of subcall function 00C74468: send.WS2_32(?,00000000,00000000,00000000), ref: 00C744FD
                                                                                  • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 00C831ED
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00C831F4
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AddressCloseCreateLibraryLoadProcsend
                                                                                  • String ID: SHDeleteKeyW$Shlwapi.dll
                                                                                  • API String ID: 2127411465-314212984
                                                                                  • Opcode ID: 63abc6d0cbf263269859401f023452fe4ea221ea08ee591ff87a24aa25269cf1
                                                                                  • Instruction ID: 8520f68bd416e4e24017639f1163ed244e0b26bf62664faa52963f00ba9b410b
                                                                                  • Opcode Fuzzy Hash: 63abc6d0cbf263269859401f023452fe4ea221ea08ee591ff87a24aa25269cf1
                                                                                  • Instruction Fuzzy Hash: 5CB1E872A043406BCA28F778CC5B9BE76599F90758F44861DFD4A931D2EF209F04A793
                                                                                  APIs
                                                                                  • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 00C7B257
                                                                                  • GetLastError.KERNEL32 ref: 00C7B261
                                                                                  Strings
                                                                                  • [Chrome StoredLogins not found], xrefs: 00C7B27B
                                                                                  • [Chrome StoredLogins found, cleared!], xrefs: 00C7B287
                                                                                  • UserProfile, xrefs: 00C7B227
                                                                                  • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 00C7B222
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: DeleteErrorFileLast
                                                                                  • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                                                  • API String ID: 2018770650-1062637481
                                                                                  • Opcode ID: 6fc6868ef83a85a3d9955b383b7a945be2a01ab4997ea4951b91ab7d4e462ed7
                                                                                  • Instruction ID: 40dc7c814297bdca44776dba8c77cc6b12c28127d23fa8b4320024c6754f476f
                                                                                  • Opcode Fuzzy Hash: 6fc6868ef83a85a3d9955b383b7a945be2a01ab4997ea4951b91ab7d4e462ed7
                                                                                  • Instruction Fuzzy Hash: B2012832A44105A78B05BBB9DD2FEBE3738AD21710B44811AF90E536D7FF519F08E681
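The entry above is the "clear Chrome stored logins" handler: the sample reads the UserProfile environment variable, appends the fixed suffix \AppData\Local\Google\Chrome\User Data\Default\Login Data, calls DeleteFileA on the result and reports "[Chrome StoredLogins found, cleared!]" or "[Chrome StoredLogins not found]" back to the operator. Note what that implies for a responder: it is a destructive wipe of the Default profile's password database (the SQLite file Chrome rebuilds empty), not an exfiltration path, and a non-browser process deleting that file is a strong host signal. The Python below is an added example, not part of the Joe Sandbox report, that runs that check over Sysmon FileDelete events (IDs 23 and 26). The events are constructed for the example; the rule deliberately generalises beyond the one path the sample builds to every Chrome profile directory and to the cookie stores the report's signatures also flag.

```python
import re
from typing import Dict, Iterable, List, Optional

# Sysmon FileDelete events (ID 23 = FileDelete, 26 = FileDeleteDetected), constructed
# for this example to mirror the DeleteFileA call in the entry above. Not from the report.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 23, "Image": r"C:\Users\user\Desktop\SHROsQyiAd.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"EventID": 23, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal"},
    {"EventID": 23, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\user\Desktop\notes.txt"},
    {"EventID": 26, "Image": r"C:\Users\user\AppData\Roaming\updater\svc.exe",   # hypothetical path
     "TargetFilename": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 2\Login Data"},
]

# The sample only builds "...\User Data\Default\Login Data"; the rule covers every
# profile directory and the cookie stores as well.
CHROME_STORE_RE = re.compile(
    r"\\Google\\Chrome\\User Data\\(?P<profile>Default|Profile \d+)\\"
    r"(?P<store>Login Data|Login Data For Account|Cookies|Network\\Cookies)$",
    re.IGNORECASE,
)
FILE_DELETE_EVENT_IDS = {23, 26}
BROWSER_IMAGES = {"chrome.exe"}   # the only process expected to delete its own stores


def classify(event: Dict[str, object]) -> Optional[Dict[str, str]]:
    """Return a hit when a non-Chrome process deletes a Chrome credential/cookie store."""
    if event.get("EventID") not in FILE_DELETE_EVENT_IDS:
        return None
    target = str(event.get("TargetFilename", ""))
    m = CHROME_STORE_RE.search(target)
    if m is None:
        return None
    image = str(event.get("Image", ""))
    if image.rsplit("\\", 1)[-1].lower() in BROWSER_IMAGES:
        return None
    return {"image": image, "profile": m.group("profile"), "store": m.group("store")}


def detect(events: Iterable[Dict[str, object]]) -> List[Dict[str, str]]:
    """Run classify() over a stream of events and keep the hits."""
    return [hit for hit in (classify(e) for e in events) if hit is not None]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("chrome store wiped by non-browser process:", hit)
```

Exempting chrome.exe by image name is a pragmatic filter, not a guarantee: a RAT that injects into the browser (this sample injects PE files into foreign processes) would pass it, so pair the rule with the process-injection and keyboard-hook signatures listed at the top of the report rather than relying on it alone.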
                                                                                  APIs
                                                                                  • GetCurrentProcess.KERNEL32(00000028,?), ref: 00C86AC4
                                                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 00C86ACB
                                                                                  • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00C86ADD
                                                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00C86AFC
                                                                                  • GetLastError.KERNEL32 ref: 00C86B02
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                                                  • String ID: SeShutdownPrivilege
                                                                                  • API String ID: 3534403312-3733053543
                                                                                  • Opcode ID: bac5cd00893e0fa2852ecb5790d8cd75df992e5d5f70259362fba12b90446d60
                                                                                  • Instruction ID: 7a6d38a14970f01403d0fab662d4746abd0eb1069475ff826590d9029130d42d
                                                                                  • Opcode Fuzzy Hash: bac5cd00893e0fa2852ecb5790d8cd75df992e5d5f70259362fba12b90446d60
                                                                                  • Instruction Fuzzy Hash: 77F0D4B5805129BBDB10ABA1DC0DFEFBEBCEF05655F010151F906A6151D6748A049BB1
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: __floor_pentium4
                                                                                  • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                  • API String ID: 4168288129-2761157908
                                                                                  • Opcode ID: f2be0555ed8e29155e779d2b802cd85edc8d5466f7f000084577109dfa88acad
                                                                                  • Instruction ID: 8335d9b9c2325e340143a3a754bcaf270f9db7759984b4b3303c8ec9299e9f1b
                                                                                  • Opcode Fuzzy Hash: f2be0555ed8e29155e779d2b802cd85edc8d5466f7f000084577109dfa88acad
                                                                                  • Instruction Fuzzy Hash: D9C22872E086688BDB25CE68ED40BE9B7B5EB44305F1481EED85DE7240E774AF818F40
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 00C789AE
                                                                                    • Part of subcall function 00C741F1: socket.WS2_32(?,00000001,00000006), ref: 00C74212
                                                                                    • Part of subcall function 00C7428C: connect.WS2_32(?,?,?), ref: 00C742A5
                                                                                  • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00C78A8D
                                                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00C78AE0
                                                                                  • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00C78AF7
                                                                                    • Part of subcall function 00C74468: WaitForSingleObject.KERNEL32(?,00000000,00C84CE9,?,?,00000004,?,?,00000004,00CE3EE8,00CE45A8,00000000), ref: 00C7450E
                                                                                    • Part of subcall function 00C74468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00CE3EE8,00CE45A8,00000000,?,?,?,?,?,00C84CE9), ref: 00C7453C
                                                                                    • Part of subcall function 00C747EB: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00C74B8E,?,?,?,00C74B26), ref: 00C747FD
                                                                                    • Part of subcall function 00C747EB: SetEvent.KERNEL32(?,?,?,?,00000000,?,00C74B8E,?,?,?,00C74B26), ref: 00C74808
                                                                                    • Part of subcall function 00C747EB: CloseHandle.KERNEL32(?,?,?,?,00000000,?,00C74B8E,?,?,?,00C74B26), ref: 00C74811
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00C78DA1
                                                                                    • Part of subcall function 00C74468: send.WS2_32(?,00000000,00000000,00000000), ref: 00C744FD
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
                                                                                  • String ID:
                                                                                  • API String ID: 4043647387-0
                                                                                  • Opcode ID: b26e9a842ae472501d0e367f9e879fe231df2f5f75396a23821895c07f6da002
                                                                                  • Instruction ID: aa5b2dcce1730b2d2cdc7cace0d39bdadeaad2df82c7103e64669baf9d52e857
                                                                                  • Opcode Fuzzy Hash: b26e9a842ae472501d0e367f9e879fe231df2f5f75396a23821895c07f6da002
                                                                                  • Instruction Fuzzy Hash: FAA1A2329001099BCB18FBA4DC96EED7779AF50710F50826AF91AA71D2EF345F48DB90
                                                                                  APIs
                                                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,00C8981A,00000000,00000000), ref: 00C89BCD
                                                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,00C8981A,00000000,00000000), ref: 00C89BE2
                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,00C8981A,00000000,00000000), ref: 00C89BEF
                                                                                  • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,00C8981A,00000000,00000000), ref: 00C89BFA
                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,00C8981A,00000000,00000000), ref: 00C89C0C
                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,00C8981A,00000000,00000000), ref: 00C89C0F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Service$CloseHandle$Open$ManagerStart
                                                                                  • String ID:
                                                                                  • API String ID: 276877138-0
                                                                                  • Opcode ID: fc5b7724d2949f6fc8d176b891760d7cf1f13bceac547401fefb99c04f3b7a30
                                                                                  • Instruction ID: 6dfced92060c333edc2b29fd904c3ba35eaec90a16aed399ac90460d5c5bafdd
                                                                                  • Opcode Fuzzy Hash: fc5b7724d2949f6fc8d176b891760d7cf1f13bceac547401fefb99c04f3b7a30
                                                                                  • Instruction Fuzzy Hash: DCF0EC72504228AFE210AB35ECC8FBF2AACEF853A0B040419F842D3140CF64CD06ABB1
                                                                                  APIs
                                                                                    • Part of subcall function 00C86AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00C86AC4
                                                                                    • Part of subcall function 00C86AB7: OpenProcessToken.ADVAPI32(00000000), ref: 00C86ACB
                                                                                    • Part of subcall function 00C86AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00C86ADD
                                                                                    • Part of subcall function 00C86AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00C86AFC
                                                                                    • Part of subcall function 00C86AB7: GetLastError.KERNEL32 ref: 00C86B02
                                                                                  • ExitWindowsEx.USER32(00000000,00000001), ref: 00C8595B
                                                                                  • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00C85970
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00C85977
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                                                  • String ID: PowrProf.dll$SetSuspendState
                                                                                  • API String ID: 1589313981-1420736420
                                                                                  • Opcode ID: 1da1d40d245038721aee1c3ce8134317c8a8fcba26e435ae613589ae64ba20d6
                                                                                  • Instruction ID: 7060b479d2ea9ee00b39b9daf8e9832b554f81dc10da7269505215198f4f5c5b
                                                                                  • Opcode Fuzzy Hash: 1da1d40d245038721aee1c3ce8134317c8a8fcba26e435ae613589ae64ba20d6
                                                                                  • Instruction Fuzzy Hash: D921D670608741D7CF24F7F4D85AABE326A9FA0744F48C82AB90A57282EFA5CD05E715
                                                                                  APIs
                                                                                  • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00CC1502,?,00000000), ref: 00CC127C
                                                                                  • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00CC1502,?,00000000), ref: 00CC12A5
                                                                                  • GetACP.KERNEL32(?,?,00CC1502,?,00000000), ref: 00CC12BA
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: InfoLocale
                                                                                  • String ID: ACP$OCP
                                                                                  • API String ID: 2299586839-711371036
                                                                                  • Opcode ID: 71a7e96915b8236a0538f3c93fd6ff25bbc6d5bb3527535e8760a900b15bd7b5
                                                                                  • Instruction ID: 38d669b3c292fb887ad63eba2ca9e7d8fb0889c1b8c9ab15499dcd50bd389f24
                                                                                  • Opcode Fuzzy Hash: 71a7e96915b8236a0538f3c93fd6ff25bbc6d5bb3527535e8760a900b15bd7b5
                                                                                  • Instruction Fuzzy Hash: 2321A73AA04101A6EB348F57D900FAB73A6EB56B60B5E456CED19D7112F732DF40C790
                                                                                  APIs
                                                                                  • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 00C8A650
                                                                                  • LoadResource.KERNEL32(00000000,?,?,00C7E183,00000000), ref: 00C8A664
                                                                                  • LockResource.KERNEL32(00000000,?,?,00C7E183,00000000), ref: 00C8A66B
                                                                                  • SizeofResource.KERNEL32(00000000,?,?,00C7E183,00000000), ref: 00C8A67A
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Resource$FindLoadLockSizeof
                                                                                  • String ID: SETTINGS
                                                                                  • API String ID: 3473537107-594951305
                                                                                  • Opcode ID: f9924e92ace794dc0d092d083afa6b2a16dc3caff776ae9d19195157fb43c595
                                                                                  • Instruction ID: 7ed3f8b1034e1d7761d7c306e9413fe9f7c3be08c11774615e3c858bd9239aa0
                                                                                  • Opcode Fuzzy Hash: f9924e92ace794dc0d092d083afa6b2a16dc3caff776ae9d19195157fb43c595
                                                                                  • Instruction Fuzzy Hash: 7CE09A7A604351ABCB221BA5EC8CF4F7E39E7CAB627594126FA0596230DA358920DB50
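The entry above shows the sample locating an RT_RCDATA resource (type 0x0A) named SETTINGS with FindResourceA, then LoadResource, LockResource and SizeofResource. That resource is where Remcos stores its configuration, and it is the blob behind the report's "Found malware configuration" and "C2 URLs / IPs found in malware configuration" signatures. The Python below is an added example, not part of the Joe Sandbox report or of Remcos, that pulls the resource out of a PE with pefile and decodes it. The blob layout it assumes (a one-byte key length, the RC4 key, the RC4 ciphertext, fields separated by `|\x1e\x1e\x1f|`, first field a `;`-separated list of host:port:password entries) comes from public Remcos analyses and is not stated on this page; the blob the test decodes is constructed with a throwaway key and documentation IPs, not this sample's configuration.

```python
import sys
from typing import List, Optional

RT_RCDATA = 10                  # the 0x0A type the sample passes to FindResourceA
RESOURCE_NAME = "SETTINGS"
FIELD_SEP = b"|\x1e\x1e\x1f|"   # field separator in Remcos 3.x/4.x configs (public write-ups; assumed)


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); Remcos protects the SETTINGS blob with it."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decode_settings(blob: bytes) -> List[bytes]:
    """Split a raw SETTINGS resource into config fields.

    Layout (assumed from public Remcos analyses, not stated in the report):
      [key_len: 1 byte][key: key_len bytes][RC4(key, fields joined by FIELD_SEP)]
    """
    if len(blob) < 2:
        raise ValueError("SETTINGS blob too short")
    key_len = blob[0]
    if key_len == 0 or len(blob) < 1 + key_len + 1:
        raise ValueError("implausible key length %d" % key_len)
    key = blob[1:1 + key_len]
    plain = rc4(key, blob[1 + key_len:])
    return plain.split(FIELD_SEP)


def c2_endpoints(fields: List[bytes]) -> List[str]:
    """First field holds 'host:port:password' entries separated by ';' (assumed layout)."""
    return [entry.decode("latin-1").rsplit(":", 1)[0]
            for entry in fields[0].split(b";") if entry]


def encode_settings(key: bytes, fields: List[bytes]) -> bytes:
    """Inverse of decode_settings; used only to build the constructed blob below."""
    return bytes([len(key)]) + key + rc4(key, FIELD_SEP.join(fields))


def load_settings_resource(pe_path: str) -> Optional[bytes]:
    """Walk the PE resource tree with pefile and return the RT_RCDATA entry named SETTINGS."""
    import pefile   # local import: the decoding above runs without pefile installed
    pe = pefile.PE(pe_path)
    root = getattr(pe, "DIRECTORY_ENTRY_RESOURCE", None)
    if root is None:
        return None
    for type_entry in root.entries:
        if type_entry.id != RT_RCDATA:
            continue
        for name_entry in type_entry.directory.entries:
            if name_entry.name is None or str(name_entry.name) != RESOURCE_NAME:
                continue
            lang_entry = name_entry.directory.entries[0]
            rva, size = lang_entry.data.struct.OffsetToData, lang_entry.data.struct.Size
            return pe.get_data(rva, size)
    return None


# Constructed blob (not the real sample's config): documentation IPs, throwaway key.
CONSTRUCTED_KEY = b"\x41\x9f\x22\x7c\x03"
CONSTRUCTED_FIELDS = [b"198.51.100.10:2404:1;203.0.113.7:443:1", b"RemoteHost", b"1", b"0"]
CONSTRUCTED_BLOB = encode_settings(CONSTRUCTED_KEY, CONSTRUCTED_FIELDS)

if __name__ == "__main__":
    blob = load_settings_resource(sys.argv[1]) if len(sys.argv) > 1 else CONSTRUCTED_BLOB
    if blob is None:
        sys.exit("no SETTINGS RCDATA resource found")
    fields = decode_settings(blob)
    print("C2:", c2_endpoints(fields))
    for idx, field in enumerate(fields):
        print(idx, field)
```

Run it as `python decode_settings.py unpacked.exe` against the unpacked payload (here the injected image dumped at 0x00C70000, not the packed SHROsQyiAd.exe, which carries the payload inside a foreign process). If the first field does not split cleanly on the separator or the key length byte is 0 or larger than the blob, the build uses a different layout and the assumptions in the lead-in do not hold for it.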
                                                                                  APIs
                                                                                    • Part of subcall function 00CB6EBF: GetLastError.KERNEL32(?,00000000,00CB0A45,?,00C8AB73,-00CE5D4C,?,?,?,?,00CD5900,00C7C07B,.vbs), ref: 00CB6EC3
                                                                                    • Part of subcall function 00CB6EBF: _free.LIBCMT ref: 00CB6EF6
                                                                                    • Part of subcall function 00CB6EBF: SetLastError.KERNEL32(00000000,?,00C8AB73,-00CE5D4C,?,?,?,?,00CD5900,00C7C07B,.vbs), ref: 00CB6F37
                                                                                    • Part of subcall function 00CB6EBF: _abort.LIBCMT ref: 00CB6F3D
                                                                                    • Part of subcall function 00CB6EBF: _free.LIBCMT ref: 00CB6F1E
                                                                                    • Part of subcall function 00CB6EBF: SetLastError.KERNEL32(00000000,?,00C8AB73,-00CE5D4C,?,?,?,?,00CD5900,00C7C07B,.vbs), ref: 00CB6F2B
                                                                                  • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 00CC14C3
                                                                                  • IsValidCodePage.KERNEL32(00000000), ref: 00CC151E
                                                                                  • IsValidLocale.KERNEL32(?,00000001), ref: 00CC152D
                                                                                  • GetLocaleInfoW.KERNEL32(?,00001001,00CB3CEC,00000040,?,00CB3E0C,00000055,00000000,?,?,00000055,00000000), ref: 00CC1575
                                                                                  • GetLocaleInfoW.KERNEL32(?,00001002,00CB3D6C,00000040), ref: 00CC1594
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                                                  • String ID:
                                                                                  • API String ID: 745075371-0
                                                                                  • Opcode ID: 2fe338716b496efd3330513f492cececaa7ec4dfc1ed8eeece259f5f7fc4ccd9
                                                                                  • Instruction ID: f6d4fd34d5d61ac87cdee64c20dc7461298904917af8410d9ae43886ce41706e
                                                                                  • Opcode Fuzzy Hash: 2fe338716b496efd3330513f492cececaa7ec4dfc1ed8eeece259f5f7fc4ccd9
                                                                                  • Instruction Fuzzy Hash: 33517F71A002099BDF24EFA6CC45FBE73B8EF06700F18456DED25EB192E7709A409B61
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 00C77A91
                                                                                  • FindFirstFileW.KERNEL32(00000000,?,00CD5AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00C77B4A
                                                                                  • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00C77B6E
                                                                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00C77C76
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Find$File$CloseFirstH_prologNext
                                                                                  • String ID:
                                                                                  • API String ID: 1157919129-0
                                                                                  • Opcode ID: 57ed8e2f4c174f313fcfae1ac98edb3dc040559e3bc38d17056cf44ced20c280
                                                                                  • Instruction ID: 6fa274756613101af09ca323989f91d4c04b7186128146e58eceb87db5769009
                                                                                  • Opcode Fuzzy Hash: 57ed8e2f4c174f313fcfae1ac98edb3dc040559e3bc38d17056cf44ced20c280
                                                                                  • Instruction Fuzzy Hash: 6B5193329001099BCB14FBA4DD9A9ED7B78AF14360F548259FD0E93192EF349B49EB90
                                                                                  APIs
                                                                                  • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00CCD478), ref: 00CB8079
                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00CE179C,000000FF,00000000,0000003F,00000000,?,?), ref: 00CB80F1
                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00CE17F0,000000FF,?,0000003F,00000000,?), ref: 00CB811E
                                                                                  • _free.LIBCMT ref: 00CB8067
                                                                                    • Part of subcall function 00CB6AC5: HeapFree.KERNEL32(00000000,00000000,?,00CBFA50,00000000,00000000,00000000,00000000,?,00CBFCF4,00000000,00000007,00000000,?,00CC0205,00000000), ref: 00CB6ADB
                                                                                    • Part of subcall function 00CB6AC5: GetLastError.KERNEL32(00000000,?,00CBFA50,00000000,00000000,00000000,00000000,?,00CBFCF4,00000000,00000007,00000000,?,00CC0205,00000000,00000000), ref: 00CB6AED
                                                                                  • _free.LIBCMT ref: 00CB8233
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                                                  • String ID:
                                                                                  • API String ID: 1286116820-0
                                                                                  • Opcode ID: f0a0c38dfe6b7572759cb6f7cfbc0c186a3f5426c2b699b52ee216dc7482c4dd
                                                                                  • Instruction ID: 95c71be9b790452273e65cf0ae86212b0bdbd91dcaf850f4a8f7ed79f70d60a1
                                                                                  • Opcode Fuzzy Hash: f0a0c38dfe6b7572759cb6f7cfbc0c186a3f5426c2b699b52ee216dc7482c4dd
                                                                                  • Instruction Fuzzy Hash: 2C51EA71904259EBCB10EF69DC81EEEB7BCEF40750F15066AE82497291EB309F49EB50
                                                                                  APIs
                                                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00C76234
                                                                                  • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00C76318
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: DownloadExecuteFileShell
                                                                                  • String ID: C:\Users\user\Desktop\SHROsQyiAd.exe$open
                                                                                  • API String ID: 2825088817-2934567557
                                                                                  • Opcode ID: ba5053c48afdc75d6033156dd4ca4788a8163322fb7150a6ed10e8b198735e2b
                                                                                  • Instruction ID: 9f8f7403f22f8de0106914801144545a6f6ddffce5f990d2b9bdfa73a0fe3c05
                                                                                  • Opcode Fuzzy Hash: ba5053c48afdc75d6033156dd4ca4788a8163322fb7150a6ed10e8b198735e2b
                                                                                  • Instruction Fuzzy Hash: 6261E271A0430057CB25FB79C85A9BE77A69B91750F04C91EFC4A572D2EF24CA04EB92
                                                                                  APIs
                                                                                  • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 00C8BC6C
                                                                                    • Part of subcall function 00C826D2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 00C826E1
                                                                                    • Part of subcall function 00C826D2: RegSetValueExA.KERNELBASE(?,00CD6748,00000000,?,00000000,00000000,00CE42F8,?,?,00C7E5FB,00CD6748,5.3.0 Pro), ref: 00C82709
                                                                                    • Part of subcall function 00C826D2: RegCloseKey.KERNELBASE(?,?,?,00C7E5FB,00CD6748,5.3.0 Pro), ref: 00C82714
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CloseCreateInfoParametersSystemValue
                                                                                  • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                                                  • API String ID: 4127273184-3576401099
                                                                                  • Opcode ID: 7e6244e5865434c9d7ca7ec6c07addde78158661b44c990bb2b6f75e09eefcea
                                                                                  • Instruction ID: 4518f44abfaafda5e566cb8967ba914dce0c4bf5f93308899a818634de866584
                                                                                  • Opcode Fuzzy Hash: 7e6244e5865434c9d7ca7ec6c07addde78158661b44c990bb2b6f75e09eefcea
                                                                                  • Instruction Fuzzy Hash: 3311B132B8020073D91831394E2FF7E2D129396B65F95012FF7062B7D6EA868F5013CA
                                                                                  APIs
                                                                                    • Part of subcall function 00CB6EBF: GetLastError.KERNEL32(?,00000000,00CB0A45,?,00C8AB73,-00CE5D4C,?,?,?,?,00CD5900,00C7C07B,.vbs), ref: 00CB6EC3
                                                                                    • Part of subcall function 00CB6EBF: _free.LIBCMT ref: 00CB6EF6
                                                                                    • Part of subcall function 00CB6EBF: SetLastError.KERNEL32(00000000,?,00C8AB73,-00CE5D4C,?,?,?,?,00CD5900,00C7C07B,.vbs), ref: 00CB6F37
                                                                                    • Part of subcall function 00CB6EBF: _abort.LIBCMT ref: 00CB6F3D
                                                                                  • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00CB3CF3,?,?,?,?,00CB374A,?,00000004), ref: 00CC0B61
                                                                                  • _wcschr.LIBVCRUNTIME ref: 00CC0BF1
                                                                                  • _wcschr.LIBVCRUNTIME ref: 00CC0BFF
                                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00CB3CF3,00000000,00CB3E13), ref: 00CC0CA2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                                                  • String ID:
                                                                                  • API String ID: 4212172061-0
                                                                                  • Opcode ID: ba1a5134b8c88da4919ffede18197e15ec7cec1cbde46a3190ccf76db40c5df6
                                                                                  • Instruction ID: 9369f010fb21558b080750e75ba5a73b1cb687a77c5313ceb6f9ce09a8d16f39
                                                                                  • Opcode Fuzzy Hash: ba1a5134b8c88da4919ffede18197e15ec7cec1cbde46a3190ccf76db40c5df6
                                                                                  • Instruction Fuzzy Hash: 5061E471A00306EAD724AB75CC82FBA73A8EF45710F24052EF919DB182EB74EE45D761
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 00C78DAC
                                                                                  • FindFirstFileW.KERNEL32(00000000,?), ref: 00C78E24
                                                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00C78E4D
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: FileFind$FirstH_prologNext
                                                                                  • String ID:
                                                                                  • API String ID: 301083792-0
                                                                                  • Opcode ID: 8ac056b07a98974507b2e4084420589e4f1316e3d412d82d5b6081f23db5d0ac
                                                                                  • Instruction ID: 962bbc96f1354816522057350e54efa2dc53b8ab8dc1021b4b66fc9281f98da5
                                                                                  • Opcode Fuzzy Hash: 8ac056b07a98974507b2e4084420589e4f1316e3d412d82d5b6081f23db5d0ac
                                                                                  • Instruction Fuzzy Hash: 9E7133328001199BCB15FBA4DC96DEDB778EF14350F14826AF91AA7191EF306F49EB90
                                                                                  APIs
                                                                                    • Part of subcall function 00CB6EBF: GetLastError.KERNEL32(?,00000000,00CB0A45,?,00C8AB73,-00CE5D4C,?,?,?,?,00CD5900,00C7C07B,.vbs), ref: 00CB6EC3
                                                                                    • Part of subcall function 00CB6EBF: _free.LIBCMT ref: 00CB6EF6
                                                                                    • Part of subcall function 00CB6EBF: SetLastError.KERNEL32(00000000,?,00C8AB73,-00CE5D4C,?,?,?,?,00CD5900,00C7C07B,.vbs), ref: 00CB6F37
                                                                                    • Part of subcall function 00CB6EBF: _abort.LIBCMT ref: 00CB6F3D
                                                                                    • Part of subcall function 00CB6EBF: _free.LIBCMT ref: 00CB6F1E
                                                                                    • Part of subcall function 00CB6EBF: SetLastError.KERNEL32(00000000,?,00C8AB73,-00CE5D4C,?,?,?,?,00CD5900,00C7C07B,.vbs), ref: 00CB6F2B
                                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00CC0EBE
                                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00CC0F0F
                                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00CC0FCF
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorInfoLastLocale$_free$_abort
                                                                                  • String ID:
                                                                                  • API String ID: 2829624132-0
                                                                                  • Opcode ID: 52a239e1af185098affd454670b03648ce243392e271356895e20ccf19ae8fdc
                                                                                  • Instruction ID: 05faf11d17361ea5d75560d5d2b065cfad93b6a022f1a2acca3c3c77db910a94
                                                                                  • Opcode Fuzzy Hash: 52a239e1af185098affd454670b03648ce243392e271356895e20ccf19ae8fdc
                                                                                  • Instruction Fuzzy Hash: 2761AD71940207DBDB289F25CC82FBA77A8EF05300F2841AEED15C6686E734DA81DB50
                                                                                  APIs
                                                                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00CAA755
                                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00CAA75F
                                                                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00CAA76C
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                  • String ID:
                                                                                  • API String ID: 3906539128-0
                                                                                  • Opcode ID: 78c793b6c183523f533f925fd26b072d023a5f0c540a72bc415c069cc1766cb6
                                                                                  • Instruction ID: 35abee32be3a55db438755fca5e46febd978fdac75b67fdfa703118eb3f534ea
                                                                                  • Opcode Fuzzy Hash: 78c793b6c183523f533f925fd26b072d023a5f0c540a72bc415c069cc1766cb6
                                                                                  • Instruction Fuzzy Hash: 4531B37491121D9BCB21DF64D889B9DBBB8EF08310F5442DAE81CA7250E7709F818F45
                                                                                  APIs
                                                                                  • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,00CA26C2,00000024,?,?,?), ref: 00CA294C
                                                                                  • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,00C9CBBE,?), ref: 00CA2962
                                                                                  • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,00C9CBBE,?), ref: 00CA2974
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Crypt$Context$AcquireRandomRelease
                                                                                  • String ID:
                                                                                  • API String ID: 1815803762-0
                                                                                  • Opcode ID: 1024d499c3a65a4dc852522fbcdfd04d07b55d53b0eb020813881c56e6483f2f
                                                                                  • Instruction ID: 32566ca802ebf3ce916fa0e8cfa8457a72e8bfa6aeb66b3ba8bf4740da00dc70
                                                                                  • Opcode Fuzzy Hash: 1024d499c3a65a4dc852522fbcdfd04d07b55d53b0eb020813881c56e6483f2f
                                                                                  • Instruction Fuzzy Hash: E3E0923130C222BBEB310F3AFC0CF5B2B55EB86F74F200628F261E40E4C66148469B18
                                                                                  APIs
                                                                                  • GetCurrentProcess.KERNEL32(00000003,?,00CB252A,00000003,00CDDAE0,0000000C,00CB2681,00000003,00000002,00000000,?,00CB53F8,00000003), ref: 00CB2575
                                                                                  • TerminateProcess.KERNEL32(00000000,?,00CB252A,00000003,00CDDAE0,0000000C,00CB2681,00000003,00000002,00000000,?,00CB53F8,00000003), ref: 00CB257C
                                                                                  • ExitProcess.KERNEL32 ref: 00CB258E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Process$CurrentExitTerminate
                                                                                  • String ID:
                                                                                  • API String ID: 1703294689-0
                                                                                  • Opcode ID: c9b4359f20ae26826a4a1c9d24a3b9e7f60ed7277bdafb233415ded019a8e951
                                                                                  • Instruction ID: daf294b0a4563b59570499c8d6b4a0b94c6ca43d450d3d1a99974f746c6e4266
                                                                                  • Opcode Fuzzy Hash: c9b4359f20ae26826a4a1c9d24a3b9e7f60ed7277bdafb233415ded019a8e951
                                                                                  • Instruction Fuzzy Hash: 95E0B631404148EFCF216F55DD19F8D3F69EB60792F004214F8068A131CB75DE86DA90
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: .
                                                                                  • API String ID: 0-248832578
                                                                                  • Opcode ID: 156a0301923b94edc3d0ac4b357177983d58dd7070038e062e72dfd809014d54
                                                                                  • Instruction ID: 7c72ca53e26d621ffa23d03eab83bfcea0d63d4342786944bf67ea7287293c4a
                                                                                  • Opcode Fuzzy Hash: 156a0301923b94edc3d0ac4b357177983d58dd7070038e062e72dfd809014d54
                                                                                  • Instruction Fuzzy Hash: CF31E371900209AFCB249E78CC84EEA7BBDDB86314F1405A8F82A97251F6309E448B60
                                                                                  APIs
                                                                                  • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00CB374A,?,00000004), ref: 00CB75EA
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: InfoLocale
                                                                                  • String ID: GetLocaleInfoEx
                                                                                  • API String ID: 2299586839-2904428671
                                                                                  • Opcode ID: 9f8c21259ddb1b84770484ffdbc9c30a4e21fc0268814df55057fd999210a340
                                                                                  • Instruction ID: ab3f5bb754b223d16962a8d14c537502c17ec2b1f1030003d6700b6d396878b0
                                                                                  • Opcode Fuzzy Hash: 9f8c21259ddb1b84770484ffdbc9c30a4e21fc0268814df55057fd999210a340
                                                                                  • Instruction Fuzzy Hash: CBF0F031A44208FBCB11AF64DC06FAEBB24EB44710F050268FC052A2A0CA718E10AAA5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 5fe4b2cb4502993dbea9aed901accaaf97bf6201a09a40e91719f5fde44f0d4f
                                                                                  • Instruction ID: ca9ba938771c46c24daf44dd8df2628e5625038ea4055e0a600b419a490112eb
                                                                                  • Opcode Fuzzy Hash: 5fe4b2cb4502993dbea9aed901accaaf97bf6201a09a40e91719f5fde44f0d4f
                                                                                  • Instruction Fuzzy Hash: 31022C71E002199FDF14CFA9D8906EEB7F1EF88314F698269D929E7344D731AA41CB80
                                                                                  APIs
                                                                                  • FindFirstFileW.KERNEL32(00000000,?), ref: 00C88EBF
                                                                                  • FindNextFileW.KERNEL32(00000000,?,?), ref: 00C88F8B
                                                                                    • Part of subcall function 00C8B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00C79F65), ref: 00C8B633
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: File$Find$CreateFirstNext
                                                                                  • String ID:
                                                                                  • API String ID: 341183262-0
                                                                                  • Opcode ID: 8bf50174551c45b09e607b15942f80ff2fefbc28fcabc47ca4e4e9b18f1fe040
                                                                                  • Instruction ID: 8cff2ec8d2673a8de3bd19407ad1a0d3e17c98f78e977ca82a4ecc5b922d8c7a
                                                                                  • Opcode Fuzzy Hash: 8bf50174551c45b09e607b15942f80ff2fefbc28fcabc47ca4e4e9b18f1fe040
                                                                                  • Instruction Fuzzy Hash: 628162315042409BD728FB64C866EEFB3A9AFA0750F44892DF95A431D2EF309A09E756
                                                                                  APIs
                                                                                  • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00C76ADD
                                                                                  • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00C76BA5
                                                                                    • Part of subcall function 00C74468: send.WS2_32(?,00000000,00000000,00000000), ref: 00C744FD
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: FileFind$FirstNextsend
                                                                                  • String ID:
                                                                                  • API String ID: 4113138495-0
                                                                                  • Opcode ID: 7f7cfbda5cbc2c27c5ce20592ca3bbf5ec02e8c2cb8cd5fed69cabe1f208ff83
                                                                                  • Instruction ID: 9705f8d12cf0e50a08a5fd04e78c0fd2997427ac7b28c0e8d3edd7b799f32c99
                                                                                  • Opcode Fuzzy Hash: 7f7cfbda5cbc2c27c5ce20592ca3bbf5ec02e8c2cb8cd5fed69cabe1f208ff83
                                                                                  • Instruction Fuzzy Hash: 8D2164325043009BD714FB64DC95DAFB7ACAF91360F448A2DFD9A92191EF349A0CEA53
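The function entries above list the raw API calls the sandbox resolved per function, but the capability each combination implies (URLDownloadToFileW followed by ShellExecuteW, SystemParametersInfoW with the registry writes under Control Panel\Desktop in a subcall, FindFirstFileW/FindNextFileW feeding send) has to be read out of them by hand. The script below is an added example, not part of the Joe Sandbox report or of the sample being analysed: it parses lines of the "APIs" format shown in this listing (including the indented "Part of subcall function" lines), groups them per function entry, applies a small set of assumed capability rules (names such as "download-and-execute" are this example's own, not Joe Sandbox's signature names), and decodes the SystemParametersInfoW arguments using the winuser.h constants SPI_SETDESKWALLPAPER (0x14) and SPIF_UPDATEINIFILE|SPIF_SENDCHANGE (3). The sample input is constructed from API lines copied from four entries of this report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One "APIs" line of a Joe Sandbox function entry, with or without an
# argument list, optionally prefixed by "Part of subcall function ADDR:".
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)

# Assumed triage rules (this example's own, not Joe Sandbox's signatures):
# an entry has a capability when every API in the set appears in it,
# directly or through a listed subcall.
CAPABILITY_RULES = {
    "download-and-execute": {"URLDownloadToFileW", "ShellExecuteW"},
    "wallpaper-tampering": {"SystemParametersInfoW", "RegSetValueExA"},
    "file-enum-and-send": {"FindFirstFileW", "FindNextFileW", "send"},
    "csp-random-bytes": {"CryptAcquireContextA", "CryptGenRandom"},
}

# Windows SDK constants (winuser.h) used to decode SystemParametersInfoW.
SPI_SETDESKWALLPAPER = 0x0014
SPIF_FLAGS = {0x01: "SPIF_UPDATEINIFILE", 0x02: "SPIF_SENDCHANGE"}

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str
    parent: Optional[str] = None  # set on "Part of subcall function" lines

def parse_api_lines(text):
    """Return a list of entries; each entry is the ApiCall list of one blank-line separated block."""
    entries, current = [], []
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current = []
            continue
        m = API_RE.match(line)
        if not m:
            continue  # labels such as "APIs" or "Strings" carry no call
        args = [a for a in (m.group("args") or "").split(",") if a]
        current.append(ApiCall(m.group("api"), m.group("module"), args,
                               m.group("ref"), m.group("parent")))
    if current:
        entries.append(current)
    return entries

def decode_spi(call):
    """Name uiAction and fWinIni of SystemParametersInfoW(uiAction, uiParam, pvParam, fWinIni)."""
    if call.api != "SystemParametersInfoW" or len(call.args) < 4:
        return None
    try:
        action, fwinini = int(call.args[0], 16), int(call.args[3], 16)
    except ValueError:  # "?" means the sandbox could not resolve the value
        return None
    name = "SPI_SETDESKWALLPAPER" if action == SPI_SETDESKWALLPAPER else hex(action)
    flags = [n for bit, n in SPIF_FLAGS.items() if fwinini & bit]
    return f"{name}, fWinIni={'|'.join(flags) or hex(fwinini)}"

def capabilities(entry):
    present = {c.api for c in entry}
    return sorted(n for n, need in CAPABILITY_RULES.items() if need <= present)

def triage(text):
    """One summary per function entry that matches at least one rule."""
    out = []
    for entry in parse_api_lines(text):
        caps = capabilities(entry)
        if caps:
            notes = [d for d in (decode_spi(c) for c in entry) if d]
            out.append({"first_ref": entry[0].ref, "capabilities": caps,
                        "apis": sorted({c.api for c in entry}), "notes": notes})
    return out

# Constructed input: API lines copied from four function entries of this
# report's 00C70000 dump, separated by blank lines as in the report.
SAMPLE_REPORT = """\
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00C76234
• URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00C76318

• SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 00C8BC6C
  • Part of subcall function 00C826D2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 00C826E1
  • Part of subcall function 00C826D2: RegSetValueExA.KERNELBASE(?,00CD6748,00000000,?,00000000,00000000,00CE42F8,?,?,00C7E5FB,00CD6748,5.3.0 Pro), ref: 00C82709

• CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,00CA26C2,00000024,?,?,?), ref: 00CA294C
• CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,00C9CBBE,?), ref: 00CA2962

• FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00C76ADD
• FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00C76BA5
  • Part of subcall function 00C74468: send.WS2_32(?,00000000,00000000,00000000), ref: 00C744FD
"""
```

Running triage(SAMPLE_REPORT) yields one hit per entry, with the wallpaper entry annotated as SPI_SETDESKWALLPAPER with fWinIni=SPIF_UPDATEINIFILE|SPIF_SENDCHANGE, which is what a wallpaper change that also persists to the user profile looks like. The subcall lines must be kept in the entry: the RegSetValueExA that writes TileWallpaper/WallpaperStyle only appears as a subcall of 00C826D2, and the send only as a subcall of 00C74468, so a parser that skips indented lines would miss both capabilities. Entries whose APIs match no rule (for example the IsDebuggerPresent/SetUnhandledExceptionFilter CRT startup entry) are dropped from the output.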
                                                                                  APIs
                                                                                  • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00CC20CD,?,?,00000008,?,?,00CC5412,00000000), ref: 00CC22FF
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
APIs
  • Part of subcall function 00CB6EBF: GetLastError.KERNEL32(?,00000000,00CB0A45,?,00C8AB73,-00CE5D4C,?,?,?,?,00CD5900,00C7C07B,.vbs), ref: 00CB6EC3
  • Part of subcall function 00CB6EBF: _free.LIBCMT ref: 00CB6EF6
  • Part of subcall function 00CB6EBF: SetLastError.KERNEL32(00000000,?,00C8AB73,-00CE5D4C,?,?,?,?,00CD5900,00C7C07B,.vbs), ref: 00CB6F37
  • Part of subcall function 00CB6EBF: _abort.LIBCMT ref: 00CB6F3D
  • Part of subcall function 00CB6EBF: _free.LIBCMT ref: 00CB6F1E
  • Part of subcall function 00CB6EBF: SetLastError.KERNEL32(00000000,?,00C8AB73,-00CE5D4C,?,?,?,?,00CD5900,00C7C07B,.vbs), ref: 00CB6F2B
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00CC110E
Similarity
• API ID: ErrorLast$_free$InfoLocale_abort
• String ID:
• API String ID: 1663032902-0
APIs
  • Part of subcall function 00CB6EBF: GetLastError.KERNEL32(?,00000000,00CB0A45,?,00C8AB73,-00CE5D4C,?,?,?,?,00CD5900,00C7C07B,.vbs), ref: 00CB6EC3
  • Part of subcall function 00CB6EBF: _free.LIBCMT ref: 00CB6EF6
  • Part of subcall function 00CB6EBF: SetLastError.KERNEL32(00000000,?,00C8AB73,-00CE5D4C,?,?,?,?,00CD5900,00C7C07B,.vbs), ref: 00CB6F37
  • Part of subcall function 00CB6EBF: _abort.LIBCMT ref: 00CB6F3D
• EnumSystemLocalesW.KERNEL32(00CC0E6A,00000001,00000000,?,00CB3CEC,?,00CC1497,00000000,?,?,?), ref: 00CC0DB4
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID:
• API String ID: 1084509184-0
APIs
  • Part of subcall function 00CB6EBF: GetLastError.KERNEL32(?,00000000,00CB0A45,?,00C8AB73,-00CE5D4C,?,?,?,?,00CD5900,00C7C07B,.vbs), ref: 00CB6EC3
  • Part of subcall function 00CB6EBF: _free.LIBCMT ref: 00CB6EF6
  • Part of subcall function 00CB6EBF: SetLastError.KERNEL32(00000000,?,00C8AB73,-00CE5D4C,?,?,?,?,00CD5900,00C7C07B,.vbs), ref: 00CB6F37
  • Part of subcall function 00CB6EBF: _abort.LIBCMT ref: 00CB6F3D
• GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00CC1088,00000000,00000000,?), ref: 00CC1316
Similarity
• API ID: ErrorLast$InfoLocale_abort_free
• String ID:
• API String ID: 2692324296-0
APIs
  • Part of subcall function 00CB6EBF: GetLastError.KERNEL32(?,00000000,00CB0A45,?,00C8AB73,-00CE5D4C,?,?,?,?,00CD5900,00C7C07B,.vbs), ref: 00CB6EC3
  • Part of subcall function 00CB6EBF: _free.LIBCMT ref: 00CB6EF6
  • Part of subcall function 00CB6EBF: SetLastError.KERNEL32(00000000,?,00C8AB73,-00CE5D4C,?,?,?,?,00CD5900,00C7C07B,.vbs), ref: 00CB6F37
  • Part of subcall function 00CB6EBF: _abort.LIBCMT ref: 00CB6F3D
• EnumSystemLocalesW.KERNEL32(00CC10BA,00000001,?,?,00CB3CEC,?,00CC145B,00CB3CEC,?,?,?,?,?,00CB3CEC,?,?), ref: 00CC0E29
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID:
• API String ID: 1084509184-0
APIs
  • Part of subcall function 00CB4ACC: EnterCriticalSection.KERNEL32(-00062FAC,?,00CB225B,00000000,00CDDAC0,0000000C,00CB2216,?,?,?,00CB8739,?,?,00CB6F74,00000001,00000364), ref: 00CB4ADB
• EnumSystemLocalesW.KERNEL32(00CB7068,00000001,00CDDC48,0000000C), ref: 00CB70E6
Similarity
• API ID: CriticalEnterEnumLocalesSectionSystem
• String ID:
• API String ID: 1272433827-0
APIs
  • Part of subcall function 00CB6EBF: GetLastError.KERNEL32(?,00000000,00CB0A45,?,00C8AB73,-00CE5D4C,?,?,?,?,00CD5900,00C7C07B,.vbs), ref: 00CB6EC3
  • Part of subcall function 00CB6EBF: _free.LIBCMT ref: 00CB6EF6
  • Part of subcall function 00CB6EBF: SetLastError.KERNEL32(00000000,?,00C8AB73,-00CE5D4C,?,?,?,?,00CD5900,00C7C07B,.vbs), ref: 00CB6F37
  • Part of subcall function 00CB6EBF: _abort.LIBCMT ref: 00CB6F3D
• EnumSystemLocalesW.KERNEL32(00CC0C4E,00000001,?,?,?,00CC14B9,00CB3CEC,?,?,?,?,?,00CB3CEC,?,?,?), ref: 00CC0D2E
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID:
• API String ID: 1084509184-0
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_00033CE3,00CA39B1), ref: 00CA3CDC
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
Strings
• Offline Keylogger Started, xrefs: 00CACAE3
Similarity
• API ID:
• String ID: Offline Keylogger Started
• API String ID: 0-4114347211
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
Similarity
• API ID:
• String ID: @
• API String ID: 0-2766056989
Similarity
• API ID: HeapProcess
• String ID:
• API String ID: 54951025-0
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 4bbca1399793ab9516eeccba82301993ec5775d3b2cf3b3cd169a3163d963954
                                                                                  • Instruction ID: a2bb059864cdcdcc797e25b7deab32b1f03f7a858b7c3f226d86073c0110126e
                                                                                  • Opcode Fuzzy Hash: 4bbca1399793ab9516eeccba82301993ec5775d3b2cf3b3cd169a3163d963954
                                                                                  • Instruction Fuzzy Hash: E8F138716142558FC714DF19E892A3EB3E1EB89301B460A1FF1C2D7392DB34EA1ADB51
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 3c4d0979f66ea803f5fbfe0607e5ffadaf71e909b62db8f938a7b3e4cefb321f
                                                                                  • Instruction ID: 5b28ea475e657d7758665bbd0d021df5b2986943549da1f4baa9057a11608448
                                                                                  • Opcode Fuzzy Hash: 3c4d0979f66ea803f5fbfe0607e5ffadaf71e909b62db8f938a7b3e4cefb321f
                                                                                  • Instruction Fuzzy Hash: BED15D719083168BCB21DE68C88456EB7E4BF95398F481A2DFC96D7251EB34DE058B82
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: e7326b31f45d4e50c8c50174bee11f9882207dfed74e31d12f4697374e1987de
                                                                                  • Instruction ID: d0c44f71036c3d67b97782fc2bb23cf245b9843865bdce513145d5908c4949d7
                                                                                  • Opcode Fuzzy Hash: e7326b31f45d4e50c8c50174bee11f9882207dfed74e31d12f4697374e1987de
                                                                                  • Instruction Fuzzy Hash: E0B1913911429A8ADB05EF28C4913F63BA1EF6A300F4850B9EC9DCF757D3359906EB24
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 22bbf47a8cdfee452fd34d4c6c94808048783d3064c919ecf4faa7900aeb2967
                                                                                  • Instruction ID: 1a4404d52501c0943ab26c3381ace88d0f73c96b2b452c94bad7374885f965e2
                                                                                  • Opcode Fuzzy Hash: 22bbf47a8cdfee452fd34d4c6c94808048783d3064c919ecf4faa7900aeb2967
                                                                                  • Instruction Fuzzy Hash: D061AC7160030B66DE385A388995BBF23A4EF0731CF24061AFA63DBE81DA51DF42D346
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 5b01befaabe980f6805e9cc4f6dd04a7ac6e62eb41a70708b23056ad1f5f649e
                                                                                  • Instruction ID: b0da748cd3f986af33bd033709153b3d0b46cbff13a202bdb43905ffda0be1f0
                                                                                  • Opcode Fuzzy Hash: 5b01befaabe980f6805e9cc4f6dd04a7ac6e62eb41a70708b23056ad1f5f649e
                                                                                  • Instruction Fuzzy Hash: B1617971600B0B5ADF385AA84CD5BBEA396DB0370CF10091AF963DF6C1DA51DF429355
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: e2a8b980d15524a9166ea1c1ad562ce51950159e1ba55b929a656d107737cc95
                                                                                  • Instruction ID: 1d19dc5ab6c6c419edf5c9cf2707634130a45d104ddef187badcecb26dc8b4cd
                                                                                  • Opcode Fuzzy Hash: e2a8b980d15524a9166ea1c1ad562ce51950159e1ba55b929a656d107737cc95
                                                                                  • Instruction Fuzzy Hash: FF614B32A083019FC708DF34D585A5FB7E5EFD8714F554E2EF49A96191E730EA089B82
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                  • Instruction ID: 5f08dbc190494c6852da6382e50cbd4072744dcfba81c4925378dadbea4751ab
                                                                                  • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                  • Instruction Fuzzy Hash: 8211087724C18343EA24862DDCF45BEA7E5FAC732C76C437AD2694B758D1229B459500
                                                                                  APIs
                                                                                  • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00C87FB9
                                                                                  • CreateCompatibleDC.GDI32(00000000), ref: 00C87FC4
                                                                                    • Part of subcall function 00C88452: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00C88482
                                                                                  • CreateCompatibleBitmap.GDI32(?,00000000), ref: 00C88045
                                                                                  • DeleteDC.GDI32(?), ref: 00C8805D
                                                                                  • DeleteDC.GDI32(00000000), ref: 00C88060
                                                                                  • SelectObject.GDI32(00000000,00000000), ref: 00C8806B
                                                                                  • StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 00C88093
                                                                                  • GetIconInfo.USER32(?,?), ref: 00C880CB
                                                                                  • DeleteObject.GDI32(?), ref: 00C880FA
                                                                                  • DeleteObject.GDI32(?), ref: 00C88107
                                                                                  • DrawIcon.USER32(00000000,?,?,?), ref: 00C88114
                                                                                  • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 00C88144
                                                                                  • GetObjectA.GDI32(?,00000018,?), ref: 00C88173
                                                                                  • LocalAlloc.KERNEL32(00000040,00000028), ref: 00C881BC
                                                                                  • LocalAlloc.KERNEL32(00000040,00000001), ref: 00C881DF
                                                                                  • GlobalAlloc.KERNEL32(00000000,?), ref: 00C88248
                                                                                  • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00C8826B
                                                                                  • DeleteDC.GDI32(?), ref: 00C8827F
                                                                                  • DeleteDC.GDI32(00000000), ref: 00C88282
                                                                                  • DeleteObject.GDI32(00000000), ref: 00C88285
                                                                                  • GlobalFree.KERNEL32(00CC0020), ref: 00C88290
                                                                                  • DeleteObject.GDI32(00000000), ref: 00C88344
                                                                                  • GlobalFree.KERNEL32(?), ref: 00C8834B
                                                                                  • DeleteDC.GDI32(?), ref: 00C8835B
                                                                                  • DeleteDC.GDI32(00000000), ref: 00C88366
                                                                                  • DeleteDC.GDI32(?), ref: 00C88398
                                                                                  • DeleteDC.GDI32(00000000), ref: 00C8839B
                                                                                  • DeleteObject.GDI32(?), ref: 00C883A1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconLocal$BitmapBitsDisplayDrawEnumInfoSelectSettingsStretch
                                                                                  • String ID: DISPLAY
                                                                                  • API String ID: 1765752176-865373369
                                                                                  • Opcode ID: 2b1ed57f88da7f4856fe4508ef2f81ca8f88a69ec78906b7ecaa404cc9c4f170
                                                                                  • Instruction ID: 74d3b0945c78358225ffb2fda91924e6e51e3f57c6de61a70723c51976718b5b
                                                                                  • Opcode Fuzzy Hash: 2b1ed57f88da7f4856fe4508ef2f81ca8f88a69ec78906b7ecaa404cc9c4f170
                                                                                  • Instruction Fuzzy Hash: B9C16831508340AFD720EB65CC48B6FBBE9FF88714F44491DF99A97660DB30A909CB56
                                                                                  APIs
                                                                                  • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00C8728C
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00C8728F
                                                                                  • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00C872A0
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00C872A3
                                                                                  • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00C872B4
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00C872B7
                                                                                  • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00C872C8
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00C872CB
                                                                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00C8736C
                                                                                  • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00C87384
                                                                                  • GetThreadContext.KERNEL32(?,00000000), ref: 00C8739A
                                                                                  • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00C873C0
                                                                                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00C87440
                                                                                  • TerminateProcess.KERNEL32(?,00000000), ref: 00C87454
                                                                                  • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00C8748B
                                                                                  • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00C87558
                                                                                  • SetThreadContext.KERNEL32(?,00000000), ref: 00C87575
                                                                                  • ResumeThread.KERNEL32(?), ref: 00C87582
                                                                                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00C8759A
                                                                                  • GetCurrentProcess.KERNEL32(?), ref: 00C875A5
                                                                                  • TerminateProcess.KERNEL32(?,00000000), ref: 00C875BF
                                                                                  • GetLastError.KERNEL32 ref: 00C875C7
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                                                  • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$`#v$ntdll
                                                                                  • API String ID: 4188446516-108836778
                                                                                  • Opcode ID: 2481b8b9527069a3419617abc0c75dab5027f2f8231d87b15460052f6b88b506
                                                                                  • Instruction ID: 33e5df2adfd6233f90dfa1395ca2c4a74a24462e0c10e86b59615e48a0598f27
                                                                                  • Opcode Fuzzy Hash: 2481b8b9527069a3419617abc0c75dab5027f2f8231d87b15460052f6b88b506
                                                                                  • Instruction Fuzzy Hash: 09A17CB1508305AFD710AF61DC84F6BBBE8FB88348F140A29F659C6260E771EA54CF65
                                                                                  APIs
                                                                                    • Part of subcall function 00C81699: TerminateProcess.KERNEL32(00000000,pth_unenc,00C7E670), ref: 00C816A9
                                                                                    • Part of subcall function 00C81699: WaitForSingleObject.KERNEL32(000000FF), ref: 00C816BC
                                                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 00C7C38B
                                                                                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 00C7C39E
                                                                                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 00C7C3B7
                                                                                  • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 00C7C3E7
                                                                                    • Part of subcall function 00C7AFBA: TerminateThread.KERNEL32(00C799A9,00000000,00CE42F8,pth_unenc,00C7BF26,00CE42E0,00CE42F8,?,pth_unenc), ref: 00C7AFC9
                                                                                    • Part of subcall function 00C7AFBA: UnhookWindowsHookEx.USER32(00CE40F8), ref: 00C7AFD5
                                                                                    • Part of subcall function 00C7AFBA: TerminateThread.KERNEL32(00C79993,00000000,?,pth_unenc), ref: 00C7AFE3
                                                                                    • Part of subcall function 00C8B58F: CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00CD5900,00000000,00000000,00C7C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 00C8B5CE
                                                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00CD5900,00CD5900,00000000), ref: 00C7C632
                                                                                  • ExitProcess.KERNEL32 ref: 00C7C63E
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                                  • String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                                                                  • API String ID: 1861856835-1536747724
                                                                                  • Opcode ID: a408c8ab1d5d8363f93acf32c36e57290e374bd5a289dca8e59f184e03bec30a
                                                                                  • Instruction ID: cb04b91c5871eb020e8beea221dd87b3435103530c1353f692bea3225daac9cc
                                                                                  • Opcode Fuzzy Hash: a408c8ab1d5d8363f93acf32c36e57290e374bd5a289dca8e59f184e03bec30a
                                                                                  • Instruction Fuzzy Hash: 9D91D4716042405BC728FB24DCA6ABF77D99F91310F04853EF98E931A2EF209E49E752
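The three listings above (the GDI screen-capture routine, the suspended-process creation with context rewrite, and the update.vbs self-delete routine) are the kind of API trace that can be scored mechanically. The following is an added example, not part of the Joe Sandbox report and not code from the sample: a small Python parser for the report's `• Name.MODULE(args), ref: ADDR` and `• String ID:` lines, plus four behaviour rules written against the parsed calls. The rule names, the CREATE_SUSPENDED (0x4) check on the sixth CreateProcessW argument and the BENIGN control listing are this example's own assumptions; the HOLLOWING, SCREENSHOT and UNINSTALL listings are trimmed copies of the report lines shown above.

```python
"""Score one Joe Sandbox function record ('APIs' and 'String ID' lines) for Remcos-style behaviours.
Added example, not Joe Sandbox code and not the sample's code: the rule names, the CREATE_SUSPENDED
check on the sixth CreateProcess argument and the BENIGN control are this example's assumptions."""
import re
from typing import Dict, List, NamedTuple, Optional

CREATE_SUSPENDED = 0x4            # dwCreationFlags bit (6th CreateProcess argument)
HKEY_CURRENT_USER = 0x80000001    # hKey root used by the RegDeleteKeyA call above
# "• Name.MODULE(args), ref: ADDR", optionally prefixed by "Part of subcall function ADDR:"
API_RE = re.compile(r"^\s*•\s*(?:Part of subcall function [0-9A-F]+:\s*)?(?P<name>\w+)\.\w+"
                    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")
STRING_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<strings>.*)$")
NATIVE_RE = re.compile(r"^(Zw|Nt)[A-Z]\w+$")

class Call(NamedTuple):
    name: str
    args: List[str]
    ref: int                      # call-site code address, not an execution timestamp
    def arg_hex(self, i: int) -> Optional[int]:
        try:                      # None when the argument is '?' or not a hex literal
            return int(self.args[i], 16)
        except (IndexError, ValueError):
            return None

def parse_listing(text: str):
    calls, strings = [], []
    for line in text.splitlines():
        if m := API_RE.match(line):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            calls.append(Call(m["name"], args, int(m["ref"], 16)))
        elif m := STRING_RE.match(line):      # the report joins one function's strings with '$'
            strings.extend(s for s in m["strings"].split("$") if s)
    return calls, strings

def first(calls, *names):
    return next((c for c in calls if c.name in names), None)

def resolved_native_apis(calls, strings) -> set:
    """Zw*/Nt* names beside GetProcAddress: ntdll exports resolved at run time, so absent from
    the import table (the report shows them as stack residue in GetModuleHandleA's arguments)."""
    if first(calls, "GetProcAddress") is None:
        return set()
    return {t for t in [a for c in calls for a in c.args] + strings if NATIVE_RE.match(t)}

def rule_process_hollowing(calls, strings) -> bool:
    cp = first(calls, "CreateProcessW", "CreateProcessA")
    if cp is None or not (cp.arg_hex(5) or 0) & CREATE_SUSPENDED:
        return False
    # the payload write is WriteProcessMemory or a section mapped via the resolved ZwMapViewOfSection
    writes = first(calls, "WriteProcessMemory") or "ZwMapViewOfSection" in resolved_native_apis(calls, strings)
    trio = [first(calls, n) for n in ("GetThreadContext", "SetThreadContext", "ResumeThread")]
    # 'after' is by code address: later in the function body, not a proven runtime order
    return bool(writes) and all(c is not None and c.ref > cp.ref for c in trio)

def rule_screen_capture(calls, strings) -> bool:
    dc, names = first(calls, "CreateDCA", "CreateDCW"), {c.name for c in calls}
    return (dc is not None and dc.args[:1] == ["DISPLAY"]
            and bool(names & {"BitBlt", "StretchBlt"}) and "GetDIBits" in names)

def rule_vbs_self_delete(calls, strings) -> bool:
    opens = any(c.name.startswith("ShellExecute") and c.args[1:2] == ["open"] for c in calls)
    return (opens and any("Wscript.ScriptFullName" in s for s in strings)
            and any(s.lower().endswith(".vbs") for s in strings))

def rule_removes_hkcu_run_key(calls, strings) -> bool:
    deletes = any(c.name.startswith("RegDeleteKey") and c.arg_hex(0) == HKEY_CURRENT_USER for c in calls)
    return deletes and any("CurrentVersion\\Run" in s for s in strings)

def triage(text: str) -> Dict[str, object]:
    calls, strings = parse_listing(text)
    rules = (rule_process_hollowing, rule_screen_capture, rule_vbs_self_delete, rule_removes_hkcu_run_key)
    report = {r.__name__[5:]: r(calls, strings) for r in rules}     # strip the 'rule_' prefix
    report["native_apis"] = sorted(resolved_native_apis(calls, strings))
    return report

HOLLOWING = r'''
• GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00C8728C
• GetProcAddress.KERNEL32(00000000), ref: 00C8728F
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00C8736C
• GetThreadContext.KERNEL32(?,00000000), ref: 00C8739A
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00C87558
• SetThreadContext.KERNEL32(?,00000000), ref: 00C87575
• ResumeThread.KERNEL32(?), ref: 00C87582
• String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$`#v$ntdll
'''
SCREENSHOT = r'''
• CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00C87FB9
  • Part of subcall function 00C88452: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00C88482
• BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 00C88144
• GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00C8826B
• String ID: DISPLAY
'''
UNINSTALL = r'''
• RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 00C7C39E
• ShellExecuteW.SHELL32(00000000,open,00000000,00CD5900,00CD5900,00000000), ref: 00C7C632
• ExitProcess.KERNEL32 ref: 00C7C63E
• String ID: On Error Resume Next$Software\Microsoft\Windows\CurrentVersion\Run\$\update.vbs$fso.DeleteFile(Wscript.ScriptFullName)$open$wend
'''
# constructed control: CreateProcessW without CREATE_SUSPENDED and no context rewrite
BENIGN = "• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00401000"
```

`triage(HOLLOWING)` reports `process_hollowing` true and lists the four Zw* exports; `triage(SCREENSHOT)` reports `screen_capture`; `triage(UNINSTALL)` reports both `vbs_self_delete` and `removes_hkcu_run_key`; `triage(BENIGN)` reports nothing. Two caveats worth keeping in mind when reusing this on other records: the `ref` values are static call-site addresses from the IDA listing, so the "after CreateProcessW" check is code order, not observed execution order; and the argument columns in these listings carry stack residue (the Zw names appear as GetModuleHandleA arguments), which is why native names are harvested from both the arguments and the String ID line. These rules are triage heuristics for reading the report, not Joe Sandbox's own signatures.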
                                                                                  APIs
                                                                                  • CreateMutexA.KERNEL32(00000000,00000001,00000000,00CE42F8,?,00000000), ref: 00C812D4
                                                                                  • ExitProcess.KERNEL32 ref: 00C8151D
                                                                                    • Part of subcall function 00C8265D: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,00CE42F8), ref: 00C82679
                                                                                    • Part of subcall function 00C8265D: RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,00000000,00000208,?), ref: 00C82692
                                                                                    • Part of subcall function 00C8265D: RegCloseKey.KERNELBASE(00000000), ref: 00C8269D
                                                                                    • Part of subcall function 00C8B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00C79F65), ref: 00C8B633
                                                                                  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 00C8135B
                                                                                  • OpenProcess.KERNEL32(00100000,00000000,00C7E154,?,?,?,?,00000000), ref: 00C8136A
                                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00C81375
                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 00C8137C
                                                                                  • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 00C81382
                                                                                    • Part of subcall function 00C827D5: RegCreateKeyA.ADVAPI32(80000001,00000000,00CD5554), ref: 00C827E3
                                                                                    • Part of subcall function 00C827D5: RegSetValueExA.KERNELBASE(00CD5554,000000AF,00000000,00000004,00000001,00000004,?,?,?,00C7B94C,00CD60E0,00000001,000000AF,00CD5554), ref: 00C827FE
                                                                                    • Part of subcall function 00C827D5: RegCloseKey.ADVAPI32(00CD5554,?,?,?,00C7B94C,00CD60E0,00000001,000000AF,00CD5554), ref: 00C82809
                                                                                  • PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 00C813B3
                                                                                  • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 00C8140F
                                                                                  • GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00C81429
                                                                                  • lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 00C8143B
                                                                                    • Part of subcall function 00C8B58F: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002), ref: 00C8B5EB
                                                                                    • Part of subcall function 00C8B58F: WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 00C8B5FF
                                                                                    • Part of subcall function 00C8B58F: CloseHandle.KERNELBASE(00000000), ref: 00C8B60C
                                                                                  • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00C81483
                                                                                  • Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 00C814C4
                                                                                  • OpenProcess.KERNEL32(00100000,00000000,00C7E154,?,?,?,?,00000000), ref: 00C814D9
                                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00C814E4
                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 00C814EB
                                                                                  • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 00C814F1
                                                                                    • Part of subcall function 00C8B58F: CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00CD5900,00000000,00000000,00C7C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 00C8B5CE
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
                                                                                  • String ID: .exe$WDH$exepath$open$temp_
                                                                                  • API String ID: 4250697656-3088914985
                                                                                  APIs
                                                                                  • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 00C8A2B2
                                                                                  • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 00C8A2C6
                                                                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00CD5554), ref: 00C8A2EE
                                                                                  • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00CE3EE8,00000000), ref: 00C8A2FF
                                                                                  • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 00C8A340
                                                                                  • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 00C8A358
                                                                                  • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 00C8A36D
                                                                                  • SetEvent.KERNEL32 ref: 00C8A38A
                                                                                  • WaitForSingleObject.KERNEL32(000001F4), ref: 00C8A39B
                                                                                  • CloseHandle.KERNEL32 ref: 00C8A3AB
                                                                                  • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 00C8A3CD
                                                                                  • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 00C8A3D7
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                                                  • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                                                                                  • API String ID: 738084811-1354618412
                                                                                  APIs
                                                                                    • Part of subcall function 00C81699: TerminateProcess.KERNEL32(00000000,pth_unenc,00C7E670), ref: 00C816A9
                                                                                    • Part of subcall function 00C81699: WaitForSingleObject.KERNEL32(000000FF), ref: 00C816BC
                                                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,00CE42F8,?,pth_unenc), ref: 00C7C013
                                                                                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 00C7C026
                                                                                  • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,00CE42F8,?,pth_unenc), ref: 00C7C056
                                                                                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00CE42F8,?,pth_unenc), ref: 00C7C065
                                                                                    • Part of subcall function 00C7AFBA: TerminateThread.KERNEL32(00C799A9,00000000,00CE42F8,pth_unenc,00C7BF26,00CE42E0,00CE42F8,?,pth_unenc), ref: 00C7AFC9
                                                                                    • Part of subcall function 00C7AFBA: UnhookWindowsHookEx.USER32(00CE40F8), ref: 00C7AFD5
                                                                                    • Part of subcall function 00C7AFBA: TerminateThread.KERNEL32(00C79993,00000000,?,pth_unenc), ref: 00C7AFE3
                                                                                    • Part of subcall function 00C8AB38: GetCurrentProcessId.KERNEL32(00000000,76233530,00000000,?,?,?,?,00CD5900,00C7C07B,.vbs,?,?,?,?,?,00CE42F8), ref: 00C8AB5F
                                                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00CD5900,00CD5900,00000000), ref: 00C7C280
                                                                                  • ExitProcess.KERNEL32 ref: 00C7C287
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                                  • String ID: ")$.vbs$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                                                                  • API String ID: 3797177996-3018399277
                                                                                  APIs
                                                                                  • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00C71C54
                                                                                  • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00C71C7E
                                                                                  • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00C71C8E
                                                                                  • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00C71C9E
                                                                                  • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00C71CAE
                                                                                  • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00C71CBE
                                                                                  • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00C71CCF
                                                                                  • WriteFile.KERNEL32(00000000,00CE1B02,00000002,00000000,00000000), ref: 00C71CE0
                                                                                  • WriteFile.KERNEL32(00000000,00CE1B04,00000004,00000000,00000000), ref: 00C71CF0
                                                                                  • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00C71D00
                                                                                  • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00C71D11
                                                                                  • WriteFile.KERNEL32(00000000,00CE1B0E,00000002,00000000,00000000), ref: 00C71D22
                                                                                  • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00C71D32
                                                                                  • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00C71D42
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: File$Write$Create
                                                                                  • String ID: RIFF$WAVE$data$fmt
                                                                                  • API String ID: 1602526932-4212202414
                                                                                  APIs
                                                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\SHROsQyiAd.exe,00000001,00C768B2,C:\Users\user\Desktop\SHROsQyiAd.exe,00000003,00C768DA,00CE42E0,00C76933), ref: 00C764F4
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00C764FD
                                                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 00C7650E
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00C76511
                                                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00C76522
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00C76525
                                                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00C76536
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00C76539
                                                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 00C7654A
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00C7654D
                                                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 00C7655E
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00C76561
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AddressHandleModuleProc
                                                                                  • String ID: C:\Users\user\Desktop\SHROsQyiAd.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                                                  • API String ID: 1646373207-2048506329
                                                                                  APIs
                                                                                  • _wcslen.LIBCMT ref: 00C7BC75
                                                                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00CE4358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 00C7BC8E
                                                                                  • CopyFileW.KERNEL32(C:\Users\user\Desktop\SHROsQyiAd.exe,00000000,00000000,00000000,00000000,00000000,?,00CE4358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 00C7BD3E
                                                                                  • _wcslen.LIBCMT ref: 00C7BD54
                                                                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 00C7BDDC
                                                                                  • CopyFileW.KERNEL32(C:\Users\user\Desktop\SHROsQyiAd.exe,00000000,00000000), ref: 00C7BDF2
                                                                                  • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 00C7BE31
                                                                                  • _wcslen.LIBCMT ref: 00C7BE34
                                                                                  • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 00C7BE4B
                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CE4358,0000000E), ref: 00C7BE9B
                                                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00CD5900,00CD5900,00000001), ref: 00C7BEB9
                                                                                  • ExitProcess.KERNEL32 ref: 00C7BED0
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                                                                  • String ID: 6$C:\Users\user\Desktop\SHROsQyiAd.exe$del$open
                                                                                  • API String ID: 1579085052-2670028600
                                                                                  APIs
                                                                                  • lstrlenW.KERNEL32(?), ref: 00C8B1D6
                                                                                  • _memcmp.LIBVCRUNTIME ref: 00C8B1EE
                                                                                  • lstrlenW.KERNEL32(?), ref: 00C8B207
                                                                                  • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 00C8B242
                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 00C8B255
                                                                                  • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 00C8B299
                                                                                  • lstrcmpW.KERNEL32(?,?), ref: 00C8B2B4
                                                                                  • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 00C8B2CC
                                                                                  • _wcslen.LIBCMT ref: 00C8B2DB
                                                                                  • FindVolumeClose.KERNEL32(?), ref: 00C8B2FB
                                                                                  • GetLastError.KERNEL32 ref: 00C8B313
                                                                                  • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 00C8B340
                                                                                  • lstrcatW.KERNEL32(?,?), ref: 00C8B359
                                                                                  • lstrcpyW.KERNEL32(?,?), ref: 00C8B368
                                                                                  • GetLastError.KERNEL32 ref: 00C8B370
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                                                  • String ID: ?
                                                                                  • API String ID: 3941738427-1684325040
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: _free$EnvironmentVariable$_wcschr
                                                                                  • String ID:
                                                                                  • API String ID: 3899193279-0
APIs
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00C83E86
• LoadLibraryA.KERNEL32(?), ref: 00C83EC8
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00C83EE8
• FreeLibrary.KERNEL32(00000000), ref: 00C83EEF
• LoadLibraryA.KERNEL32(?), ref: 00C83F27
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00C83F39
• FreeLibrary.KERNEL32(00000000), ref: 00C83F40
• GetProcAddress.KERNEL32(00000000,?), ref: 00C83F4F
• FreeLibrary.KERNEL32(00000000), ref: 00C83F66
Memory Dump Source
• Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
Similarity
• API ID: Library$AddressFreeProc$Load$DirectorySystem
• String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
• API String ID: 2490988753-744132762
• Opcode ID: 2fa7498c0a122c34158a29e4487c8d9f97a36d0793ddc94d86aec4e62374565f
• Instruction ID: 8a866d73ae562fbb0c8b7a2a4f934c0992135361a66c21c2155bd8b86cf3d7b5
• Opcode Fuzzy Hash: 2fa7498c0a122c34158a29e4487c8d9f97a36d0793ddc94d86aec4e62374565f
• Instruction Fuzzy Hash: 7431E5B1905395ABC720AB64DC84E9FB7ECEF44B48F410A69FA5493240D774DF008BEA
APIs
• RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 00C8B846
• RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00C8B88A
• RegCloseKey.ADVAPI32(?), ref: 00C8BB54
Memory Dump Source
• Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
Similarity
• API ID: CloseEnumOpen
• String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
• API String ID: 1332880857-3714951968
• Opcode ID: 0d33a76dcbe86a36e712e79c3df1b67964a839af455b3574a10e23e7c73e04f1
• Instruction ID: 9d89d09acf7b642d25123a8e0ff04844e301c4651ceee1909d2c6c0c1e0caa5d
• Opcode Fuzzy Hash: 0d33a76dcbe86a36e712e79c3df1b67964a839af455b3574a10e23e7c73e04f1
• Instruction Fuzzy Hash: B0814F311082459BD334EB14D855EEFB7E8EF94314F50892EF98A82195EF30AA49EB52
APIs
• DefWindowProcA.USER32(?,00000401,?,?), ref: 00C8CAE9
• GetCursorPos.USER32(?), ref: 00C8CAF8
• SetForegroundWindow.USER32(?), ref: 00C8CB01
• TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 00C8CB1B
• Shell_NotifyIconA.SHELL32(00000002,00CE3B50), ref: 00C8CB6C
• ExitProcess.KERNEL32 ref: 00C8CB74
• CreatePopupMenu.USER32 ref: 00C8CB7A
• AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 00C8CB8F
Memory Dump Source
• Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
Similarity
• API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
• String ID: Close
• API String ID: 1657328048-3535843008
• Opcode ID: 7c242eaa466733c68ea879784931a1c7a2a791e39bdb33ae7b442be6a7ac446f
• Instruction ID: 092558bd28de633e63f4bf332ad815306aaea450db8ade3e383c36cf33bc458c
• Opcode Fuzzy Hash: 7c242eaa466733c68ea879784931a1c7a2a791e39bdb33ae7b442be6a7ac446f
• Instruction Fuzzy Hash: AD211D31144189FFDB095FA5ED8EFBD3E65EB04705F044264F91295070D7B1AA50AF24
Memory Dump Source
• Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
Similarity
• API ID: _free$Info
• String ID:
• API String ID: 2509303402-0
• Opcode ID: 5a4b03580376cf3a2eb9b79490d5c3fbdeec25814ee3e6ee7a4fb899c6d80f45
• Instruction ID: f06d8aff8a004ebc608748f08096031026802c3be5b2402f52da557becaa6132
• Opcode Fuzzy Hash: 5a4b03580376cf3a2eb9b79490d5c3fbdeec25814ee3e6ee7a4fb899c6d80f45
• Instruction Fuzzy Hash: 52B1AF71900605AFDF20DFA8C881BEEBBF4BF09304F144069F9A9B7242DB759945DB60
APIs
• ___free_lconv_mon.LIBCMT ref: 00CC00B1
  • Part of subcall function 00CBF2E3: _free.LIBCMT ref: 00CBF300
  • Part of subcall function 00CBF2E3: _free.LIBCMT ref: 00CBF312
  • Part of subcall function 00CBF2E3: _free.LIBCMT ref: 00CBF324
  • Part of subcall function 00CBF2E3: _free.LIBCMT ref: 00CBF336
  • Part of subcall function 00CBF2E3: _free.LIBCMT ref: 00CBF348
  • Part of subcall function 00CBF2E3: _free.LIBCMT ref: 00CBF35A
  • Part of subcall function 00CBF2E3: _free.LIBCMT ref: 00CBF36C
  • Part of subcall function 00CBF2E3: _free.LIBCMT ref: 00CBF37E
  • Part of subcall function 00CBF2E3: _free.LIBCMT ref: 00CBF390
  • Part of subcall function 00CBF2E3: _free.LIBCMT ref: 00CBF3A2
  • Part of subcall function 00CBF2E3: _free.LIBCMT ref: 00CBF3B4
  • Part of subcall function 00CBF2E3: _free.LIBCMT ref: 00CBF3C6
  • Part of subcall function 00CBF2E3: _free.LIBCMT ref: 00CBF3D8
• _free.LIBCMT ref: 00CC00A6
  • Part of subcall function 00CB6AC5: HeapFree.KERNEL32(00000000,00000000,?,00CBFA50,00000000,00000000,00000000,00000000,?,00CBFCF4,00000000,00000007,00000000,?,00CC0205,00000000), ref: 00CB6ADB
  • Part of subcall function 00CB6AC5: GetLastError.KERNEL32(00000000,?,00CBFA50,00000000,00000000,00000000,00000000,?,00CBFCF4,00000000,00000007,00000000,?,00CC0205,00000000,00000000), ref: 00CB6AED
• _free.LIBCMT ref: 00CC00C8
• _free.LIBCMT ref: 00CC00DD
• _free.LIBCMT ref: 00CC00E8
• _free.LIBCMT ref: 00CC010A
• _free.LIBCMT ref: 00CC011D
• _free.LIBCMT ref: 00CC012B
• _free.LIBCMT ref: 00CC0136
• _free.LIBCMT ref: 00CC016E
• _free.LIBCMT ref: 00CC0175
• _free.LIBCMT ref: 00CC0192
• _free.LIBCMT ref: 00CC01AA
Memory Dump Source
• Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast___free_lconv_mon
• String ID:
• API String ID: 161543041-0
• Opcode ID: 2aae5990d015d73c291d995876a97e624d9aa81e62dfe42cf0d64f2cd7fa9095
• Instruction ID: a2d838bdc08215482fb19b94cbf6664f3dc4054725e48824a044b7300a6f733c
• Opcode Fuzzy Hash: 2aae5990d015d73c291d995876a97e624d9aa81e62dfe42cf0d64f2cd7fa9095
• Instruction Fuzzy Hash: AC314D31600701EFDB21AA39DC45F9AB3E9AF00754F29842DF4A9E7151DF35AE94EB20
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00C77F4C
• GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00C77FC2
• __aulldiv.LIBCMT ref: 00C77FE9
• SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00C7810D
• ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00C78128
• CloseHandle.KERNEL32(00000000), ref: 00C78200
• CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 00C7821A
• CloseHandle.KERNEL32(00000000), ref: 00C78256
Memory Dump Source
• Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
Similarity
• API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
• String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller:
• API String ID: 1884690901-2596673759
• Opcode ID: f78d3663daead44df13ddb629a81a9908221aedf93555e5bd9181fcded2ee4bb
• Instruction ID: caf782bb6edd76b5e1d675435ea08a45dcf11a2ea08e9d38a0fd3262ddf719a2
• Opcode Fuzzy Hash: f78d3663daead44df13ddb629a81a9908221aedf93555e5bd9181fcded2ee4bb
• Instruction Fuzzy Hash: C0B19F316083409FD618FB64C896B6FB7E9AFC4710F40891DF88D52292EF349949DB97
Memory Dump Source
• Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: c9c941a49499e6e20185a684b50d3c8dc45aed449a6822b952d6a3dc801ef390
• Instruction ID: f1a325c9f8a69020b7a7d867336ad13e04fc240f43cda334417e21839fe48232
• Opcode Fuzzy Hash: c9c941a49499e6e20185a684b50d3c8dc45aed449a6822b952d6a3dc801ef390
• Instruction Fuzzy Hash: 69C13372D40205AFEB20DBA8CC42FEE77F8AB19710F144169FE04FB282D6709E419B64
APIs
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00C74B8E,?,?,?,00C74B26), ref: 00C747FD
• SetEvent.KERNEL32(?,?,?,?,00000000,?,00C74B8E,?,?,?,00C74B26), ref: 00C74808
• CloseHandle.KERNEL32(?,?,?,?,00000000,?,00C74B8E,?,?,?,00C74B26), ref: 00C74811
• closesocket.WS2_32(000000FF), ref: 00C7481F
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00C74B8E,?,?,?,00C74B26), ref: 00C74856
• SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C74867
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00C7486E
• SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00C74880
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00C74885
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00C7488A
• SetEvent.KERNEL32(?,?,?,?,00000000,?,00C74B8E,?,?,?,00C74B26), ref: 00C74895
• CloseHandle.KERNEL32(?,?,?,?,00000000,?,00C74B8E,?,?,?,00C74B26), ref: 00C7489A
Memory Dump Source
• Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
Similarity
• API ID: CloseEventHandle$ObjectSingleWait$closesocket
• String ID:
• API String ID: 3658366068-0
• Opcode ID: ecdde268955636ddf46a110a59ba85b8b314e827159f5e1b6f7ac25cedf8a03d
• Instruction ID: 9774ad41022acf7daa0a83bd420ffb3a4ea76793d581f8584dd09e494754e083
• Opcode Fuzzy Hash: ecdde268955636ddf46a110a59ba85b8b314e827159f5e1b6f7ac25cedf8a03d
• Instruction Fuzzy Hash: 5A212931104B149FCA256B26DC49A1ABBE1EF40325B108B2DE1F642AF1CB72A851EF44
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00C81C9A
  • Part of subcall function 00C8AB38: GetCurrentProcessId.KERNEL32(00000000,76233530,00000000,?,?,?,?,00CD5900,00C7C07B,.vbs,?,?,?,?,?,00CE42F8), ref: 00C8AB5F
  • Part of subcall function 00C876B6: CloseHandle.KERNEL32(00C73AB9,?,?,00C73AB9,00CD5324), ref: 00C876CC
  • Part of subcall function 00C876B6: CloseHandle.KERNEL32(00CD5324,?,?,00C73AB9,00CD5324), ref: 00C876D5
• Sleep.KERNEL32(0000000A,00CD5324), ref: 00C81DEC
• Sleep.KERNEL32(0000000A,00CD5324,00CD5324), ref: 00C81E8E
• Sleep.KERNEL32(0000000A,00CD5324,00CD5324,00CD5324), ref: 00C81F30
• DeleteFileW.KERNEL32(00000000,00CD5324,00CD5324,00CD5324), ref: 00C81F91
• DeleteFileW.KERNEL32(00000000,00CD5324,00CD5324,00CD5324), ref: 00C81FC8
• DeleteFileW.KERNEL32(00000000,00CD5324,00CD5324,00CD5324), ref: 00C82004
• Sleep.KERNEL32(000001F4,00CD5324,00CD5324,00CD5324), ref: 00C8201E
• Sleep.KERNEL32(00000064), ref: 00C82060
  • Part of subcall function 00C74468: send.WS2_32(?,00000000,00000000,00000000), ref: 00C744FD
Memory Dump Source
• Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
Similarity
• API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
• String ID: /stext "
• API String ID: 1223786279-3856184850
• Opcode ID: bc1945e688aa07f128af02cb5da448500642561c2a12ae51019b23961c4f7406
• Instruction ID: a8fb99cd95b0d21e262b6a51960d8507262e41fc90695e687374294dfa26b484
• Opcode Fuzzy Hash: bc1945e688aa07f128af02cb5da448500642561c2a12ae51019b23961c4f7406
• Instruction Fuzzy Hash: EF0241315083818BD328FB64D8A5AEFB3D5AFE0710F54892DF88E42192EF309A4DD756
APIs
  • Part of subcall function 00CC4650: CreateFileW.KERNEL32(00000000,00000000,?,00CC4A2B,?,?,00000000,?,00CC4A2B,00000000,0000000C), ref: 00CC466D
• GetLastError.KERNEL32 ref: 00CC4A96
• __dosmaperr.LIBCMT ref: 00CC4A9D
• GetFileType.KERNEL32(00000000), ref: 00CC4AA9
• GetLastError.KERNEL32 ref: 00CC4AB3
• __dosmaperr.LIBCMT ref: 00CC4ABC
• CloseHandle.KERNEL32(00000000), ref: 00CC4ADC
• CloseHandle.KERNEL32(?), ref: 00CC4C26
• GetLastError.KERNEL32 ref: 00CC4C58
• __dosmaperr.LIBCMT ref: 00CC4C5F
Memory Dump Source
• Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
Similarity
• API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
• String ID: H
• API String ID: 4237864984-2852464175
• Opcode ID: 5c42e7af87dac217429057e0232bd45aca6ce2433e96c1110f3622d70372b6d9
• Instruction ID: 8ba26753326421b041d6b64312b5b4eb0326aafa09f26ce42185896a324beb5a
• Opcode Fuzzy Hash: 5c42e7af87dac217429057e0232bd45aca6ce2433e96c1110f3622d70372b6d9
• Instruction Fuzzy Hash: 84A1F332A145548FDF1D9F68D8A2BAE7BB0EB06320F18425DF8219F3A1DA318D52DB51
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  • API ID:
                                                                                  • String ID: 65535$udp
                                                                                  • API String ID: 0-1267037602
                                                                                  • Opcode ID: fe792295f6bc0582348b146f1d84a81a5358b2969f9c2ea76db549f4a35c5596
                                                                                  • Instruction ID: 93fb3059c75570d530e12294c70f9f4052da6808621f7c94486ab7fa04477dfc
                                                                                  • Opcode Fuzzy Hash: fe792295f6bc0582348b146f1d84a81a5358b2969f9c2ea76db549f4a35c5596
                                                                                  • Instruction Fuzzy Hash: 4841E871605381ABD720BB29DD05B2B77D8EF44F48F04292EF8A197290D765CF409B6E
                                                                                  APIs
                                                                                    • Part of subcall function 00C81699: TerminateProcess.KERNEL32(00000000,pth_unenc,00C7E670), ref: 00C816A9
                                                                                    • Part of subcall function 00C81699: WaitForSingleObject.KERNEL32(000000FF), ref: 00C816BC
                                                                                    • Part of subcall function 00C8265D: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,00CE42F8), ref: 00C82679
                                                                                    • Part of subcall function 00C8265D: RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,00000000,00000208,?), ref: 00C82692
                                                                                    • Part of subcall function 00C8265D: RegCloseKey.KERNELBASE(00000000), ref: 00C8269D
                                                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 00C7C6C7
                                                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00CD5900,00CD5900,00000000), ref: 00C7C826
                                                                                  • ExitProcess.KERNEL32 ref: 00C7C832
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                                                  • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                                                  • API String ID: 1913171305-2411266221
                                                                                  • Opcode ID: a69eb8a23965363c9de6877a293a85752a4e5bfc85ce20c107aa675d62b55acf
                                                                                  • Instruction ID: 313cf9dcce546fe0a03cbaf87f0453832ac4e818cd61674587ff3047634f726c
                                                                                  • Opcode Fuzzy Hash: a69eb8a23965363c9de6877a293a85752a4e5bfc85ce20c107aa675d62b55acf
                                                                                  • Instruction Fuzzy Hash: A9414F329001185BDB18F764DC96DFE7779AF60710F44817AF90AA3192EF306E86EB91
                                                                                  APIs
                                                                                  • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00C71AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00CA93B9
                                                                                  • GetLastError.KERNEL32(?,?,00C71AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00CA93C6
                                                                                  • __dosmaperr.LIBCMT ref: 00CA93CD
                                                                                  • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00C71AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00CA93F9
                                                                                  • GetLastError.KERNEL32(?,?,?,00C71AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00CA9403
                                                                                  • __dosmaperr.LIBCMT ref: 00CA940A
                                                                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00C71AD8,?), ref: 00CA944D
                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,00C71AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00CA9457
                                                                                  • __dosmaperr.LIBCMT ref: 00CA945E
                                                                                  • _free.LIBCMT ref: 00CA946A
                                                                                  • _free.LIBCMT ref: 00CA9471
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                                                  • String ID:
                                                                                  • API String ID: 2441525078-0
                                                                                  • Opcode ID: c069a15075eb8315f091a5d7a6b65c1083386687ffa2c4f5dfe9fcf43206562e
                                                                                  • Instruction ID: f38766f7cfde786f17811b4a23b68c972713f4656173224fb946e22019e938c8
                                                                                  • Opcode Fuzzy Hash: c069a15075eb8315f091a5d7a6b65c1083386687ffa2c4f5dfe9fcf43206562e
                                                                                  • Instruction Fuzzy Hash: 023185B140410ABBDF11AFA5CC46EEE7B78EF06368F144159F920562A1DB358D11EB61
                                                                                  APIs
                                                                                  • SetEvent.KERNEL32(?,?), ref: 00C74E71
                                                                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00C74F21
                                                                                  • TranslateMessage.USER32(?), ref: 00C74F30
                                                                                  • DispatchMessageA.USER32(?), ref: 00C74F3B
                                                                                  • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00CE3F80), ref: 00C74FF3
                                                                                  • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00C7502B
                                                                                    • Part of subcall function 00C74468: send.WS2_32(?,00000000,00000000,00000000), ref: 00C744FD
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                                                  • String ID: CloseChat$DisplayMessage$GetMessage
                                                                                  • API String ID: 2956720200-749203953
                                                                                  • Opcode ID: da8ec65e062ae08f82c3bce55b181387443535c23a3944a69fbb4755ae181193
                                                                                  • Instruction ID: 915ad6ccfecd2c5696180928fccb66abb7f20866e2ad8f3c0c53b95259c40aaa
                                                                                  • Opcode Fuzzy Hash: da8ec65e062ae08f82c3bce55b181387443535c23a3944a69fbb4755ae181193
                                                                                  • Instruction Fuzzy Hash: 7C41C4726043409BCB14FBB8DC5AE6E77A9AB81710F048A1DFD1987191EF34DA04E752
                                                                                  APIs
                                                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,00C895F8,00000000,00000000), ref: 00C89C94
                                                                                  • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,00C895F8,00000000,00000000), ref: 00C89CAB
                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00C895F8,00000000,00000000), ref: 00C89CB8
                                                                                  • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00C895F8,00000000,00000000), ref: 00C89CC7
                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00C895F8,00000000,00000000), ref: 00C89CD8
                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00C895F8,00000000,00000000), ref: 00C89CDB
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  • API ID: Service$CloseHandle$Open$ControlManager
                                                                                  • String ID:
                                                                                  • API String ID: 221034970-0
                                                                                  • Opcode ID: 2befdf50d16c3a9830da0bbee8b9afda35b8d9bcca1d7a5a84826531859418c4
                                                                                  • Instruction ID: b83074dda2cd7cda388493281bed532bc36f9fe0e7d3c8830750390b628237cf
                                                                                  • Opcode Fuzzy Hash: 2befdf50d16c3a9830da0bbee8b9afda35b8d9bcca1d7a5a84826531859418c4
                                                                                  • Instruction Fuzzy Hash: 8711A532A01118AFD7116B65DC89FFF3BBCEB457A4B140116F916D2180DB648D06AFB1
                                                                                  APIs
                                                                                  • _free.LIBCMT ref: 00CB6DDF
                                                                                    • Part of subcall function 00CB6AC5: HeapFree.KERNEL32(00000000,00000000,?,00CBFA50,00000000,00000000,00000000,00000000,?,00CBFCF4,00000000,00000007,00000000,?,00CC0205,00000000), ref: 00CB6ADB
                                                                                    • Part of subcall function 00CB6AC5: GetLastError.KERNEL32(00000000,?,00CBFA50,00000000,00000000,00000000,00000000,?,00CBFCF4,00000000,00000007,00000000,?,00CC0205,00000000,00000000), ref: 00CB6AED
                                                                                  • _free.LIBCMT ref: 00CB6DEB
                                                                                  • _free.LIBCMT ref: 00CB6DF6
                                                                                  • _free.LIBCMT ref: 00CB6E01
                                                                                  • _free.LIBCMT ref: 00CB6E0C
                                                                                  • _free.LIBCMT ref: 00CB6E17
                                                                                  • _free.LIBCMT ref: 00CB6E22
                                                                                  • _free.LIBCMT ref: 00CB6E2D
                                                                                  • _free.LIBCMT ref: 00CB6E38
                                                                                  • _free.LIBCMT ref: 00CB6E46
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                  • String ID:
                                                                                  • API String ID: 776569668-0
                                                                                  • Opcode ID: b004990fbdd1b110696e9373d49494ae8cfd650a6beade0db05820535127fc70
                                                                                  • Instruction ID: 0559bfb66256f6985b2fffc3a641a7e78785a7eac943e1d5a1ebedab9ec44667
                                                                                  • Opcode Fuzzy Hash: b004990fbdd1b110696e9373d49494ae8cfd650a6beade0db05820535127fc70
                                                                                  • Instruction Fuzzy Hash: CC116076500108AFCF01EF94CC42CD93BA9EF04754F55C4A5BA099F622DB35EA64BF80
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 00C8912D
                                                                                  • GdiplusStartup.GDIPLUS(00CE3AF0,?,00000000), ref: 00C8915F
                                                                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 00C891EB
                                                                                  • Sleep.KERNEL32(000003E8), ref: 00C8926D
                                                                                  • GetLocalTime.KERNEL32(?), ref: 00C8927C
                                                                                  • Sleep.KERNEL32(00000000,00000018,00000000), ref: 00C89365
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                                                  • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                                                                  • API String ID: 489098229-3790400642
                                                                                  • Opcode ID: edb98a31c862c2ee5bc616b6925935f91b34135dfbcc3400b2323c8da4b90352
                                                                                  • Instruction ID: b1ef6597c066cba5495030288524ec4276d832b6ec4cd1e9a8acdfc73b9faa40
                                                                                  • Opcode Fuzzy Hash: edb98a31c862c2ee5bc616b6925935f91b34135dfbcc3400b2323c8da4b90352
                                                                                  • Instruction Fuzzy Hash: FF51B071E002949ACF14FBB8CC5AAFE7BB9AB51304F484069F84AA7192EF344E45E751
                                                                                  APIs
                                                                                  • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00CC5DAF), ref: 00CC515C
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  • API ID: DecodePointer
                                                                                  • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                                                  • API String ID: 3527080286-3064271455
                                                                                  • Opcode ID: cbf690dfd90a2697b4f0e939e390341ac5453b3e8a9b2a862d2b3a8cacdce6a2
                                                                                  • Instruction ID: df45a42d516ec61274a6b37de4989fb12b434173bafb5e9ec1028154473d7f7b
                                                                                  • Opcode Fuzzy Hash: cbf690dfd90a2697b4f0e939e390341ac5453b3e8a9b2a862d2b3a8cacdce6a2
                                                                                  • Instruction Fuzzy Hash: F6517EB1900D49CBCF14DF59D94CBACBBB4FB49340F28028DD451AB264CB75AAA4CB18
                                                                                  APIs
                                                                                  • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00C8665C
                                                                                    • Part of subcall function 00C8B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00C79F65), ref: 00C8B633
                                                                                  • Sleep.KERNEL32(00000064), ref: 00C86688
                                                                                  • DeleteFileW.KERNEL32(00000000), ref: 00C866BC
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  • API ID: File$CreateDeleteExecuteShellSleep
                                                                                  • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                                                  • API String ID: 1462127192-2001430897
                                                                                  • Opcode ID: e3d13a1f1b0089b7ab78419c977fa7ba06bd1c5c132dc4568a818a3d780cea81
                                                                                  • Instruction ID: 82daf44b9993252e927439ae1681e7a28161f5587f061c71b1c9fe627e515a76
                                                                                  • Opcode Fuzzy Hash: e3d13a1f1b0089b7ab78419c977fa7ba06bd1c5c132dc4568a818a3d780cea81
                                                                                  • Instruction Fuzzy Hash: A33165319001199BDB18FBA4DCA6EFE7778AF10714F048129F90A631D2EF305E8ADB94
                                                                                  APIs
                                                                                  • GetCurrentProcess.KERNEL32(00CE4A28,00000000,00CE42E0,00003000,00000004,00000000,00000001), ref: 00C76647
                                                                                  • GetCurrentProcess.KERNEL32(00CE4A28,00000000,00008000,?,00000000,00000001,00000000,00C768BB,C:\Users\user\Desktop\SHROsQyiAd.exe), ref: 00C76705
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  • API ID: CurrentProcess
                                                                                  • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                                                                  • API String ID: 2050909247-4242073005
                                                                                  • Opcode ID: a5c53be15534cb58bba4c88bb53513bc899c6ac323e3ce6b90b5cb3e022e1e00
                                                                                  • Instruction ID: 584e08e2369bd77cd5a9c31987bca5060ed868704c582a81fa0256ccd0375db4
                                                                                  • Opcode Fuzzy Hash: a5c53be15534cb58bba4c88bb53513bc899c6ac323e3ce6b90b5cb3e022e1e00
                                                                                  • Instruction Fuzzy Hash: B53109B1650B40AFD300EFB5DC86F5E77B8FB04766F518529F5058B261EB70D800AB68
                                                                                  APIs
                                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00C8C988
                                                                                    • Part of subcall function 00C8CA1F: RegisterClassExA.USER32(00000030), ref: 00C8CA6C
                                                                                    • Part of subcall function 00C8CA1F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 00C8CA87
                                                                                    • Part of subcall function 00C8CA1F: GetLastError.KERNEL32 ref: 00C8CA91
                                                                                  • ExtractIconA.SHELL32(00000000,?,00000000), ref: 00C8C9BF
                                                                                  • lstrcpynA.KERNEL32(00CE3B68,Remcos,00000080), ref: 00C8C9D9
                                                                                  • Shell_NotifyIconA.SHELL32(00000000,00CE3B50), ref: 00C8C9EF
                                                                                  • TranslateMessage.USER32(?), ref: 00C8C9FB
                                                                                  • DispatchMessageA.USER32(?), ref: 00C8CA05
                                                                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00C8CA12
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                                                  • String ID: Remcos
                                                                                  • API String ID: 1970332568-165870891
                                                                                  • Opcode ID: 3de97cb023bc3d941783a31e8fd3aeb98f91f40d3eabe58296e7216787ca8357
                                                                                  • Instruction ID: 2059999bc9e55fecc4fb47f1ab869d3b1b0921164b8c90624be03e3a676709f0
                                                                                  • Opcode Fuzzy Hash: 3de97cb023bc3d941783a31e8fd3aeb98f91f40d3eabe58296e7216787ca8357
                                                                                  • Instruction Fuzzy Hash: 9F012DB19042C8ABD7109FA6EC8CFAE7BBDEB85B04F004155F602D70A0D7B8A245DF24
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: a4fbb3c880a245afd3f765ad9e59b1809990bac7fa8e020243db4a78b47e5230
                                                                                  • Instruction ID: 46cf52fc9ac67c25d2c1abde7a3740c8a71c5271eb2bc682baa31d34b0fbcf12
                                                                                  • Opcode Fuzzy Hash: a4fbb3c880a245afd3f765ad9e59b1809990bac7fa8e020243db4a78b47e5230
                                                                                  • Instruction Fuzzy Hash: 07C1A370D042899FDF15DFA9C841BEDBBB4AF4A310F184159E424AB392CBB49E45CB71
                                                                                  APIs
                                                                                  • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,00CC2E03,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00CC2BD6
                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,00CC2E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00CC2C59
                                                                                  • __alloca_probe_16.LIBCMT ref: 00CC2C91
                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,00CC2E03,?,00CC2E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00CC2CEC
                                                                                  • __alloca_probe_16.LIBCMT ref: 00CC2D3B
                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00CC2E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00CC2D03
                                                                                    • Part of subcall function 00CB6AFF: HeapAlloc.KERNEL32(00000000,00C7E5AC,00000000,?,00CA3627,00C7E5AC,?,00C72BE9,00CE42E0,00C72F1C,00000000,00CE42E0,00C784A8,?,?,00CE42E0), ref: 00CB6B31
                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00CC2E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00CC2D7F
                                                                                  • __freea.LIBCMT ref: 00CC2DAA
                                                                                  • __freea.LIBCMT ref: 00CC2DB6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocHeapInfo
                                                                                  • String ID:
                                                                                  • API String ID: 3256262068-0
                                                                                  • Opcode ID: 91ad4cf650c70fef3d82a2aa55be39563b6eacf0a57a2db8e802cc81dae86767
                                                                                  • Instruction ID: 42c4b05dd046d359f5d067cb8ce3bc93cfa3f1b0896e4664608bbb5902d8e9ca
                                                                                  • Opcode Fuzzy Hash: 91ad4cf650c70fef3d82a2aa55be39563b6eacf0a57a2db8e802cc81dae86767
                                                                                  • Instruction Fuzzy Hash: 9391C172E102169BDF248E64C8A1FEEBBB5EF19710F14065DE816E7281DB35DD80CBA0
                                                                                  APIs
                                                                                    • Part of subcall function 00CB6EBF: GetLastError.KERNEL32(?,00000000,00CB0A45,?,00C8AB73,-00CE5D4C,?,?,?,?,00CD5900,00C7C07B,.vbs), ref: 00CB6EC3
                                                                                    • Part of subcall function 00CB6EBF: _free.LIBCMT ref: 00CB6EF6
                                                                                    • Part of subcall function 00CB6EBF: SetLastError.KERNEL32(00000000,?,00C8AB73,-00CE5D4C,?,?,?,?,00CD5900,00C7C07B,.vbs), ref: 00CB6F37
                                                                                    • Part of subcall function 00CB6EBF: _abort.LIBCMT ref: 00CB6F3D
                                                                                  • _memcmp.LIBVCRUNTIME ref: 00CB46A3
                                                                                  • _free.LIBCMT ref: 00CB4714
                                                                                  • _free.LIBCMT ref: 00CB472D
                                                                                  • _free.LIBCMT ref: 00CB475F
                                                                                  • _free.LIBCMT ref: 00CB4768
                                                                                  • _free.LIBCMT ref: 00CB4774
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  • API ID: _free$ErrorLast$_abort_memcmp
                                                                                  • String ID: C
                                                                                  • API String ID: 1679612858-1037565863
                                                                                  • Opcode ID: 0d4a6412681c5f7cfd8b49ea717d4cba29a427daa29c85de4c49d61439140773
                                                                                  • Instruction ID: 8ba5ebd64dea392b07457a1d045514a82f031887196c8aff1b690396489e8903
                                                                                  • Opcode Fuzzy Hash: 0d4a6412681c5f7cfd8b49ea717d4cba29a427daa29c85de4c49d61439140773
                                                                                  • Instruction Fuzzy Hash: 62B13A75A052299FDB28DF18C884BEDB7B4FF08304F1485AAE959A7351D731AE90CF40
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  • API ID:
                                                                                  • String ID: tcp$udp
                                                                                  • API String ID: 0-3725065008
                                                                                  • Opcode ID: e5c7bb08fe22a728f569a9fbb5abf5dd1d5c6ae02e6a06a11b8e848e75b7666f
                                                                                  • Instruction ID: 2f2f7508d6841f47fe89c7e08b2b2f3ba46bb43459c1e56c2fbcc42da4ae9e39
                                                                                  • Opcode Fuzzy Hash: e5c7bb08fe22a728f569a9fbb5abf5dd1d5c6ae02e6a06a11b8e848e75b7666f
                                                                                  • Instruction Fuzzy Hash: D671BF706083928FDB28EF55C44463BBAE4AF84B48F00152EF8A597251D774CF04DB9A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  • API ID: Eventinet_ntoa
                                                                                  • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
                                                                                  • API String ID: 3578746661-168337528
                                                                                  • Opcode ID: 108b114f3f16223662d85a571bdfeba229534fa9b00b8a326fb82d56e910b41b
                                                                                  • Instruction ID: a8b7bdcda1754a0c21f6c029866d9c55265456bfa8371c3a4777273337d41d7f
                                                                                  • Opcode Fuzzy Hash: 108b114f3f16223662d85a571bdfeba229534fa9b00b8a326fb82d56e910b41b
                                                                                  • Instruction Fuzzy Hash: 9D51F771A043409BCB55F778DC5AB6E36A5AF80704F58451AFC198B2D2DF309E08EB96
                                                                                  APIs
                                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00CD5554), ref: 00C86F24
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00C86F2D
                                                                                  • DeleteFileA.KERNEL32(00000000), ref: 00C86F3C
                                                                                  • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00C86EF0
                                                                                    • Part of subcall function 00C74468: send.WS2_32(?,00000000,00000000,00000000), ref: 00C744FD
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
                                                                                  • String ID: <$@$Temp
                                                                                  • API String ID: 1107811701-1032778388
                                                                                  • Opcode ID: 72352168dd7eb869ccdc1023fa77dda56aed71918de299372c9d092a2800443a
                                                                                  • Instruction ID: 6a17cf8dc9c407b07e4bcf74e76ec5110ab6d64395561a8b24ea464acddab9db
                                                                                  • Opcode Fuzzy Hash: 72352168dd7eb869ccdc1023fa77dda56aed71918de299372c9d092a2800443a
                                                                                  • Instruction Fuzzy Hash: 7F31AD329002099BDB04FBA4DC56FFE7739AF50304F048268F90A660E1EF345E89DB90
                                                                                  APIs
                                                                                  • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00CD5454,?,?,00000000,00C77273,00000000,?,0000000A,00000000), ref: 00C76C38
                                                                                  • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00C77273,00000000,?,0000000A,00000000), ref: 00C76C80
                                                                                    • Part of subcall function 00C74468: send.WS2_32(?,00000000,00000000,00000000), ref: 00C744FD
                                                                                  • CloseHandle.KERNEL32(00000000,?,?,00000000,00C77273,00000000,?,0000000A,00000000,00000000), ref: 00C76CC0
                                                                                  • MoveFileW.KERNEL32(00000000,00000000), ref: 00C76CDD
                                                                                  • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00C76D08
                                                                                  • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00C76D18
                                                                                    • Part of subcall function 00C7455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,00C7460E,00000000,?,?), ref: 00C7456A
                                                                                    • Part of subcall function 00C7455B: SetEvent.KERNEL32(?,?,?,00C7460E,00000000,?,?), ref: 00C74588
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                                                  • String ID: .part
                                                                                  • API String ID: 1303771098-3499674018
                                                                                  • Opcode ID: e5e0c2d6218469e0f1877286533c795d8dffbe6569afb659bdc67d6afc4ecf81
                                                                                  • Instruction ID: bf830084e67f6cda6e0b5be0178b3f7896a02da50b0a1a5255fb7a3f0e4e282a
                                                                                  • Opcode Fuzzy Hash: e5e0c2d6218469e0f1877286533c795d8dffbe6569afb659bdc67d6afc4ecf81
                                                                                  • Instruction Fuzzy Hash: 9931A0715083419FC310EF24DD49EAFB7A8FB84751F048A2EF9D992151DB30AE489B92
                                                                                  APIs
                                                                                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00CAD564,00CAD564,?,?,?,00CB9BA1,00000001,00000001,1AE85006), ref: 00CB99AA
                                                                                  • __alloca_probe_16.LIBCMT ref: 00CB99E2
                                                                                  • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00CB9BA1,00000001,00000001,1AE85006,?,?,?), ref: 00CB9A30
                                                                                  • __alloca_probe_16.LIBCMT ref: 00CB9AC7
                                                                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,1AE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00CB9B2A
                                                                                  • __freea.LIBCMT ref: 00CB9B37
                                                                                    • Part of subcall function 00CB6AFF: HeapAlloc.KERNEL32(00000000,00C7E5AC,00000000,?,00CA3627,00C7E5AC,?,00C72BE9,00CE42E0,00C72F1C,00000000,00CE42E0,00C784A8,?,?,00CE42E0), ref: 00CB6B31
                                                                                  • __freea.LIBCMT ref: 00CB9B40
                                                                                  • __freea.LIBCMT ref: 00CB9B65
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocHeap
                                                                                  • String ID:
                                                                                  • API String ID: 2597970681-0
                                                                                  • Opcode ID: 9b692909e8b7b5d7d8ac994ae05c342d5213bfde12afb57d9ef43bff90889f76
                                                                                  • Instruction ID: 41e1c12650d8266c2a32beab8bef3ae92501a2284b120dd55281c95ab97c255c
                                                                                  • Opcode Fuzzy Hash: 9b692909e8b7b5d7d8ac994ae05c342d5213bfde12afb57d9ef43bff90889f76
                                                                                  • Instruction Fuzzy Hash: A151E072A10216AFEF258F64DC81FEB77AAEB80750F144628FE25E6150EB34DD40A660
                                                                                  APIs
                                                                                  • SendInput.USER32 ref: 00C88B08
                                                                                  • SendInput.USER32(00000001,?,0000001C), ref: 00C88B30
                                                                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00C88B57
                                                                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00C88B75
                                                                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00C88B95
                                                                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00C88BBA
                                                                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00C88BDC
                                                                                  • SendInput.USER32(00000001,?,0000001C), ref: 00C88BFF
                                                                                    • Part of subcall function 00C88AB1: MapVirtualKeyA.USER32(00000000,00000000), ref: 00C88AB7
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  • API ID: InputSend$Virtual
                                                                                  • String ID:
                                                                                  • API String ID: 1167301434-0
                                                                                  • Opcode ID: afc30ca0df7af9c6c22e606aa4863c4f3b8a38dbbf00d233c418ac7c00807d34
                                                                                  • Instruction ID: b67a87ea2a2b97917a4f7521f1143e6de236d48c7b2e4d21885f9619ee008a00
                                                                                  • Opcode Fuzzy Hash: afc30ca0df7af9c6c22e606aa4863c4f3b8a38dbbf00d233c418ac7c00807d34
                                                                                  • Instruction Fuzzy Hash: 20319371248345AAE210EF65DC41F9FFBECAFC5B44F44080FB58497191DAA0894C97AB
                                                                                  APIs
                                                                                  • OpenClipboard.USER32 ref: 00C85A46
                                                                                  • EmptyClipboard.USER32 ref: 00C85A54
                                                                                  • CloseClipboard.USER32 ref: 00C85A5A
                                                                                  • OpenClipboard.USER32 ref: 00C85A61
                                                                                  • GetClipboardData.USER32(0000000D), ref: 00C85A71
                                                                                  • GlobalLock.KERNEL32(00000000), ref: 00C85A7A
                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 00C85A83
                                                                                  • CloseClipboard.USER32 ref: 00C85A89
                                                                                    • Part of subcall function 00C74468: send.WS2_32(?,00000000,00000000,00000000), ref: 00C744FD
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                                                  • String ID:
                                                                                  • API String ID: 2172192267-0
                                                                                  • Opcode ID: f8f5479e3649c31baa789c35161a9cbe612c69202720cde9d74c2ec494533599
                                                                                  • Instruction ID: d8537429d2cda9c097c7826b8b56a4436ded42cb74d53762e62ea8ea8320f510
                                                                                  • Opcode Fuzzy Hash: f8f5479e3649c31baa789c35161a9cbe612c69202720cde9d74c2ec494533599
                                                                                  • Instruction Fuzzy Hash: E30171322082409FC714BBB5EC5AFAE77A9EF90711F48462EFD1A82171DF308945AB52
                                                                                  APIs
                                                                                  • _free.LIBCMT ref: 00CB7EBC
                                                                                  • _free.LIBCMT ref: 00CB7EE0
                                                                                  • _free.LIBCMT ref: 00CB8067
                                                                                  • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00CCD478), ref: 00CB8079
                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00CE179C,000000FF,00000000,0000003F,00000000,?,?), ref: 00CB80F1
                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00CE17F0,000000FF,?,0000003F,00000000,?), ref: 00CB811E
                                                                                  • _free.LIBCMT ref: 00CB8233
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                                                  • String ID:
                                                                                  • API String ID: 314583886-0
                                                                                  • Opcode ID: 9deccb9b1f5fe9ba23ac6282c96debc3c36d7c07250278f6f9eb504547feae01
                                                                                  • Instruction ID: 24952d0082e07ed978a93e58e02c4e8ff8ef3230c1d176b0fe2105442a290ae0
                                                                                  • Opcode Fuzzy Hash: 9deccb9b1f5fe9ba23ac6282c96debc3c36d7c07250278f6f9eb504547feae01
                                                                                  • Instruction Fuzzy Hash: CBC10771908245ABCB209F68DC41BFE7BBDEF81750F28429AEC549B291EB308F46D750
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  • API ID: _free
                                                                                  • String ID:
                                                                                  • API String ID: 269201875-0
                                                                                  • Opcode ID: 09e1fc9560ab1c049b0fac3ba22c7dda4eac10fa2d24d396eedf65db06626a8f
                                                                                  • Instruction ID: 8f04cd7a34d2a1cf4ecd9bca5068c06bc77aef68227967412e1d8cc30cbe1d17
                                                                                  • Opcode Fuzzy Hash: 09e1fc9560ab1c049b0fac3ba22c7dda4eac10fa2d24d396eedf65db06626a8f
                                                                                  • Instruction Fuzzy Hash: 5A617D71D00205AFDB20DF69CC41BDEBBB5AB45720F24417AE954EB391D7709A42AB90
                                                                                  APIs
                                                                                  • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,00CBA838,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 00CBA105
                                                                                  • __fassign.LIBCMT ref: 00CBA180
                                                                                  • __fassign.LIBCMT ref: 00CBA19B
                                                                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 00CBA1C1
                                                                                  • WriteFile.KERNEL32(?,FF8BC35D,00000000,00CBA838,00000000,?,?,?,?,?,?,?,?,?,00CBA838,?), ref: 00CBA1E0
                                                                                  • WriteFile.KERNEL32(?,?,00000001,00CBA838,00000000,?,?,?,?,?,?,?,?,?,00CBA838,?), ref: 00CBA219
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                  • String ID:
                                                                                  • API String ID: 1324828854-0
                                                                                  • Opcode ID: 4a516627c2b9b9ab52c252f89ccdf2e3596a02c182a2b4d933eefd21d888e992
                                                                                  • Instruction ID: a66cbb2e5cbc24ef13446f4f4778368093b9dd2a904e246994962fc26346ce6c
                                                                                  • Opcode Fuzzy Hash: 4a516627c2b9b9ab52c252f89ccdf2e3596a02c182a2b4d933eefd21d888e992
                                                                                  • Instruction Fuzzy Hash: 5751A3B1E042499FDB10CFA8DC85BEEBBF8EF09300F14415AE995E7291D7719A41CB62
                                                                                  APIs
                                                                                  • _ValidateLocalCookies.LIBCMT ref: 00CA7AAB
                                                                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 00CA7AB3
                                                                                  • _ValidateLocalCookies.LIBCMT ref: 00CA7B41
                                                                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00CA7B6C
                                                                                  • _ValidateLocalCookies.LIBCMT ref: 00CA7BC1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                  • String ID: csm
                                                                                  • API String ID: 1170836740-1018135373
                                                                                  • Opcode ID: 6d0ed01b1d072be14b920f7b9953d28cbe112458f732701458db94360f30c076
                                                                                  • Instruction ID: 88f1ad66cddfe2fc47d76f4c2dfba7d28480a08c8e04b030cf9746c251905fe8
                                                                                  • Opcode Fuzzy Hash: 6d0ed01b1d072be14b920f7b9953d28cbe112458f732701458db94360f30c076
                                                                                  • Instruction Fuzzy Hash: 8B411470A0420BABCF10DF69DC85A9EBBB5BF4631CF148255E8255B392D731DE51CBA0
                                                                                  APIs
                                                                                  • _strftime.LIBCMT ref: 00C71AD3
                                                                                    • Part of subcall function 00C71BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00C71C54
                                                                                  • waveInUnprepareHeader.WINMM(00CE1AC0,00000020,00000000,?), ref: 00C71B85
                                                                                  • waveInPrepareHeader.WINMM(00CE1AC0,00000020), ref: 00C71BC3
                                                                                  • waveInAddBuffer.WINMM(00CE1AC0,00000020), ref: 00C71BD2
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                                                  • String ID: %Y-%m-%d %H.%M$.wav
                                                                                  • API String ID: 3809562944-3597965672
                                                                                  • Opcode ID: f2bc6b4f66af0f0597c8f851fae05b678c93d2fdcb960a7bb1208b802ca2d55e
                                                                                  • Instruction ID: d345e4f38fd8dc5ae6bd8a874b510f2c8b1661df1e5efe930758ad2247f4156b
                                                                                  • Opcode Fuzzy Hash: f2bc6b4f66af0f0597c8f851fae05b678c93d2fdcb960a7bb1208b802ca2d55e
                                                                                  • Instruction Fuzzy Hash: 263180715043409FC314EB24DC56FAE7BE4FB54310F48893DF95A861A1EF306A59EB52
                                                                                  APIs
                                                                                    • Part of subcall function 00C82513: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00C82537
                                                                                    • Part of subcall function 00C82513: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00C82554
                                                                                    • Part of subcall function 00C82513: RegCloseKey.KERNELBASE(?), ref: 00C8255F
                                                                                  • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 00C7B76C
                                                                                  • PathFileExistsA.SHLWAPI(?), ref: 00C7B779
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                                                  • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                                                  • API String ID: 1133728706-4073444585
                                                                                  • Opcode ID: 9349083361b058e21e5c778a6d9f813ec54883d0f57eb25c14a8e49c0bf0bc1a
                                                                                  • Instruction ID: f0f9531633de30685889a2eb69b94a188bc87fd28d6e42c6e0223d2ec0f174bb
                                                                                  • Opcode Fuzzy Hash: 9349083361b058e21e5c778a6d9f813ec54883d0f57eb25c14a8e49c0bf0bc1a
                                                                                  • Instruction Fuzzy Hash: FC217171940118ABCB04F7F4CC6BEEE7778AF91710F448119FA0A67282EF60AE09D791
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 4ef55f9c4d1566bae83594829fffa64cba2e0fe488cedddc21f35b6335fd58cb
                                                                                  • Instruction ID: 4cbbee41248f52ddb2ee02475dd4648c0779ef5b3d9bbc71b09728fccf2fff12
                                                                                  • Opcode Fuzzy Hash: 4ef55f9c4d1566bae83594829fffa64cba2e0fe488cedddc21f35b6335fd58cb
                                                                                  • Instruction Fuzzy Hash: 24112471908605FBCB202F76CC05FAF7AACEF82370B100298F825C7251DA349841E6A0
                                                                                  APIs
                                                                                    • Part of subcall function 00CBFA22: _free.LIBCMT ref: 00CBFA4B
                                                                                  • _free.LIBCMT ref: 00CBFD29
                                                                                    • Part of subcall function 00CB6AC5: HeapFree.KERNEL32(00000000,00000000,?,00CBFA50,00000000,00000000,00000000,00000000,?,00CBFCF4,00000000,00000007,00000000,?,00CC0205,00000000), ref: 00CB6ADB
                                                                                    • Part of subcall function 00CB6AC5: GetLastError.KERNEL32(00000000,?,00CBFA50,00000000,00000000,00000000,00000000,?,00CBFCF4,00000000,00000007,00000000,?,00CC0205,00000000,00000000), ref: 00CB6AED
                                                                                  • _free.LIBCMT ref: 00CBFD34
                                                                                  • _free.LIBCMT ref: 00CBFD3F
                                                                                  • _free.LIBCMT ref: 00CBFD93
                                                                                  • _free.LIBCMT ref: 00CBFD9E
                                                                                  • _free.LIBCMT ref: 00CBFDA9
                                                                                  • _free.LIBCMT ref: 00CBFDB4
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                  • String ID:
                                                                                  • API String ID: 776569668-0
                                                                                  • Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                                                  • Instruction ID: d63b1c313aaca60c239516e5b70d5c67af608ef67317ad94ac601b4c2e87f0a7
                                                                                  • Opcode Fuzzy Hash: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                                                  • Instruction Fuzzy Hash: 52112171651B04BAEA24FBB0CC07FCB77DCAF04700F844C29B29EA6652EB69B5167750
                                                                                  APIs
                                                                                  • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\SHROsQyiAd.exe), ref: 00C76835
                                                                                    • Part of subcall function 00C76764: _wcslen.LIBCMT ref: 00C76788
                                                                                    • Part of subcall function 00C76764: CoGetObject.OLE32(?,00000024,00CD59B0,00000000), ref: 00C767E9
                                                                                  • CoUninitialize.OLE32 ref: 00C7688E
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: InitializeObjectUninitialize_wcslen
                                                                                  • String ID: C:\Users\user\Desktop\SHROsQyiAd.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                                                  • API String ID: 3851391207-4010065956
                                                                                  • Opcode ID: a237ccb06ae775de343a39d8735a7482bfae6d7b90eba028efb9677d3deeb0ab
                                                                                  • Instruction ID: ee45165657831398c4f563285de616c7a379a4e342f584c595e548471712a6aa
                                                                                  • Opcode Fuzzy Hash: a237ccb06ae775de343a39d8735a7482bfae6d7b90eba028efb9677d3deeb0ab
                                                                                  • Instruction Fuzzy Hash: 84019E72345B116FE228AB21DC0AF7B6798DF41766F20812EF5599A2C1EA91AC005B62
                                                                                  APIs
                                                                                  • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 00C7B2E4
                                                                                  • GetLastError.KERNEL32 ref: 00C7B2EE
                                                                                  Strings
                                                                                  • [Chrome Cookies found, cleared!], xrefs: 00C7B314
                                                                                  • UserProfile, xrefs: 00C7B2B4
                                                                                  • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 00C7B2AF
                                                                                  • [Chrome Cookies not found], xrefs: 00C7B308
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: DeleteErrorFileLast
                                                                                  • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                                                  • API String ID: 2018770650-304995407
                                                                                  • Opcode ID: d4b6de6b9c4298b88c4cf86386e410c98400070be59d3b0272d39da8401e3080
                                                                                  • Instruction ID: b9f836f6522af948fc499db40c9fa84232246605ff09a585c25d74e8f1d8f76a
                                                                                  • Opcode Fuzzy Hash: d4b6de6b9c4298b88c4cf86386e410c98400070be59d3b0272d39da8401e3080
                                                                                  • Instruction Fuzzy Hash: 370128326405049B8B04BBB8CD6FEBE3728AD21B14B44811AF91A532E2FF119F84E681
                                                                                  APIs
                                                                                  • AllocConsole.KERNEL32(00CE4358), ref: 00C8BEB9
                                                                                  • ShowWindow.USER32(00000000,00000000), ref: 00C8BED2
                                                                                  • SetConsoleOutputCP.KERNEL32(000004E4), ref: 00C8BEF7
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Console$AllocOutputShowWindow
                                                                                  • String ID: Remcos v$5.3.0 Pro$CONOUT$
                                                                                  • API String ID: 2425139147-2527699604
                                                                                  • Opcode ID: f67afaca5a3101c94f35ed58a89cbce47a222bb6d498d4e890d5a11a5a65e7b2
                                                                                  • Instruction ID: 259e82ec438bff63ec9bd344a8ef1618d3b926827b8dfa7ab7e061e2bffab67c
                                                                                  • Opcode Fuzzy Hash: f67afaca5a3101c94f35ed58a89cbce47a222bb6d498d4e890d5a11a5a65e7b2
                                                                                  • Instruction Fuzzy Hash: 960162B1990349BFDA00FBF18D4BFDE37AC9B14B04F540422B714A71D2DBA5EA049B25
                                                                                  APIs
                                                                                    • Part of subcall function 00C8A686: GetLocalTime.KERNEL32(00000000), ref: 00C8A6A0
                                                                                  • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00C89F64
                                                                                  • PlaySoundW.WINMM(00000000,00000000), ref: 00C89F72
                                                                                  • Sleep.KERNEL32(00002710), ref: 00C89F79
                                                                                  • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00C89F82
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: PlaySound$HandleLocalModuleSleepTime
                                                                                  • String ID: Alarm triggered$`#v
                                                                                  • API String ID: 614609389-3049340936
                                                                                  • Opcode ID: 3ff3f33f7771af285b6ac10839ddc26ce3147a9cf8dbf39a13aa30a31b0827fb
                                                                                  • Instruction ID: 7b503d9eaa416634dd0aaa1fb2319080184ab981c3947b9d56e4d53b822c63e8
                                                                                  • Opcode Fuzzy Hash: 3ff3f33f7771af285b6ac10839ddc26ce3147a9cf8dbf39a13aa30a31b0827fb
                                                                                  • Instruction Fuzzy Hash: 5BE04F26F0412077952433BAAD0FE6F3E39DEC2B71745016FFA0856295EE4009019BF3
                                                                                  APIs
                                                                                  • __allrem.LIBCMT ref: 00CA9789
                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CA97A5
                                                                                  • __allrem.LIBCMT ref: 00CA97BC
                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CA97DA
                                                                                  • __allrem.LIBCMT ref: 00CA97F1
                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CA980F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                  • String ID:
                                                                                  • API String ID: 1992179935-0
                                                                                  • Opcode ID: 9c67cb4fed110ca44ac0cc586ac5e74db1fc7c48150eab0f41685f45472ef8a2
                                                                                  • Instruction ID: 45590f2e4049219e99dab2934bf79fd17b63f4ea72e58727e730e5f381d63e38
                                                                                  • Opcode Fuzzy Hash: 9c67cb4fed110ca44ac0cc586ac5e74db1fc7c48150eab0f41685f45472ef8a2
                                                                                  • Instruction Fuzzy Hash: D6812A72A00B179BE7249E79CC43BAA73E8EF42728F24412DF521D66D1EB74DE019B50
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: __cftoe
                                                                                  • String ID:
                                                                                  • API String ID: 4189289331-0
                                                                                  • Opcode ID: a68595126246a42a82befbfbded5dda6a509d9c4fbed4c44691bf013d94ff81c
                                                                                  • Instruction ID: 61a80bde7dc5b1950287c81b4fc3a9b49951f14b7dca220b5d863b81a2bddc0e
                                                                                  • Opcode Fuzzy Hash: a68595126246a42a82befbfbded5dda6a509d9c4fbed4c44691bf013d94ff81c
                                                                                  • Instruction Fuzzy Hash: 0F513B32908205BBDF289B69CC81FEE77B9EF49724F244219F925D61C3DF35DA00A664
APIs
Strings
• API ID: __freea$__alloca_probe_16
• String ID: a/p$am/pm
• API String ID: 3509577899-3206640213
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00C89507,00000000,00000000), ref: 00C89DFC
• OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00C89507,00000000,00000000), ref: 00C89E10
• CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00C89507,00000000,00000000), ref: 00C89E1D
• ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00C89507), ref: 00C89E52
• CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00C89507,00000000,00000000), ref: 00C89E64
• CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00C89507,00000000,00000000), ref: 00C89E67
• API ID: Service$CloseHandle$Open$ChangeConfigManager
• String ID:
• API String ID: 493672254-0
APIs
• GetLastError.KERNEL32(?,?,00CA7DFD,00CA77B1), ref: 00CA7E14
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00CA7E22
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00CA7E3B
• SetLastError.KERNEL32(00000000,?,00CA7DFD,00CA77B1), ref: 00CA7E8D
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
APIs
• GetLastError.KERNEL32(?,00000000,00CB0A45,?,00C8AB73,-00CE5D4C,?,?,?,?,00CD5900,00C7C07B,.vbs), ref: 00CB6EC3
• _free.LIBCMT ref: 00CB6EF6
• _free.LIBCMT ref: 00CB6F1E
• SetLastError.KERNEL32(00000000,?,00C8AB73,-00CE5D4C,?,?,?,?,00CD5900,00C7C07B,.vbs), ref: 00CB6F2B
• SetLastError.KERNEL32(00000000,?,00C8AB73,-00CE5D4C,?,?,?,?,00CD5900,00C7C07B,.vbs), ref: 00CB6F37
• _abort.LIBCMT ref: 00CB6F3D
• API ID: ErrorLast$_free$_abort
• String ID:
• API String ID: 3160817290-0
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,00C8979B,00000000,00000000), ref: 00C89C2F
• OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,00C8979B,00000000,00000000), ref: 00C89C43
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00C8979B,00000000,00000000), ref: 00C89C50
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00C8979B,00000000,00000000), ref: 00C89C5F
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00C8979B,00000000,00000000), ref: 00C89C71
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00C8979B,00000000,00000000), ref: 00C89C74
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
• API String ID: 221034970-0
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00C89697,00000000,00000000), ref: 00C89D96
• OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00C89697,00000000,00000000), ref: 00C89DAA
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00C89697,00000000,00000000), ref: 00C89DB7
• ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,00C89697,00000000,00000000), ref: 00C89DC6
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00C89697,00000000,00000000), ref: 00C89DD8
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00C89697,00000000,00000000), ref: 00C89DDB
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
• API String ID: 221034970-0
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00C89719,00000000,00000000), ref: 00C89D31
• OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00C89719,00000000,00000000), ref: 00C89D45
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00C89719,00000000,00000000), ref: 00C89D52
• ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00C89719,00000000,00000000), ref: 00C89D61
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00C89719,00000000,00000000), ref: 00C89D73
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00C89719,00000000,00000000), ref: 00C89D76
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
• API String ID: 221034970-0
APIs
• GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\SHROsQyiAd.exe,00000104), ref: 00CB2714
• _free.LIBCMT ref: 00CB27DF
• _free.LIBCMT ref: 00CB27E9
Strings
• API ID: _free$FileModuleName
• String ID: C:\Users\user\Desktop\SHROsQyiAd.exe$5
• API String ID: 2506810119-1592904007
APIs
  • Part of subcall function 00C82584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 00C825A6
  • Part of subcall function 00C82584: RegQueryValueExW.ADVAPI32(?,00C7E0BA,00000000,00000000,?,00000400), ref: 00C825C5
  • Part of subcall function 00C82584: RegCloseKey.ADVAPI32(?), ref: 00C825CE
  • Part of subcall function 00C8B15B: GetCurrentProcess.KERNEL32(?,?,?,00C7C914,WinDir,00000000,00000000), ref: 00C8B16C
• _wcslen.LIBCMT ref: 00C8A8F6
Strings
• API ID: CloseCurrentOpenProcessQueryValue_wcslen
• String ID: .exe$http\shell\open\command$program files (x86)\$program files\
• API String ID: 37874593-4246244872
APIs
• GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 00C7A884
• wsprintfW.USER32 ref: 00C7A905
  • Part of subcall function 00C79D58: SetEvent.KERNEL32(?,?,00000000,00C7A91C,00000000), ref: 00C79D84
Strings
• API ID: EventLocalTimewsprintf
• String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
• API String ID: 1497725170-248792730
APIs
• RegisterClassExA.USER32(00000030), ref: 00C8CA6C
• CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 00C8CA87
• GetLastError.KERNEL32 ref: 00C8CA91
Strings
• API ID: ClassCreateErrorLastRegisterWindow
• String ID: 0$MsgWindowClass
• API String ID: 2877667751-2410386613
APIs
• CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00C76A00
• CloseHandle.KERNEL32(?), ref: 00C76A0F
• CloseHandle.KERNEL32(?), ref: 00C76A14
Strings
• /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 00C769F6
• C:\Windows\System32\cmd.exe, xrefs: 00C769FB
• API ID: CloseHandle$CreateProcess
• String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
• API String ID: 2922976086-4183131282
                                                                                  APIs
                                                                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00CB258A,00000003,?,00CB252A,00000003,00CDDAE0,0000000C,00CB2681,00000003,00000002), ref: 00CB25F9
                                                                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00CB260C
                                                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,00CB258A,00000003,?,00CB252A,00000003,00CDDAE0,0000000C,00CB2681,00000003,00000002,00000000), ref: 00CB262F
                                                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                                                  • String ID: CorExitProcess$mscoree.dll
                                                                                  • API String ID: 4061214504-1276376045
                                                                                  APIs
                                                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00CE45A8,00C84DB5,00000000,00000000,00000001), ref: 00C74AED
                                                                                  • SetEvent.KERNEL32(?), ref: 00C74AF9
                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C74B04
                                                                                  • CloseHandle.KERNEL32(?), ref: 00C74B0D
                                                                                    • Part of subcall function 00C8A686: GetLocalTime.KERNEL32(00000000), ref: 00C8A6A0
                                                                                  • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                                                  • String ID: KeepAlive | Disabled
                                                                                  • API String ID: 2993684571-305739064
                                                                                  APIs
                                                                                  • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,00C8BF02), ref: 00C8BE79
                                                                                  • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,00C8BF02), ref: 00C8BE86
                                                                                  • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,00C8BF02), ref: 00C8BE93
                                                                                  • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,00C8BF02), ref: 00C8BEA6
                                                                                  Strings
                                                                                  • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 00C8BE99
                                                                                  • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                                                  • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                                                  • API String ID: 3024135584-2418719853
                                                                                  APIs
                                                                                  • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00C7143A
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00C71441
                                                                                  • API ID: AddressHandleModuleProc
                                                                                  • String ID: GetCursorInfo$User32.dll$`#v
                                                                                  • API String ID: 1646373207-1032071883
                                                                                  APIs
                                                                                    • Part of subcall function 00C805B9: SetLastError.KERNEL32(0000000D,00C80B38,?,00000000), ref: 00C805BF
                                                                                  • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00C80B15), ref: 00C80BC4
                                                                                  • GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00C80C2A
                                                                                  • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00C80C31
                                                                                  • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00C80D3F
                                                                                  • SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00C80B15), ref: 00C80D69
                                                                                  • API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
                                                                                  • String ID:
                                                                                  • API String ID: 3525466593-0
                                                                                  APIs
                                                                                    • Part of subcall function 00CB6AFF: HeapAlloc.KERNEL32(00000000,00C7E5AC,00000000,?,00CA3627,00C7E5AC,?,00C72BE9,00CE42E0,00C72F1C,00000000,00CE42E0,00C784A8,?,?,00CE42E0), ref: 00CB6B31
                                                                                  • _free.LIBCMT ref: 00CB4086
                                                                                  • _free.LIBCMT ref: 00CB409D
                                                                                  • _free.LIBCMT ref: 00CB40BC
                                                                                  • _free.LIBCMT ref: 00CB40D7
                                                                                  • _free.LIBCMT ref: 00CB40EE
                                                                                  • API ID: _free$AllocHeap
                                                                                  • String ID:
                                                                                  • API String ID: 1835388192-0
                                                                                  APIs
                                                                                  • Sleep.KERNEL32(00000000), ref: 00C73E8A
                                                                                    • Part of subcall function 00C73FCD: __EH_prolog.LIBCMT ref: 00C73FD2
                                                                                  • API ID: H_prologSleep
                                                                                  • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
                                                                                  • API String ID: 3469354165-3547787478
                                                                                  APIs
                                                                                    • Part of subcall function 00C8B15B: GetCurrentProcess.KERNEL32(?,?,?,00C7C914,WinDir,00000000,00000000), ref: 00C8B16C
                                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C7E6C1
                                                                                  • Process32FirstW.KERNEL32(00000000,?), ref: 00C7E6E5
                                                                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 00C7E6F4
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00C7E8AB
                                                                                    • Part of subcall function 00C8B187: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00C7E4D0,00000000,?,?,00CE4358), ref: 00C8B19C
                                                                                    • Part of subcall function 00C8B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 00C8B395
                                                                                    • Part of subcall function 00C8B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 00C8B3A8
                                                                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 00C7E89C
                                                                                  • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                                                  • String ID:
                                                                                  • API String ID: 4269425633-0
                                                                                  • API ID: _free
                                                                                  • String ID:
                                                                                  • API String ID: 269201875-0
                                                                                  APIs
                                                                                  • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00CAE3ED,?,00000000,?,00000001,?,?,00000001,00CAE3ED,?), ref: 00CBFF20
                                                                                  • __alloca_probe_16.LIBCMT ref: 00CBFF58
                                                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00CBFFA9
                                                                                  • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00CA99BF,?), ref: 00CBFFBB
                                                                                  • __freea.LIBCMT ref: 00CBFFC4
                                                                                    • Part of subcall function 00CB6AFF: HeapAlloc.KERNEL32(00000000,00C7E5AC,00000000,?,00CA3627,00C7E5AC,?,00C72BE9,00CE42E0,00C72F1C,00000000,00CE42E0,00C784A8,?,?,00CE42E0), ref: 00CB6B31
                                                                                  • API ID: ByteCharMultiWide$AllocHeapStringType__alloca_probe_16__freea
                                                                                  • String ID:
                                                                                  • API String ID: 1857427562-0
                                                                                  APIs
                                                                                  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00C7197B
                                                                                  • waveInOpen.WINMM(00CE1AF8,000000FF,00CE1B00,Function_00001A8E,00000000,00000000,00000024), ref: 00C71A11
                                                                                  • waveInPrepareHeader.WINMM(00CE1AC0,00000020,00000000), ref: 00C71A66
                                                                                  • waveInAddBuffer.WINMM(00CE1AC0,00000020), ref: 00C71A75
                                                                                  • waveInStart.WINMM ref: 00C71A81
                                                                                  • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                                                  • String ID:
                                                                                  • API String ID: 1356121797-0
                                                                                  APIs
                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00C7FBFC
                                                                                  • int.LIBCPMT ref: 00C7FC0F
                                                                                    • Part of subcall function 00C7CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 00C7CEF1
                                                                                    • Part of subcall function 00C7CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00C7CF0B
                                                                                  • std::_Facet_Register.LIBCPMT ref: 00C7FC4B
                                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00C7FC71
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00C7FC8D
                                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                                  • String ID:
                                                                                  • API String ID: 2536120697-0
                                                                                  • Opcode ID: 17b375315b72c7a572a400e697a9db2d0e7c3331b88cfe89a5bf4f2a7adbb1bc
                                                                                  • Instruction ID: 9dabbab06e6495a88e942afe62ec89227af4ad0bec9c67d95218b33fdcd7cf6c
                                                                                  • Opcode Fuzzy Hash: 17b375315b72c7a572a400e697a9db2d0e7c3331b88cfe89a5bf4f2a7adbb1bc
                                                                                  • Instruction Fuzzy Hash: BD113332900459ABCF15FBA4E882DDDB779AF40318F204068F909A7281EF709F02E391
                                                                                  APIs
                                                                                  • GetEnvironmentStringsW.KERNEL32 ref: 00CBE144
                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CBE167
                                                                                    • Part of subcall function 00CB6AFF: HeapAlloc.KERNEL32(00000000,00C7E5AC,00000000,?,00CA3627,00C7E5AC,?,00C72BE9,00CE42E0,00C72F1C,00000000,00CE42E0,00C784A8,?,?,00CE42E0), ref: 00CB6B31
                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00CBE18D
                                                                                  • _free.LIBCMT ref: 00CBE1A0
                                                                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00CBE1AF
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
                                                                                  • String ID:
                                                                                  • API String ID: 2278895681-0
                                                                                  • Opcode ID: c5388bc572d2e759a878d3f10e817b829641b7da0d4133942dde3f4ec33885c6
                                                                                  • Instruction ID: 31dfddd508f5846326c7a7301d1d46a15c5c08576ef5c1c7d43a3a82e0462888
                                                                                  • Opcode Fuzzy Hash: c5388bc572d2e759a878d3f10e817b829641b7da0d4133942dde3f4ec33885c6
                                                                                  • Instruction Fuzzy Hash: 5401D4B26012217F67215ABE9C8CDFF6A6DDEC2FA17280228FD14D6102DA708D02A5B0
                                                                                  APIs
                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00C7FEDF
                                                                                  • int.LIBCPMT ref: 00C7FEF2
                                                                                    • Part of subcall function 00C7CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 00C7CEF1
                                                                                    • Part of subcall function 00C7CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00C7CF0B
                                                                                  • std::_Facet_Register.LIBCPMT ref: 00C7FF2E
                                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00C7FF54
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00C7FF70
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                                  • String ID:
                                                                                  • API String ID: 2536120697-0
                                                                                  • Opcode ID: 3193682a3f9b742631dcf36b8af42191d14986c587e14da2c883368b941b6eee
                                                                                  • Instruction ID: dd74efb04afd53d920de988eea4b8b0924ceb296c6d33da4360d26b367fe9a38
                                                                                  • Opcode Fuzzy Hash: 3193682a3f9b742631dcf36b8af42191d14986c587e14da2c883368b941b6eee
                                                                                  • Instruction Fuzzy Hash: FC110631900419ABCF05FBE4C8869DDB7B9AF81318B20406CF519A72C1EF709F06E791
                                                                                  APIs
                                                                                  • GetLastError.KERNEL32(00000000,00C7E5AC,?,00CB5359,00CB6B42,00000000,?,00CA3627,00C7E5AC,?,00C72BE9,00CE42E0,00C72F1C,00000000,00CE42E0,00C784A8), ref: 00CB6F48
                                                                                  • _free.LIBCMT ref: 00CB6F7D
                                                                                  • _free.LIBCMT ref: 00CB6FA4
                                                                                  • SetLastError.KERNEL32(00000000,?,00C7E5AC,00CE42E0), ref: 00CB6FB1
                                                                                  • SetLastError.KERNEL32(00000000,?,00C7E5AC,00CE42E0), ref: 00CB6FBA
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorLast$_free
                                                                                  • String ID:
                                                                                  • API String ID: 3170660625-0
                                                                                  • Opcode ID: c4394e3a9b289b932769b7c29b9bb3303bc1b7eb7e40559e2cb84fffcd0afcb3
                                                                                  • Instruction ID: 01b2ba90b8b6eefbed5228e82d3861a3c12af5e8ffe534f36fd25a4fea11c7b4
                                                                                  • Opcode Fuzzy Hash: c4394e3a9b289b932769b7c29b9bb3303bc1b7eb7e40559e2cb84fffcd0afcb3
                                                                                  • Instruction Fuzzy Hash: EC01F93620C70067861263F5FC85FFF272DDBD1761F290228F925A2282EE78CD056960
                                                                                  APIs
                                                                                  • _free.LIBCMT ref: 00CBF7B5
                                                                                    • Part of subcall function 00CB6AC5: HeapFree.KERNEL32(00000000,00000000,?,00CBFA50,00000000,00000000,00000000,00000000,?,00CBFCF4,00000000,00000007,00000000,?,00CC0205,00000000), ref: 00CB6ADB
                                                                                    • Part of subcall function 00CB6AC5: GetLastError.KERNEL32(00000000,?,00CBFA50,00000000,00000000,00000000,00000000,?,00CBFCF4,00000000,00000007,00000000,?,00CC0205,00000000,00000000), ref: 00CB6AED
                                                                                  • _free.LIBCMT ref: 00CBF7C7
                                                                                  • _free.LIBCMT ref: 00CBF7D9
                                                                                  • _free.LIBCMT ref: 00CBF7EB
                                                                                  • _free.LIBCMT ref: 00CBF7FD
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                  • String ID:
                                                                                  • API String ID: 776569668-0
                                                                                  • Opcode ID: 45ed9c7a946e845909ae10d2aecad75de49a958967b6339f38dc9ced2eff761d
                                                                                  • Instruction ID: 800ef49319834875ac0008de5e8b016a9634dd3b8542c075feeb32c2d8c102e4
                                                                                  • Opcode Fuzzy Hash: 45ed9c7a946e845909ae10d2aecad75de49a958967b6339f38dc9ced2eff761d
                                                                                  • Instruction Fuzzy Hash: AFF01232504240BB8A20DB68ECC5E9E73E9AB41B14F78481DF414FB651CB74FDD19EA4
                                                                                  APIs
                                                                                  • _free.LIBCMT ref: 00CB3305
                                                                                    • Part of subcall function 00CB6AC5: HeapFree.KERNEL32(00000000,00000000,?,00CBFA50,00000000,00000000,00000000,00000000,?,00CBFCF4,00000000,00000007,00000000,?,00CC0205,00000000), ref: 00CB6ADB
                                                                                    • Part of subcall function 00CB6AC5: GetLastError.KERNEL32(00000000,?,00CBFA50,00000000,00000000,00000000,00000000,?,00CBFCF4,00000000,00000007,00000000,?,00CC0205,00000000,00000000), ref: 00CB6AED
                                                                                  • _free.LIBCMT ref: 00CB3317
                                                                                  • _free.LIBCMT ref: 00CB332A
                                                                                  • _free.LIBCMT ref: 00CB333B
                                                                                  • _free.LIBCMT ref: 00CB334C
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                  • String ID:
                                                                                  • API String ID: 776569668-0
                                                                                  • Opcode ID: 9d449008ea9c56211e53354f14b58cbf4117aff65bd843e2281b5966e21603d3
                                                                                  • Instruction ID: 2a36d12125f12965e638e68343ce9a132467463e557de74d4dc5854c308dc723
                                                                                  • Opcode Fuzzy Hash: 9d449008ea9c56211e53354f14b58cbf4117aff65bd843e2281b5966e21603d3
                                                                                  • Instruction Fuzzy Hash: 96F05EB18061A09BCB01AF54FD867ED3B60B744B54B1C012AF8116E672EB3C0976FBC1
                                                                                  APIs
                                                                                  • RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00C82A1D
                                                                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00C82A4C
                                                                                  • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00C82AED
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Enum$InfoQueryValue
                                                                                  • String ID: [regsplt]
                                                                                  • API String ID: 3554306468-4262303796
                                                                                  • Opcode ID: b3dc9ac0ac8377cb18db60b3f8ed9e7549c9cf2ecf6af5b28bc3c8c8474d9f85
                                                                                  • Instruction ID: fde154a5b82e6e4f16983eab77f0f1003fd42b04b3ec6a7889b680adf3f73aeb
                                                                                  • Opcode Fuzzy Hash: b3dc9ac0ac8377cb18db60b3f8ed9e7549c9cf2ecf6af5b28bc3c8c8474d9f85
                                                                                  • Instruction Fuzzy Hash: 2E514E72108344AFD324EB64DC55DAFB7ECEF84704F00492EF99A82151EB70EA09DB62
                                                                                  APIs
                                                                                  • _strpbrk.LIBCMT ref: 00CBD4A8
                                                                                  • _free.LIBCMT ref: 00CBD5C5
                                                                                    • Part of subcall function 00CAA854: IsProcessorFeaturePresent.KERNEL32(00000017,00CAA826,00C7E5AC,?,?,00CE42F8,00000000,00000000,00000000,?,00CAA846,00000000,00000000,00000000,00000000,00000000), ref: 00CAA856
                                                                                    • Part of subcall function 00CAA854: GetCurrentProcess.KERNEL32(C0000417,?,00C7E5AC,00CE42E0), ref: 00CAA878
                                                                                    • Part of subcall function 00CAA854: TerminateProcess.KERNEL32(00000000,?,00C7E5AC,00CE42E0), ref: 00CAA87F
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                                                  • String ID: *?$.
                                                                                  • API String ID: 2812119850-3972193922
                                                                                  • Opcode ID: dbad545dedeb202f26215854c3da024dc0fb99b6c0e3b260b863dc96475f25f4
                                                                                  • Instruction ID: dc10ddf761fea25856a6aa9c08001e09f28921847a8a45f29e81a6e8ca655b0e
                                                                                  • Opcode Fuzzy Hash: dbad545dedeb202f26215854c3da024dc0fb99b6c0e3b260b863dc96475f25f4
                                                                                  • Instruction Fuzzy Hash: 4651C4B1E0020AAFDF24CFA8C881AEDB7F5EF58314F24416AE455E7341E6359E05DB50
                                                                                  APIs
                                                                                    • Part of subcall function 00C7A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 00C7A884
                                                                                    • Part of subcall function 00C7A876: wsprintfW.USER32 ref: 00C7A905
                                                                                    • Part of subcall function 00C8A686: GetLocalTime.KERNEL32(00000000), ref: 00C8A6A0
                                                                                  • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 00C7A691
                                                                                  • CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 00C7A69D
                                                                                  • CreateThread.KERNEL32(00000000,00000000,00C799C1,?,00000000,00000000), ref: 00C7A6A9
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CreateThread$LocalTime$wsprintf
                                                                                  • String ID: Online Keylogger Started
                                                                                  • API String ID: 112202259-1258561607
                                                                                  • Opcode ID: bc5a6b01b6a0eeefe32547aa3a6fe526147f35a02ce84feea13b3d2ae53a4cae
                                                                                  • Instruction ID: 68b983317ceb936d467e8c114d7eedd9b77529a29ba646bf9fdf332f6849586a
                                                                                  • Opcode Fuzzy Hash: bc5a6b01b6a0eeefe32547aa3a6fe526147f35a02ce84feea13b3d2ae53a4cae
                                                                                  • Instruction Fuzzy Hash: 5B01F591B002083EFB2076788CCBD7F7E7DCAC23A8B44442DFA4916182E9605D0593F7
                                                                                  APIs
                                                                                  • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00C74B26), ref: 00C74B40
                                                                                  • CloseHandle.KERNEL32(?,?,?,?,00C74B26), ref: 00C74B98
                                                                                  • SetEvent.KERNEL32(?,?,?,?,00C74B26), ref: 00C74BA7
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CloseEventHandleObjectSingleWait
                                                                                  • String ID: Connection Timeout
                                                                                  • API String ID: 2055531096-499159329
                                                                                  • Opcode ID: dfacebc4c60771a4e3371641867592d4b64f1466799793b0f4433cc2a6fd8fcf
                                                                                  • Instruction ID: 42c9a185ff846ead550920fb1e1952306e37caa734901fb246a588fc463313c5
                                                                                  • Opcode Fuzzy Hash: dfacebc4c60771a4e3371641867592d4b64f1466799793b0f4433cc2a6fd8fcf
                                                                                  • Instruction Fuzzy Hash: C3012831900F40DF932AAB3ACC4695EBFE5EF05311300462EE5A746A20DB20D800DB52
                                                                                  Strings
                                                                                  • C:\Users\user\Desktop\SHROsQyiAd.exe, xrefs: 00C76927
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: C:\Users\user\Desktop\SHROsQyiAd.exe
                                                                                  • API String ID: 0-734936187
                                                                                  • Opcode ID: b842996836b0e39e865b33cebf2ca774bd3297e39123910d6f4f03ce6148944e
                                                                                  • Instruction ID: d8c7b3611745c4f31684b151f7ffed9151c014248bbcaf85ab8b412f51a76782
                                                                                  • Opcode Fuzzy Hash: b842996836b0e39e865b33cebf2ca774bd3297e39123910d6f4f03ce6148944e
                                                                                  • Instruction Fuzzy Hash: 50F024B0B00650DBCF042B75AC19B3E3609EB80362F048531FA5ADE2A1EB708941DB90
                                                                                  APIs
                                                                                  • RegCreateKeyW.ADVAPI32(80000001,00000000,00CE42E0), ref: 00C8277F
                                                                                  • RegSetValueExW.ADVAPI32(00CE42E0,?,00000000,00000001,00000000,00000000,00CE42F8,?,00C7E5CB,pth_unenc,00CE42E0), ref: 00C827AD
                                                                                  • RegCloseKey.ADVAPI32(00CE42E0,?,00C7E5CB,pth_unenc,00CE42E0), ref: 00C827B8
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CloseCreateValue
                                                                                  • String ID: pth_unenc
                                                                                  • API String ID: 1818849710-4028850238
                                                                                  • Opcode ID: 126638cdb909eff2563797b7130845b5736fb8bd4eeb7997374818f3f458aff1
                                                                                  • Instruction ID: 8301551cd1143329dc5580fbecb04fd7a61f9ded455589441cdcdb9f09845686
                                                                                  • Opcode Fuzzy Hash: 126638cdb909eff2563797b7130845b5736fb8bd4eeb7997374818f3f458aff1
                                                                                  • Instruction Fuzzy Hash: BBF06D71500118BBDF10AFA0ED4AFEE376CEB40790F108614FD1696050EB319B04EB60
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 00C7CDC9
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00C7CE08
  • Part of subcall function 00CA47BD: _Yarn.LIBCPMT ref: 00CA47DC
  • Part of subcall function 00CA47BD: _Yarn.LIBCPMT ref: 00CA4800
• __CxxThrowException@8.LIBVCRUNTIME ref: 00C7CE2C
Memory Dump Source
• Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
Similarity
• API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
• String ID: bad locale name
• API String ID: 3628047217-1405518554
• Opcode ID: fcfee67d9983d232d78a3c79ff9ba9d76688408d4709d3ca85eedb29ba483605
• Instruction ID: 9550341c92a8102b75e6aae97ab4b335e2038661574d9390628c9992408000fb
• Opcode Fuzzy Hash: fcfee67d9983d232d78a3c79ff9ba9d76688408d4709d3ca85eedb29ba483605
• Instruction Fuzzy Hash: 52F04F33400205EAC728FB60E857DDAB7A49F19794B90C5ADF61A524D2EF70AA08D694
APIs
• ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00C851F4
Memory Dump Source
• Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
Similarity
• API ID: ExecuteShell
• String ID: /C $cmd.exe$open
• API String ID: 587946157-3896048727
• Opcode ID: 75749b9b78d4cd86150e36222e7c210fc37272601b1ef93b9c2e2892353bdcc2
• Instruction ID: bdd191055b7198b019fcaf7029e32a483fcd2fa99082b1b5ca948cf7727e4a09
• Opcode Fuzzy Hash: 75749b9b78d4cd86150e36222e7c210fc37272601b1ef93b9c2e2892353bdcc2
• Instruction Fuzzy Hash: 0BE06570104340AEC708F764DCA9C7FB7AD9A90744F04982DB94652191DF309D04AA15
APIs
• TerminateThread.KERNEL32(00C799A9,00000000,00CE42F8,pth_unenc,00C7BF26,00CE42E0,00CE42F8,?,pth_unenc), ref: 00C7AFC9
• UnhookWindowsHookEx.USER32(00CE40F8), ref: 00C7AFD5
• TerminateThread.KERNEL32(00C79993,00000000,?,pth_unenc), ref: 00C7AFE3
Memory Dump Source
• Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
Similarity
• API ID: TerminateThread$HookUnhookWindows
• String ID: pth_unenc
• API String ID: 3123878439-4028850238
• Opcode ID: b1f61bd632e9fba8bed93198908f2fc8bc5ac3e6b1735e5b159f49852c7a4280
• Instruction ID: fe2bc8a10d32ab697f9ddb5fe6721099105ba7970c87a0e0ce187ba5cbea4318
• Opcode Fuzzy Hash: b1f61bd632e9fba8bed93198908f2fc8bc5ac3e6b1735e5b159f49852c7a4280
• Instruction Fuzzy Hash: 6BE01271209256EFE3201FE0DC88E2DBBAAEA84395314853EF7CA81120C6754C44CF51
APIs
• LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 00C714DF
• GetProcAddress.KERNEL32(00000000), ref: 00C714E6
Memory Dump Source
• Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetLastInputInfo$User32.dll
• API String ID: 2574300362-1519888992
• Opcode ID: d15e01cbac1f8ad7f7f6d13bbf70d215c5a8ecbfc0521a2d58657e5706b062ca
• Instruction ID: d642811249e352b2657312ff8ec4da9c6ee6a422e623d1710509617e21fc0044
• Opcode Fuzzy Hash: d15e01cbac1f8ad7f7f6d13bbf70d215c5a8ecbfc0521a2d58657e5706b062ca
• Instruction Fuzzy Hash: 78B092B8584381DBCB301BA0EC0DF1D7AA4FA48742701452AF203C12A0CB740400AF20
Memory Dump Source
• Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
Similarity
• API ID: __alldvrm$_strrchr
• API String ID: 1036877536-0
• Opcode ID: 356596f341ec539a94dfe36e390bc51e19313ec426e60b5603d27ca0cdfe98ae
• Instruction ID: cc8c41bd083014f5702a9d75749f57be2f885cd14b8c93159def83a439fde2e1
• Opcode Fuzzy Hash: 356596f341ec539a94dfe36e390bc51e19313ec426e60b5603d27ca0cdfe98ae
• Instruction Fuzzy Hash: A1A16A769043869FEB21CF98C881BFEBBEAEF15350F18416DE5949B281CA34CE49C750
Memory Dump Source
• Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
Similarity
• API ID: _free
• API String ID: 269201875-0
• Opcode ID: 857b94336e3fc5ab441c74f721345463d2e0aabcf9189d2ed3aa07ae9a833777
• Instruction ID: 067e49afc177bb64403b9bd0a2c86a98b17ad42e69b14a89521a62ad1b54f7ab
• Opcode Fuzzy Hash: 857b94336e3fc5ab441c74f721345463d2e0aabcf9189d2ed3aa07ae9a833777
• Instruction Fuzzy Hash: 4641E731A009016BDB25BBBACCC6FFE3AA4DF51360F14035DF428D6291DAB45D85B6A1
Memory Dump Source
• Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
Similarity
• Opcode ID: aa848523b99a99fcbba471c348d2a36401b16c37f61d34f4166d735c8635df1c
• Instruction ID: ae34be674eb51bc61237044e4414053e0b303ffc4ddf30da79553dbd13a6a0ec
• Opcode Fuzzy Hash: aa848523b99a99fcbba471c348d2a36401b16c37f61d34f4166d735c8635df1c
• Instruction Fuzzy Hash: 434109B2A00744AFD724AF78CC51BEABBE8EF84710F14452EF511DB281E7B1AA019790
Strings
• [Cleared browsers logins and cookies.], xrefs: 00C7B8DE
• Cleared browsers logins and cookies., xrefs: 00C7B8EF
Memory Dump Source
• Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
Similarity
• API ID: Sleep
• String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
• API String ID: 3472027048-1236744412
• Opcode ID: 088511c0b95140fe3e5338f0ec919569aab18ac2384b399287f562971fb60fde
• Instruction ID: 5ffc2edfa5dee2750c6b63deca05cfc9d851e73e1c6085329c4ebad9cf652838
• Opcode Fuzzy Hash: 088511c0b95140fe3e5338f0ec919569aab18ac2384b399287f562971fb60fde
• Instruction Fuzzy Hash: C8318D1564C3C0AACA156BB858667EE6F964E93754F08C15DF8EC0B3C3DB528E08A363
APIs
  • Part of subcall function 00C8B6E6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00C8B6F6
  • Part of subcall function 00C8B6E6: GetWindowTextLengthW.USER32(00000000), ref: 00C8B6FF
  • Part of subcall function 00C8B6E6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00C8B729
• Sleep.KERNEL32(000001F4), ref: 00C79C95
• Sleep.KERNEL32(00000064), ref: 00C79D1F
Memory Dump Source
• Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
Similarity
• API ID: Window$SleepText$ForegroundLength
• String ID: [ $ ]
• API String ID: 3309952895-93608704
• Opcode ID: 65b71a631e187366df71d76025e97ff0d26f6f10a912cfef93ef07fc7d5f8645
• Instruction ID: 0624a2fafb7c839ecb08f045edeb35bcc0f8547319941a9d0e1e3c1b5840f6b9
• Opcode Fuzzy Hash: 65b71a631e187366df71d76025e97ff0d26f6f10a912cfef93ef07fc7d5f8645
• Instruction Fuzzy Hash: 1A11B1325042009BC618B738DC17AAEB7A8EF51710F40852EF95A121D3EF21AA19A7D7
Memory Dump Source
• Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
Similarity
• Opcode ID: e7259c0685d8de694ffae0225b48cf57b253cb4d66f2e836629dbb694b1ef34f
• Instruction ID: ae81b620d263e4d6f0b13eac6f0014693371556045c2976c7d0e2c3582810269
• Opcode Fuzzy Hash: e7259c0685d8de694ffae0225b48cf57b253cb4d66f2e836629dbb694b1ef34f
• Instruction Fuzzy Hash: 4901D6B22097157EF6202679ACC1FEB671CDF917B8F340725F931A61E5EB608D04A560
Memory Dump Source
• Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
Similarity
• Opcode ID: c33e12d3981bd594f28f0d353957ef09132b2a404bc3c011e93e8bc1deb7ca0a
• Instruction ID: 5d4a453acc694d276a90a0ec3775e4d066c1fc4132be12574df39b58dce4b6ad
• Opcode Fuzzy Hash: c33e12d3981bd594f28f0d353957ef09132b2a404bc3c011e93e8bc1deb7ca0a
• Instruction Fuzzy Hash: D501A4B22096167EE72156B8BCD4EEB635DDF817B8B341329F431611D5EF308D11E560
APIs
• ___BuildCatchObject.LIBVCRUNTIME ref: 00CA810F
  • Part of subcall function 00CA805C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00CA808B
  • Part of subcall function 00CA805C: ___AdjustPointer.LIBCMT ref: 00CA80A6
• _UnwindNestedFrames.LIBCMT ref: 00CA8124
• __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00CA8135
• CallCatchBlock.LIBVCRUNTIME ref: 00CA815D
Memory Dump Source
• Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
Similarity
• API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
• API String ID: 737400349-0
• Opcode ID: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
• Instruction ID: 6e98330ec95ee4a5b86d614b4de65cd43706b387f3a82177f5b1e988f27b5177
• Opcode Fuzzy Hash: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
• Instruction Fuzzy Hash: 2F014C3250010ABBCF125F95CC46EEF3B69FF4A758F044118FE18A6121DB32E865EBA0
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00CE42F8,00000000,00000000,?,00CB71B7,00CE42F8,00000000,00000000,00000000,?,00CB74E3,00000006,FlsSetValue), ref: 00CB7242
• GetLastError.KERNEL32(?,00CB71B7,00CE42F8,00000000,00000000,00000000,?,00CB74E3,00000006,FlsSetValue,00CCD328,FlsSetValue,00000000,00000364,?,00CB6F91), ref: 00CB724E
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00CB71B7,00CE42F8,00000000,00000000,00000000,?,00CB74E3,00000006,FlsSetValue,00CCD328,FlsSetValue,00000000), ref: 00CB725C
Memory Dump Source
• Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• API String ID: 3177248105-0
• Opcode ID: 2a81c1210149c6693820402e63967d0ba520067a8e35647833344102a87a4d2e
• Instruction ID: ef46135f62e05f33da7c907d8cec45adfcb1757c15b656f16648f6b0171082f4
• Opcode Fuzzy Hash: 2a81c1210149c6693820402e63967d0ba520067a8e35647833344102a87a4d2e
• Instruction Fuzzy Hash: 9301D43265D222EBCB214B69EC44F9A7798EF85BA1F210720FD26E7240D620DD00CAE1
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00C79F65), ref: 00C8B633
• GetFileSize.KERNEL32(00000000,00000000), ref: 00C8B647
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00C8B66C
• CloseHandle.KERNEL32(00000000), ref: 00C8B67A
Memory Dump Source
• Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
Similarity
• API ID: File$CloseCreateHandleReadSize
• API String ID: 3919263394-0
• Opcode ID: 63b9d20d8bcc8b45ad10f88b14c2ff5b348429c57d08e707bbd2c3991a156e55
• Instruction ID: ea9217e9c9dd347ac1327a904658ff246579ef408074e255ff789f68a062c9a4
• Opcode Fuzzy Hash: 63b9d20d8bcc8b45ad10f88b14c2ff5b348429c57d08e707bbd2c3991a156e55
• Instruction Fuzzy Hash: CDF0F6B1205214BFE6142B25EC89FBF375CDB867A8F000329FC0192190DA614D055634
APIs
• GetSystemMetrics.USER32(0000004C), ref: 00C88519
• GetSystemMetrics.USER32(0000004D), ref: 00C8851F
• GetSystemMetrics.USER32(0000004E), ref: 00C88525
• GetSystemMetrics.USER32(0000004F), ref: 00C8852B
Memory Dump Source
• Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
Similarity
• API ID: MetricsSystem
• API String ID: 4116985748-0
• Opcode ID: 606eaa01dc3090180b0ac4ad0d8ebc3bc4b75be77ee30ad2c043ad1471c3b109
• Instruction ID: 1df99f4332b2e5448de42a234216baaa01209a94a4bd480e4c4e68ac79c0ea24
• Opcode Fuzzy Hash: 606eaa01dc3090180b0ac4ad0d8ebc3bc4b75be77ee30ad2c043ad1471c3b109
• Instruction Fuzzy Hash: 9BF02B62B043154BDA00FE798C0451FAB969FC02A4F25092AF50597341EE74EC0957D8
                                                                                  APIs
                                                                                  • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 00C8B395
                                                                                  • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 00C8B3A8
                                                                                  • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 00C8B3D3
                                                                                  • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 00C8B3DB
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CloseHandleOpenProcess
                                                                                  • String ID:
                                                                                  • API String ID: 39102293-0
                                                                                  • Opcode ID: 57beb9108bc05eb8300389fdc294affa618a6c9fa04cdc7052c1f982e4c04775
                                                                                  • Instruction ID: 436fc518e0fd263ff42efd07af180042464629bc830c1845700fdeea533a1d14
                                                                                  • Opcode Fuzzy Hash: 57beb9108bc05eb8300389fdc294affa618a6c9fa04cdc7052c1f982e4c04775
                                                                                  • Instruction Fuzzy Hash: 76F0F471204616BBD3117359DC5EF6FB26CDB44799F000121FA65D22B0EFB08D414B65
                                                                                  APIs
                                                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00C73A2A
                                                                                    • Part of subcall function 00C8AB38: GetCurrentProcessId.KERNEL32(00000000,76233530,00000000,?,?,?,?,00CD5900,00C7C07B,.vbs,?,?,?,?,?,00CE42F8), ref: 00C8AB5F
                                                                                    • Part of subcall function 00C876B6: CloseHandle.KERNEL32(00C73AB9,?,?,00C73AB9,00CD5324), ref: 00C876CC
                                                                                    • Part of subcall function 00C876B6: CloseHandle.KERNEL32(00CD5324,?,?,00C73AB9,00CD5324), ref: 00C876D5
                                                                                    • Part of subcall function 00C8B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00C79F65), ref: 00C8B633
                                                                                  • Sleep.KERNEL32(000000FA,00CD5324), ref: 00C73AFC
                                                                                  Strings
                                                                                  • /sort "Visit Time" /stext ", xrefs: 00C73A76
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                                                  • String ID: /sort "Visit Time" /stext "
                                                                                  • API String ID: 368326130-1573945896
                                                                                  • Opcode ID: 04ade3110d11d5d151825a8d19ec91acbcc3da4e255e6bc3889f7882309b12c2
                                                                                  • Instruction ID: 86d46f37e2a14d3dc1ab3c68d58aa385f514e285f6f3f1d16eb51f77abdbff0b
                                                                                  • Opcode Fuzzy Hash: 04ade3110d11d5d151825a8d19ec91acbcc3da4e255e6bc3889f7882309b12c2
                                                                                  • Instruction Fuzzy Hash: 25318431A001545BCB18F7B8DC9ADFE7775AF90310F448169F80EA7192EF305A4AEB91
                                                                                  APIs
                                                                                  • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00CC0B39,?,00000050,?,?,?,?,?), ref: 00CC09B9
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: ACP$OCP
                                                                                  • API String ID: 0-711371036
                                                                                  • Opcode ID: a3a0e9cf7f794a8827f35afffe84f8f457369b5f26ca0da143daa83d212e4378
                                                                                  • Instruction ID: 4fe5b8aaf3ddbd6182ffdac54672bcf3671bec05087d0e36c20d0a1a77c7bd40
                                                                                  • Opcode Fuzzy Hash: a3a0e9cf7f794a8827f35afffe84f8f457369b5f26ca0da143daa83d212e4378
                                                                                  • Instruction Fuzzy Hash: 1A21C562A14201E6FB349B55C901F9773AAEB94B20F76452CED5AD7202F732DF40C390
                                                                                  APIs
                                                                                    • Part of subcall function 00CA3519: EnterCriticalSection.KERNEL32(00CE0D18,?,00CE5D2C,?,00C7AE8B,00CE5D2C,?,00000000,00000000), ref: 00CA3524
                                                                                    • Part of subcall function 00CA3519: LeaveCriticalSection.KERNEL32(00CE0D18,?,00C7AE8B,00CE5D2C,?,00000000,00000000), ref: 00CA3561
                                                                                    • Part of subcall function 00CA38A5: __onexit.LIBCMT ref: 00CA38AB
                                                                                  • __Init_thread_footer.LIBCMT ref: 00C7AEA7
                                                                                    • Part of subcall function 00CA34CF: EnterCriticalSection.KERNEL32(00CE0D18,00CE5D2C,?,00C7AEAC,00CE5D2C,00CC6D97,?,00000000,00000000), ref: 00CA34D9
                                                                                    • Part of subcall function 00CA34CF: LeaveCriticalSection.KERNEL32(00CE0D18,?,00C7AEAC,00CE5D2C,00CC6D97,?,00000000,00000000), ref: 00CA350C
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
                                                                                  • String ID: [End of clipboard]$[Text copied to clipboard]
                                                                                  • API String ID: 2974294136-3686566968
                                                                                  • Opcode ID: 216a9c665d1147c833650b1e47ff1c5a69d0e5d056bc29f9a9ce9c9b72de6a17
                                                                                  • Instruction ID: d4498d04ca6a471b5c338c99968198ef7fba72a7c3ca58683b1bf62be0c5d89d
                                                                                  • Opcode Fuzzy Hash: 216a9c665d1147c833650b1e47ff1c5a69d0e5d056bc29f9a9ce9c9b72de6a17
                                                                                  • Instruction Fuzzy Hash: A621EA31A001198BCB14FBB8DC96DED7775AF94314F44803AF90A67192EF305E4AD791
                                                                                  APIs
                                                                                  • GetLocalTime.KERNEL32(?,00CE3EE8,00CE45A8,?,?,?,?,?,?,?,00C84D7D,?,00000001,0000004C,00000000), ref: 00C749F1
                                                                                    • Part of subcall function 00C8A686: GetLocalTime.KERNEL32(00000000), ref: 00C8A6A0
                                                                                  • GetLocalTime.KERNEL32(?,00CE3EE8,00CE45A8,?,?,?,?,?,?,?,00C84D7D,?,00000001,0000004C,00000000), ref: 00C74A4E
                                                                                  Strings
                                                                                  • KeepAlive | Enabled | Timeout: , xrefs: 00C749E5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: LocalTime
                                                                                  • String ID: KeepAlive | Enabled | Timeout:
                                                                                  • API String ID: 481472006-1507639952
                                                                                  • Opcode ID: 2ae36602a474470c212424e26a531956efa8227103beb7bfec020bb0b49fe3bb
                                                                                  • Instruction ID: a4b869fa8ab3224d5ff8029fb4918f7e09bba54dc7426e8e0bbe69190aa0f77e
                                                                                  • Opcode Fuzzy Hash: 2ae36602a474470c212424e26a531956efa8227103beb7bfec020bb0b49fe3bb
                                                                                  • Instruction Fuzzy Hash: 0F215B629042C0AFD71DF769CC4A79F7BAC9791325F48800DF80947262EB245609D79B
                                                                                  APIs
                                                                                  • GetLocalTime.KERNEL32(00000000), ref: 00C8A6A0
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: LocalTime
                                                                                  • String ID: | $%02i:%02i:%02i:%03i
                                                                                  • API String ID: 481472006-2430845779
                                                                                  • Opcode ID: 48f433442fbc0197cef80799fdc45692ab618109eb471c34813e7438e9412deb
                                                                                  • Instruction ID: 10ddf7f86958390b4ead5a79221b82199bc2c0ff41b91c4c4e3c38030444f041
                                                                                  • Opcode Fuzzy Hash: 48f433442fbc0197cef80799fdc45692ab618109eb471c34813e7438e9412deb
                                                                                  • Instruction Fuzzy Hash: DC1182725082449BC704FBA4DC559BF73ECAB98700F54852EFC89821D1EF34DA88E756
                                                                                  APIs
                                                                                    • Part of subcall function 00C7A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 00C7A884
                                                                                    • Part of subcall function 00C7A876: wsprintfW.USER32 ref: 00C7A905
                                                                                    • Part of subcall function 00C8A686: GetLocalTime.KERNEL32(00000000), ref: 00C8A6A0
                                                                                  • CloseHandle.KERNEL32(?), ref: 00C7A7CA
                                                                                  • UnhookWindowsHookEx.USER32 ref: 00C7A7DD
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                                                  • String ID: Online Keylogger Stopped
                                                                                  • API String ID: 1623830855-1496645233
                                                                                  • Opcode ID: af5985539f4eb53a4609f496c1de391967be49638644849b912d1af6eb519289
                                                                                  • Instruction ID: 5a3fdbe894f807c057958ece7ed0b9d8eeaf51f68013300e061e5437d0fb179d
                                                                                  • Opcode Fuzzy Hash: af5985539f4eb53a4609f496c1de391967be49638644849b912d1af6eb519289
                                                                                  • Instruction Fuzzy Hash: B7019E31A082009BDB297778CC0B7BD7FB99F81310F84805DF84602192DB615945E7D3
                                                                                  APIs
                                                                                  • GetKeyState.USER32(00000011), ref: 00C7AD5B
                                                                                    • Part of subcall function 00C79B10: GetForegroundWindow.USER32(?,?,00CE40F8), ref: 00C79B3F
                                                                                    • Part of subcall function 00C79B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00C79B4B
                                                                                    • Part of subcall function 00C79B10: GetKeyboardLayout.USER32(00000000), ref: 00C79B52
                                                                                    • Part of subcall function 00C79B10: GetKeyState.USER32(00000010), ref: 00C79B5C
                                                                                    • Part of subcall function 00C79B10: GetKeyboardState.USER32(?,?,00CE40F8), ref: 00C79B67
                                                                                    • Part of subcall function 00C79B10: ToUnicodeEx.USER32(00CE414C,?,?,?,00000010,00000000,00000000), ref: 00C79B8A
                                                                                    • Part of subcall function 00C79B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00C79BE3
                                                                                    • Part of subcall function 00C79D58: SetEvent.KERNEL32(?,?,00000000,00C7A91C,00000000), ref: 00C79D84
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                                                  • String ID: [AltL]$[AltR]
                                                                                  • API String ID: 2738857842-2658077756
                                                                                  • Opcode ID: bbfec1d35a9532878cac9e48b02f692de33ae09fba9c93929b8bc588f145231d
                                                                                  • Instruction ID: 3f192343b7aa8ec87413f8bf0026dcba885922252b8f2e356fdcc7cb89a9dfd5
                                                                                  • Opcode Fuzzy Hash: bbfec1d35a9532878cac9e48b02f692de33ae09fba9c93929b8bc588f145231d
                                                                                  • Instruction Fuzzy Hash: DFE09221740621178A78323EAA2F7FD3D32DB92F61B80814DF88E5BA95DD954E4093D3
                                                                                  APIs
                                                                                  • GetKeyState.USER32(00000012), ref: 00C7ADB5
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: State
                                                                                  • String ID: [CtrlL]$[CtrlR]
                                                                                  • API String ID: 1649606143-2446555240
                                                                                  • Opcode ID: 4cd768b406c4a06fe51590e0bf78fbedec0e7541ae23c520db00f343811f40b4
                                                                                  • Instruction ID: 6f24d42799fd66da97971f2685ae3a37d1211660740dd0838b8214debacc17c2
                                                                                  • Opcode Fuzzy Hash: 4cd768b406c4a06fe51590e0bf78fbedec0e7541ae23c520db00f343811f40b4
                                                                                  • Instruction Fuzzy Hash: EDE08621700711178634363DD71FA7D2921CBA5762F804119F96A4BAC5D9554A4023D3
                                                                                  APIs
                                                                                  • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,00C7BFB2,00000000,00CE42E0,00CE42F8,?,pth_unenc), ref: 00C82988
                                                                                  • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00C82998
                                                                                  Strings
                                                                                  • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00C82986
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: DeleteOpenValue
                                                                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                                                  • API String ID: 2654517830-1051519024
                                                                                  • Opcode ID: b6d80b60a0a3d35d3904c84c1678781043fc5a3345eb2f147f7777e3e18d3908
                                                                                  • Instruction ID: d49311c9d55d8e08f5ac79f0a5547f8dfbea933cd616f4768a23f64cd1a6854d
                                                                                  • Opcode Fuzzy Hash: b6d80b60a0a3d35d3904c84c1678781043fc5a3345eb2f147f7777e3e18d3908
                                                                                  • Instruction Fuzzy Hash: 9EE01270200304BBEF106F61DC0AF9A3BACFB40B88F004164F516E5090E275DE04AB54
                                                                                  APIs
                                                                                  • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 00C7AF84
                                                                                  • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 00C7AFAF
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: DeleteDirectoryFileRemove
                                                                                  • String ID: pth_unenc
                                                                                  • API String ID: 3325800564-4028850238
                                                                                  • Opcode ID: 10cc9c38c4c9bb4c47a2813af1c37b9a2225bced38c24c9be1d0d3c861eb4e69
                                                                                  • Instruction ID: 3b9a8f530b9e787e4c8f8f0f105c126b64a4fe7d0a856fc8e8b7164b1d195023
                                                                                  • Opcode Fuzzy Hash: 10cc9c38c4c9bb4c47a2813af1c37b9a2225bced38c24c9be1d0d3c861eb4e69
                                                                                  • Instruction Fuzzy Hash: 80E08C714006108FCB14AB74DC58BEBB3ACFF05312F04892AF8E793221DF249A49EA90
                                                                                  APIs
                                                                                  • TerminateProcess.KERNEL32(00000000,pth_unenc,00C7E670), ref: 00C816A9
                                                                                  • WaitForSingleObject.KERNEL32(000000FF), ref: 00C816BC
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
Yara matches
Similarity
• API ID: ObjectProcessSingleTerminateWait
• String ID: pth_unenc
• API String ID: 1872346434-4028850238
• Opcode ID: 3f54f4c0accddfac991bb326eb8a5bb6bd3855398d4c83ea4aebad107d531189
• Instruction ID: 47dca5648315fad8130d383e2cb37c706bbb6c7f4d8c6f00653ffd3897803064
• Opcode Fuzzy Hash: 3f54f4c0accddfac991bb326eb8a5bb6bd3855398d4c83ea4aebad107d531189
• Instruction Fuzzy Hash: A3D0C9385491919FE7424B61AC88B4D3AA9E705A22F588306FC21852F0C7354574AA14

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
Yara matches
Similarity
• API ID: CommandLine
• String ID: 5
• API String ID: 3253501508-3632891597
• Opcode ID: b4aedc8b4e0c0deff884830f8abf4814af07dadb05f85e8939ed96f8850cc226
• Instruction ID: 4cab73c0111fc65b96594a2054436e0e477597475744b9fcc3fa38fc6f0913b2
• Opcode Fuzzy Hash: b4aedc8b4e0c0deff884830f8abf4814af07dadb05f85e8939ed96f8850cc226
• Instruction Fuzzy Hash: 36B008798052408B8B419F66EE9C75C3AA0E66861239855A5DC1986A24DA394096AF10

APIs
• MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00C71AD8), ref: 00CAFAF4
• GetLastError.KERNEL32 ref: 00CAFB02
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00CAFB5D
Memory Dump Source
• Source File: 00000006.00000002.4641788822.0000000000C70000.00000040.00000400.00020000.00000000.sdmp, Offset: 00C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c70000_SHROsQyiAd.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$ErrorLast
• String ID:
• API String ID: 1717984340-0
• Opcode ID: b40cedfd14257f3643217aa4d19c1a90b10c34bca184623578cf7255e8ef046c
• Instruction ID: 70c082746407627f864ef1c9e98f957ac3be3d07a5c6315e4009cbc0dda2c025
• Opcode Fuzzy Hash: b40cedfd14257f3643217aa4d19c1a90b10c34bca184623578cf7255e8ef046c
• Instruction Fuzzy Hash: F041C631604257AFCF218FA5D854BBABBB5EF02358F1441BDF869972A5DB308E02D760