

Windows Analysis Report
vP53Ohx5q0.exe

Overview

General Information

Sample name: vP53Ohx5q0.exe (renamed because the original name is a hash value)
Original sample name: 207A0A0F98F554F4B8CE5715F07514C6.exe
Analysis ID: 1429007
MD5: 207a0a0f98f554f4b8ce5715f07514c6
SHA1: 693f287b916c2376573aeff102827961ee1352f4
SHA256: 7f9690a0ca91cfd371100be8d22540405315508650093ab356570bf236abe0ed
Tags: exe, njrat, RAT

Detection

Njrat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Njrat
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Creates multiple autostart registry keys
Disables zone checking for all users
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Uses netsh to modify the Windows network and firewall settings
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • vP53Ohx5q0.exe (PID: 6592 cmdline: "C:\Users\user\Desktop\vP53Ohx5q0.exe" MD5: 207A0A0F98F554F4B8CE5715F07514C6)
    • chargeable.exe (PID: 2720 cmdline: "C:\Users\user\AppData\Roaming\confuse\chargeable.exe" MD5: 2F2F1040DB8F1E8BF6EB249283EB7D0E)
      • chargeable.exe (PID: 7020 cmdline: C:\Users\user\AppData\Roaming\confuse\chargeable.exe MD5: 2F2F1040DB8F1E8BF6EB249283EB7D0E)
        • netsh.exe (PID: 6636 cmdline: netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
          • conhost.exe (PID: 772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • chargeable.exe (PID: 7096 cmdline: "C:\Users\user\AppData\Roaming\confuse\chargeable.exe" MD5: 2F2F1040DB8F1E8BF6EB249283EB7D0E)
    • chargeable.exe (PID: 6564 cmdline: C:\Users\user\AppData\Roaming\confuse\chargeable.exe MD5: 2F2F1040DB8F1E8BF6EB249283EB7D0E)
      • WerFault.exe (PID: 5552 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6564 -s 80 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • chargeable.exe (PID: 5888 cmdline: C:\Users\user\AppData\Roaming\confuse\chargeable.exe MD5: 2F2F1040DB8F1E8BF6EB249283EB7D0E)
  • cleanup
Name: NjRAT
Description: RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives." It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
Attribution:
  • AQUATIC PANDA
  • Earth Lusca
  • Operation C-Major
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat
Malware configuration (Njrat): {"Host": "doddyfire.linkpc.net", "Port": "10000", "Version": "0.7d", "Campaign ID": "neuf", "Install Name": "softcontrol.exe", "Install Dir": "TEMP", "Network Seprator": "|'|'|"}
Source | Rule | Description | Author | Strings
00000002.00000002.1780405380.00000000036D1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
    00000002.00000002.1780405380.00000000036D1000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
    • 0x4070e:$a1: get_Registry
    • 0x417ea:$a2: SEE_MASK_NOZONECHECKS
    • 0x418e6:$a3: Download ERROR
    • 0x417ac:$a4: cmd.exe /c ping 0 -n 2 & del "
    • 0x4173e:$a5: netsh firewall delete allowedprogram "
    00000002.00000002.1780405380.00000000036D1000.00000004.00000800.00020000.00000000.sdmp | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
    • 0x4181a:$a1: netsh firewall add allowedprogram
    • 0x417ea:$a2: SEE_MASK_NOZONECHECKS
    • 0x41a94:$b1: [TAP]
    • 0x417ac:$c3: cmd.exe /c ping
    00000002.00000002.1780405380.00000000036D1000.00000004.00000800.00020000.00000000.sdmp | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
    • 0x417ea:$reg: SEE_MASK_NOZONECHECKS
    • 0x418c2:$msg: Execute ERROR
    • 0x4191e:$msg: Execute ERROR
    • 0x417ac:$ping: cmd.exe /c ping 0 -n 2 & del
    00000007.00000002.1903920925.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
      Source | Rule | Description | Author | Strings
      2.2.chargeable.exe.370da74.0.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
        2.2.chargeable.exe.370da74.0.unpack | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
        • 0x1e9a:$a1: get_Registry
        • 0x2f76:$a2: SEE_MASK_NOZONECHECKS
        • 0x3072:$a3: Download ERROR
        • 0x2f38:$a4: cmd.exe /c ping 0 -n 2 & del "
        • 0x2eca:$a5: netsh firewall delete allowedprogram "
        2.2.chargeable.exe.370da74.0.unpack | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
        • 0x2f38:$x1: cmd.exe /c ping 0 -n 2 & del "
        • 0x3090:$s3: Executed As
        • 0x3072:$s6: Download ERROR
        2.2.chargeable.exe.370da74.0.unpack | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
        • 0x2fa6:$a1: netsh firewall add allowedprogram
        • 0x2f76:$a2: SEE_MASK_NOZONECHECKS
        • 0x3220:$b1: [TAP]
        • 0x2f38:$c3: cmd.exe /c ping
        2.2.chargeable.exe.370da74.0.unpack | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
        • 0x2f76:$reg: SEE_MASK_NOZONECHECKS
        • 0x304e:$msg: Execute ERROR
        • 0x30aa:$msg: Execute ERROR
        • 0x2f38:$ping: cmd.exe /c ping 0 -n 2 & del

        System Summary

        Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\confuse\chargeable.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\vP53Ohx5q0.exe, ProcessId: 6592, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse
        No Snort rule has matched


        AV Detection

        Source: vP53Ohx5q0.exe | Avira: detected
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Avira: detection malicious, Label: TR/Dropper.Gen
        Source: 00000002.00000002.1780405380.00000000036D1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Njrat {"Host": "doddyfire.linkpc.net", "Port": "10000", "Version": "0.7d", "Campaign ID": "neuf", "Install Name": "softcontrol.exe", "Install Dir": "TEMP", "Network Seprator": "|'|'|"}
        Source: vP53Ohx5q0.exe | ReversingLabs: Detection: 86%
        Source: Yara match | File source: 2.2.chargeable.exe.370da74.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 2.2.chargeable.exe.370da74.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000002.00000002.1780405380.00000000036D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.1903920925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: chargeable.exe PID: 2720, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: chargeable.exe PID: 7020, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: chargeable.exe PID: 5888, type: MEMORYSTR
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Joe Sandbox ML: detected
        Source: vP53Ohx5q0.exe | Joe Sandbox ML: detected
        Source: vP53Ohx5q0.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
        Source: vP53Ohx5q0.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

        Networking

        Source: Malware configuration extractor | URLs: doddyfire.linkpc.net
        Source: global traffic | TCP traffic: 192.168.2.4:49740 -> 187.177.82.222:10000
        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknown | DNS traffic detected: queries for: doddyfire.linkpc.net
        Source: chargeable.exe, 00000003.00000002.4126902451.00000000011C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoft.
        Source: chargeable.exe, 00000003.00000002.4126902451.00000000011C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoft.LinkId=42127
        Source: vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
        Source: vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
        Source: vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
        Source: vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
        Source: vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
        Source: vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
        Source: vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
        Source: vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
        Source: vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
        Source: vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
        Source: vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
        Source: vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
        Source: vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
        Source: vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
        Source: vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
        Source: vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
        Source: vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
        Source: vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
        Source: vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
        Source: vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
        Source: vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
        Source: vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
        Source: vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
        Source: vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
        Source: vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
        Source: vP53Ohx5q0.exe, chargeable.exe.0.dr | String found in binary or memory: https://www.sysinternals.com0

        Key, Mouse, Clipboard, Microphone and Screen Capturing

        Source: 2.2.chargeable.exe.370da74.0.raw.unpack, kl.cs | .Net Code: VKCodeToUnicode

        E-Banking Fraud

        Source: Yara match | File source: 2.2.chargeable.exe.370da74.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 2.2.chargeable.exe.370da74.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000002.00000002.1780405380.00000000036D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.1903920925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: chargeable.exe PID: 2720, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: chargeable.exe PID: 7020, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: chargeable.exe PID: 5888, type: MEMORYSTR

        System Summary

        Source: 2.2.chargeable.exe.370da74.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
        Source: 2.2.chargeable.exe.370da74.0.unpack, type: UNPACKEDPEMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
        Source: 2.2.chargeable.exe.370da74.0.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
        Source: 2.2.chargeable.exe.370da74.0.unpack, type: UNPACKEDPEMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
        Source: 2.2.chargeable.exe.370da74.0.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
        Source: 2.2.chargeable.exe.370da74.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
        Source: 2.2.chargeable.exe.370da74.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
        Source: 2.2.chargeable.exe.370da74.0.raw.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
        Source: 2.2.chargeable.exe.370da74.0.raw.unpack, type: UNPACKEDPEMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
        Source: 2.2.chargeable.exe.370da74.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
        Source: 7.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
        Source: 7.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
        Source: 7.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
        Source: 7.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
        Source: 7.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
        Source: 00000002.00000002.1780405380.00000000036D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
        Source: 00000002.00000002.1780405380.00000000036D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
        Source: 00000002.00000002.1780405380.00000000036D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
        Source: 00000007.00000002.1903920925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
        Source: 00000007.00000002.1903920925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
        Source: 00000007.00000002.1903920925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess Stats: CPU usage > 49%
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeCode function: 2_2_05BE0E3E NtResumeThread,2_2_05BE0E3E
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeCode function: 2_2_05BE0EE6 NtWriteVirtualMemory,2_2_05BE0EE6
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeCode function: 2_2_05BE0EB9 NtWriteVirtualMemory,2_2_05BE0EB9
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeCode function: 2_2_05BE0DFA NtResumeThread,2_2_05BE0DFA
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeCode function: 4_2_067A0EE6 NtWriteVirtualMemory,4_2_067A0EE6
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeCode function: 4_2_067A0E3E NtResumeThread,4_2_067A0E3E
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeCode function: 4_2_067A0DFA NtResumeThread,4_2_067A0DFA
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeCode function: 4_2_067A0EB9 NtWriteVirtualMemory,4_2_067A0EB9
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6564 -s 80
        Source: vP53Ohx5q0.exe, 00000000.00000002.1745548958.000000000057E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemscorwks.dllT vs vP53Ohx5q0.exe
        Source: vP53Ohx5q0.exe, 00000000.00000002.1746486569.0000000003741000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename1.exe0 vs vP53Ohx5q0.exe
        Source: vP53Ohx5q0.exe, 00000000.00000002.1747086262.0000000006100000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameb6052.dll4 vs vP53Ohx5q0.exe
        Source: vP53Ohx5q0.exe, 00000000.00000002.1746303399.0000000002741000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameriched20.dllp( vs vP53Ohx5q0.exe
        Source: vP53Ohx5q0.exe, 00000000.00000002.1746303399.0000000002741000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs vP53Ohx5q0.exe
        Source: vP53Ohx5q0.exe, 00000000.00000002.1746303399.0000000002741000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: lU,\\StringFileInfo\\000004B0\\OriginalFilenameL. vs vP53Ohx5q0.exe
        Source: vP53Ohx5q0.exe, 00000000.00000002.1746303399.0000000002741000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameb6052.dll4 vs vP53Ohx5q0.exe
        Source: vP53Ohx5q0.exe, 00000000.00000000.1649138607.0000000000132000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilename1.exe0 vs vP53Ohx5q0.exe
        Source: vP53Ohx5q0.exe, 00000000.00000002.1745659844.0000000000640000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename1.exe0 vs vP53Ohx5q0.exe
        Source: vP53Ohx5q0.exeBinary or memory string: OriginalFilename1.exe0 vs vP53Ohx5q0.exe
        Source: vP53Ohx5q0.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
        Source: 2.2.chargeable.exe.370da74.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
        Source: 2.2.chargeable.exe.370da74.0.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 2.2.chargeable.exe.370da74.0.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
        Source: 2.2.chargeable.exe.370da74.0.unpack, type: UNPACKEDPEMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
        Source: 2.2.chargeable.exe.370da74.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
        Source: 2.2.chargeable.exe.370da74.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
        Source: 2.2.chargeable.exe.370da74.0.raw.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 2.2.chargeable.exe.370da74.0.raw.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
        Source: 2.2.chargeable.exe.370da74.0.raw.unpack, type: UNPACKEDPEMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
        Source: 2.2.chargeable.exe.370da74.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
        Source: 7.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
        Source: 7.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 7.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
        Source: 7.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
        Source: 7.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
        Source: 00000002.00000002.1780405380.00000000036D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
        Source: 00000002.00000002.1780405380.00000000036D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
        Source: 00000002.00000002.1780405380.00000000036D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
        Source: 00000007.00000002.1903920925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
        Source: 00000007.00000002.1903920925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
        Source: 00000007.00000002.1903920925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
        Source: vP53Ohx5q0.exe, MusicExpressMain.csBase64 encoded string: 'H7rrlW34uZ4g7TG29m695QHDWNDM6maH760RUMe2fvs6fBSV9ArU3xwZc58t79bYW92J4Kch8bJvQTXR7ZSLOpr16aCx9Y9b8sq08YK78X7af00cL6y1OAAaRhD2nS8883jy033am604F33HjHR2N4DSNOFX55eN2ArGi81FaNmmYUdOT0DytcGnj0PgMQ04e0wiA616'
        Source: chargeable.exe.0.dr, MusicExpressMain.csBase64 encoded string: 'H7rrlW34uZ4g7TG29m695QHDWNDM6maH760RUMe2fvs6fBSV9ArU3xwZc58t79bYW92J4Kch8bJvQTXR7ZSLOpr16aCx9Y9b8sq08YK78X7af00cL6y1OAAaRhD2nS8883jy033am604F33HjHR2N4DSNOFX55eN2ArGi81FaNmmYUdOT0DytcGnj0PgMQ04e0wiA616'
        Source: 0.2.vP53Ohx5q0.exe.3764330.2.raw.unpack, MusicExpressMain.csBase64 encoded string: 'H7rrlW34uZ4g7TG29m695QHDWNDM6maH760RUMe2fvs6fBSV9ArU3xwZc58t79bYW92J4Kch8bJvQTXR7ZSLOpr16aCx9Y9b8sq08YK78X7af00cL6y1OAAaRhD2nS8883jy033am604F33HjHR2N4DSNOFX55eN2ArGi81FaNmmYUdOT0DytcGnj0PgMQ04e0wiA616'
        Source: 0.2.vP53Ohx5q0.exe.3747ef0.1.raw.unpack, MusicExpressMain.csBase64 encoded string: 'H7rrlW34uZ4g7TG29m695QHDWNDM6maH760RUMe2fvs6fBSV9ArU3xwZc58t79bYW92J4Kch8bJvQTXR7ZSLOpr16aCx9Y9b8sq08YK78X7af00cL6y1OAAaRhD2nS8883jy033am604F33HjHR2N4DSNOFX55eN2ArGi81FaNmmYUdOT0DytcGnj0PgMQ04e0wiA616'
        Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@14/4@10/1
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Code function: 3_2_054811AE AdjustTokenPrivileges,3_2_054811AE
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Code function: 3_2_05481177 AdjustTokenPrivileges,3_2_05481177
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe | File created: C:\Users\user\AppData\Roaming\confuse
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Mutant created: NULL
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:772:120:WilError_03
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Mutant created: \Sessions\1\BaseNamedObjects\e1a87040f2026369a233f9ae76301b7b
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
        Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6564
        Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\2d1ab75e-5b4e-43d5-8df8-6bfa03827558
        Source: vP53Ohx5q0.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: vP53Ohx5q0.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: vP53Ohx5q0.exe | ReversingLabs: Detection: 86%
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe | File read: C:\Users\user\Desktop\vP53Ohx5q0.exe
        Source: unknown | Process created: C:\Users\user\Desktop\vP53Ohx5q0.exe "C:\Users\user\Desktop\vP53Ohx5q0.exe"
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe | Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe "C:\Users\user\AppData\Roaming\confuse\chargeable.exe"
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe C:\Users\user\AppData\Roaming\confuse\chargeable.exe
        Source: unknown | Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe "C:\Users\user\AppData\Roaming\confuse\chargeable.exe"
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
        Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6564 -s 80
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe | Section loaded: mscoree.dll
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe | Section loaded: version.dll
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe | Section loaded: wldp.dll
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe | Section loaded: profapi.dll
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe | Section loaded: msasn1.dll
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe | Section loaded: riched20.dll
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe | Section loaded: usp10.dll
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe | Section loaded: msls31.dll
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe | Section loaded: cryptsp.dll
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe | Section loaded: rsaenh.dll
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe | Section loaded: cryptbase.dll
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe | Section loaded: dwrite.dll
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe | Section loaded: textshaping.dll
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe | Section loaded: shfolder.dll
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe | Section loaded: propsys.dll
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe | Section loaded: windows.staterepositoryps.dll
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe | Section loaded: edputil.dll
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe | Section loaded: urlmon.dll
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe | Section loaded: iertutil.dll
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe | Section loaded: srvcli.dll
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe | Section loaded: netutils.dll
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe | Section loaded: wintypes.dll
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe | Section loaded: appresolver.dll
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe | Section loaded: bcp47langs.dll
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe | Section loaded: slc.dll
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe | Section loaded: userenv.dll
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe | Section loaded: sppc.dll
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe | Section loaded: onecorecommonproxystub.dll
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe | Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Section loaded: mscoree.dll
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Section loaded: version.dll
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Section loaded: wldp.dll
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Section loaded: profapi.dll
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Section loaded: msasn1.dll
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Section loaded: riched20.dll
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Section loaded: usp10.dll
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Section loaded: msls31.dll
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Section loaded: cryptsp.dll
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Section loaded: rsaenh.dll
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Section loaded: cryptbase.dll
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Section loaded: dwrite.dll
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Section loaded: textshaping.dll
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Section loaded: shfolder.dll
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Section loaded: windowscodecs.dll
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Section loaded: mswsock.dll
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Section loaded: dnsapi.dll
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Section loaded: iphlpapi.dll
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Section loaded: rasadhlp.dll
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Section loaded: fwpuclnt.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: onex.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ncrypt.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappprxy.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ntasn1.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: hnetmon.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netshell.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nlaapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netsetupapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netiohlp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcsvc.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winnsi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshhttp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: httpapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshipsec.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: userenv.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: activeds.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: polstore.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winipsec.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshwfp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cabinet.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2pnetsh.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2p.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: profapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rpcnsh.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: whhelper.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winhttp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlancfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlanapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wshelper.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wevtapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mswsock.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: peerdistsh.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wcmapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rmclient.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mobilenetworking.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: slc.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: sppc.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: gpapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ktmw32.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprmsg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wldp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: msasn1.dll
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
        Source: vP53Ohx5q0.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
        Source: vP53Ohx5q0.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

        Data Obfuscation

        Source: 2.2.chargeable.exe.370da74.0.raw.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Code function: 3_2_01660DA5 push ebx; iretd 3_2_01660DB1
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Code function: 3_2_01660C22 push ecx; iretd 3_2_01660C51
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Code function: 3_2_01660FE0 push ecx; iretd 3_2_01660FE1
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Code function: 3_2_016607AC push ebx; iretd 3_2_016607B9
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Code function: 3_2_016608EC push ebx; iretd 3_2_016608F9
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Code function: 3_2_01660A37 push ecx; iretd 3_2_01660C01
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Code function: 3_2_01660CB7 push ebx; iretd 3_2_01660CC1
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Code function: 3_2_01660DB2 push ecx; iretd 3_2_01660DE1
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Code function: 3_2_0166077B push ebx; iretd 3_2_01660789
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Code function: 3_2_01660CC2 push ecx; iretd 3_2_01660CF1
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Code function: 3_2_016605C0 push edi; iretd 3_2_016605C1
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Code function: 3_2_0166000C push ebp; iretd 3_2_01660051
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Code function: 3_2_01660C52 push ecx; iretd 3_2_01660CA1
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Code function: 3_2_016605D0 push edi; iretd 3_2_016605D1
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Code function: 3_2_01660710 push eax; iretd 3_2_01660711
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Code function: 3_2_016607DC push esi; iretd 3_2_016607E9
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Code function: 3_2_01660C1B push ebx; iretd 3_2_01660C21
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe | File created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe

        Boot Survival

        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run confuse
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysMain
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Memory allocated: A90000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Memory allocated: 2740000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Memory allocated: 4740000 memory commit | memory reserve | memory write watch
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Memory allocated: 1970000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Memory allocated: 3640000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Memory allocated: 1970000 memory commit | memory reserve | memory write watch
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Memory allocated: 3160000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Memory allocated: 5160000 memory commit | memory reserve | memory write watch
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Memory allocated: BE0000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Memory allocated: 2A30000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Memory allocated: C50000 memory commit | memory reserve | memory write watch
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Memory allocated: 1270000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Memory allocated: 2F80000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Memory allocated: 12D0000 memory commit | memory reserve | memory write watch
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Window / User API: threadDelayed 919
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Window / User API: threadDelayed 3711
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Window / User API: threadDelayed 4797
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Window / User API: foregroundWindowGot 1753
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe TID: 6664 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 4588 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 7108 Thread sleep count: 919 > 30
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 7108 Thread sleep time: -919000s >= -30000s
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 2596 Thread sleep count: 3711 > 30
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 7108 Thread sleep count: 4797 > 30
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 7108 Thread sleep time: -4797000s >= -30000s
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 7060 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 6660 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
        Source: chargeable.exe, 00000003.00000002.4126902451.00000000011C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllneutral, PublicKeyToken=b03f5f7f11d50a3a" allowDefinition="MachineOnly"/>
        Source: chargeable.exe, 00000003.00000002.4126902451.00000000011C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW <ad(
        Source: netsh.exe, 00000009.00000003.1860359865.0000000000853000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Process queried: DebugPort
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Process token adjusted: Debug
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion

        Source: 0.2.vP53Ohx5q0.exe.279c09c.0.raw.unpack, D.cs .Net Code: Run contains injection code
        Source: 0.2.vP53Ohx5q0.exe.6100000.3.raw.unpack, D.cs .Net Code: Run contains injection code
        Source: 2.2.chargeable.exe.369c2fc.1.raw.unpack, D.cs .Net Code: Run contains injection code
        Source: 0.2.vP53Ohx5q0.exe.279c09c.0.raw.unpack, D.cs Reference to suspicious API methods: VirtualAllocEx((IntPtr)array4[0], intPtr, *(uint*)(ptr2 + 80), 12288u, 64u)
        Source: 0.2.vP53Ohx5q0.exe.279c09c.0.raw.unpack, D.cs Reference to suspicious API methods: NtWriteVirtualMemory((IntPtr)array4[0], intPtr, (IntPtr)ptr5, *(uint*)(ptr2 + 84), IntPtr.Zero)
        Source: 0.2.vP53Ohx5q0.exe.279c09c.0.raw.unpack, D.cs Reference to suspicious API methods: NtSetContextThread((IntPtr)array4[1], (IntPtr)ptr4)
        Source: 2.2.chargeable.exe.370da74.0.raw.unpack, kl.cs Reference to suspicious API methods: MapVirtualKey(a, 0u)
        Source: 2.2.chargeable.exe.370da74.0.raw.unpack, kl.cs Reference to suspicious API methods: GetAsyncKeyState(num2)
        Source: 2.2.chargeable.exe.370da74.0.raw.unpack, OK.cs Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Memory written: C:\Users\user\AppData\Roaming\confuse\chargeable.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe "C:\Users\user\AppData\Roaming\confuse\chargeable.exe"
        Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe C:\Users\user\AppData\Roaming\confuse\chargeable.exe
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vP53Ohx5q0.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

        Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

        Stealing of Sensitive Information

Source: Yara match | File source: 2.2.chargeable.exe.370da74.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.chargeable.exe.370da74.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1780405380.00000000036D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1903920925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: chargeable.exe PID: 2720, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: chargeable.exe PID: 7020, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: chargeable.exe PID: 5888, type: MEMORYSTR

        Remote Access Functionality

Source: Yara match | File source: 2.2.chargeable.exe.370da74.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.chargeable.exe.370da74.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1780405380.00000000036D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1903920925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: chargeable.exe PID: 2720, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: chargeable.exe PID: 7020, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: chargeable.exe PID: 5888, type: MEMORYSTR
MITRE ATT&CK Matrix (a leading number on a technique is the count of signatures that matched it for this sample)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 11 Registry Run Keys / Startup Folder | 1 Access Token Manipulation | 1 Masquerading | 1 Input Capture | 11 Security Software Discovery | Remote Services | 1 Input Capture | 1 Non-Standard Port | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 211 Process Injection | 31 Disable or Modify Tools | LSASS Memory | 41 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 11 Registry Run Keys / Startup Folder | 41 Virtualization/Sandbox Evasion | Security Account Manager | 1 Application Window Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 11 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 1 Access Token Manipulation | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 211 Process Injection | LSA Secrets | 12 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 11 Obfuscated Files or Information | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Software Packing | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Behavior Graph ID: 1429007 | Sample: vP53Ohx5q0.exe | Startdate: 20/04/2024 | Architecture: WINDOWS | Score: 100
Start-node signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 8 other signatures
Start-node DNS/IP: doddyfire.linkpc.net

Process tree recovered from the behavior graph:
vP53Ohx5q0.exe (started)
    dropped: C:\Users\user\AppData\...\chargeable.exe, PE32
    signature: Creates multiple autostart registry keys
    chargeable.exe (started)
        signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Uses netsh to modify the Windows network and firewall settings; 2 other signatures
        chargeable.exe (started)
            DNS/IP: doddyfire.linkpc.net 187.177.82.222, port 10000, AxtelSABdeCVMX Mexico
            signature: Disables zone checking for all users
            netsh.exe (started)
                conhost.exe (started)
chargeable.exe (started)
    signature: Injects a PE file into a foreign processes
    chargeable.exe (started)
        WerFault.exe (started)
    chargeable.exe (started)

Initial Sample
Source | Detection | Scanner | Label
vP53Ohx5q0.exe | 87% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
vP53Ohx5q0.exe | 100% | Avira | TR/Dropper.Gen
vP53Ohx5q0.exe | 100% | Joe Sandbox ML |

Dropped Files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\confuse\chargeable.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Roaming\confuse\chargeable.exe | 100% | Joe Sandbox ML |

Unpacked PE Files
No Antivirus matches

Domains
No Antivirus matches

URLs
Source | Detection | Scanner | Label
http://go.microsoft. | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
doddyfire.linkpc.net | 187.177.82.222 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
doddyfire.linkpc.net | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.fontbureau.com/designers? | vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://go.microsoft. | chargeable.exe, 00000003.00000002.4126902451.00000000011C1000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.com | vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://go.microsoft.LinkId=42127 | chargeable.exe, 00000003.00000002.4126902451.00000000011C1000.00000004.00000020.00020000.00000000.sdmp | false | | low
http://www.carterandcone.coml | vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.galapagosdesign.com/staff/dennis.htm | vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.fontbureau.com/designers/frere-user.html | vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.sysinternals.com0 | vP53Ohx5q0.exe, chargeable.exe.0.dr | false | | unknown
http://www.jiyu-kobo.co.jp/ | vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.com | vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.sakkal.com | vP53Ohx5q0.exe, 00000000.00000002.1747104608.0000000006152000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
187.177.82.222 | doddyfire.linkpc.net | Mexico | 6503 | AxtelSABdeCVMX | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1429007
Start date and time: 2024-04-20 01:41:05 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 52s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: vP53Ohx5q0.exe (renamed because the original name is a hash value)
Original Sample Name: 207A0A0F98F554F4B8CE5715F07514C6.exe
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winEXE@14/4@10/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 204
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: vP53Ohx5q0.exe
Time | Type | Description
00:42:00 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run confuse C:\Users\user\AppData\Roaming\confuse\chargeable.exe
00:42:08 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SysMain C:\Users\user\Desktop\vP53Ohx5q0.exe
00:42:30 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run confuse C:\Users\user\AppData\Roaming\confuse\chargeable.exe
00:42:51 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SysMain C:\Users\user\Desktop\vP53Ohx5q0.exe
01:42:49 | API Interceptor | 1054937x Sleep call for process: chargeable.exe modified
Two Run values are created, each recorded under both registry views (HKCU and HKCU64): "confuse" launches the dropped copy %APPDATA%\confuse\chargeable.exe, and "SysMain" (the name of the built-in Superfetch service) launches the original sample from the Desktop. The sandbox's API interceptor had to patch the Sleep calls of chargeable.exe more than a million times, which is the sleep-loop evasion flagged in the signatures.
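The two Run values above are the kind of entry an analyst wants to triage automatically: does the image live in a user-writable directory, and does the value name borrow the name of a Windows component? The following is an added example written for this report, not Joe Sandbox code. Its first four input lines are the autostart events from the timeline; the OneDrive line is constructed to show why a path-only rule is too noisy. KNOWN_COMPONENT_NAMES, USER_WRITABLE and ALLOWLISTED_PATHS are assumptions made for the example.

```python
"""Triage of autostart (Run key) entries from a sandbox timeline.

Added example for this report, not part of Joe Sandbox or its output. The first
four lines are the autostart events from the report's timeline; the OneDrive line
is constructed to show why a path-only rule is too noisy. KNOWN_COMPONENT_NAMES,
USER_WRITABLE and ALLOWLISTED_PATHS are assumptions for this example.
"""
from __future__ import annotations

import re

AUTOSTART_LINES = [
    r"Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run confuse C:\Users\user\AppData\Roaming\confuse\chargeable.exe",
    r"Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SysMain C:\Users\user\Desktop\vP53Ohx5q0.exe",
    r"Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run confuse C:\Users\user\AppData\Roaming\confuse\chargeable.exe",
    r"Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SysMain C:\Users\user\Desktop\vP53Ohx5q0.exe",
    # constructed benign entry: OneDrive legitimately autostarts from %LOCALAPPDATA%
    r'Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run OneDrive "C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
]

# Timeline row layout: "Run: <key> <value name> <command line>"
LINE_RE = re.compile(r"^Run:\s+(?P<key>\S+)\s+(?P<name>\S+)\s+(?P<cmd>.+)$")

# Assumptions: directories a standard user can write to, names of Windows
# components that malware borrows for Run values, and vendor binaries that are
# expected to autostart from a per-user path.
USER_WRITABLE = ("\\appdata\\", "\\desktop\\", "\\downloads\\", "\\temp\\", "\\users\\public\\")
KNOWN_COMPONENT_NAMES = {"sysmain", "svchost", "csrss", "lsass", "winlogon", "wininit", "dwm"}
ALLOWLISTED_PATHS = ("\\appdata\\local\\microsoft\\onedrive\\onedrive.exe",)


def image_path(cmd: str) -> str:
    """Extract the executable from a Run value's command line. Quoted paths end at
    the closing quote; unquoted ones are cut after the first '.exe', which also
    copes with unquoted paths that contain spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    i = cmd.lower().find(".exe")
    return cmd if i < 0 else cmd[: i + 4]


def parse(line: str) -> dict | None:
    m = LINE_RE.match(line)
    if not m:
        return None
    # HKCU64 is the 64-bit view of the same hive; fold it so both rows compare equal.
    key = re.sub(r"^(HK[A-Z]+)64\\", r"\1\\", m["key"])
    return {"key": key, "name": m["name"], "path": image_path(m["cmd"])}


def assess(entry: dict) -> list[str]:
    reasons = []
    low = entry["path"].lower()
    if any(tok in low for tok in USER_WRITABLE) and not low.endswith(ALLOWLISTED_PATHS):
        reasons.append("user-writable path")
    if entry["name"].lower() in KNOWN_COMPONENT_NAMES:
        reasons.append("name of a Windows component")
    return reasons


def triage(lines) -> list[dict]:
    """One finding per distinct (key, value name, image path)."""
    seen, findings = set(), []
    for entry in filter(None, map(parse, lines)):
        ident = (entry["key"], entry["name"], entry["path"].lower())
        if ident in seen:
            continue
        seen.add(ident)
        findings.append({**entry, "reasons": assess(entry)})
    return findings


if __name__ == "__main__":
    for f in triage(AUTOSTART_LINES):
        verdict = "SUSPICIOUS" if f["reasons"] else "ok"
        print(f"{verdict:10} {f['name']:10} {f['path']}  {', '.join(f['reasons'])}")
```

The allow-list is the part that needs local tuning: per-user autostarts are normal for updaters and sync clients, so a path rule alone produces noise, while the component-name rule ("SysMain" here) has almost no benign hits.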
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
doddyfire.linkpc.net | 9hYKnCVqcI.exe | malicious | Njrat | 196.74.150.120
doddyfire.linkpc.net | SjMIbKjuDL.exe | malicious | Njrat | 41.248.119.194
doddyfire.linkpc.net | ctVXvVgUrO.exe | malicious | Njrat | 41.249.48.248
doddyfire.linkpc.net | j76l1AiIHm.exe | malicious | Njrat | 41.249.48.248
doddyfire.linkpc.net | QpcOa13BU1.exe | malicious | Njrat | 41.249.108.177
doddyfire.linkpc.net | z9gxPEpWws.exe | malicious | Njrat | 41.249.108.177
doddyfire.linkpc.net | 7Hr9O6jK2l.exe | malicious | Njrat | 41.249.108.177
doddyfire.linkpc.net | tuYTv9rjMX.exe | malicious | Njrat | 160.178.39.123
doddyfire.linkpc.net | eDafoy5XIk.exe | malicious | Njrat | 160.178.39.123
doddyfire.linkpc.net | KSqpu62vE4.exe | malicious | Njrat | 160.178.39.123
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AxtelSABdeCV | MXKSRRrEMt1w.elf | malicious | Mirai | 187.176.36.66
AxtelSABdeCV | 3Bl37j9Opx.elf | malicious | Mirai | 148.250.254.23
AxtelSABdeCV | 0FnrrE8B6Y.elf | malicious | Mirai | 148.248.202.126
AxtelSABdeCV | tL98mBWW8p.elf | malicious | Mirai | 148.248.202.114
AxtelSABdeCV | nY3jvpEUvw.elf | malicious | Mirai | 189.205.147.40
AxtelSABdeCV | XFJxqIEFFQ.elf | malicious | Mirai | 187.176.14.251
AxtelSABdeCV | QBv5s2bHnV.elf | malicious | Unknown | 148.250.81.67
AxtelSABdeCV | M0akqPlgtl.elf | malicious | Mirai | 187.176.85.39
AxtelSABdeCV | QvpSy7ZbUh.elf | malicious | Mirai, Gafgyt | 189.210.74.149
AxtelSABdeCV | USE5KJLGvF.elf | malicious | Mirai | 189.209.37.252
                                            No context
                                            No context
                                            Process:C:\Users\user\AppData\Roaming\confuse\chargeable.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):388
                                            Entropy (8bit):5.20595142366915
                                            Encrypted:false
                                            SSDEEP:12:Q3LaJU2C9XAn10U29xtUz1B0U2uk71K6xhk7v:MLF2CpI329Iz52Ve
                                            MD5:2452328391F7A0B3C56DDF0E6389513E
                                            SHA1:6FE308A325AE8BFB17DE5CAAF54432E5301987B6
                                            SHA-256:2BC0F7D1CBD869EF4FD93B95495C8081B01B3FD627890B006B6A531D8C050AA2
                                            SHA-512:AC65283B0959E112B73160BB4322D0725C7D0EC79E3BB93555B1412204AA72F1F66BB9EB8D8B24B6570EC8717A1A4A129454588C3EA9ACE206B6E9CCB7F2ABDC
                                            Malicious:false
                                            Reputation:moderate, very likely benign file
                                            Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..
                                            Process:C:\Users\user\Desktop\vP53Ohx5q0.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):388
                                            Entropy (8bit):5.20595142366915
                                            Encrypted:false
                                            SSDEEP:12:Q3LaJU2C9XAn10U29xtUz1B0U2uk71K6xhk7v:MLF2CpI329Iz52Ve
                                            MD5:2452328391F7A0B3C56DDF0E6389513E
                                            SHA1:6FE308A325AE8BFB17DE5CAAF54432E5301987B6
                                            SHA-256:2BC0F7D1CBD869EF4FD93B95495C8081B01B3FD627890B006B6A531D8C050AA2
                                            SHA-512:AC65283B0959E112B73160BB4322D0725C7D0EC79E3BB93555B1412204AA72F1F66BB9EB8D8B24B6570EC8717A1A4A129454588C3EA9ACE206B6E9CCB7F2ABDC
                                            Malicious:false
                                            Reputation:moderate, very likely benign file
                                            Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..
                                            Process:C:\Users\user\Desktop\vP53Ohx5q0.exe
                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:dropped
                                            Size (bytes):115808
                                            Entropy (8bit):6.06337224889217
                                            Encrypted:false
                                            SSDEEP:1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMiaR:P5eznsjsguGDFqGZ2rf
                                            MD5:2F2F1040DB8F1E8BF6EB249283EB7D0E
                                            SHA1:EE0D1761EE308F9F28449DF1659D12B1F4AC2D55
                                            SHA-256:BF4007F0D5DE0E6831BFA101E1D0B281A3370F493A02567221FB8B76A08640F8
                                            SHA-512:12740A7EB512DB4F9613ABAC5112701DC2D2A6100016ECF3926676144A8C35070A171F1AF076AB628E5F27EC7B6431E53DF7968C891E44C639D1D19035810C79
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Avira, Detection: 100%
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            Reputation:low
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...S..[.................x..........^.... ........@.. ....................................@.....................................S.......H................'........................................................... ............... ..H............text...dv... ...x.................. ..`.rsrc...H............z..............@..@.reloc...............~..............@..B................@.......H...........h...........@...^T..........................................N.(.....(.....(....*.0..9I.......s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....} ....s....}!....s....}"....s
                                            Process:C:\Windows\SysWOW64\netsh.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):313
                                            Entropy (8bit):4.971939296804078
                                            Encrypted:false
                                            SSDEEP:6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
                                            MD5:689E2126A85BF55121488295EE068FA1
                                            SHA1:09BAAA253A49D80C18326DFBCA106551EBF22DD6
                                            SHA-256:D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
                                            SHA-512:C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
                                            Malicious:false
                                            Reputation:high, very likely benign file
                                            Preview:..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....
                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Entropy (8bit):6.061746742092903
                                            TrID:
                                            • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                            • Win32 Executable (generic) a (10002005/4) 49.97%
                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                            • DOS Executable Generic (2002/1) 0.01%
                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                            File name:vP53Ohx5q0.exe
                                            File size:115'744 bytes
                                            MD5:207a0a0f98f554f4b8ce5715f07514c6
                                            SHA1:693f287b916c2376573aeff102827961ee1352f4
                                            SHA256:7f9690a0ca91cfd371100be8d22540405315508650093ab356570bf236abe0ed
                                            SHA512:a7607294b616d99fc4f345bbcf0c038d0aeae3d207a340adccc0c20022168d71fe9e55fe3f2b0d9d8f6b00242f7995333761df3a47951ec124c9de501ca8a243
                                            SSDEEP:1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMiaH:P5eznsjsguGDFqGZ2rZ
                                            TLSH:F9B30D387D952133C67AC1F689E50A8BEB69227F3191E8ED4CA742C418B2F156EC1D1F
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...S..[.................x..........^.... ........@.. ....................................@................................
                                            Icon Hash:90cececece8e8eb0
                                            Entrypoint:0x41965e
                                            Entrypoint Section:.text
                                            Digitally signed:true
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                            Time Stamp:0x5B1EAC53 [Mon Jun 11 17:07:31 2018 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After:
Subject Chain (Version, Thumbprint MD5 / SHA-1 / SHA-256, Serial):
The "Digitally signed" flag only reflects the presence of a security directory (IMAGE_DIRECTORY_ENTRY_SECURITY at file offset 0x18e80, 0x27a0 bytes); the report records no issuer, validity period, thumbprint or validation result for it, so the signature is unverified and is not a trust signal.
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al (repeated 97 times)
The entrypoint is the standard native stub of a .NET executable: an indirect jmp through the single 8-byte IAT slot at RVA 0x2000 (IMAGE_DIRECTORY_ENTRY_IAT), which resolves to mscoree.dll!_CorExeMain; the CLR then takes over and runs the managed code. The following "add byte ptr [eax], al" lines are the disassembler decoding the zero bytes (00 00) after the stub, not real code.
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x19608 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1a000 | 0x348 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x18e80 | 0x27a0 | (file offset, not an RVA; the certificate table is not mapped into a section)
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1c000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x17664 | 0x17800 | 7acd957f3266ee65ab01391ebf758013 | False | 0.46648520611702127 | data | 5.649987526076151 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x1a000 | 0x348 | 0x400 | 2f8c2571ca02df8c52b2a03fcee90517 | False | 0.37109375 | data | 2.7512174114856074 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x1c000 | 0xc | 0x200 | 5219651ec1890b5711996a05a6f4ed37 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x1a058 | 0x2ec | data | | | 0.4625668449197861
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 20, 2024 01:42:42.270503044 CEST | 49740 | 10000 | 192.168.2.4 | 187.177.82.222
Apr 20, 2024 01:42:43.268852949 CEST | 49740 | 10000 | 192.168.2.4 | 187.177.82.222
Apr 20, 2024 01:42:45.284481049 CEST | 49740 | 10000 | 192.168.2.4 | 187.177.82.222
Apr 20, 2024 01:42:49.300143003 CEST | 49740 | 10000 | 192.168.2.4 | 187.177.82.222
Apr 20, 2024 01:42:57.300200939 CEST | 49740 | 10000 | 192.168.2.4 | 187.177.82.222
Apr 20, 2024 01:43:05.334731102 CEST | 49742 | 10000 | 192.168.2.4 | 187.177.82.222
Apr 20, 2024 01:43:06.347274065 CEST | 49742 | 10000 | 192.168.2.4 | 187.177.82.222
Apr 20, 2024 01:43:08.362708092 CEST | 49742 | 10000 | 192.168.2.4 | 187.177.82.222
Apr 20, 2024 01:43:12.378367901 CEST | 49742 | 10000 | 192.168.2.4 | 187.177.82.222
Apr 20, 2024 01:43:20.378176928 CEST | 49742 | 10000 | 192.168.2.4 | 187.177.82.222
Apr 20, 2024 01:43:28.395713091 CEST | 49743 | 10000 | 192.168.2.4 | 187.177.82.222
Apr 20, 2024 01:43:29.409435987 CEST | 49743 | 10000 | 192.168.2.4 | 187.177.82.222
Apr 20, 2024 01:43:31.425076962 CEST | 49743 | 10000 | 192.168.2.4 | 187.177.82.222
Apr 20, 2024 01:43:35.425079107 CEST | 49743 | 10000 | 192.168.2.4 | 187.177.82.222
Apr 20, 2024 01:43:43.425156116 CEST | 49743 | 10000 | 192.168.2.4 | 187.177.82.222
Apr 20, 2024 01:43:51.442714930 CEST | 49744 | 10000 | 192.168.2.4 | 187.177.82.222
Apr 20, 2024 01:43:52.456336021 CEST | 49744 | 10000 | 192.168.2.4 | 187.177.82.222
Apr 20, 2024 01:43:54.456332922 CEST | 49744 | 10000 | 192.168.2.4 | 187.177.82.222
Apr 20, 2024 01:43:58.458288908 CEST | 49744 | 10000 | 192.168.2.4 | 187.177.82.222
Apr 20, 2024 01:44:06.456352949 CEST | 49744 | 10000 | 192.168.2.4 | 187.177.82.222
Apr 20, 2024 01:44:14.473246098 CEST | 49745 | 10000 | 192.168.2.4 | 187.177.82.222
Apr 20, 2024 01:44:15.487668991 CEST | 49745 | 10000 | 192.168.2.4 | 187.177.82.222
Apr 20, 2024 01:44:17.503377914 CEST | 49745 | 10000 | 192.168.2.4 | 187.177.82.222
Apr 20, 2024 01:44:21.503576040 CEST | 49745 | 10000 | 192.168.2.4 | 187.177.82.222
Apr 20, 2024 01:44:29.503381014 CEST | 49745 | 10000 | 192.168.2.4 | 187.177.82.222
Apr 20, 2024 01:44:37.530122042 CEST | 49746 | 10000 | 192.168.2.4 | 187.177.82.222
Apr 20, 2024 01:44:38.545150042 CEST | 49746 | 10000 | 192.168.2.4 | 187.177.82.222
Apr 20, 2024 01:44:40.550316095 CEST | 49746 | 10000 | 192.168.2.4 | 187.177.82.222
Apr 20, 2024 01:44:44.550266981 CEST | 49746 | 10000 | 192.168.2.4 | 187.177.82.222
Apr 20, 2024 01:44:52.550153971 CEST | 49746 | 10000 | 192.168.2.4 | 187.177.82.222
Apr 20, 2024 01:45:00.707719088 CEST | 49747 | 10000 | 192.168.2.4 | 187.177.82.222
Apr 20, 2024 01:45:01.722059965 CEST | 49747 | 10000 | 192.168.2.4 | 187.177.82.222
Apr 20, 2024 01:45:03.722019911 CEST | 49747 | 10000 | 192.168.2.4 | 187.177.82.222
Apr 20, 2024 01:45:07.722067118 CEST | 49747 | 10000 | 192.168.2.4 | 187.177.82.222
Apr 20, 2024 01:45:15.722064972 CEST | 49747 | 10000 | 192.168.2.4 | 187.177.82.222
Apr 20, 2024 01:45:23.740519047 CEST | 49748 | 10000 | 192.168.2.4 | 187.177.82.222
Apr 20, 2024 01:45:24.753439903 CEST | 49748 | 10000 | 192.168.2.4 | 187.177.82.222
Apr 20, 2024 01:45:26.753477097 CEST | 49748 | 10000 | 192.168.2.4 | 187.177.82.222
Apr 20, 2024 01:45:30.753460884 CEST | 49748 | 10000 | 192.168.2.4 | 187.177.82.222
Apr 20, 2024 01:45:38.753468990 CEST | 49748 | 10000 | 192.168.2.4 | 187.177.82.222
Apr 20, 2024 01:45:46.629815102 CEST | 49749 | 10000 | 192.168.2.4 | 187.177.82.222
Apr 20, 2024 01:45:47.628319979 CEST | 49749 | 10000 | 192.168.2.4 | 187.177.82.222
Apr 20, 2024 01:45:49.643932104 CEST | 49749 | 10000 | 192.168.2.4 | 187.177.82.222
Apr 20, 2024 01:45:53.659630060 CEST | 49749 | 10000 | 192.168.2.4 | 187.177.82.222
Apr 20, 2024 01:46:01.706557989 CEST | 49749 | 10000 | 192.168.2.4 | 187.177.82.222
All 45 TCP packets go from the analysis VM to 187.177.82.222 on the non-standard port 10000; the table lists none in the other direction. Each source port carries exactly five packets spaced about 1, 2, 4 and 8 seconds apart, the retransmission pattern of a connection attempt that receives no SYN/ACK, and a fresh attempt starts from the next ephemeral port roughly every 23 seconds (01:42:42, 01:43:05, 01:43:28, ...). The C2 was unreachable during the run, so no command traffic was captured and the IP and port are the only network indicators this capture yields.
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 20, 2024 01:42:18.643455029 CEST | 60831 | 53 | 192.168.2.4 | 1.1.1.1
Apr 20, 2024 01:42:19.628869057 CEST | 60831 | 53 | 192.168.2.4 | 1.1.1.1
Apr 20, 2024 01:42:20.668565989 CEST | 60831 | 53 | 192.168.2.4 | 1.1.1.1
Apr 20, 2024 01:42:21.202291965 CEST | 53 | 60831 | 1.1.1.1 | 192.168.2.4
Apr 20, 2024 01:42:21.202353954 CEST | 53 | 60831 | 1.1.1.1 | 192.168.2.4
Apr 20, 2024 01:42:21.202392101 CEST | 53 | 60831 | 1.1.1.1 | 192.168.2.4
Apr 20, 2024 01:42:25.222830057 CEST | 65042 | 53 | 192.168.2.4 | 1.1.1.1
Apr 20, 2024 01:42:25.328459024 CEST | 53 | 65042 | 1.1.1.1 | 192.168.2.4
Apr 20, 2024 01:42:29.410794020 CEST | 57392 | 53 | 192.168.2.4 | 1.1.1.1
Apr 20, 2024 01:42:30.409790993 CEST | 57392 | 53 | 192.168.2.4 | 1.1.1.1
Apr 20, 2024 01:42:31.409818888 CEST | 57392 | 53 | 192.168.2.4 | 1.1.1.1
Apr 20, 2024 01:42:31.968133926 CEST | 53 | 57392 | 1.1.1.1 | 192.168.2.4
Apr 20, 2024 01:42:31.968192101 CEST | 53 | 57392 | 1.1.1.1 | 192.168.2.4
Apr 20, 2024 01:42:31.968234062 CEST | 53 | 57392 | 1.1.1.1 | 192.168.2.4
Apr 20, 2024 01:42:35.988828897 CEST | 51501 | 53 | 192.168.2.4 | 1.1.1.1
Apr 20, 2024 01:42:36.094471931 CEST | 53 | 51501 | 1.1.1.1 | 192.168.2.4
Apr 20, 2024 01:42:42.130316973 CEST | 56120 | 53 | 192.168.2.4 | 1.1.1.1
Apr 20, 2024 01:42:42.254614115 CEST | 53 | 56120 | 1.1.1.1 | 192.168.2.4
Apr 20, 2024 01:45:00.582703114 CEST | 60058 | 53 | 192.168.2.4 | 1.1.1.1
Apr 20, 2024 01:45:00.706661940 CEST | 53 | 60058 | 1.1.1.1 | 192.168.2.4
All UDP traffic is DNS between the VM and the resolver 1.1.1.1. Two lookups (source ports 60831 and 57392) are sent three times at one-second intervals before the resolver answers, which is ordinary stub-resolver retry. The exchanges completed at 01:42:42.25 and 01:45:00.71 are each followed within about 20 ms by a new TCP attempt to 187.177.82.222:10000, consistent with the sample resolving its C2 hostname before connecting.
Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                  Type            Class        DNS over HTTPS
Apr 20, 2024 01:42:18.643455029 CEST  192.168.2.4  1.1.1.1  0x2c2d    Standard query (0)  doddyfire.linkpc.net  A (IP address)  IN (0x0001)  false
Apr 20, 2024 01:42:19.628869057 CEST  192.168.2.4  1.1.1.1  0x2c2d    Standard query (0)  doddyfire.linkpc.net  A (IP address)  IN (0x0001)  false
Apr 20, 2024 01:42:20.668565989 CEST  192.168.2.4  1.1.1.1  0x2c2d    Standard query (0)  doddyfire.linkpc.net  A (IP address)  IN (0x0001)  false
Apr 20, 2024 01:42:25.222830057 CEST  192.168.2.4  1.1.1.1  0xbec8    Standard query (0)  doddyfire.linkpc.net  A (IP address)  IN (0x0001)  false
Apr 20, 2024 01:42:29.410794020 CEST  192.168.2.4  1.1.1.1  0xc7c1    Standard query (0)  doddyfire.linkpc.net  A (IP address)  IN (0x0001)  false
Apr 20, 2024 01:42:30.409790993 CEST  192.168.2.4  1.1.1.1  0xc7c1    Standard query (0)  doddyfire.linkpc.net  A (IP address)  IN (0x0001)  false
Apr 20, 2024 01:42:31.409818888 CEST  192.168.2.4  1.1.1.1  0xc7c1    Standard query (0)  doddyfire.linkpc.net  A (IP address)  IN (0x0001)  false
Apr 20, 2024 01:42:35.988828897 CEST  192.168.2.4  1.1.1.1  0x878d    Standard query (0)  doddyfire.linkpc.net  A (IP address)  IN (0x0001)  false
Apr 20, 2024 01:42:42.130316973 CEST  192.168.2.4  1.1.1.1  0x9c23    Standard query (0)  doddyfire.linkpc.net  A (IP address)  IN (0x0001)  false
Apr 20, 2024 01:45:00.582703114 CEST  192.168.2.4  1.1.1.1  0x66a6    Standard query (0)  doddyfire.linkpc.net  A (IP address)  IN (0x0001)  false
Timestamp                             Source IP  Dest IP      Trans ID  Reply Code          Name                  CName  Address         Type            Class        DNS over HTTPS
Apr 20, 2024 01:42:21.202291965 CEST  1.1.1.1    192.168.2.4  0x2c2d    Server failure (2)  doddyfire.linkpc.net  none   none            A (IP address)  IN (0x0001)  false
Apr 20, 2024 01:42:21.202353954 CEST  1.1.1.1    192.168.2.4  0x2c2d    Server failure (2)  doddyfire.linkpc.net  none   none            A (IP address)  IN (0x0001)  false
Apr 20, 2024 01:42:21.202392101 CEST  1.1.1.1    192.168.2.4  0x2c2d    Server failure (2)  doddyfire.linkpc.net  none   none            A (IP address)  IN (0x0001)  false
Apr 20, 2024 01:42:25.328459024 CEST  1.1.1.1    192.168.2.4  0xbec8    Server failure (2)  doddyfire.linkpc.net  none   none            A (IP address)  IN (0x0001)  false
Apr 20, 2024 01:42:31.968133926 CEST  1.1.1.1    192.168.2.4  0xc7c1    Server failure (2)  doddyfire.linkpc.net  none   none            A (IP address)  IN (0x0001)  false
Apr 20, 2024 01:42:31.968192101 CEST  1.1.1.1    192.168.2.4  0xc7c1    Server failure (2)  doddyfire.linkpc.net  none   none            A (IP address)  IN (0x0001)  false
Apr 20, 2024 01:42:31.968234062 CEST  1.1.1.1    192.168.2.4  0xc7c1    Server failure (2)  doddyfire.linkpc.net  none   none            A (IP address)  IN (0x0001)  false
Apr 20, 2024 01:42:36.094471931 CEST  1.1.1.1    192.168.2.4  0x878d    Server failure (2)  doddyfire.linkpc.net  none   none            A (IP address)  IN (0x0001)  false
Apr 20, 2024 01:42:42.254614115 CEST  1.1.1.1    192.168.2.4  0x9c23    No error (0)        doddyfire.linkpc.net         187.177.82.222  A (IP address)  IN (0x0001)  false
Apr 20, 2024 01:45:00.706661940 CEST  1.1.1.1    192.168.2.4  0x66a6    No error (0)        doddyfire.linkpc.net         187.177.82.222  A (IP address)  IN (0x0001)  false
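The DNS and packet rows above carry the pattern a detection engineer keys on: repeated A queries for a dynamic-DNS name that come back SERVFAIL four times, then resolve to 187.177.82.222, after which the host talks to that address on port 10000 with retries spaced roughly 2, 4 and 8 seconds apart (the four packet rows visible here). The Python below is an added example and not part of the Joe Sandbox report; it re-types the report's own rows as constructed input lines and correlates them into a single C2 finding. The dynamic-DNS suffix watchlist and the set of "unremarkable" ports are assumptions, not something the report states.

```python
"""Correlate sandbox DNS answers with outbound packets to pin down a RAT C2.
Added example; the input lines are re-typed from the report's own DNS-answer
and packet tables. The dynamic-DNS suffix watchlist and the set of
unremarkable ports are assumptions."""
from collections import defaultdict

# Constructed from the report's DNS answer table:
# time | source IP | dest IP | transaction ID | reply code | name | address
DNS_ANSWERS = """\
01:42:21.202291965 | 1.1.1.1 | 192.168.2.4 | 0x2c2d | Server failure (2) | doddyfire.linkpc.net | none
01:42:25.328459024 | 1.1.1.1 | 192.168.2.4 | 0xbec8 | Server failure (2) | doddyfire.linkpc.net | none
01:42:31.968133926 | 1.1.1.1 | 192.168.2.4 | 0xc7c1 | Server failure (2) | doddyfire.linkpc.net | none
01:42:36.094471931 | 1.1.1.1 | 192.168.2.4 | 0x878d | Server failure (2) | doddyfire.linkpc.net | none
01:42:42.254614115 | 1.1.1.1 | 192.168.2.4 | 0x9c23 | No error (0) | doddyfire.linkpc.net | 187.177.82.222
01:45:00.706661940 | 1.1.1.1 | 192.168.2.4 | 0x66a6 | No error (0) | doddyfire.linkpc.net | 187.177.82.222
"""

# Constructed from the last four rows of the report's packet table:
# time | source port | dest port | source IP | dest IP
PACKETS = """\
01:45:47.628319979 | 49749 | 10000 | 192.168.2.4 | 187.177.82.222
01:45:49.643932104 | 49749 | 10000 | 192.168.2.4 | 187.177.82.222
01:45:53.659630060 | 49749 | 10000 | 192.168.2.4 | 187.177.82.222
01:46:01.706557989 | 49749 | 10000 | 192.168.2.4 | 187.177.82.222
"""

# Assumed watchlist of free dynamic-DNS suffixes seen in commodity RAT configs.
DDNS_SUFFIXES = (".linkpc.net", ".ddns.net", ".no-ip.org", ".duckdns.org")
# Outbound ports considered unremarkable; anything else counts as non-standard.
STANDARD_PORTS = {53, 80, 443}


def _seconds(text):
    """'HH:MM:SS.fffffffff' -> seconds since midnight, keeping the nanosecond digits."""
    hh, mm, ss = text.strip().split(":")
    return int(hh) * 3600 + int(mm) * 60 + float(ss)


def _rows(table):
    for line in table.splitlines():
        if line.strip():
            yield [field.strip() for field in line.split("|")]


def resolve_c2(dns_answers, packets):
    """Return {name: finding} for each name whose resolved address the host
    then contacted on a non-standard port."""
    names = defaultdict(lambda: {"fail_times": [], "ok_times": [], "addresses": set()})
    for ts, _src, _dst, _txid, rcode, name, addr in _rows(dns_answers):
        entry = names[name]
        if rcode.startswith("No error"):
            entry["ok_times"].append(_seconds(ts))
            entry["addresses"].add(addr)
        else:
            entry["fail_times"].append(_seconds(ts))

    flows = defaultdict(list)  # (dest IP, dest port) -> packet times
    for ts, _sport, dport, _src, dst in _rows(packets):
        flows[(dst, int(dport))].append(_seconds(ts))

    findings = {}
    for name, entry in names.items():
        hits = {}
        for (dst, dport), times in flows.items():
            if dst in entry["addresses"] and dport not in STANDARD_PORTS:
                times = sorted(times)
                # Gaps between successive packets, rounded to whole seconds: a doubling
                # series is a reconnect/backoff loop rather than a one-off probe.
                gaps = [round(b - a) for a, b in zip(times, times[1:])]
                hits[(dst, dport)] = {"packets": len(times), "gaps_s": gaps}
        if hits:
            first_ok = min(entry["ok_times"])
            findings[name] = {
                "dynamic_dns": name.endswith(DDNS_SUFFIXES),
                "servfail_before_answer": sum(t < first_ok for t in entry["fail_times"]),
                "flows": hits,
            }
    return findings


if __name__ == "__main__":
    for name, finding in resolve_c2(DNS_ANSWERS, PACKETS).items():
        print(name, finding)
```

Run against the report's rows this yields one finding for doddyfire.linkpc.net: dynamic-DNS suffix, four SERVFAILs before the first answer, and a single flow to 187.177.82.222:10000 with 2/4/8-second gaps. Keying the rule on the DNS-to-flow join rather than on the IP alone is deliberate: the operator can re-point the dynamic-DNS name at a fresh host without changing the sample.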


                                                Target ID:0
                                                Start time:01:41:53
                                                Start date:20/04/2024
                                                Path:C:\Users\user\Desktop\vP53Ohx5q0.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\vP53Ohx5q0.exe"
                                                Imagebase:0x130000
                                                File size:115'744 bytes
                                                MD5 hash:207A0A0F98F554F4B8CE5715F07514C6
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:low
                                                Has exited:true

                                                Target ID:2
                                                Start time:01:42:03
                                                Start date:20/04/2024
                                                Path:C:\Users\user\AppData\Roaming\confuse\chargeable.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\AppData\Roaming\confuse\chargeable.exe"
                                                Imagebase:0xfc0000
                                                File size:115'808 bytes
                                                MD5 hash:2F2F1040DB8F1E8BF6EB249283EB7D0E
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000002.00000002.1780405380.00000000036D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000002.00000002.1780405380.00000000036D1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                • Rule: njrat1, Description: Identify njRat, Source: 00000002.00000002.1780405380.00000000036D1000.00000004.00000800.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
                                                • Rule: Njrat, Description: detect njRAT in memory, Source: 00000002.00000002.1780405380.00000000036D1000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                Antivirus matches:
                                                • Detection: 100%, Avira
                                                • Detection: 100%, Joe Sandbox ML
                                                Reputation:low
                                                Has exited:true

                                                Target ID:3
                                                Start time:01:42:06
                                                Start date:20/04/2024
                                                Path:C:\Users\user\AppData\Roaming\confuse\chargeable.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Users\user\AppData\Roaming\confuse\chargeable.exe
                                                Imagebase:0xbb0000
                                                File size:115'808 bytes
                                                MD5 hash:2F2F1040DB8F1E8BF6EB249283EB7D0E
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:low
                                                Has exited:false

                                                Target ID:4
                                                Start time:01:42:08
                                                Start date:20/04/2024
                                                Path:C:\Users\user\AppData\Roaming\confuse\chargeable.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\AppData\Roaming\confuse\chargeable.exe"
                                                Imagebase:0x360000
                                                File size:115'808 bytes
                                                MD5 hash:2F2F1040DB8F1E8BF6EB249283EB7D0E
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:low
                                                Has exited:true

                                                Target ID:6
                                                Start time:01:42:13
                                                Start date:20/04/2024
                                                Path:C:\Users\user\AppData\Roaming\confuse\chargeable.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Users\user\AppData\Roaming\confuse\chargeable.exe
                                                Imagebase:0x200000
                                                File size:115'808 bytes
                                                MD5 hash:2F2F1040DB8F1E8BF6EB249283EB7D0E
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:low
                                                Has exited:false

                                                Target ID:7
                                                Start time:01:42:13
                                                Start date:20/04/2024
                                                Path:C:\Users\user\AppData\Roaming\confuse\chargeable.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Users\user\AppData\Roaming\confuse\chargeable.exe
                                                Imagebase:0x8c0000
                                                File size:115'808 bytes
                                                MD5 hash:2F2F1040DB8F1E8BF6EB249283EB7D0E
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000007.00000002.1903920925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000007.00000002.1903920925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                • Rule: njrat1, Description: Identify njRat, Source: 00000007.00000002.1903920925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
                                                • Rule: Njrat, Description: detect njRAT in memory, Source: 00000007.00000002.1903920925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                Reputation:low
                                                Has exited:true

                                                Target ID:9
                                                Start time:01:42:14
                                                Start date:20/04/2024
                                                Path:C:\Windows\SysWOW64\netsh.exe
                                                Wow64 process (32bit):true
                                                Commandline:netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
                                                Imagebase:0x1560000
                                                File size:82'432 bytes
                                                MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
                                                Has exited:true

                                                Target ID:10
                                                Start time:01:42:14
                                                Start date:20/04/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:12
                                                Start time:01:42:14
                                                Start date:20/04/2024
                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6564 -s 80
                                                Imagebase:0x990000
                                                File size:483'680 bytes
                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true
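The process list above documents the persistence and firewall-tampering chain: vP53Ohx5q0.exe drops chargeable.exe under %AppData%\Roaming\confuse, that binary is started five times (Targets 2, 3, 4, 6 and 7, the last three without elevation), and Target 9 runs netsh firewall add allowedprogram to whitelist it. The Python below is an added example, not part of the report; it re-types the process entries as constructed records and applies the three host-side checks a responder would want from such a list: image in a user-writable drop location, repeated launches of the same dropped image, and a netsh firewall exception pointing at a dropped image. The drop-location patterns and the advfirewall rule syntax are assumptions.

```python
"""Host-side triage of a sandbox process list: drop locations, re-execution
and netsh firewall exceptions. Added example; the records are re-typed from
the report's process entries and the drop-location regex is an assumption."""
import re
from collections import defaultdict

# Constructed from the report's "Target ID" entries (id, image path, command line, elevated).
PROCESSES = [
    {"id": 0, "path": r"C:\Users\user\Desktop\vP53Ohx5q0.exe",
     "cmdline": r'"C:\Users\user\Desktop\vP53Ohx5q0.exe"', "elevated": True},
    {"id": 2, "path": r"C:\Users\user\AppData\Roaming\confuse\chargeable.exe",
     "cmdline": r'"C:\Users\user\AppData\Roaming\confuse\chargeable.exe"', "elevated": True},
    {"id": 3, "path": r"C:\Users\user\AppData\Roaming\confuse\chargeable.exe",
     "cmdline": r"C:\Users\user\AppData\Roaming\confuse\chargeable.exe", "elevated": True},
    {"id": 4, "path": r"C:\Users\user\AppData\Roaming\confuse\chargeable.exe",
     "cmdline": r'"C:\Users\user\AppData\Roaming\confuse\chargeable.exe"', "elevated": False},
    {"id": 6, "path": r"C:\Users\user\AppData\Roaming\confuse\chargeable.exe",
     "cmdline": r"C:\Users\user\AppData\Roaming\confuse\chargeable.exe", "elevated": False},
    {"id": 7, "path": r"C:\Users\user\AppData\Roaming\confuse\chargeable.exe",
     "cmdline": r"C:\Users\user\AppData\Roaming\confuse\chargeable.exe", "elevated": False},
    {"id": 9, "path": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE',
     "elevated": True},
    {"id": 10, "path": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", "elevated": True},
    {"id": 12, "path": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 6564 -s 80", "elevated": False},
]

# Assumed drop-location patterns: user-writable directories malware commonly persists from.
DROP_LOCATIONS = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\appdata\\|programdata\\|windows\\temp\\)", re.I)

# Legacy 'netsh firewall' syntax (exactly what the report shows) and the newer
# 'netsh advfirewall ... program=' form (assumed; not in the report).
LEGACY_ALLOW = re.compile(
    r'\bfirewall\s+add\s+allowedprogram\s+(?:program=)?(?:"([^"]+)"|(\S+))', re.I)
ADV_ALLOW = re.compile(
    r'\badvfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=(?:"([^"]+)"|(\S+))', re.I)


def firewall_exception_target(cmdline):
    """Program path that a netsh command whitelists, or None if it is not such a command."""
    m = LEGACY_ALLOW.search(cmdline) or ADV_ALLOW.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def triage(processes):
    """Apply the three checks and return:
    drop_location:       ids whose image lives in a drop location
    relaunches:          drop-location images started more than once (path -> count)
    firewall_exceptions: (id, program, program_is_in_drop_location) per netsh allow"""
    drop_ids, counts, exceptions = [], defaultdict(int), []
    for p in processes:
        if DROP_LOCATIONS.match(p["path"]):
            drop_ids.append(p["id"])
            counts[p["path"].lower()] += 1
        prog = firewall_exception_target(p["cmdline"])
        if prog is not None:
            exceptions.append((p["id"], prog, bool(DROP_LOCATIONS.match(prog))))
    return {
        "drop_location": drop_ids,
        "relaunches": {path: n for path, n in counts.items() if n > 1},
        "firewall_exceptions": exceptions,
    }


if __name__ == "__main__":
    for key, value in triage(PROCESSES).items():
        print(key, value)
```

The firewall check is the high-signal one: a legitimate installer whitelists a program under Program Files, whereas an exception for a path under AppData is almost always self-added by the thing being excepted, so the third tuple element is what turns a noisy "netsh ran" event into an alert.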


                                                  Execution Graph

                                                  Execution Coverage:19%
                                                  Dynamic/Decrypted Code Coverage:100%
                                                  Signature Coverage:0%
                                                  Total number of Nodes:90
                                                  Total number of Limit Nodes:3
Execution-graph nodes that resolve to API calls (node address: API), grouped by address range; where the same call appears in two subgraphs both node addresses are given:
• a3axxxx range: a3a2f6 CreateActCtxA; a3a44e / a3a47a SetErrorMode; a3a622 / a3a660 DuplicateHandle; a3ac52 RegOpenKeyExW; a3ad5a RegQueryValueExW; a3b45e LoadLibraryShim; a3baf2 / a3bb18 LoadLibraryW; a3bc82 GetFileVersionInfoSizeW; a3bd32 GetFileVersionInfoW
• 4e2xxxx range: 4e20032 / 4e20082 VerLanguageNameW; 4e20462 DrawTextExW; 4e20ac6 / 4e20aec CreateDirectoryW; 4e20b86 / 4e20bbe CreateFileW; 4e20d4a GetFileType; 4e20eda / 4e20f0f WriteFile; 4e20fbe RegSetValueExW; 4e210a6 / 4e210cf SetFileAttributesW; 4e21206 / 4e2122c ShellExecuteExW; 4e2135e / 4e21393 PostMessageW

Control-flow Graph (function at b300d0, 7 basic blocks in one linear chain)
• Basic blocks: b300d0-b31855 -> b3185c-b32b7b -> b32b82-b38c8d -> b38c94-b38c9c -> b38ca4-b397f0 -> b397f7 -> b397fe-b39804
Memory Dump Source
• Source File: 00000000.00000002.1746173922.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b30000_vP53Ohx5q0.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: aa7e3dc5a61af9fb12ce02ab2f5c8551a0551e50e14e3103cad306438f4a9484
• Instruction ID: f5233464b8f7c7a467e827c7728795be5222c1d0f5d4cf98d43f86583dedbdc3
• Opcode Fuzzy Hash: aa7e3dc5a61af9fb12ce02ab2f5c8551a0551e50e14e3103cad306438f4a9484
• Instruction Fuzzy Hash: 97143734601604DFE765DB30C854ADAB3B2EF89304F5188A8D55AAB3A1DF36EE85CF41
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (function at b300e0, 7 basic blocks in one linear chain)
• Basic blocks: b300e0-b31855 -> b3185c-b32b7b -> b32b82-b38c8d -> b38c94-b38c9c -> b38ca4-b397f0 -> b397f7 -> b397fe-b39804
Memory Dump Source
• Source File: 00000000.00000002.1746173922.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b30000_vP53Ohx5q0.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e97e69ea4ea34785c52b2e1c56ee7c7aa999bb4e896936b9cb74a8eff95b327b
• Instruction ID: 762b4fadbb2fa64fc6124ae75f04727a2739e0599bd7087bb1881e196f7f63c1
• Opcode Fuzzy Hash: e97e69ea4ea34785c52b2e1c56ee7c7aa999bb4e896936b9cb74a8eff95b327b
• Instruction Fuzzy Hash: C7143734601604DFE765DB30C854ADAB3B2EF89304F5188A8D55AAB3A1DF36EE85CF41
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (function at b398a0, 2 basic blocks)
• Basic blocks: b398a0-b3b2cd -> b3b2d4-b3c61c
Memory Dump Source
• Source File: 00000000.00000002.1746173922.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b30000_vP53Ohx5q0.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 299586ebbb161881a42b3ee9a452fa5690223aafa43ccac3482088eba7b659f2
• Instruction ID: e6ffcac88482176d2ead554f4fec3e5fe08b896875dc11554aae6227ff30af3a
• Opcode Fuzzy Hash: 299586ebbb161881a42b3ee9a452fa5690223aafa43ccac3482088eba7b659f2
• Instruction Fuzzy Hash: 3E33A6393015729B8A2ABF35D59183E7B73A7C9658314C746C9110B3A8CF3CAB478BE5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (function at 4e20b60, 9 basic blocks; block -> successors)
• 4e20b60-4e20bde -> 4e20be3-4e20bef, 4e20be0
• 4e20be0 -> 4e20be3-4e20bef
• 4e20be3-4e20bef -> 4e20bf1, 4e20bf4-4e20bfd
• 4e20bf1 -> 4e20bf4-4e20bfd
• 4e20bf4-4e20bfd -> 4e20c4e-4e20c53, 4e20bff-4e20c23
• 4e20c4e-4e20c53 -> 4e20bff-4e20c23
• 4e20bff-4e20c23 (calls CreateFileW) -> 4e20c55-4e20c5a, 4e20c25-4e20c4b
• 4e20c55-4e20c5a -> 4e20c25-4e20c4b
• 4e20c25-4e20c4b (no successors)
APIs
• CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 04E20C05
Memory Dump Source
• Source File: 00000000.00000002.1746857852.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4e20000_vP53Ohx5q0.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 395f0e46cb4171f377b8aa77f3ddff51c4a564bfe57237b6581ec0edd142426d
• Instruction ID: c84839c3e1346b79e331aaba4cc9a5fc3990922bcc2e11e896e66d6d47cb1734
• Opcode Fuzzy Hash: 395f0e46cb4171f377b8aa77f3ddff51c4a564bfe57237b6581ec0edd142426d
• Instruction Fuzzy Hash: FB3190B1505380AFE722CF65CD44F66BFE8EF05224F08849AE9859B692D375F809CB71
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (function at a3ac22, 7 basic blocks; block -> successors)
• a3ac22-a3acad -> a3acb2-a3acc9, a3acaf
• a3acaf -> a3acb2-a3acc9
• a3acb2-a3acc9 -> a3ad0b-a3ad10, a3accb-a3acde
• a3ad0b-a3ad10 -> a3accb-a3acde
• a3accb-a3acde (calls RegOpenKeyExW) -> a3ad12-a3ad17, a3ace0-a3ad08
• a3ad12-a3ad17 -> a3ace0-a3ad08
• a3ace0-a3ad08 (no successors)
APIs
• RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 00A3ACD1
Memory Dump Source
• Source File: 00000000.00000002.1745895518.0000000000A3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a3a000_vP53Ohx5q0.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
• Opcode ID: e556a7196478713d8083e8c033e83905d6de51401c8cb484bc99a05ba068b3b1
• Instruction ID: 3429e2c3b27af4f4be3a74edf51fa3e44d59404c96d0cf59409163597881df47
• Opcode Fuzzy Hash: e556a7196478713d8083e8c033e83905d6de51401c8cb484bc99a05ba068b3b1
• Instruction Fuzzy Hash: AF31A2B2504384AFE7228B51CC45FA7BFBCEF16310F08849AF9859B652D264E94DCB71
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (function at a3ad19, 11 basic blocks; block -> successors)
• a3ad19-a3ad97 -> a3ad99, a3ad9c-a3ada5
• a3ad99 -> a3ad9c-a3ada5
• a3ad9c-a3ada5 -> a3ada7, a3adaa-a3adb0
• a3ada7 -> a3adaa-a3adb0
• a3adaa-a3adb0 -> a3adb2, a3adb5-a3adcc
• a3adb2 -> a3adb5-a3adcc
• a3adb5-a3adcc -> a3ae03-a3ae08, a3adce-a3ade1
• a3ae03-a3ae08 -> a3adce-a3ade1
• a3adce-a3ade1 (calls RegQueryValueExW) -> a3ade3-a3ae00, a3ae0a-a3ae0f
• a3ae0a-a3ae0f -> a3ade3-a3ae00
• a3ade3-a3ae00 (no successors)
APIs
• RegQueryValueExW.KERNELBASE(?,00000E24,66B55974,00000000,00000000,00000000,00000000), ref: 00A3ADD4
Memory Dump Source
• Source File: 00000000.00000002.1745895518.0000000000A3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a3a000_vP53Ohx5q0.jbxd
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
• Opcode ID: faa191393a9fa9ec060cf299ca8edffe2b42bee880091a914cdd1d8a084fee8f
• Instruction ID: 2d008968e5c1af4073a9e7397154418c6edeee5e2b9a96bab24f6b4cbf6cb927
• Opcode Fuzzy Hash: faa191393a9fa9ec060cf299ca8edffe2b42bee880091a914cdd1d8a084fee8f
• Instruction Fuzzy Hash: C731B3765047805FD722CB21CC44FA2BFF8EF16314F08849AE985CB693D264E908CB61
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (function at 4e20f83, 9 basic blocks; block -> successors)
• 4e20f83-4e20ffb -> 4e21000-4e2100c, 4e20ffd
• 4e20ffd -> 4e21000-4e2100c
• 4e21000-4e2100c -> 4e21011-4e21028, 4e2100e
• 4e2100e -> 4e21011-4e21028
• 4e21011-4e21028 -> 4e2102a-4e2103d, 4e2105f-4e21064
• 4e2105f-4e21064 -> 4e2102a-4e2103d
• 4e2102a-4e2103d (calls RegSetValueExW) -> 4e21066-4e2106b, 4e2103f-4e2105c
• 4e21066-4e2106b -> 4e2103f-4e2105c
• 4e2103f-4e2105c (no successors)
APIs
• RegSetValueExW.KERNELBASE(?,00000E24,66B55974,00000000,00000000,00000000,00000000), ref: 04E21030
Memory Dump Source
• Source File: 00000000.00000002.1746857852.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4e20000_vP53Ohx5q0.jbxd
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
• Opcode ID: 6b47a5f8b4a2bbc9d0f15a304619951088f1164adf352c7e43500f63525cf6f9
• Instruction ID: f9247276c98786dd5c415b3f4c6edd7c20c34d76b825f8b37f83acdc965f384c
• Opcode Fuzzy Hash: 6b47a5f8b4a2bbc9d0f15a304619951088f1164adf352c7e43500f63525cf6f9
• Instruction Fuzzy Hash: 5221D2B25047806FE722CB11CC44FA3FFB8EF06314F08849AE9849B693D264E908C771
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
                                                  control_flow_graph 4811 4e20b86-4e20bde 4814 4e20be3-4e20bef 4811->4814 4815 4e20be0 4811->4815 4816 4e20bf1 4814->4816 4817 4e20bf4-4e20bfd 4814->4817 4815->4814 4816->4817 4818 4e20c4e-4e20c53 4817->4818 4819 4e20bff-4e20c07 CreateFileW 4817->4819 4818->4819 4820 4e20c0d-4e20c23 4819->4820 4822 4e20c55-4e20c5a 4820->4822 4823 4e20c25-4e20c4b 4820->4823 4822->4823
                                                  APIs
                                                  • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 04E20C05
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1746857852.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_4e20000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID:
                                                  • API String ID: 823142352-0
                                                  • Opcode ID: 2615980bba1366b325e8bea5f1ed71d46fc8dfbbd88b5bb5000a23986633c3bc
                                                  • Instruction ID: 8e69a633cedece74a978fdb2d0bbf9cc655312273e47ca3d9f09e47f736d71e3
                                                  • Opcode Fuzzy Hash: 2615980bba1366b325e8bea5f1ed71d46fc8dfbbd88b5bb5000a23986633c3bc
                                                  • Instruction Fuzzy Hash: C82192B1500640AFE721CF65CD45FA6FBE8EF14324F048459EA499B691D375F408CB71
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

Control-flow Graph
                                                  control_flow_graph 4807 a3a2ac-a3a2f3 4808 a3a2f6-a3a34e CreateActCtxA 4807->4808 4810 a3a354-a3a36a 4808->4810
                                                  APIs
                                                  • CreateActCtxA.KERNEL32(?,00000E24,?,?), ref: 00A3A346
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1745895518.0000000000A3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3A000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_a3a000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  • Opcode ID: 2b62f1622555098977ada48aaa8baf7ba294b68bc3a1cad73eb24f3f1ec2ffb7
                                                  • Instruction ID: 49c454bc585ccc9515f3fc59e25c2bf56ea7f818931843f6c0fec71c07ba0773
                                                  • Opcode Fuzzy Hash: 2b62f1622555098977ada48aaa8baf7ba294b68bc3a1cad73eb24f3f1ec2ffb7
                                                  • Instruction Fuzzy Hash: DA21C2714097C06FD3138B258C51B62BFB8EF87610F0A81DBE884DB693D225A919C7B2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

Control-flow Graph
                                                  control_flow_graph 4826 a3ac52-a3acad 4829 a3acb2-a3acc9 4826->4829 4830 a3acaf 4826->4830 4832 a3ad0b-a3ad10 4829->4832 4833 a3accb-a3acde RegOpenKeyExW 4829->4833 4830->4829 4832->4833 4834 a3ad12-a3ad17 4833->4834 4835 a3ace0-a3ad08 4833->4835 4834->4835
                                                  APIs
                                                  • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 00A3ACD1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1745895518.0000000000A3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3A000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_a3a000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID: Open
                                                  • String ID:
                                                  • API String ID: 71445658-0
                                                  • Opcode ID: 13fbccfcf5f9ad1245742141928ad4ebf3139cfdfcdc786f61245aedcf70aba3
                                                  • Instruction ID: 502f87e06861251cccdb67547dfc277b0c4edf43cce041bf8f7112a0ec53cf9e
                                                  • Opcode Fuzzy Hash: 13fbccfcf5f9ad1245742141928ad4ebf3139cfdfcdc786f61245aedcf70aba3
                                                  • Instruction Fuzzy Hash: 9121AEB2500604AFE7219F51DC44FABFBECEF24324F04845AF9459BA52D764E94C8BB2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

Control-flow Graph
                                                  control_flow_graph 4840 4e20d17-4e20d95 4844 4e20d97-4e20daa GetFileType 4840->4844 4845 4e20dca-4e20dcf 4840->4845 4846 4e20dd1-4e20dd6 4844->4846 4847 4e20dac-4e20dc9 4844->4847 4845->4844 4846->4847
                                                  APIs
                                                  • GetFileType.KERNELBASE(?,00000E24,66B55974,00000000,00000000,00000000,00000000), ref: 04E20D9D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1746857852.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_4e20000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID: FileType
                                                  • String ID:
                                                  • API String ID: 3081899298-0
                                                  • Opcode ID: ba543f8826c2d606a45853cca17f2d205b07b31206ed9b6d27417eee473f7439
                                                  • Instruction ID: a03742a2f4004d25ff593d6ebd19b099c47af9ac1c8a61a51c1b0929d6d7740d
                                                  • Opcode Fuzzy Hash: ba543f8826c2d606a45853cca17f2d205b07b31206ed9b6d27417eee473f7439
                                                  • Instruction Fuzzy Hash: 5B21D5B54097806FE7128B61DC40BA2BFB8DF57324F0980DBE9849F693D268A909C775
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

Control-flow Graph
                                                  control_flow_graph 4851 4e20eba-4e20f31 4855 4e20f33-4e20f53 WriteFile 4851->4855 4856 4e20f75-4e20f7a 4851->4856 4859 4e20f55-4e20f72 4855->4859 4860 4e20f7c-4e20f81 4855->4860 4856->4855 4860->4859
                                                  APIs
                                                  • WriteFile.KERNELBASE(?,00000E24,66B55974,00000000,00000000,00000000,00000000), ref: 04E20F39
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1746857852.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_4e20000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID: FileWrite
                                                  • String ID:
                                                  • API String ID: 3934441357-0
                                                  • Opcode ID: 4ee09eb039164afd221ebfcb9170c8606979618a1dcabe13f24fb46b1ada2d5c
                                                  • Instruction ID: 2f980727c36796d2e7208853c976706f05d64ff1400743e2bb12dae06c38ce2d
                                                  • Opcode Fuzzy Hash: 4ee09eb039164afd221ebfcb9170c8606979618a1dcabe13f24fb46b1ada2d5c
                                                  • Instruction Fuzzy Hash: C8219571405740AFE722CF51DC44F97BFB8EF45214F04849AE9449B552D265A508CB75
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

Control-flow Graph
                                                  control_flow_graph 4879 4e20431-4e20486 4881 4e2048b-4e2049a 4879->4881 4882 4e20488 4879->4882 4883 4e2049f-4e204ab 4881->4883 4884 4e2049c 4881->4884 4882->4881 4885 4e204e5-4e204ea 4883->4885 4886 4e204ad-4e204b5 DrawTextExW 4883->4886 4884->4883 4885->4886 4887 4e204bb-4e204cd 4886->4887 4889 4e204cf-4e204e2 4887->4889 4890 4e204ec-4e204f1 4887->4890 4890->4889
                                                  APIs
                                                  • DrawTextExW.USER32(?,?,?,?,?,?), ref: 04E204B3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1746857852.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_4e20000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID: DrawText
                                                  • String ID:
                                                  • API String ID: 2175133113-0
                                                  • Opcode ID: 7f184192a9d3b733c31134e40a9f0d4fc46aca68f8bd3ace52329613469afce6
                                                  • Instruction ID: aea81176a34b325e82a3235a7a9df16b42c3205bc0e30a72d2e90bf5c75d9723
                                                  • Opcode Fuzzy Hash: 7f184192a9d3b733c31134e40a9f0d4fc46aca68f8bd3ace52329613469afce6
                                                  • Instruction Fuzzy Hash: C621A1715047849FDB22CF25DD44B62BFF8EF06224F09849AE9848F563D275E908CB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

Control-flow Graph
                                                  control_flow_graph 4863 a3ad5a-a3ad97 4865 a3ad99 4863->4865 4866 a3ad9c-a3ada5 4863->4866 4865->4866 4867 a3ada7 4866->4867 4868 a3adaa-a3adb0 4866->4868 4867->4868 4869 a3adb2 4868->4869 4870 a3adb5-a3adcc 4868->4870 4869->4870 4872 a3ae03-a3ae08 4870->4872 4873 a3adce-a3ade1 RegQueryValueExW 4870->4873 4872->4873 4874 a3ade3-a3ae00 4873->4874 4875 a3ae0a-a3ae0f 4873->4875 4875->4874
                                                  APIs
                                                  • RegQueryValueExW.KERNELBASE(?,00000E24,66B55974,00000000,00000000,00000000,00000000), ref: 00A3ADD4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1745895518.0000000000A3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3A000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_a3a000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID: QueryValue
                                                  • String ID:
                                                  • API String ID: 3660427363-0
                                                  • Opcode ID: 0891dd0c70f4dd1ee7ad621f032945a8267803e64e4bfdd2456cbaaf41c6737b
                                                  • Instruction ID: 05857d068ee597b7bb738366933f5fd3642bef9c64385b34634628a03c07d2af
                                                  • Opcode Fuzzy Hash: 0891dd0c70f4dd1ee7ad621f032945a8267803e64e4bfdd2456cbaaf41c6737b
                                                  • Instruction Fuzzy Hash: F3218EB6600604AFE721CF15CC84FA6F7ECEF24714F18845AF9459BA91D764E908CAB2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

Control-flow Graph
                                                  control_flow_graph 4892 a3bab4-a3bb16 4894 a3bb1b-a3bb24 4892->4894 4895 a3bb18 4892->4895 4896 a3bb26-a3bb46 LoadLibraryW 4894->4896 4897 a3bb5c-a3bb61 4894->4897 4895->4894 4900 a3bb63-a3bb68 4896->4900 4901 a3bb48-a3bb5b 4896->4901 4897->4896 4900->4901
                                                  APIs
                                                  • LoadLibraryW.KERNELBASE(?), ref: 00A3BB2C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1745895518.0000000000A3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3A000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_a3a000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0
                                                  • Opcode ID: 409810a4ff3d6c62b3161a0b130010c4f2072da16c845b5963fdaf6597569b90
                                                  • Instruction ID: 1ab5afcbdeb0e44a913e025fd8f8befc31b62865dd95ddba4843c3c65530640f
                                                  • Opcode Fuzzy Hash: 409810a4ff3d6c62b3161a0b130010c4f2072da16c845b5963fdaf6597569b90
                                                  • Instruction Fuzzy Hash: 00215E715093C05FDB12CB25DC94B92BFB8DF07224F0984DAED848F567D2689908CB72
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • RegSetValueExW.KERNELBASE(?,00000E24,66B55974,00000000,00000000,00000000,00000000), ref: 04E21030
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1746857852.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_4e20000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID: Value
                                                  • String ID:
                                                  • API String ID: 3702945584-0
                                                  • Opcode ID: c8ab9567461cccb014e705adf925766b71a0acbb8ca8d921a37d412d62e8760e
                                                  • Instruction ID: 95c1b09d62f251e4b86390c127af47964d98a5e0794f4d07d8bfbe4474554f3a
                                                  • Opcode Fuzzy Hash: c8ab9567461cccb014e705adf925766b71a0acbb8ca8d921a37d412d62e8760e
                                                  • Instruction Fuzzy Hash: 221190B6600650AFEB218E11DD40FA7FBECEF14724F08845AED459A692E774F508CAB1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • LoadLibraryShim.MSCOREE(?,?,?,?), ref: 00A3B4A9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1745895518.0000000000A3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3A000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_a3a000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID: LibraryLoadShim
                                                  • String ID:
                                                  • API String ID: 1475914169-0
                                                  • Opcode ID: a5e781180a08e90d31350a1e804f13896515fd48d5cd1fb192faecfc7dbcb5be
                                                  • Instruction ID: e2b34ff64a29b25f3e15fef2fa0d25cae6161367a584389931e0ff49cce27640
                                                  • Opcode Fuzzy Hash: a5e781180a08e90d31350a1e804f13896515fd48d5cd1fb192faecfc7dbcb5be
                                                  • Instruction Fuzzy Hash: D12181B55093805FDB228F15DC45B62BFE8EF46724F08808AED848B293D365E808C771
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • SetFileAttributesW.KERNELBASE(?,?), ref: 04E210E3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1746857852.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_4e20000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID: AttributesFile
                                                  • String ID:
                                                  • API String ID: 3188754299-0
                                                  • Opcode ID: 9aa41e50992ef1a64e524b420459815b8d3de836ec78f3f34734d4ec42c5d6d6
                                                  • Instruction ID: ec5d05bdcef58dfafbde915ab43a29e19e9f83a2d7976a3ebeb3baca147f7439
                                                  • Opcode Fuzzy Hash: 9aa41e50992ef1a64e524b420459815b8d3de836ec78f3f34734d4ec42c5d6d6
                                                  • Instruction Fuzzy Hash: 3C2193715082C09FDB118F25DD55B52BFA8EF46224F0C84DAED858F262D279E905CB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • CreateDirectoryW.KERNELBASE(?,?), ref: 04E20B0B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1746857852.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_4e20000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID: CreateDirectory
                                                  • String ID:
                                                  • API String ID: 4241100979-0
                                                  • Opcode ID: e6045bac2f48fdb4fe510e47a44a745ce9676cb4f9c16fbbc975799f0fd94397
                                                  • Instruction ID: c84487390afcb1a6e51832aea4a000d1c86ce75143e42c84c94258d27906af3a
                                                  • Opcode Fuzzy Hash: e6045bac2f48fdb4fe510e47a44a745ce9676cb4f9c16fbbc975799f0fd94397
                                                  • Instruction Fuzzy Hash: 7E1184B15043809FDB11CF25DD84B56BFE8EF46224F0984AAED89CF692D274E904CB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 00A3BCBF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1745895518.0000000000A3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3A000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_a3a000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID: FileInfoSizeVersion
                                                  • String ID:
                                                  • API String ID: 1661704012-0
                                                  • Opcode ID: 9ba7e43a65c746b076985d9989bc845ae3a2fd2d71722779ffda86b582f2804c
                                                  • Instruction ID: 5e1810dc04edfb2af05540064ef5eaf57eba37715e05a6f9e9724f7d23300ec8
                                                  • Opcode Fuzzy Hash: 9ba7e43a65c746b076985d9989bc845ae3a2fd2d71722779ffda86b582f2804c
                                                  • Instruction Fuzzy Hash: BE2181B15093849FDB11CF25DC45B52BFA4EF46324F0984DAE9848F163D2749909CB71
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • PostMessageW.USER32(?,?,?,?), ref: 04E21399
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1746857852.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_4e20000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID: MessagePost
                                                  • String ID:
                                                  • API String ID: 410705778-0
                                                  • Opcode ID: 4ee2d769a0a46c6d69ce091e6ef446c7c683ea655f8649f14a883e0c2df22bbb
                                                  • Instruction ID: ca9339144623707fc28753e58ab9a13b0a6ade73948215ead48fa371c0fe16d4
                                                  • Opcode Fuzzy Hash: 4ee2d769a0a46c6d69ce091e6ef446c7c683ea655f8649f14a883e0c2df22bbb
                                                  • Instruction Fuzzy Hash: 7C219D725093C09FDB238F25CC44A62FFB4EF07224F0985DBE9848F563D265A918DB62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • VerLanguageNameW.KERNELBASE(?,00000E24,?,?), ref: 04E20082
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1746857852.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_4e20000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID: LanguageName
                                                  • String ID:
                                                  • API String ID: 2060303382-0
                                                  • Opcode ID: cc2d8fb1e8826089733697b28da0d1bf5c70440c0f2b6419debf599c6d4e68c3
                                                  • Instruction ID: 7ad2664ac709ca902f0330fc3b24825f6ad87ce219db9b0a11df851359b914cb
                                                  • Opcode Fuzzy Hash: cc2d8fb1e8826089733697b28da0d1bf5c70440c0f2b6419debf599c6d4e68c3
                                                  • Instruction Fuzzy Hash: B711E9B15093806FC311CB25CC45F62FFB8EF86610F09819FE8449B693D225B519C7A2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A3A666
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1745895518.0000000000A3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3A000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_a3a000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: 05bf5de2fafdf4cb654ada72478284819b28117bb02d13957c8295445b31ab92
                                                  • Instruction ID: b90ebe396d6be6426d72ffd688b0533b5023d03ba2acad16219c5e2437dcd5cc
                                                  • Opcode Fuzzy Hash: 05bf5de2fafdf4cb654ada72478284819b28117bb02d13957c8295445b31ab92
                                                  • Instruction Fuzzy Hash: CE117571405780AFDB228F51DC44A62FFF4EF4A324F08849AED858B552D275A518DB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • ShellExecuteExW.SHELL32(?), ref: 04E21240
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1746857852.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_4e20000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID: ExecuteShell
                                                  • String ID:
                                                  • API String ID: 587946157-0
                                                  • Opcode ID: 9e72629896a1c451329301f41ab338941a4715f2bc678e1f350a1deee9842203
                                                  • Instruction ID: 1d1cec38490f6d68aaa73717721c555d7a0a8c59ba7a8d15c3b9de993e1be6e8
                                                  • Opcode Fuzzy Hash: 9e72629896a1c451329301f41ab338941a4715f2bc678e1f350a1deee9842203
                                                  • Instruction Fuzzy Hash: 111190725093809FDB12CF25DD84B52BFA89F46224F0884EBED85CF652D264E908CB62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • WriteFile.KERNELBASE(?,00000E24,66B55974,00000000,00000000,00000000,00000000), ref: 04E20F39
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1746857852.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_4e20000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID: FileWrite
                                                  • String ID:
                                                  • API String ID: 3934441357-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetFileVersionInfoW.KERNELBASE(?,?,?,?), ref: 00A3BD75
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1745895518.0000000000A3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3A000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_a3a000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID: FileInfoVersion
                                                  • String ID:
                                                  • API String ID: 2427832333-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • PostMessageW.USER32(?,?,?,?), ref: 04E21721
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1746857852.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_4e20000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID: MessagePost
                                                  • String ID:
                                                  • API String ID: 410705778-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • DrawTextExW.USER32(?,?,?,?,?,?), ref: 04E204B3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1746857852.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_4e20000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID: DrawText
                                                  • String ID:
                                                  • API String ID: 2175133113-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • CreateDirectoryW.KERNELBASE(?,?), ref: 04E20B0B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1746857852.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_4e20000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID: CreateDirectory
                                                  • String ID:
                                                  • API String ID: 4241100979-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetFileType.KERNELBASE(?,00000E24,66B55974,00000000,00000000,00000000,00000000), ref: 04E20D9D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1746857852.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_4e20000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID: FileType
                                                  • String ID:
                                                  • API String ID: 3081899298-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • SetFileAttributesW.KERNELBASE(?,?), ref: 04E210E3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1746857852.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_4e20000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID: AttributesFile
                                                  • String ID:
                                                  • API String ID: 3188754299-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • SetErrorMode.KERNELBASE(?), ref: 00A3A480
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1745895518.0000000000A3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3A000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_a3a000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID: ErrorMode
                                                  • String ID:
                                                  • API String ID: 2340568224-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • ShellExecuteExW.SHELL32(?), ref: 04E21240
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1746857852.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_4e20000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID: ExecuteShell
                                                  • String ID:
                                                  • API String ID: 587946157-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetFileVersionInfoW.KERNELBASE(?,?,?,?), ref: 00A3BD75
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1745895518.0000000000A3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3A000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_a3a000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID: FileInfoVersion
                                                  • String ID:
                                                  • API String ID: 2427832333-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • LoadLibraryShim.MSCOREE(?,?,?,?), ref: 00A3B4A9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1745895518.0000000000A3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3A000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_a3a000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID: LibraryLoadShim
                                                  • String ID:
                                                  • API String ID: 1475914169-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A3A666
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1745895518.0000000000A3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3A000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_a3a000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 00A3BCBF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1745895518.0000000000A3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3A000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_a3a000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID: FileInfoSizeVersion
                                                  • String ID:
                                                  • API String ID: 1661704012-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • VerLanguageNameW.KERNELBASE(?,00000E24,?,?), ref: 04E20082
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1746857852.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_4e20000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID: LanguageName
                                                  • String ID:
                                                  • API String ID: 2060303382-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • LoadLibraryW.KERNELBASE(?), ref: 00A3BB2C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1745895518.0000000000A3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3A000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_a3a000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • CreateActCtxA.KERNEL32(?,00000E24,?,?), ref: 00A3A346
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1745895518.0000000000A3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3A000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_a3a000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • PostMessageW.USER32(?,?,?,?), ref: 04E21721
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1746857852.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_4e20000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID: MessagePost
                                                  • String ID:
                                                  • API String ID: 410705778-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • PostMessageW.USER32(?,?,?,?), ref: 04E21399
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1746857852.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_4e20000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID: MessagePost
                                                  • String ID:
                                                  • API String ID: 410705778-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • SetErrorMode.KERNELBASE(?), ref: 00A3A480
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1745895518.0000000000A3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3A000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_a3a000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID: ErrorMode
                                                  • String ID:
                                                  • API String ID: 2340568224-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1746173922.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_b30000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1746173922.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_b30000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1746173922.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_b30000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e8f8beaf4ef4e7830d63c5b9c944fc602d8c893e6acc20d0952c5f5b35b8a373
                                                  • Instruction ID: 91f0df51c04aa0c0fb69f147d23a1e21482b9757e8ce559d857e98f70b8ea646
                                                  • Opcode Fuzzy Hash: e8f8beaf4ef4e7830d63c5b9c944fc602d8c893e6acc20d0952c5f5b35b8a373
                                                  • Instruction Fuzzy Hash: 9031E538A042428FCB25EBB8D89597EBBF1FF94304B20816AD401E7395DB34EE45CB91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1746159052.0000000000B20000.00000040.00000020.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_b20000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 11e7cb0090ec0caa862b63fa940dcce53745a7f10a87a71af3488218b6f6b42e
                                                  • Instruction ID: a8200af990caaedd7518803938bad44643a4488e0063e1dbf0843518150a2b00
                                                  • Opcode Fuzzy Hash: 11e7cb0090ec0caa862b63fa940dcce53745a7f10a87a71af3488218b6f6b42e
                                                  • Instruction Fuzzy Hash: 9821503510D3C08FD7138B24D990B55BFB1AF57314F1985DAD8848F6A3C6369C0ACB62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1746159052.0000000000B20000.00000040.00000020.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_b20000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 156a7b46b9ec51ff1c61b9de299d0920b46034872d8ffa6edfc283d1bca78785
                                                  • Instruction ID: 2f2dc7a1ffa72049a8b4d4926bd57bed92dee10d21e76af15571afa07babc525
                                                  • Opcode Fuzzy Hash: 156a7b46b9ec51ff1c61b9de299d0920b46034872d8ffa6edfc283d1bca78785
                                                  • Instruction Fuzzy Hash: 0511AE30214280DFD711DB10E980B26B7D5EB99718F24C9DDE94D1BAA3C73AEC02CB91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1746173922.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_b30000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d98b0209112dfbcb3015cea9b464fce8911b599d7ee39fce211db136189032cb
                                                  • Instruction ID: 82db13cbe5a107c8e6aac6f5d3ceb87efca7bb20e95a1bafe752ca7d98207160
                                                  • Opcode Fuzzy Hash: d98b0209112dfbcb3015cea9b464fce8911b599d7ee39fce211db136189032cb
                                                  • Instruction Fuzzy Hash: 02019D9694E7D05FCB13537018792AA7F705E63104B0A01DFC486CE6E7EA4D494AC3A7
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1746173922.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_b30000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 24bb43fd790c16512fd69729e87e968b55baeeb1dc0e00a65c4160b0bfc7d3f8
                                                  • Instruction ID: 23a1ec20f7fbdb22acb4b73be0a1e677b468fb56e90ad2dc7f616e1a9c11c2b9
                                                  • Opcode Fuzzy Hash: 24bb43fd790c16512fd69729e87e968b55baeeb1dc0e00a65c4160b0bfc7d3f8
                                                  • Instruction Fuzzy Hash: 1F01F9397053106BD7229278AC01B6E7AD18BCB750F3541ABE605EF392CAA15C068395
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1746173922.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_b30000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f17dc3d5d22177a68bae3979e7a24a03be66f102121453fa2876d9f93025e46a
                                                  • Instruction ID: dc0492c32589291ad1520483ab1d78279cc6d6a3fdb15bdcb7741eb99218e502
                                                  • Opcode Fuzzy Hash: f17dc3d5d22177a68bae3979e7a24a03be66f102121453fa2876d9f93025e46a
                                                  • Instruction Fuzzy Hash: 42F049353092001BD714E7359891FEBBBD65FE5308F24406EE2048BB81CB715C0487A2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1746159052.0000000000B20000.00000040.00000020.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_b20000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 67e742e46b844a3651fedd7c7212872d52889a4d2f4bae434880fb498d92e09d
                                                  • Instruction ID: c4f7d5df7a6a594b1428ae8fdbb390318e2d2eb174f0e28a540afd7977869169
                                                  • Opcode Fuzzy Hash: 67e742e46b844a3651fedd7c7212872d52889a4d2f4bae434880fb498d92e09d
                                                  • Instruction Fuzzy Hash: D501DBB64093805FD7118B159C40873FFA8DB86530709859FEC498BA53D125A809C776
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1746173922.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_b30000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ddcde34a11a3689e54ad06ab1e395f44cddb81f085d07e42eda42464868dcce6
                                                  • Instruction ID: 292c0d26abbb275e81aaa220df0c12b35ab27939342f31198d3559fb46e5e650
                                                  • Opcode Fuzzy Hash: ddcde34a11a3689e54ad06ab1e395f44cddb81f085d07e42eda42464868dcce6
                                                  • Instruction Fuzzy Hash: 7CF0FC3570022067D62062695C01B6D71D6CBCAB55F34406AE605EF7D4DFB1DC0643D9
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1746159052.0000000000B20000.00000040.00000020.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_b20000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0b6e4d9588c8b3b536dc49aa3ff0406202024c598795a04b4f4794c20a664ee6
                                                  • Instruction ID: 0cab3841c5ffb56604c5d39190f26fd4af5f7319794931fbed6b52fc54e95925
                                                  • Opcode Fuzzy Hash: 0b6e4d9588c8b3b536dc49aa3ff0406202024c598795a04b4f4794c20a664ee6
                                                  • Instruction Fuzzy Hash: EBF0FB35148644DFC216DB40D980B16FBE2EB89718F24CAA9E9490B662C737E812DB81
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1746159052.0000000000B20000.00000040.00000020.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_b20000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 92bb7fb52c4aae69812414f3d1ea60a06cd17e9c0a0c424de220898e2a93ec34
                                                  • Instruction ID: 444878a99796326bc3055d9e37eb994f894bdea687e8ed9a5128362ff6e315b0
                                                  • Opcode Fuzzy Hash: 92bb7fb52c4aae69812414f3d1ea60a06cd17e9c0a0c424de220898e2a93ec34
                                                  • Instruction Fuzzy Hash: 84E092B66006408B9750CF0AEC41462F7D8EB84630B08C07FDC0D8B701D27AF508CAA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1746173922.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_b30000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dc01a90df1b848580a2ef728b8dab56c8c4badf045fde685ccb25004f77efa66
                                                  • Instruction ID: c91293490e46c80b972cdb6eb2158c1419200a794659a2b3709093552cc56bb8
                                                  • Opcode Fuzzy Hash: dc01a90df1b848580a2ef728b8dab56c8c4badf045fde685ccb25004f77efa66
                                                  • Instruction Fuzzy Hash: FED0A72634A1708AC60A32A438115AE2B554AE7520B1500AAE90AC6293CE884A034696
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1746173922.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_b30000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bd314f85d7e8ca1a50ac3a72ac4547078bcb65748777b55ce0cbdfe88e635804
                                                  • Instruction ID: fc5588d5d3458a1106491916c72e3bbee50050a257d22fb63ea231bac9be16b4
                                                  • Opcode Fuzzy Hash: bd314f85d7e8ca1a50ac3a72ac4547078bcb65748777b55ce0cbdfe88e635804
                                                  • Instruction Fuzzy Hash: F9C08025301524534A59327532360FF724A8EC24EC303007BD11E8B382CF5B8D8603DF
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1745883798.0000000000A32000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A32000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_a32000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 52be8d4c0ae38014f5a7eee2ae729fff7931396d98195d2c803378cfe05dc2d3
                                                  • Instruction ID: 8af48c960c1945af1ba150048172cb210a8e4795c0f29d7777ce97f9be57209c
                                                  • Opcode Fuzzy Hash: 52be8d4c0ae38014f5a7eee2ae729fff7931396d98195d2c803378cfe05dc2d3
                                                  • Instruction Fuzzy Hash: FBD05E792456C14FD3169B1CC1A4B9537D4AB65714F4A44F9A8008B763C768E981D700
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1745883798.0000000000A32000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A32000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_a32000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 09cee83d1dd3c3982de647d2e454b69918482fca7a2b547a4f7a7450586c83ab
                                                  • Instruction ID: 2cbfca4296ae11c64ea1e8e5ecef91b1c30e0354af62e5966ca914a0bd5c35d8
                                                  • Opcode Fuzzy Hash: 09cee83d1dd3c3982de647d2e454b69918482fca7a2b547a4f7a7450586c83ab
                                                  • Instruction Fuzzy Hash: CAD05E352402814BD715DB0CC6D4F5977D4AB54B14F0A44E8BC108F762C7A8D8C0DA00
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1746173922.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_b30000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fb9f92fe947f2b4c051e74a2418699b0a2c124d36e9b60b34731d77e8dd1ee3e
                                                  • Instruction ID: fe51e03bba69dd263db65eea905839843975f7be8f62b15fa280c42fce96a356
                                                  • Opcode Fuzzy Hash: fb9f92fe947f2b4c051e74a2418699b0a2c124d36e9b60b34731d77e8dd1ee3e
                                                  • Instruction Fuzzy Hash: BCC09B15316534D3495D329D35114AE774D49D6D75741046AF50D57352CF459D0103DE
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1746173922.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_b30000_vP53Ohx5q0.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fdff569fc68d83e1886c4fbdd5c7a00c2a4e5d8c54f82d1c96343575d1d25640
                                                  • Instruction ID: 22f02a7cb3b0acc036673effb795c92f2b351fe8e7d778394b71d9a8bc8269da
                                                  • Opcode Fuzzy Hash: fdff569fc68d83e1886c4fbdd5c7a00c2a4e5d8c54f82d1c96343575d1d25640
                                                  • Instruction Fuzzy Hash: A4B0928FD0ABC08FD70282246C582993F60AAD320078E00D69591CA25BE14C4E4E8B62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Execution Graph

                                                  Execution Coverage: 19.7%
                                                  Dynamic/Decrypted Code Coverage: 88.1%
                                                  Signature Coverage: 10.4%
                                                  Total number of Nodes: 134
                                                  Total number of Limit Nodes: 11
                                                  execution_graph: [graph source of the rendered execution graph, omitted; API-call nodes present in the graph: SetErrorMode, GetFileVersionInfoSizeW, CreateProcessA, NtWriteVirtualMemory, NtResumeThread, VerLanguageNameW, DrawTextExW, RegQueryValueExW, GetFileVersionInfoW, CreateActCtxA, LoadLibraryShim, DuplicateHandle, RegOpenKeyExW, PostMessageW, LoadLibraryW. The graph contains a path that calls CreateProcessA, then NtWriteVirtualMemory, then NtResumeThread.]

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph: [basic-block graph source omitted; function at 5be0dfa, blocks 5be0dfa through 5be0eaf; NtResumeThread is called from block 5be0e6d-5be0e75]
                                                  APIs
                                                  • NtResumeThread.NTDLL(?,?), ref: 05BE0E73
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1781341150.0000000005BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_5be0000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: ResumeThread
                                                  • String ID:
                                                  • API String ID: 947044025-0
                                                  • Opcode ID: e92598efa74fa1897de8984041d7f3e89ff68744e0a03aafe438e36355f74c97
                                                  • Instruction ID: 68b9306b07708c24d68ec12bca9f044d115a13c5e91cd7f2f8402658241dec4c
                                                  • Opcode Fuzzy Hash: e92598efa74fa1897de8984041d7f3e89ff68744e0a03aafe438e36355f74c97
                                                  • Instruction Fuzzy Hash: 00217CB14093C49FDB12CF219855BA1BFA0EF46224F1D84EEE9C44F153D266A54ACB62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • NtWriteVirtualMemory.NTDLL ref: 05BE0F24
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1781341150.0000000005BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_5be0000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: MemoryVirtualWrite
                                                  • String ID:
                                                  • API String ID: 3527976591-0
                                                  • Opcode ID: b49562db1e990aef62c8b405ddb01e85dc51ebdac030cc202c366e0e05101f78
                                                  • Instruction ID: 4b6122212b9cadddf578f8ffc29c2fa32d7a708b03d5eea80e382a6052687c6f
                                                  • Opcode Fuzzy Hash: b49562db1e990aef62c8b405ddb01e85dc51ebdac030cc202c366e0e05101f78
                                                  • Instruction Fuzzy Hash: A6116D71409780AFEB228F55DC44B62FFB4EF46220F0884DAED848F562D275A958DB62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • NtWriteVirtualMemory.NTDLL ref: 05BE0F24
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1781341150.0000000005BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_5be0000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: MemoryVirtualWrite
                                                  • String ID:
                                                  • API String ID: 3527976591-0
                                                  • Opcode ID: 844e3ac385269df0303a1948e34da69caeab1b38dfcde766e0666ab02a906de3
                                                  • Instruction ID: c8ccd0248937835d63401645ab853da774098d534bcb6de137386338ec799163
                                                  • Opcode Fuzzy Hash: 844e3ac385269df0303a1948e34da69caeab1b38dfcde766e0666ab02a906de3
                                                  • Instruction Fuzzy Hash: 2001DE314006049FEB20CF51D888B66FBE0EF08320F08C4AADD898B656D375E518CBA2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • NtResumeThread.NTDLL(?,?), ref: 05BE0E73
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1781341150.0000000005BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_5be0000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: ResumeThread
                                                  • String ID:
                                                  • API String ID: 947044025-0
                                                  • Opcode ID: 2b00027571b65c702eeca328e86b1400fc4667e1418fe756dfaca9c0d637eac3
                                                  • Instruction ID: 5e08770e49a329317e55227441e16c29f59ead8b8d31476e67f2ff172467e5c7
                                                  • Opcode Fuzzy Hash: 2b00027571b65c702eeca328e86b1400fc4667e1418fe756dfaca9c0d637eac3
                                                  • Instruction Fuzzy Hash: FF018F71D042449FEB10DF15D888B65FBE4EF48320F0CC4AADD888F656D3B9E404CAA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  control_flow_graph 0 57900d0-57900da 1 57900dc-57900e0 0->1 2 57900e1-5791855 0->2 1->2 482 579185c-5792b7b 2->482 674 5792b82-5798c8d 482->674 1674 5798c94-5798c9c 674->1674 1675 5798ca4-57997f0 1674->1675 1926 57997f7 1675->1926 1927 57997fe-5799804 1926->1927
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1780948500.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_5790000_chargeable.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 009dee82dc92cdd39ae5695e35d9063544303c385cfd2a06e75442be5879861c
                                                  • Instruction ID: 81fc738baaca2a698d8f730e29b8b0b013c132e10961bdd76dd8f1b5b3efd269
                                                  • Opcode Fuzzy Hash: 009dee82dc92cdd39ae5695e35d9063544303c385cfd2a06e75442be5879861c
                                                  • Instruction Fuzzy Hash: AE142834601604DFDB65DB30C854ADAB3B2EF89304F6148A8D55AAB3A0DF36EE85CF51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  control_flow_graph 1928 57900e0-5791855 2408 579185c-5792b7b 1928->2408 2600 5792b82-5798c8d 2408->2600 3600 5798c94-5798c9c 2600->3600 3601 5798ca4-57997f0 3600->3601 3852 57997f7 3601->3852 3853 57997fe-5799804 3852->3853
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1780948500.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_5790000_chargeable.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e857629a3ef9eac8ce0e59c8c1834786fe533cbfb36918be6cf5b015263c515d
                                                  • Instruction ID: 87d2330cc3759ef211df9b3bdfeb9b627a9fbff18a5db71a1d979058deb83fad
                                                  • Opcode Fuzzy Hash: e857629a3ef9eac8ce0e59c8c1834786fe533cbfb36918be6cf5b015263c515d
                                                  • Instruction Fuzzy Hash: 5C142834601604DFDB65DB30C854ADAB3B2EF89304F6148A8D55AAB3A0DF36EE85CF51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  control_flow_graph 3854 57998a0-57998a8 3855 57998aa 3854->3855 3856 57998e6-579b2cd 3854->3856 3857 57998ac-57998ad 3855->3857 3858 57998b1-57998e1 3855->3858 4373 579b2d4-579c61c 3856->4373 3857->3858 3858->3856
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1780948500.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_5790000_chargeable.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7250c34db2a9a558a283b6a02a1b5f97b02c408c9ec41f14af561df86a6655ab
                                                  • Instruction ID: 64c8f732e92f4189a74af7748aca315d3188a8a25a91ce15e56432a4b221e509
                                                  • Opcode Fuzzy Hash: 7250c34db2a9a558a283b6a02a1b5f97b02c408c9ec41f14af561df86a6655ab
                                                  • Instruction Fuzzy Hash: 5F33D3793015229B8F2ABF31E55182F3A63E7C9A59318A745C90107394EF3C6F478BE5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  control_flow_graph 4754 5be0ca1-5be0d1a 4757 5be0d1f-5be0d25 4754->4757 4758 5be0d1c 4754->4758 4759 5be0d2a-5be0d9c 4757->4759 4760 5be0d27 4757->4760 4758->4757 4764 5be0d9e-5be0da6 CreateProcessA 4759->4764 4765 5be0de9-5be0dee 4759->4765 4760->4759 4767 5be0dac-5be0dbe 4764->4767 4765->4764 4768 5be0df0-5be0df5 4767->4768 4769 5be0dc0-5be0de6 4767->4769 4768->4769
                                                  APIs
                                                  • CreateProcessA.KERNELBASE(?,00000E24), ref: 05BE0DA4
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1781341150.0000000005BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_5be0000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: CreateProcess
                                                  • String ID:
                                                  • API String ID: 963392458-0
                                                  • Opcode ID: 675cbe875e144ac3d97f089eeaea9560f4b84ba37b1d9cbaea4e96db097a5d5f
                                                  • Instruction ID: 8d31192751347367379de5b27f96bca8f8b5919b0b0c9780490595f1fd756c66
                                                  • Opcode Fuzzy Hash: 675cbe875e144ac3d97f089eeaea9560f4b84ba37b1d9cbaea4e96db097a5d5f
                                                  • Instruction Fuzzy Hash: AE41B172104344AFEB22CB65CC45FE2BBE8EF05710F08899AF9859B592D275F949CB60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  control_flow_graph 4772 5be0cda-5be0d1a 4774 5be0d1f-5be0d25 4772->4774 4775 5be0d1c 4772->4775 4776 5be0d2a-5be0d9c 4774->4776 4777 5be0d27 4774->4777 4775->4774 4781 5be0d9e-5be0da6 CreateProcessA 4776->4781 4782 5be0de9-5be0dee 4776->4782 4777->4776 4784 5be0dac-5be0dbe 4781->4784 4782->4781 4785 5be0df0-5be0df5 4784->4785 4786 5be0dc0-5be0de6 4784->4786 4785->4786
                                                  APIs
                                                  • CreateProcessA.KERNELBASE(?,00000E24), ref: 05BE0DA4
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1781341150.0000000005BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_5be0000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: CreateProcess
                                                  • String ID:
                                                  • API String ID: 963392458-0
                                                  • Opcode ID: 19eb0a8699ca4540190a7fe708081d64aad036ae874b1e794481e23eb72c4cc8
                                                  • Instruction ID: 3fff1fd41df272b0e8a88200f78bd6f73405646cdab2e0bcb6303058f96d1c52
                                                  • Opcode Fuzzy Hash: 19eb0a8699ca4540190a7fe708081d64aad036ae874b1e794481e23eb72c4cc8
                                                  • Instruction Fuzzy Hash: A4318E76200204AFEB21DF61CD85FA6F7ECEF08714F08855AFA459A690D7B5F548CB60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  control_flow_graph 4789 18cac22-18cacad 4793 18cacaf 4789->4793 4794 18cacb2-18cacc9 4789->4794 4793->4794 4796 18cad0b-18cad10 4794->4796 4797 18caccb-18cacde RegOpenKeyExW 4794->4797 4796->4797 4798 18cace0-18cad08 4797->4798 4799 18cad12-18cad17 4797->4799 4799->4798
                                                  APIs
                                                  • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 018CACD1
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1779825645.00000000018CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 018CA000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_18ca000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: Open
                                                  • String ID:
                                                  • API String ID: 71445658-0
                                                  • Opcode ID: cbbb210b2a3062420f58f45d02c1bc944d7c5b00409612252b2c1941f0a87217
                                                  • Instruction ID: 450cb303db5389b4261c5d0727d630362f9c18dccf485e2725b136ce2dfd469e
                                                  • Opcode Fuzzy Hash: cbbb210b2a3062420f58f45d02c1bc944d7c5b00409612252b2c1941f0a87217
                                                  • Instruction Fuzzy Hash: 2731D4B1404384AFE7228B15DC44FA7BFBCEF06720F08849AE9858B653D264E94DCB71
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  control_flow_graph 4804 18cad19-18cad97 4807 18cad9c-18cada5 4804->4807 4808 18cad99 4804->4808 4809 18cadaa-18cadb0 4807->4809 4810 18cada7 4807->4810 4808->4807 4811 18cadb5-18cadcc 4809->4811 4812 18cadb2 4809->4812 4810->4809 4814 18cadce-18cade1 RegQueryValueExW 4811->4814 4815 18cae03-18cae08 4811->4815 4812->4811 4816 18cae0a-18cae0f 4814->4816 4817 18cade3-18cae00 4814->4817 4815->4814 4816->4817
                                                  APIs
                                                  • RegQueryValueExW.KERNELBASE(?,00000E24,A2994225,00000000,00000000,00000000,00000000), ref: 018CADD4
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1779825645.00000000018CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 018CA000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_18ca000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: QueryValue
                                                  • String ID:
                                                  • API String ID: 3660427363-0
                                                  • Opcode ID: 708dc7140302a69e070d80b24162d19d57295355d3d140d2e3b980f6fec12854
                                                  • Instruction ID: 1a354a3d5ddc7c2af7d0e138dfdd8c566f82b59b0126c71d7a29814ba16058bd
                                                  • Opcode Fuzzy Hash: 708dc7140302a69e070d80b24162d19d57295355d3d140d2e3b980f6fec12854
                                                  • Instruction Fuzzy Hash: 6C31C4715047845FE722CB25DC84FA2BFF8EF06710F08849AE945CB293D364E948CBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  control_flow_graph 4821 18ca2ac-18ca2f3 4822 18ca2f6-18ca34e CreateActCtxA 4821->4822 4824 18ca354-18ca36a 4822->4824
                                                  APIs
                                                  • CreateActCtxA.KERNEL32(?,00000E24,?,?), ref: 018CA346
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1779825645.00000000018CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 018CA000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_18ca000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  • Opcode ID: ceed00d98015a82e3092cbadf95153d938d3899b9dc302c50b6f47f3986d62b0
                                                  • Instruction ID: 3ab79e945b652833d1e2768ab925d4ce6001fba0bec21d80ed6f87a2fe791104
                                                  • Opcode Fuzzy Hash: ceed00d98015a82e3092cbadf95153d938d3899b9dc302c50b6f47f3986d62b0
                                                  • Instruction Fuzzy Hash: DB21C2714097C06FD3138B259C51B62BFB8EF87610F0A81DBEC84DB693D225A919C7B2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  control_flow_graph 4825 18cac52-18cacad 4828 18cacaf 4825->4828 4829 18cacb2-18cacc9 4825->4829 4828->4829 4831 18cad0b-18cad10 4829->4831 4832 18caccb-18cacde RegOpenKeyExW 4829->4832 4831->4832 4833 18cace0-18cad08 4832->4833 4834 18cad12-18cad17 4832->4834 4834->4833
                                                  APIs
                                                  • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 018CACD1
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1779825645.00000000018CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 018CA000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_18ca000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: Open
                                                  • String ID:
                                                  • API String ID: 71445658-0
                                                  • Opcode ID: 67ff3501abd75d36dcc6faf589f4b20bc20bf7bb4e4666f06b8605fe6cff4a11
                                                  • Instruction ID: 0b4f1b4ef3eed20d1c3ed87458c02542a8cc6ee8e144ea297c83277efdd0a89e
                                                  • Opcode Fuzzy Hash: 67ff3501abd75d36dcc6faf589f4b20bc20bf7bb4e4666f06b8605fe6cff4a11
                                                  • Instruction Fuzzy Hash: 0E21BEB2500608AFE7219B55DC44FAABBECEF14724F04845AEA45DB652E234E9488BB1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  control_flow_graph 4855 5be0431-5be0486 4857 5be048b-5be049a 4855->4857 4858 5be0488 4855->4858 4859 5be049f-5be04ab 4857->4859 4860 5be049c 4857->4860 4858->4857 4861 5be04ad-5be04b5 DrawTextExW 4859->4861 4862 5be04e5-5be04ea 4859->4862 4860->4859 4864 5be04bb-5be04cd 4861->4864 4862->4861 4865 5be04cf-5be04e2 4864->4865 4866 5be04ec-5be04f1 4864->4866 4866->4865
                                                  APIs
                                                  • DrawTextExW.USER32(?,?,?,?,?,?), ref: 05BE04B3
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1781341150.0000000005BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_5be0000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: DrawText
                                                  • String ID:
                                                  • API String ID: 2175133113-0
                                                  • Opcode ID: ca660e618eb00cc3ae842203d381bb38c95d6a37e6870740d28efe2b56a7a85b
                                                  • Instruction ID: 60a574542605aa792604f2afed2737f51bea8faa3372610866becb804a466724
                                                  • Opcode Fuzzy Hash: ca660e618eb00cc3ae842203d381bb38c95d6a37e6870740d28efe2b56a7a85b
                                                  • Instruction Fuzzy Hash: A22190715087849FDB22CF65D944B62BFF8FF46220F08849AE9858F562D375E908CB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  control_flow_graph 4839 18cad5a-18cad97 4841 18cad9c-18cada5 4839->4841 4842 18cad99 4839->4842 4843 18cadaa-18cadb0 4841->4843 4844 18cada7 4841->4844 4842->4841 4845 18cadb5-18cadcc 4843->4845 4846 18cadb2 4843->4846 4844->4843 4848 18cadce-18cade1 RegQueryValueExW 4845->4848 4849 18cae03-18cae08 4845->4849 4846->4845 4850 18cae0a-18cae0f 4848->4850 4851 18cade3-18cae00 4848->4851 4849->4848 4850->4851
                                                  APIs
                                                  • RegQueryValueExW.KERNELBASE(?,00000E24,A2994225,00000000,00000000,00000000,00000000), ref: 018CADD4
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1779825645.00000000018CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 018CA000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_18ca000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: QueryValue
                                                  • String ID:
                                                  • API String ID: 3660427363-0
                                                  • Opcode ID: bf8a985652ed3b6e214c56745f4fae4b257374469b43f57cb33242efdfea49a7
                                                  • Instruction ID: abc4c70ab94a57c109f8bf7da76ccf8cf179591c294895791f5ab2221f7f193e
                                                  • Opcode Fuzzy Hash: bf8a985652ed3b6e214c56745f4fae4b257374469b43f57cb33242efdfea49a7
                                                  • Instruction Fuzzy Hash: 642181755006089FE721CF15DC84FA6B7ECEF14B14F04845AEA45DB691E770E508CAB1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  control_flow_graph 4879 18cbab4-18cbb16 4881 18cbb18 4879->4881 4882 18cbb1b-18cbb24 4879->4882 4881->4882 4883 18cbb5c-18cbb61 4882->4883 4884 18cbb26-18cbb46 LoadLibraryW 4882->4884 4883->4884 4887 18cbb48-18cbb5b 4884->4887 4888 18cbb63-18cbb68 4884->4888 4888->4887
                                                  APIs
                                                  • LoadLibraryW.KERNELBASE(?), ref: 018CBB2C
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1779825645.00000000018CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 018CA000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_18ca000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0
                                                  • Opcode ID: 2e2cd1555649deed84be9d39860aef8b1c5791197ee90ba8fa0bdd03cd972fd4
                                                  • Instruction ID: 637bc1798bfad31b6a2838c3e0ae856328c29d0548a2747523472c125122b6a6
                                                  • Opcode Fuzzy Hash: 2e2cd1555649deed84be9d39860aef8b1c5791197ee90ba8fa0bdd03cd972fd4
                                                  • Instruction Fuzzy Hash: 90218E715093C05FDB128B25DC95B92BFB4EF47224F0884DAED848F563D264A908CB62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  control_flow_graph 4890 18cb42d-18cb488 4892 18cb48d-18cb493 4890->4892 4893 18cb48a 4890->4893 4894 18cb498-18cb4a1 4892->4894 4895 18cb495 4892->4895 4893->4892 4896 18cb4ce-18cb4d3 4894->4896 4897 18cb4a3-18cb4b6 LoadLibraryShim 4894->4897 4895->4894 4896->4897 4898 18cb4b8-18cb4cb 4897->4898 4899 18cb4d5-18cb4da 4897->4899 4899->4898
                                                  APIs
                                                  • LoadLibraryShim.MSCOREE(?,?,?,?), ref: 018CB4A9
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1779825645.00000000018CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 018CA000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_18ca000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: LibraryLoadShim
                                                  • String ID:
                                                  • API String ID: 1475914169-0
                                                  • Opcode ID: 6d57ac68b460a84c97a072859ae291ee139da0d00275a65d6922c016f09d912e
                                                  • Instruction ID: f9911595660b887d133c35294ad7b3115622bed782fd5e012d50a3f23940f743
                                                  • Opcode Fuzzy Hash: 6d57ac68b460a84c97a072859ae291ee139da0d00275a65d6922c016f09d912e
                                                  • Instruction Fuzzy Hash: AB2181B15097805FD7228E15DC85B62FFE8EF46724F08808EED84CB693D275E908C761
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  control_flow_graph 4902 18cbc4b-18cbca9 4904 18cbcae-18cbcb7 4902->4904 4905 18cbcab 4902->4905 4906 18cbcef-18cbcf4 4904->4906 4907 18cbcb9-18cbcc1 GetFileVersionInfoSizeW 4904->4907 4905->4904 4906->4907 4908 18cbcc7-18cbcd9 4907->4908 4910 18cbcdb-18cbcee 4908->4910 4911 18cbcf6-18cbcfb 4908->4911 4911->4910
                                                  APIs
                                                  • GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 018CBCBF
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1779825645.00000000018CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 018CA000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_18ca000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: FileInfoSizeVersion
                                                  • String ID:
                                                  • API String ID: 1661704012-0
                                                  • Opcode ID: ac9833347c17336204661e688d898a8cca4fafa4f7d1523befb0a6aeb8e1a8e5
                                                  • Instruction ID: c7628cde6999e9e5cee5623a9676f40cd1843224e9184c40b22b42861f3649a8
                                                  • Opcode Fuzzy Hash: ac9833347c17336204661e688d898a8cca4fafa4f7d1523befb0a6aeb8e1a8e5
                                                  • Instruction Fuzzy Hash: FC218EB15093809FEB12CB25DC45B52BFA4EF46724F0984DAED848F263E274A909CB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • PostMessageW.USER32(?,?,?,?), ref: 05BE107D
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1781341150.0000000005BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_5be0000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: MessagePost
                                                  • String ID:
                                                  • API String ID: 410705778-0
                                                  • Opcode ID: 23fbe1aed2cf6399dfc1534eec4372dae6ee14d68976b41c7681756c21154958
                                                  • Instruction ID: 4173d6b331462104b9978a4e7c0f9675e8cc4932e4c43e8d48914f99d3519a85
                                                  • Opcode Fuzzy Hash: 23fbe1aed2cf6399dfc1534eec4372dae6ee14d68976b41c7681756c21154958
                                                  • Instruction Fuzzy Hash: 0B215C715093C09FDB138B25DC44A62BFB4EF47220F0984DAE9858F563D265A858DB62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 018CA666
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1779825645.00000000018CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 018CA000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_18ca000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: 1a63dfdd28326f00cbd56078ba2888a05035650cbae6c56d40a0e624a3714213
                                                  • Instruction ID: 4fa84db2ab10afbbe621d0c1d93d1acbb8e4e77eda3fff91b9046efb9e39681a
                                                  • Opcode Fuzzy Hash: 1a63dfdd28326f00cbd56078ba2888a05035650cbae6c56d40a0e624a3714213
                                                  • Instruction Fuzzy Hash: FB11A271409380AFDB228F55DC44B62FFF4EF8A720F08889EED858B562D235A518DB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • VerLanguageNameW.KERNELBASE(?,00000E24,?,?), ref: 05BE0082
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1781341150.0000000005BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_5be0000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: LanguageName
                                                  • String ID:
                                                  • API String ID: 2060303382-0
                                                  • Opcode ID: 19541f6ca2b400412b291f5d358e808fe7a6723e83a27e714e1d3345bf2e233e
                                                  • Instruction ID: 8d235ac9e625596b68d871460d0f6b29f2fade1bc4a77408560bcc39836a721a
                                                  • Opcode Fuzzy Hash: 19541f6ca2b400412b291f5d358e808fe7a6723e83a27e714e1d3345bf2e233e
                                                  • Instruction Fuzzy Hash: 5311C8715097806FD311CB25CC45F26FFB8EF86620F09819FED489B693D225B919CBA2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetFileVersionInfoW.KERNELBASE(?,?,?,?), ref: 018CBD75
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1779825645.00000000018CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 018CA000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_18ca000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: FileInfoVersion
                                                  • String ID:
                                                  • API String ID: 2427832333-0
                                                  • Opcode ID: a563f525ea9fde3b6b1e33cf6445b079e506981969d579f1306969a6a3cbb103
                                                  • Instruction ID: c9f620429fef4e82a9ebb8406b5852ce9103bbde76827c6d27b28b1fa28790ee
                                                  • Opcode Fuzzy Hash: a563f525ea9fde3b6b1e33cf6445b079e506981969d579f1306969a6a3cbb103
                                                  • Instruction Fuzzy Hash: 381193715047409FDB228B15DC45B62FFF8EF45624F08809EED858B662D275E918CB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • PostMessageW.USER32(?,?,?,?), ref: 05BE1405
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1781341150.0000000005BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_5be0000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: MessagePost
                                                  • String ID:
                                                  • API String ID: 410705778-0
                                                  • Opcode ID: 6e7e42c9a175ef9ed0a51f0ae0751b308578d9b4af4611b89810a2f6925b5aff
                                                  • Instruction ID: 4f05fa7eba3ac9bb15bed984572373cf036e4b993c20e5e61409f13948629676
                                                  • Opcode Fuzzy Hash: 6e7e42c9a175ef9ed0a51f0ae0751b308578d9b4af4611b89810a2f6925b5aff
                                                  • Instruction Fuzzy Hash: FB11DD71408380AFDB228F15DC45B62FFB4EF46224F0884DEED858B6A3C275A818CB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • DrawTextExW.USER32(?,?,?,?,?,?), ref: 05BE04B3
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1781341150.0000000005BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_5be0000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: DrawText
                                                  • String ID:
                                                  • API String ID: 2175133113-0
                                                  • Opcode ID: 27b6d0084475a3078adc8fd657dc5e23ead2d5775a8ba278e604d1b622f93645
                                                  • Instruction ID: 38ef85d4c74723c43ccdd91f0b1f98ee65a7dcbd2446a80f5d3ac04423e2f775
                                                  • Opcode Fuzzy Hash: 27b6d0084475a3078adc8fd657dc5e23ead2d5775a8ba278e604d1b622f93645
                                                  • Instruction Fuzzy Hash: A8115E715042089FEB20DF55D988B66FBF8FF14620F0884AADD858F652D375E504CB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • SetErrorMode.KERNELBASE(?), ref: 018CA480
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1779825645.00000000018CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 018CA000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_18ca000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: ErrorMode
                                                  • String ID:
                                                  • API String ID: 2340568224-0
                                                  • Opcode ID: d352fe48ffed937283e28a61de6716ae96a32cae86f0e302fa5dabb40862d6c9
                                                  • Instruction ID: 590f6031c1a4c7ff13aa0114aa73bb9b099c45acbab7d7fe6684966e8c56037e
                                                  • Opcode Fuzzy Hash: d352fe48ffed937283e28a61de6716ae96a32cae86f0e302fa5dabb40862d6c9
                                                  • Instruction Fuzzy Hash: 1B016175408384AFD7128B15DC88B62FFA8EF46724F08C09AED858B252D275A908CB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetFileVersionInfoW.KERNELBASE(?,?,?,?), ref: 018CBD75
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1779825645.00000000018CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 018CA000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_18ca000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: FileInfoVersion
                                                  • String ID:
                                                  • API String ID: 2427832333-0
                                                  • Opcode ID: bef76af902e63277dddffb7ad3e59c7b896d0de9fed2d94594e67172d326c234
                                                  • Instruction ID: 770c98db64546ab205f0eebddd402276d859c2c8acf71e520138fca9fd9fd1ce
                                                  • Opcode Fuzzy Hash: bef76af902e63277dddffb7ad3e59c7b896d0de9fed2d94594e67172d326c234
                                                  • Instruction Fuzzy Hash: 1301B5715006048FEB618F1AD845B56FBE4EF54B21F08C09EEE45CB762D275E548CFA2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • LoadLibraryShim.MSCOREE(?,?,?,?), ref: 018CB4A9
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1779825645.00000000018CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 018CA000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_18ca000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: LibraryLoadShim
                                                  • String ID:
                                                  • API String ID: 1475914169-0
                                                  • Opcode ID: 1b7e0bd084b4b636eaa7b7ddc707b1d61635b44cdcd7919c67af8463e7f1922e
                                                  • Instruction ID: 3809472549789015a5b8b09ff29dfcc032ead0206e5e1dc778699ec1b805480f
                                                  • Opcode Fuzzy Hash: 1b7e0bd084b4b636eaa7b7ddc707b1d61635b44cdcd7919c67af8463e7f1922e
                                                  • Instruction Fuzzy Hash: AB016D715046048FEB20CE19D886B62FBE8EF14B64F08809EDD49CB652D275E908CA61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 018CA666
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1779825645.00000000018CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 018CA000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_18ca000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: d347ff0431a0aaa7a8432a13fb2f26e4027572831114746fbfd8d7dab67451eb
                                                  • Instruction ID: 45b8c7999cf4d1ce622700ef48180dfebae98a3a2f60437d65e137995228fd3c
                                                  • Opcode Fuzzy Hash: d347ff0431a0aaa7a8432a13fb2f26e4027572831114746fbfd8d7dab67451eb
                                                  • Instruction Fuzzy Hash: 6E01C4315006049FDB218F55D944B56FFE4EF48720F08C85EDD858BA52E335E514CF61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 018CBCBF
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1779825645.00000000018CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 018CA000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_18ca000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: FileInfoSizeVersion
                                                  • String ID:
                                                  • API String ID: 1661704012-0
                                                  • Opcode ID: b2c35cbb65bcff022e3986bc9a56742635e6833764cb3059ad9fa97a8a9b1855
                                                  • Instruction ID: 129f8e70bdb3406f34233286042874c0c39fa0eae5150db56bbc2e94329dec5f
                                                  • Opcode Fuzzy Hash: b2c35cbb65bcff022e3986bc9a56742635e6833764cb3059ad9fa97a8a9b1855
                                                  • Instruction Fuzzy Hash: 3D01B1719006448FEB10CF1AD885766FBE4EF44720F08C4AADD48CB752D675E504CAA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • VerLanguageNameW.KERNELBASE(?,00000E24,?,?), ref: 05BE0082
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1781341150.0000000005BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_5be0000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: LanguageName
                                                  • String ID:
                                                  • API String ID: 2060303382-0
                                                  • Opcode ID: fa5543c1c7b04b5d37f842d1bd3667ec1b13f7e8dd27172f826c6ad8f67c9ad0
                                                  • Instruction ID: 9108e123c0995e93b745c2ee0cfb12873d647e13036e606fccdf34503e2920e6
                                                  • Opcode Fuzzy Hash: fa5543c1c7b04b5d37f842d1bd3667ec1b13f7e8dd27172f826c6ad8f67c9ad0
                                                  • Instruction Fuzzy Hash: BA01AD71600600ABD314DF16DC86B66FBE8FB88A20F14C11AED089BB81D731F915CBE6
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • CreateActCtxA.KERNEL32(?,00000E24,?,?), ref: 018CA346
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1779825645.00000000018CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 018CA000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_18ca000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  • Opcode ID: 02b7f536b7778f26f97f82fdafc9fbbec4d778ab8738757d43739da662c30fec
                                                  • Instruction ID: ac8d069d8f2cc5188864edfc1a7ec66c486695d898aec9ccece6d26d4da4b68d
                                                  • Opcode Fuzzy Hash: 02b7f536b7778f26f97f82fdafc9fbbec4d778ab8738757d43739da662c30fec
                                                  • Instruction Fuzzy Hash: 5101AD71600600ABD314DF16DC86B66FBE8FB88A20F14815AED089BB81D731F915CBE6
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • LoadLibraryW.KERNELBASE(?), ref: 018CBB2C
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1779825645.00000000018CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 018CA000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_18ca000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0
                                                  • Opcode ID: c316cac126033d3331ca1b2a4dde3cc16ace227ad3b46cf7c45b18e27910a5ab
                                                  • Instruction ID: e78cd82b3c5bbd625f2000513a78a7c5ecfeb407b6fcae16a97e660e0eb1d56f
                                                  • Opcode Fuzzy Hash: c316cac126033d3331ca1b2a4dde3cc16ace227ad3b46cf7c45b18e27910a5ab
                                                  • Instruction Fuzzy Hash: 3701F7719006008FEB20CF59D885762FBE4EF44720F08C4AADD48CF75AD274E504CBA2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • PostMessageW.USER32(?,?,?,?), ref: 05BE1405
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1781341150.0000000005BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_5be0000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: MessagePost
                                                  • String ID:
                                                  • API String ID: 410705778-0
                                                  • Opcode ID: cd0eeacf92d362d52a22d875c942762b13bd584c59d6e38a12129b7bf1f233a2
                                                  • Instruction ID: ecbdb777e3d8228238da17e7a68f0b57d179bdb3884a3c2bc4db617a330f08ed
                                                  • Opcode Fuzzy Hash: cd0eeacf92d362d52a22d875c942762b13bd584c59d6e38a12129b7bf1f233a2
                                                  • Instruction Fuzzy Hash: C201B1369002009FEB218F1AD844B65FBE4EF18220F1CC09EDD454AB62D375E458CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • PostMessageW.USER32(?,?,?,?), ref: 05BE107D
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1781341150.0000000005BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_5be0000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: MessagePost
                                                  • String ID:
                                                  • API String ID: 410705778-0
                                                  • Opcode ID: fbcd2a27711d286b16e1e93a0aa0c86a7187d8252b2da6c9ecf10751d75ea63e
                                                  • Instruction ID: a3976a9409abea25c0bcc2fa85ee11ddc44ad7519d19380e7cee01709f8d8a4b
                                                  • Opcode Fuzzy Hash: fbcd2a27711d286b16e1e93a0aa0c86a7187d8252b2da6c9ecf10751d75ea63e
                                                  • Instruction Fuzzy Hash: 8A018F35900240DFEB21CF06D944B65FBE4FF59220F18C09ADD450B662D375E458CBA2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • SetErrorMode.KERNELBASE(?), ref: 018CA480
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1779825645.00000000018CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 018CA000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_18ca000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: ErrorMode
                                                  • String ID:
                                                  • API String ID: 2340568224-0
                                                  • Opcode ID: 8f464e0fa77a24b07f6ee42ad5fb97e638c19e3916bd7c492c9053f27dd2502c
                                                  • Instruction ID: d3b375d84c1babbb1acc6f81c7e9251a7641a7845faa6146c221c01da94493c0
                                                  • Opcode Fuzzy Hash: 8f464e0fa77a24b07f6ee42ad5fb97e638c19e3916bd7c492c9053f27dd2502c
                                                  • Instruction Fuzzy Hash: 54F0A4759042488FEB108F05D888761FBE4EF45734F08C09EDD458B752E279E948CEA2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1780948500.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_5790000_chargeable.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: aae76bff16c964536581df7ef889c4cce8d826390dfe284720a5f6728b8e8eb4
                                                  • Instruction ID: cbde41bb2c65f9d819bbb3e08e178132caf6cdc683aaefcd8e2c720d1dc8d8a3
                                                  • Opcode Fuzzy Hash: aae76bff16c964536581df7ef889c4cce8d826390dfe284720a5f6728b8e8eb4
                                                  • Instruction Fuzzy Hash: BEA10B75E002099FDB18CBA8D884BADB7F6BF88314F158066E515AB3A1D731DD42CB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1780948500.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_5790000_chargeable.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3b2ad074729664e8f0e6753a2b4a25b8a2b76cfb8ac7ab9cd54b6dc68c0b3246
                                                  • Instruction ID: 0bbad6f86193b39df60d27e8e3562568d5a647387e86348c7b61555c4b5dcad8
                                                  • Opcode Fuzzy Hash: 3b2ad074729664e8f0e6753a2b4a25b8a2b76cfb8ac7ab9cd54b6dc68c0b3246
                                                  • Instruction Fuzzy Hash: 4891C135B002168FCF1AEB74D8559BEBBA6EFC9318B10446AC5059B391EF38DD05CBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1780948500.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_5790000_chargeable.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6a027858d85187a26ce6ed5e12860faf315d29d908a5a0b91f2ffd1293e33629
                                                  • Instruction ID: 2af8ade479457321b4bb1d7a6e91a935f94985efcc66f44f6048700825bb5504
                                                  • Opcode Fuzzy Hash: 6a027858d85187a26ce6ed5e12860faf315d29d908a5a0b91f2ffd1293e33629
                                                  • Instruction Fuzzy Hash: 8C4114367001159FDF0ADB69D881BBEBBAAAB85714F148469D104CF7C6D634DC0193E2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1780948500.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_5790000_chargeable.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 53c608502f4d25d81760a85c9500b90d21b5e79adaad4d86e558a4b5575e0aa2
                                                  • Instruction ID: dcf759321b254acaef89c8614e20d6d840e8fdbd4c1cd7b370e47e1e33f791e2
                                                  • Opcode Fuzzy Hash: 53c608502f4d25d81760a85c9500b90d21b5e79adaad4d86e558a4b5575e0aa2
                                                  • Instruction Fuzzy Hash: A141E631B041068BDF2AEA78A4657BD7BE7ABC9210F14403ED406EB791DF348D059BE2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1780948500.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_5790000_chargeable.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fab6457e26bb76dfb332ca8e7c82cda1bab1b8c4059e820fee1d3a9447bfe421
                                                  • Instruction ID: df21ac5ce81f3d80405a532f2b36883a603cd65b535c6e5d59711e5a5b9f367d
                                                  • Opcode Fuzzy Hash: fab6457e26bb76dfb332ca8e7c82cda1bab1b8c4059e820fee1d3a9447bfe421
                                                  • Instruction Fuzzy Hash: CB41E535A042468FCF2ADB68E855CBEBBBAFF84305B10406AD441D7354EB34AD04DBB1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1780948500.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_5790000_chargeable.jbxd
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1780236956.0000000001A10000.00000040.00000020.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_1a10000_chargeable.jbxd
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1780236956.0000000001A10000.00000040.00000020.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_1a10000_chargeable.jbxd
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1780948500.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_5790000_chargeable.jbxd
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1780948500.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_5790000_chargeable.jbxd
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1780236956.0000000001A10000.00000040.00000020.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_1a10000_chargeable.jbxd
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1780948500.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_5790000_chargeable.jbxd
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1780236956.0000000001A10000.00000040.00000020.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_1a10000_chargeable.jbxd
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1780236956.0000000001A10000.00000040.00000020.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_1a10000_chargeable.jbxd
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1780948500.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_5790000_chargeable.jbxd
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1780948500.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_5790000_chargeable.jbxd
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1779802529.00000000018C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 018C2000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_18c2000_chargeable.jbxd
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1779802529.00000000018C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 018C2000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_18c2000_chargeable.jbxd
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1780948500.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_5790000_chargeable.jbxd
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.1780948500.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_5790000_chargeable.jbxd
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Execution Graph

                                                  Execution Coverage:17.2%
                                                  Dynamic/Decrypted Code Coverage:100%
                                                  Signature Coverage:5.4%
                                                  Total number of Nodes:111
                                                  Total number of Limit Nodes:4
                                                  execution_graph (rendered graph; the node listing is not reproduced here). API calls that appear as graph nodes: ConvertStringSecurityDescriptorToSecurityDescriptorW, CreateFileW, GetProcessTimes, FindCloseChangeNotification, ReadFile, closesocket, SendMessageTimeoutA, RegOpenKeyExW, CreateMutexW, SetProcessWorkingSetSize, WSAConnect, SetErrorMode, getaddrinfo, RegCreateKeyExW, GetComputerNameW, RegSetValueExW, RegQueryValueExW, GetFileType, GetProcessWorkingSetSize, GetExitCodeProcess, AdjustTokenPrivileges, LookupPrivilegeValueW, WSASocketW, MapViewOfFile, DuplicateHandle, FormatMessageW, KiUserExceptionDispatcher
                                                  APIs
                                                  • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 054811F7
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4131580324.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_5480000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: AdjustPrivilegesToken
                                                  • String ID:
                                                  • API String ID: 2874748243-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 054811F7
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4131580324.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_5480000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: AdjustPrivilegesToken
                                                  • String ID:
                                                  • API String ID: 2874748243-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph (rendered graph not reproduced): basic blocks 548063f-5480673, 5480675-548067c and 54806e0-54806f6
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4131580324.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_5480000_chargeable.jbxd
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph (rendered graph not reproduced): function starting at 5370b68, entry block calls KiUserExceptionDispatcher; resolved call targets 1660606, 16605e2, 166064a, 53714f0 and 5371aff
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05370B8F
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4131402419.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_5370000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph (rendered graph not reproduced): function starting at 5370b58, entry block calls KiUserExceptionDispatcher; resolved call targets 1660606, 16605e2, 166064a, 53714f0 and 5371aff
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05370B8F
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4131402419.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_5370000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 89ee6fb814df9cb8ba537d1572055d0656e97473eb88c7b607946ce4d3847907
                                                  • Instruction ID: b1fad6ea4fcff47237cc38c5d3941855b24e54fd5b5ab1b0d4c7be051e07688b
                                                  • Opcode Fuzzy Hash: 89ee6fb814df9cb8ba537d1572055d0656e97473eb88c7b607946ce4d3847907
                                                  • Instruction Fuzzy Hash: 83415171E112058FCB58DF79C5886ADB7F2EF88204B1480A9D809EB369DB78DD45CF90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not reproduced; nodes were marked Executed / Not Executed): basic blocks 14bb8ca-14bb9de; CreateFileW is called from block 14bb983-14bb9a7; no internal calls.
                                                  APIs
                                                  • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 014BB989
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4127425503.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_14ba000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID:
                                                  • API String ID: 823142352-0
                                                  • Opcode ID: 74417bd54c8960503e212d2849c0d2eda66aa87f14ce3f37eede2a27efe2fe60
                                                  • Instruction ID: 08fc108c9cde24aa80eda87d25047b6373cd040c831e0b0cd24c6712c6d7e973
                                                  • Opcode Fuzzy Hash: 74417bd54c8960503e212d2849c0d2eda66aa87f14ce3f37eede2a27efe2fe60
                                                  • Instruction Fuzzy Hash: 7031B2B1504780AFE712CF65CC40BA2BFE8EF46310F08849AE9859B662D335E809DB71
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not reproduced; nodes were marked Executed / Not Executed): basic blocks 54819d4-5481ad7; RegCreateKeyExW is called from block 5481a8b-5481a9e; no internal calls.
                                                  APIs
                                                  • RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 05481A91
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4131580324.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_5480000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  • Opcode ID: f5e7d696448877f9ac0bb36ecc35a1c622575b39cc3e1231fca8037eb4a82cb2
                                                  • Instruction ID: ea90a5c0f1cc19e1fb1022c6e52a5d338dbe7cc7891fc52ac8b3990dff2362f3
                                                  • Opcode Fuzzy Hash: f5e7d696448877f9ac0bb36ecc35a1c622575b39cc3e1231fca8037eb4a82cb2
                                                  • Instruction Fuzzy Hash: 0231A1B1504744AFE7218B25CC44FB7BBECEF45610F08849AF985DB652D324E909CB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not reproduced; nodes were marked Executed / Not Executed): basic blocks 14bbe37-14bbf22; RegQueryValueExW is called from block 14bbeae-14bbf06; no internal calls.
                                                  APIs
                                                  • RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 014BBEFE
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4127425503.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_14ba000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: QueryValue
                                                  • String ID:
                                                  • API String ID: 3660427363-0
                                                  • Opcode ID: f9cf1e16d7822953d3bdd6a117ceef9c4409e04bf5cdd9dbf2b776b4efba636e
                                                  • Instruction ID: d2dc1d429f823f8f442f29ae1137003c81a26c7318a9d01f735f49d378799778
                                                  • Opcode Fuzzy Hash: f9cf1e16d7822953d3bdd6a117ceef9c4409e04bf5cdd9dbf2b776b4efba636e
                                                  • Instruction Fuzzy Hash: AF31706510E7C06FD3138B358C61A61BFB4EF47610B0E85CBD9C49F6A3D129A909C7B2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not reproduced; nodes were marked Executed / Not Executed): basic blocks 14ba7c7-14ba8bf; RegOpenKeyExW is called from block 14ba873-14ba886; no internal calls.
                                                  APIs
                                                  • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 014BA879
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4127425503.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_14ba000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: Open
                                                  • String ID:
                                                  • API String ID: 71445658-0
                                                  • Opcode ID: bedb432e17a49efd69edd6b117fdfbd08d0a5a1b63ca50fb1ed9beff42af5156
                                                  • Instruction ID: 1fc56172f787443adcb73e054692ee0b11963218483d41fd92818bf2d79b7ec4
                                                  • Opcode Fuzzy Hash: bedb432e17a49efd69edd6b117fdfbd08d0a5a1b63ca50fb1ed9beff42af5156
                                                  • Instruction Fuzzy Hash: EF31B5B14087846FE7228B558C44FA7BFB8EF16210F08849BE9849B653D264E90DC771
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not reproduced; nodes were marked Executed / Not Executed): basic blocks 5480d54-5480e71; getaddrinfo is called from block 5480e15-5480e1d; no internal calls.
                                                  APIs
                                                  • getaddrinfo.WS2_32(?,00000E24), ref: 05480E1B
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4131580324.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_5480000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: getaddrinfo
                                                  • String ID:
                                                  • API String ID: 300660673-0
                                                  • Opcode ID: 13066a5a8e63d70117000b6f7b536f3a7c1fecd9c512807a27a2d7e3d37e6df5
                                                  • Instruction ID: ba630fe5920dd682d70fa6c74705ae6ca6e85a1de862d7ca728499c4675d271d
                                                  • Opcode Fuzzy Hash: 13066a5a8e63d70117000b6f7b536f3a7c1fecd9c512807a27a2d7e3d37e6df5
                                                  • Instruction Fuzzy Hash: 3931AFB2500344AFE7219B51DC44FA7BBACEF44314F04889AFA499B692D274A948CB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not reproduced; nodes were marked Executed / Not Executed): basic blocks 5480c4c-5480d3a; GetProcessTimes is called from block 5480ce3-5480ceb; no internal calls.
                                                  APIs
                                                  • GetProcessTimes.KERNELBASE(?,00000E24,5E3FCD7C,00000000,00000000,00000000,00000000), ref: 05480CE9
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4131580324.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_5480000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: ProcessTimes
                                                  • String ID:
                                                  • API String ID: 1995159646-0
                                                  • Opcode ID: 894fdfc5e4e35711e446ad110ecb7aa6e09e0d6d6c38237b12855a005fb26fd8
                                                  • Instruction ID: a0208a1c9e8acaea6d9de420c0b4fe1390aa271fcad142bbd48957d298e6d5f9
                                                  • Opcode Fuzzy Hash: 894fdfc5e4e35711e446ad110ecb7aa6e09e0d6d6c38237b12855a005fb26fd8
                                                  • Instruction Fuzzy Hash: 3431D6765097805FE7228F21DC44FABBFB8EF56320F0884DBE8849F192D225A509C771
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not reproduced; nodes were marked Executed / Not Executed): basic blocks 14ba612-14ba70e; CreateMutexW is called from block 14ba6b3-14ba6d7; no internal calls.
                                                  APIs
                                                  • CreateMutexW.KERNELBASE(?,?), ref: 014BA6B9
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4127425503.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_14ba000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: CreateMutex
                                                  • String ID:
                                                  • API String ID: 1964310414-0
                                                  • Opcode ID: f8b4d3877e129c26bc7fb673e3dd7b51fc130ca50cb44d1790184afb13f7fbce
                                                  • Instruction ID: bbb3fc9f195cbf042230328055998f9619060cc758f6718353c9a8a769ae26aa
                                                  • Opcode Fuzzy Hash: f8b4d3877e129c26bc7fb673e3dd7b51fc130ca50cb44d1790184afb13f7fbce
                                                  • Instruction Fuzzy Hash: F731B1B15097806FE712CB65CC85B96BFF8EF06210F08849AE984CF292D374E909C771
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not reproduced; nodes were marked Executed / Not Executed): basic blocks 5480548-548063b; ConvertStringSecurityDescriptorToSecurityDescriptorW is called from block 54805d9-54805e1; no internal calls.
                                                  APIs
                                                  • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 054805DF
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4131580324.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_5480000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: DescriptorSecurity$ConvertString
                                                  • String ID:
                                                  • API String ID: 3907675253-0
                                                  • Opcode ID: c2923f262cc5e4005d660e191e3c6426425d7ec64f8b487ca99e219461b8929f
                                                  • Instruction ID: e9170619f14687410d08fbd74a1e013b69172742fe29056d064612ad8465beee
                                                  • Opcode Fuzzy Hash: c2923f262cc5e4005d660e191e3c6426425d7ec64f8b487ca99e219461b8929f
                                                  • Instruction Fuzzy Hash: 1131BF72504344AFE721DF65DC44FABBBE8EF46210F0884AAF944DB652D224E908CB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not reproduced; nodes were marked Executed / Not Executed): basic blocks 14ba8c1-14ba9c5; SendMessageTimeoutA is called from block 14ba977-14ba97f; no internal calls.
                                                  APIs
                                                  • SendMessageTimeoutA.USER32(?,00000E24), ref: 014BA97D
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4127425503.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_14ba000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: MessageSendTimeout
                                                  • String ID:
                                                  • API String ID: 1599653421-0
                                                  • Opcode ID: efb8c7968052a38f359f8a5fe75f53762975c063aeaa76bfc9ecda3e4a403b94
                                                  • Instruction ID: ea453244de658d1a581121792f55490b0fc41f16b18f4a15ea714bb7c278e313
                                                  • Opcode Fuzzy Hash: efb8c7968052a38f359f8a5fe75f53762975c063aeaa76bfc9ecda3e4a403b94
                                                  • Instruction Fuzzy Hash: EA31F8710047806FE7228F61CC44FA6BFB8EF46314F18849AE9849B553D274A408CB65
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 05481A91
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4131580324.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_5480000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  • Opcode ID: ba11fe10e880cfdc9a03786d4e9110d9a6baa3529cfc78b916127fe97761300d
                                                  • Instruction ID: 5c4517f82c1d74140694b720f55cc5d2255422bfd4b547edb655e7faebf1f1ed
                                                  • Opcode Fuzzy Hash: ba11fe10e880cfdc9a03786d4e9110d9a6baa3529cfc78b916127fe97761300d
                                                  • Instruction Fuzzy Hash: 8221AD72500704AFEB21DF55CC84FBBBBECEF18610F08849BE946DAA51E324E509CB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • FormatMessageW.KERNELBASE(?,00000E24,?,?), ref: 05480FD6
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4131580324.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_5480000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: FormatMessage
                                                  • String ID:
                                                  • API String ID: 1306739567-0
                                                  • Opcode ID: 63a007e210594809220ecff97c01b9a4bb17e23ebe6ddf1f18bd4f91a558a58c
                                                  • Instruction ID: 88909f9f3cc54a5c1d25468bc04b6e8878eefa1b7f5f6b28130960d06e9f3f41
                                                  • Opcode Fuzzy Hash: 63a007e210594809220ecff97c01b9a4bb17e23ebe6ddf1f18bd4f91a558a58c
                                                  • Instruction Fuzzy Hash: 54318F7150D3C45FD3038B618C61A66BFB4EF87610F0A84CBD884DF6A3D624A919C7B2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • RegQueryValueExW.KERNELBASE(?,00000E24,5E3FCD7C,00000000,00000000,00000000,00000000), ref: 014BA40C
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4127425503.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_14ba000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: QueryValue
                                                  • String ID:
                                                  • API String ID: 3660427363-0
                                                  • Opcode ID: 5bcf259cf48dac24b4552c33654ecb4ad325234a4e0a69474814c52ff871d9f2
                                                  • Instruction ID: 668619b43be24c0abbcd3ac756fe08d5b42de0d21fab6e798292d335154dff95
                                                  • Opcode Fuzzy Hash: 5bcf259cf48dac24b4552c33654ecb4ad325234a4e0a69474814c52ff871d9f2
                                                  • Instruction Fuzzy Hash: EC314FB5505740AFE722CF15CC84F97BFF8EF06610F08849AE9459B6A2D264E909CB71
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • getaddrinfo.WS2_32(?,00000E24), ref: 05480E1B
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4131580324.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_5480000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: getaddrinfo
                                                  • String ID:
                                                  • API String ID: 300660673-0
                                                  • Opcode ID: 74e95b6bc813bf216aa65596d9aba3c00787b5c55b7413dc8990acf4d519fb9d
                                                  • Instruction ID: a734bc0c3789746806e8b921b54021834b6bc97317343178d6e755d02d0c1969
                                                  • Opcode Fuzzy Hash: 74e95b6bc813bf216aa65596d9aba3c00787b5c55b7413dc8990acf4d519fb9d
                                                  • Instruction Fuzzy Hash: 6321ADB2100204AEEB209B51CD84FBBFBACEF04714F04885AFA499A681D674A54D8B71
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • WSASocketW.WS2_32(?,?,?,?,?), ref: 0548009E
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4131580324.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_5480000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: Socket
                                                  • String ID:
                                                  • API String ID: 38366605-0
                                                  • Opcode ID: 90ef2b6366335ddcf1763c8bc123ea86a07b26abedd6a0ce256842146fb40abe
                                                  • Instruction ID: 15803f22dadf2d14e346ebf5ca7810d3914f6e62994a8ea87f561e96d9ebbc5c
                                                  • Opcode Fuzzy Hash: 90ef2b6366335ddcf1763c8bc123ea86a07b26abedd6a0ce256842146fb40abe
                                                  • Instruction Fuzzy Hash: 4731C571505780AFE722CF51DC44F96FFF4EF06220F08849AE9859B692D379A408CB71
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetFileType.KERNELBASE(?,00000E24,5E3FCD7C,00000000,00000000,00000000,00000000), ref: 014BBA75
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4127425503.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_14ba000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: FileType
                                                  • String ID:
                                                  • API String ID: 3081899298-0
                                                  • Opcode ID: 8edc6d6eb889dbe606beacc6631304ac1223cabd46fd40cfe33d7c5a071747c4
                                                  • Instruction ID: a4db0f7027a67de9df15fdd72240c2c23e1807c6f151e5c315a58ca86c377f0d
                                                  • Opcode Fuzzy Hash: 8edc6d6eb889dbe606beacc6631304ac1223cabd46fd40cfe33d7c5a071747c4
                                                  • Instruction Fuzzy Hash: 60210DB54097806FE7138B25DC81BA2BFBCEF47720F0980D6ED809B293D264A909C771
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetExitCodeProcess.KERNELBASE(?,00000E24,5E3FCD7C,00000000,00000000,00000000,00000000), ref: 05481380
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4131580324.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_5480000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: CodeExitProcess
                                                  • String ID:
                                                  • API String ID: 3861947596-0
                                                  • Opcode ID: 162f94f677c919df5129dfa705e20583a7035dc97819524d31b98811553ee956
                                                  • Instruction ID: f832d7562642d95dabca5b27f772f5c7b82ac6d7d7717c32375b95a9ac244ab3
                                                  • Opcode Fuzzy Hash: 162f94f677c919df5129dfa705e20583a7035dc97819524d31b98811553ee956
                                                  • Instruction Fuzzy Hash: CC21A4715097806FE712CB25DC45FA6BFB8EF46214F0884DBE944DF692D264A908C771
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • RegSetValueExW.KERNELBASE(?,00000E24,5E3FCD7C,00000000,00000000,00000000,00000000), ref: 014BA4F8
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4127425503.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_14ba000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: Value
                                                  • String ID:
                                                  • API String ID: 3702945584-0
                                                  • Opcode ID: db475d113a99c59bb7a2bc98dcb1338a7d32278ee504a8293620c233b062adbb
                                                  • Instruction ID: 8fd05e6cd494a2802ebe06ed29facda18c33e6f1c6e397de417e1cb43ead9a7e
                                                  • Opcode Fuzzy Hash: db475d113a99c59bb7a2bc98dcb1338a7d32278ee504a8293620c233b062adbb
                                                  • Instruction Fuzzy Hash: 1C21B2B25047806FE7228F15CC44FA7BFB8EF46210F08849AE985DB6A2D364E908C771
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 014BB989
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4127425503.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_14ba000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID:
                                                  • API String ID: 823142352-0
                                                  • Opcode ID: b93771f7d53c46ddbd186768b1405257bd06816ac4a3819eb1b361bdfa9bc974
                                                  • Instruction ID: 60c296fe58dda7fe672a6b5a94f962f02036b080429864c31bd9747be462fce4
                                                  • Opcode Fuzzy Hash: b93771f7d53c46ddbd186768b1405257bd06816ac4a3819eb1b361bdfa9bc974
                                                  • Instruction Fuzzy Hash: E221B271500600AFEB21DF66CC84FA6FBE8EF18220F04845AE9459B751D375E408CB71
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 054805DF
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4131580324.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_5480000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: DescriptorSecurity$ConvertString
                                                  • String ID:
                                                  • API String ID: 3907675253-0
                                                  • Opcode ID: 66a69d86e2c91de1480e19141a16bbfc3dc900e9c536d5c9bfbd384babdd2bf1
                                                  • Instruction ID: cfaae94e6d3659a20d32889f3ee0321b79419ec50e7c41b0f9430ab33945e5db
                                                  • Opcode Fuzzy Hash: 66a69d86e2c91de1480e19141a16bbfc3dc900e9c536d5c9bfbd384babdd2bf1
                                                  • Instruction Fuzzy Hash: 8C21B072500204AFE720DF25DC44FABBBE8EF44210F04846AF949DB651D634E50C8A71
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • RegQueryValueExW.KERNELBASE(?,00000E24,5E3FCD7C,00000000,00000000,00000000,00000000), ref: 054804F4
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4131580324.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_5480000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: QueryValue
                                                  • String ID:
                                                  • API String ID: 3660427363-0
                                                  • Opcode ID: 0f977c765ae1c1c88ee974b677cef335dd54a6e0ce5281f580871e8b0a221928
                                                  • Instruction ID: 537f54f0627a0c0071b4b6b8d4d741096f968f39ef2a931013fe7374617382c3
                                                  • Opcode Fuzzy Hash: 0f977c765ae1c1c88ee974b677cef335dd54a6e0ce5281f580871e8b0a221928
                                                  • Instruction Fuzzy Hash: B8219DB2505740AFE722CF55CC44FA7BFF8EF45620F08849AE9499B692D264E908CB71
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 014BA879
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4127425503.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_14ba000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: Open
                                                  • String ID:
                                                  • API String ID: 71445658-0
                                                  • Opcode ID: e3117a46fa337f13dfb8f8d5b342a51582dd701292b3bb43387fece80811a3b6
                                                  • Instruction ID: f22ee8fcd85ae2796f4d85cbc4ceb92e7169405ae0498380148010555ef41fe8
                                                  • Opcode Fuzzy Hash: e3117a46fa337f13dfb8f8d5b342a51582dd701292b3bb43387fece80811a3b6
                                                  • Instruction Fuzzy Hash: CB21CFB2500204AEE7219F55CC84FABFBECEF14214F14845AEA459BB52D374E40D8AB1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • SetProcessWorkingSetSize.KERNEL32(?,00000E24,5E3FCD7C,00000000,00000000,00000000,00000000), ref: 05481543
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4131580324.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_5480000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: ProcessSizeWorking
                                                  • String ID:
                                                  • API String ID: 3584180929-0
                                                  • Opcode ID: 6256a727bc9bf16129629d6ce9267ef77f09edde70f49aa96242006122a65cea
                                                  • Instruction ID: 343c3eb2ddbc633418ea890fc1235acb60d66e891b21baf82ac775c48f0eb09e
                                                  • Opcode Fuzzy Hash: 6256a727bc9bf16129629d6ce9267ef77f09edde70f49aa96242006122a65cea
                                                  • Instruction Fuzzy Hash: 6821C2B15057806FE712CB21CC44FABBFA8EF46220F08C49BF945DB292D274E908CB65
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 05481B6A
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4131580324.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_5480000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: Connect
                                                  • String ID:
                                                  • API String ID: 3144859779-0
                                                  • Opcode ID: 15f00a39588df1489bf90f0a950c004da12dc6a0ee267a123a83802d9aedc2ae
                                                  • Instruction ID: 8d5593fb14b68a5669465e79747b89fed45f5e2be81588f94cdde8b568eb4cef
                                                  • Opcode Fuzzy Hash: 15f00a39588df1489bf90f0a950c004da12dc6a0ee267a123a83802d9aedc2ae
                                                  • Instruction Fuzzy Hash: 91219F715083809FDB228F65DC44B62FFF4EF46220F0889DEE9858B563D275A809DB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetProcessWorkingSetSize.KERNEL32(?,00000E24,5E3FCD7C,00000000,00000000,00000000,00000000), ref: 0548145F
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4131580324.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_5480000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: ProcessSizeWorking
                                                  • String ID:
                                                  • API String ID: 3584180929-0
                                                  • Opcode ID: 6256a727bc9bf16129629d6ce9267ef77f09edde70f49aa96242006122a65cea
                                                  • Instruction ID: 14da28ab6d4adfaa3c2026c0b7b9644ada1390b7496741498103a374c4a1a765
                                                  • Opcode Fuzzy Hash: 6256a727bc9bf16129629d6ce9267ef77f09edde70f49aa96242006122a65cea
                                                  • Instruction Fuzzy Hash: 7421B0B15047806FE712CB21CC44FABBFB8EF46220F08849BE944DB292D264A908CB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • CreateMutexW.KERNELBASE(?,?), ref: 014BA6B9
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4127425503.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_14ba000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: CreateMutex
                                                  • String ID:
                                                  • API String ID: 1964310414-0
                                                  • Opcode ID: b64566dd8457bc274dc88d615fd8df0ae194dd50dca5dcfaa0b4568ff6656c51
                                                  • Instruction ID: 4cf10e07516b6d0ae64b843da4110e2f536d9fc0bde47ef0aea2214f273dba00
                                                  • Opcode Fuzzy Hash: b64566dd8457bc274dc88d615fd8df0ae194dd50dca5dcfaa0b4568ff6656c51
                                                  • Instruction Fuzzy Hash: AC21C2B16042009FF721DF65CD85BA6FBE8EF14220F14846AE989DB751D374E809CB71
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • ReadFile.KERNELBASE(?,00000E24,5E3FCD7C,00000000,00000000,00000000,00000000), ref: 014BBD41
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4127425503.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_14ba000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: FileRead
                                                  • String ID:
                                                  • API String ID: 2738559852-0
                                                  • Opcode ID: 6ebe1ac27439b4548b2b9a199c6a93b2b5620f262e61852a0eee1189317604f4
                                                  • Instruction ID: 9240c520f4116e3509693e1300f2da68fbacfb8b26c5420cf2515ed90ab20788
                                                  • Opcode Fuzzy Hash: 6ebe1ac27439b4548b2b9a199c6a93b2b5620f262e61852a0eee1189317604f4
                                                  • Instruction Fuzzy Hash: 3821A471405780AFD722CF55DC44F97BFB8EF45210F08849AF9449B652D235A508CB72
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • RegQueryValueExW.KERNELBASE(?,00000E24,5E3FCD7C,00000000,00000000,00000000,00000000), ref: 014BA40C
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4127425503.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_14ba000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: QueryValue
                                                  • String ID:
                                                  • API String ID: 3660427363-0
                                                  • Opcode ID: 1a9cdec590813588db7104f2a74ae293a113c5975e7a5dcfa4621f7fb68947f3
                                                  • Instruction ID: db80964dabcf77f4e356cc453d630d32088dd7e735d478a945dda93fce0ca58a
                                                  • Opcode Fuzzy Hash: 1a9cdec590813588db7104f2a74ae293a113c5975e7a5dcfa4621f7fb68947f3
                                                  • Instruction Fuzzy Hash: A5216DB56006049FE721CE15CC84FA7BBECEF14610F18846AE9459B7A2D774E809CA71
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • FindCloseChangeNotification.KERNELBASE(?), ref: 054812B0
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4131580324.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_5480000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: ChangeCloseFindNotification
                                                  • String ID:
                                                  • API String ID: 2591292051-0
                                                  • Opcode ID: 310e727da4b956d1ddb2ad822e1b68a66f85475f226b74400ebf328864ec8b98
                                                  • Instruction ID: fd28a6b8493e256cafa96ad49eafa0fdb99f0fbf7ebbbc67561cacc2c9bcc397
                                                  • Opcode Fuzzy Hash: 310e727da4b956d1ddb2ad822e1b68a66f85475f226b74400ebf328864ec8b98
                                                  • Instruction Fuzzy Hash: 5921AE725093C05FDB128B25DC94B92BFB4AF47324F0984DBEC858F663D264A908CB62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4131580324.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_5480000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: FileView
                                                  • String ID:
                                                  • API String ID: 3314676101-0
                                                  • Opcode ID: ecc44ed8e07ca4bddeadf2808a7c0b728d4fb74d440d6bf2ca946beb6e2c8568
                                                  • Instruction ID: 50a978bf3502db2022f453b9c4a02431dae177d610a91c7222179301e011c08a
                                                  • Opcode Fuzzy Hash: ecc44ed8e07ca4bddeadf2808a7c0b728d4fb74d440d6bf2ca946beb6e2c8568
                                                  • Instruction Fuzzy Hash: 6C21F071400604AFE721DF55CC88FAAFBE8EF19224F04845AE9499BB51E375F408CBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • WSASocketW.WS2_32(?,?,?,?,?), ref: 0548009E
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4131580324.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_5480000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: Socket
                                                  • String ID:
                                                  • API String ID: 38366605-0
                                                  • Opcode ID: 1bd90bb4cc549e1d7ee7c297ceaf51d47775a57c93bc29525d13ded827c73835
                                                  • Instruction ID: 2eb4047fa236860708bb11ebd4f7d14d2869aa708119be213335599de42abc8e
                                                  • Opcode Fuzzy Hash: 1bd90bb4cc549e1d7ee7c297ceaf51d47775a57c93bc29525d13ded827c73835
                                                  • Instruction Fuzzy Hash: B4210E71500200AFEB21DF55DD44FAAFBE8EF19320F04885AEA499AB91D375E408CB72
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • SendMessageTimeoutA.USER32(?,00000E24), ref: 014BA97D
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4127425503.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_14ba000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: MessageSendTimeout
                                                  • String ID:
                                                  • API String ID: 1599653421-0
                                                  • Opcode ID: 8467654c0308f2adc2672422952f42ff19654817859e63bdf28e6ef439df9b8d
                                                  • Instruction ID: 0203559eb05bad3b2dec78e1e85c9a716f6c771c677fd35839c5b0bb68880fec
                                                  • Opcode Fuzzy Hash: 8467654c0308f2adc2672422952f42ff19654817859e63bdf28e6ef439df9b8d
                                                  • Instruction Fuzzy Hash: 5321E471500600AFEB218F51DC40FA6FBA8EF14310F14885AFE459AAA1D375F508DB71
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • FindCloseChangeNotification.KERNELBASE(?), ref: 014BA780
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4127425503.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_14ba000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: ChangeCloseFindNotification
                                                  • String ID:
                                                  • API String ID: 2591292051-0
                                                  • Opcode ID: d7b7a2af746c0ff470c1682b7709b2ba365320796ce94773fff2506760f5413c
                                                  • Instruction ID: 15b6686a7708d5b766640ee2ab7536160e74cc1484deb6ddaced09b4d1fdc39b
                                                  • Opcode Fuzzy Hash: d7b7a2af746c0ff470c1682b7709b2ba365320796ce94773fff2506760f5413c
                                                  • Instruction Fuzzy Hash: EE21D5B55043809FD7118F15DD85792BFB4EF42324F08849BED458B653D3359909DB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • RegSetValueExW.KERNELBASE(?,00000E24,5E3FCD7C,00000000,00000000,00000000,00000000), ref: 014BA4F8
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4127425503.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_14ba000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: Value
                                                  • String ID:
                                                  • API String ID: 3702945584-0
                                                  • Opcode ID: b88dd487b5bcd43727590089dc19c12cc41e796252cc5152c8f7fee1eee78e15
                                                  • Instruction ID: 645e66559451171844befc4e53e379498dc78b43fa6dfc0cda2a9ad3ee0344db
                                                  • Opcode Fuzzy Hash: b88dd487b5bcd43727590089dc19c12cc41e796252cc5152c8f7fee1eee78e15
                                                  • Instruction Fuzzy Hash: D411B1B2500600AFEB218E15CC84FA7BBECEF14614F14845AED459B792D374E508CA71
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • RegQueryValueExW.KERNELBASE(?,00000E24,5E3FCD7C,00000000,00000000,00000000,00000000), ref: 054804F4
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4131580324.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_5480000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: QueryValue
                                                  • String ID:
                                                  • API String ID: 3660427363-0
                                                  • Opcode ID: 1aedd06ef9da082686b202ae61222829d977d8a10048ce2524de6a475d9786f9
                                                  • Instruction ID: d1426e34186cfd791893890a5f48ca9d48a048309affef2881395f6033484654
                                                  • Opcode Fuzzy Hash: 1aedd06ef9da082686b202ae61222829d977d8a10048ce2524de6a475d9786f9
                                                  • Instruction Fuzzy Hash: B411AF72510600AFEB21DF16CC44FABBBE8EF14720F08845AE9499A791D374E50CCBB1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetProcessTimes.KERNELBASE(?,00000E24,5E3FCD7C,00000000,00000000,00000000,00000000), ref: 05480CE9
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4131580324.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_5480000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: ProcessTimes
                                                  • String ID:
                                                  • API String ID: 1995159646-0
                                                  • Opcode ID: 39a81448208b628bbe8f1120458677d06956b9738820fcbf31295e46d5b096bb
                                                  • Instruction ID: f3f21520657254e62276820f86249735b832ed8d0a2d66186f482690764bcec4
                                                  • Opcode Fuzzy Hash: 39a81448208b628bbe8f1120458677d06956b9738820fcbf31295e46d5b096bb
                                                  • Instruction Fuzzy Hash: 6E11D076500600AFEB21DF55DC44FABBBE8EF15320F04846AE9499B655D375F408CBB1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 05481076
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4131580324.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_5480000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: LookupPrivilegeValue
                                                  • String ID:
                                                  • API String ID: 3899507212-0
                                                  • Opcode ID: dc6514bbbe4c98c41e972c998fb16b162b2ce4ce1d89969fd9e69a52301d64d7
                                                  • Instruction ID: 1934445a5bd6bb70e78db0c26e28a3ed74427f4f852108289d4a305cb1f5a18f
                                                  • Opcode Fuzzy Hash: dc6514bbbe4c98c41e972c998fb16b162b2ce4ce1d89969fd9e69a52301d64d7
                                                  • Instruction Fuzzy Hash: 5C1172715083809FD711CF65DC85BA7BFE8EF46220F0884ABED45DB652D234E808CB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

APIs
• SetProcessWorkingSetSize.KERNEL32(?,00000E24,5E3FCD7C,00000000,00000000,00000000,00000000), ref: 05481543
Memory Dump Source
• Source File: 00000003.00000002.4131580324.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_5480000_chargeable.jbxd
Similarity
• API ID: ProcessSizeWorking
• String ID:
• API String ID: 3584180929-0
• Opcode ID: 4ce8a3e66c9e16b750a07383e079fa6c6a4215b54460681a6fd53504369a22ea
• Instruction ID: 4cd03aa783c8ff3ab3d659a0954018c8a5d111c4cad5f0f6d587a8b28df7c329
• Opcode Fuzzy Hash: 4ce8a3e66c9e16b750a07383e079fa6c6a4215b54460681a6fd53504369a22ea
• Instruction Fuzzy Hash: 1011EFB1500200AFEB20DF15DC44BBBBBA8EF15220F08C46BE905DB681D274E909CBB1
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetProcessWorkingSetSize.KERNEL32(?,00000E24,5E3FCD7C,00000000,00000000,00000000,00000000), ref: 0548145F
Memory Dump Source
• Source File: 00000003.00000002.4131580324.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_5480000_chargeable.jbxd
Similarity
• API ID: ProcessSizeWorking
• String ID:
• API String ID: 3584180929-0
• Opcode ID: 4ce8a3e66c9e16b750a07383e079fa6c6a4215b54460681a6fd53504369a22ea
• Instruction ID: 910279a30c0c8898c4900d70f0eac77516c7cab99ef3209c57ee222e21278425
• Opcode Fuzzy Hash: 4ce8a3e66c9e16b750a07383e079fa6c6a4215b54460681a6fd53504369a22ea
• Instruction Fuzzy Hash: 2011DDB1500200AFEB20DB11CC44BBABBA8EF54620F08846BE9059A781D274E409CBA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014BAFFE
Memory Dump Source
• Source File: 00000003.00000002.4127425503.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_14ba000_chargeable.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 73227b3f2c3e95a4cff672eb7c004c65094c3aa3d07d99e05c202b0d1ccf5058
• Instruction ID: c46cec4a02443bb1a5686177702f7b0ac926f3efe9c03f934e20e6d47bfc466c
• Opcode Fuzzy Hash: 73227b3f2c3e95a4cff672eb7c004c65094c3aa3d07d99e05c202b0d1ccf5058
• Instruction Fuzzy Hash: 4F117F71409780AFDB228F55DC44B62FFF4EF4A220F08889AED858B663D275A518DB71
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetExitCodeProcess.KERNELBASE(?,00000E24,5E3FCD7C,00000000,00000000,00000000,00000000), ref: 05481380
Memory Dump Source
• Source File: 00000003.00000002.4131580324.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_5480000_chargeable.jbxd
Similarity
• API ID: CodeExitProcess
• String ID:
• API String ID: 3861947596-0
• Opcode ID: c633f16abdeab449d6100c00149c0b459f924f7ae0b8eb6dfdee8ffc57696146
• Instruction ID: 484aa1fbe4fa7b407dfb97716aeab388e05fbc1e05a86001514f91f7b600feb8
• Opcode Fuzzy Hash: c633f16abdeab449d6100c00149c0b459f924f7ae0b8eb6dfdee8ffc57696146
• Instruction Fuzzy Hash: BC11C171900200AFFB11DB15DC84BBABBE8EF55224F08C4ABED44DBA81D274E509CBA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• ReadFile.KERNELBASE(?,00000E24,5E3FCD7C,00000000,00000000,00000000,00000000), ref: 014BBD41
Memory Dump Source
• Source File: 00000003.00000002.4127425503.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_14ba000_chargeable.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 58009169580d286cb2bd6bf44929a4b1175314e6606342ba050f9257b70bf573
• Instruction ID: 218cddeb6d0af02d16bfda54db084b2a47ad835b199235c4ab57c4b6ea61e849
• Opcode Fuzzy Hash: 58009169580d286cb2bd6bf44929a4b1175314e6606342ba050f9257b70bf573
• Instruction Fuzzy Hash: 0611E271500600AFEB218F51CC80FAAFBE8EF14324F04C45AE9449A661D338E4098BB2
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetComputerNameW.KERNEL32(?,00000E24,?,?), ref: 0548043A
Memory Dump Source
• Source File: 00000003.00000002.4131580324.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_5480000_chargeable.jbxd
Similarity
• API ID: ComputerName
• String ID:
• API String ID: 3545744682-0
• Opcode ID: e4fd447a256f5faca1656c962c23ef04e1e04cbdce1af8b21652da156d910ec3
• Instruction ID: 7c72506182dfef42d867c211828b19d3b27e6af170812af6cc92e553ba013d39
• Opcode Fuzzy Hash: e4fd447a256f5faca1656c962c23ef04e1e04cbdce1af8b21652da156d910ec3
• Instruction Fuzzy Hash: 8B11C871509780AFD311DB15CC45F26FFB4EF86620F09818FE9449B692D225B915CBA2
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000003.00000002.4127425503.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_14ba000_chargeable.jbxd
Similarity
• API ID: closesocket
• String ID:
• API String ID: 2781271927-0
• Opcode ID: a17f7ecfae92b4aca586f1bead0e41cea5838cfc0d628859ebea7473ff35f11f
• Instruction ID: c6b46575f07c59d201170725d4320e5349f884bb4607caccbdebed4778558345
• Opcode Fuzzy Hash: a17f7ecfae92b4aca586f1bead0e41cea5838cfc0d628859ebea7473ff35f11f
• Instruction Fuzzy Hash: CA1160715093C0AFDB128B25DC45A92BFB4EF47220F0884DBED848F663D279A958CB61
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetErrorMode.KERNELBASE(?), ref: 014BA330
Memory Dump Source
• Source File: 00000003.00000002.4127425503.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_14ba000_chargeable.jbxd
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: 201b2bbb9458b4e8622a0744b29a96b412e02c97b21acacc85fb97dc6b8920f4
• Instruction ID: 946d313b33d46ce7c8d210b0343c0af79bba45c76fbae994e2cb211dc3e75320
• Opcode Fuzzy Hash: 201b2bbb9458b4e8622a0744b29a96b412e02c97b21acacc85fb97dc6b8920f4
• Instruction Fuzzy Hash: A4115175409380AFD7128B15DD44B62BFB4EF47624F0D80DBED848B263D275A808DB72
Uniqueness
Uniqueness Score: -1.00%

APIs
• LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 05481076
Memory Dump Source
• Source File: 00000003.00000002.4131580324.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_5480000_chargeable.jbxd
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0
• Opcode ID: 4d966a22508a144359d533ba0ae291ace55f03709f1ff992756365e352cea4b7
• Instruction ID: a709a0d99c0fb082971faa86f1def97c2044fa9f841e159584de4296bb7e6f42
• Opcode Fuzzy Hash: 4d966a22508a144359d533ba0ae291ace55f03709f1ff992756365e352cea4b7
• Instruction Fuzzy Hash: F411A1716042408FEB50DF25DC84BABFBE8EF16220F08C4ABED49DBB56D635E405CA61
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetFileType.KERNELBASE(?,00000E24,5E3FCD7C,00000000,00000000,00000000,00000000), ref: 014BBA75
Memory Dump Source
• Source File: 00000003.00000002.4127425503.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_14ba000_chargeable.jbxd
Similarity
• API ID: FileType
• String ID:
• API String ID: 3081899298-0
• Opcode ID: da1d6d4963d3499b3f4795b85b8b70318ea5c22ed7874b5d41a870bf4338d1a8
• Instruction ID: e5264ad301d57619fd0ba98463dfdaad662e8a236c384a58d311a01cbe1fc1c8
• Opcode Fuzzy Hash: da1d6d4963d3499b3f4795b85b8b70318ea5c22ed7874b5d41a870bf4338d1a8
• Instruction Fuzzy Hash: A601D671900600AEE711CF15DC84BE6FBECDF59624F04C057ED059B791D374E5088AB5
Uniqueness
Uniqueness Score: -1.00%

APIs
• WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 05481B6A
Memory Dump Source
• Source File: 00000003.00000002.4131580324.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_5480000_chargeable.jbxd
Similarity
• API ID: Connect
• String ID:
• API String ID: 3144859779-0
• Opcode ID: bf88007773cb8cb7de74bef6ba2ed6c3387b8188fb6e42a52c3ff0439681ee64
• Instruction ID: 88196f94dcae2442e450b14a1f207a8ccdffcf0816a43eb497970dc792a2f9a1
• Opcode Fuzzy Hash: bf88007773cb8cb7de74bef6ba2ed6c3387b8188fb6e42a52c3ff0439681ee64
• Instruction Fuzzy Hash: 65118E319006009FEB20DF55D848BA6FBE5FF48320F0889ABED458B662E335E459DF61
Uniqueness
Uniqueness Score: -1.00%

APIs
• FormatMessageW.KERNELBASE(?,00000E24,?,?), ref: 05480FD6
Memory Dump Source
• Source File: 00000003.00000002.4131580324.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_5480000_chargeable.jbxd
Similarity
• API ID: FormatMessage
• String ID:
• API String ID: 1306739567-0
• Opcode ID: b9921738e2f5dcf3ffd497e1f7f1fbcfe80852d0c4487962daa1609dfbd0cb7a
• Instruction ID: 73dfcb6f95a00177580d218cc94e4400d94e43b608fd31b5c277509098a9a255
• Opcode Fuzzy Hash: b9921738e2f5dcf3ffd497e1f7f1fbcfe80852d0c4487962daa1609dfbd0cb7a
• Instruction Fuzzy Hash: 50019E71600600ABD310DF16CC46B66FBE8EB88A20F14851AED089BB41D735F915CBE5
Uniqueness
Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014BAFFE
Memory Dump Source
• Source File: 00000003.00000002.4127425503.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_14ba000_chargeable.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 38cefcb1ed9e7a2cc767cbf9f25f82b87a78ef1e1859103823004a6edae6e225
• Instruction ID: e371599aae9da6b1bec3fa61e6d84b3762d864fbc0751aa5ef2761a61b75f6f9
• Opcode Fuzzy Hash: 38cefcb1ed9e7a2cc767cbf9f25f82b87a78ef1e1859103823004a6edae6e225
• Instruction Fuzzy Hash: 210161725007409FDB218F55D984B66FFE4EF48320F08855AED454A662D376E414DF61
Uniqueness
Uniqueness Score: -1.00%

APIs
• FindCloseChangeNotification.KERNELBASE(?), ref: 014BA780
Memory Dump Source
• Source File: 00000003.00000002.4127425503.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_14ba000_chargeable.jbxd
Similarity
• API ID: ChangeCloseFindNotification
• String ID:
• API String ID: 2591292051-0
• Opcode ID: d7b5d31c186d1c98d113925088ffbc126ae2506eea5035f357eac6503457ce2d
• Instruction ID: e6453bccd5196ff569565383ac7423d80c4bf17522f9708512b6e301058b27ec
• Opcode Fuzzy Hash: d7b5d31c186d1c98d113925088ffbc126ae2506eea5035f357eac6503457ce2d
• Instruction Fuzzy Hash: 7801A7755042409FEB10CF15D9857A6FBE4DF45220F18C4ABDD468F756D279E408CEB1
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 014BBEFE
Memory Dump Source
• Source File: 00000003.00000002.4127425503.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_14ba000_chargeable.jbxd
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
• Opcode ID: 3b558b7caa6b6c1d022a9956d2dc7536d9e78ebb42b8dc21559a1cb1b80372df
• Instruction ID: cb5792c0aa7d9b1c56680665560c2417c2fcaab59fe284fe07100320a5f8d185
• Opcode Fuzzy Hash: 3b558b7caa6b6c1d022a9956d2dc7536d9e78ebb42b8dc21559a1cb1b80372df
• Instruction Fuzzy Hash: 5A01A271500600ABD310DF16CC46B66FBE8FF89A20F14811AED089BB41D771F915CBE5
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetComputerNameW.KERNEL32(?,00000E24,?,?), ref: 0548043A
Memory Dump Source
• Source File: 00000003.00000002.4131580324.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_5480000_chargeable.jbxd
Similarity
• API ID: ComputerName
• String ID:
• API String ID: 3545744682-0
• Opcode ID: 28aa51015e134a6d1bdae02267afdb03a3ac7d43830579b28fa4919d92b021ec
• Instruction ID: f6d2e8f6f78e0145bc065593231fef6dc1d978c2ddb57889f20e1d5eb45f1e1c
• Opcode Fuzzy Hash: 28aa51015e134a6d1bdae02267afdb03a3ac7d43830579b28fa4919d92b021ec
• Instruction Fuzzy Hash: 2801AD71600600ABD310DF16CC86B66FBE8FF89A20F14815AED089BB41E735F915CBE6
Uniqueness
Uniqueness Score: -1.00%

APIs
• FindCloseChangeNotification.KERNELBASE(?), ref: 054812B0
Memory Dump Source
• Source File: 00000003.00000002.4131580324.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_5480000_chargeable.jbxd
Similarity
• API ID: ChangeCloseFindNotification
• String ID:
• API String ID: 2591292051-0
• Opcode ID: f103937d49f5147cd19fae71122a5055aade30a20011d08ffabef0e630068d78
• Instruction ID: 883c4b1dc078f0beca2fb22b91994fd20d36fc8f68eda96b4cce9d4f6c3f60f0
• Opcode Fuzzy Hash: f103937d49f5147cd19fae71122a5055aade30a20011d08ffabef0e630068d78
• Instruction Fuzzy Hash: 0201DF75A002408FEB10DF59D884BAAFBE4EF45220F08C0ABDD49DFB56D274E408CA62
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000003.00000002.4127425503.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_14ba000_chargeable.jbxd
Similarity
• API ID: closesocket
• String ID:
• API String ID: 2781271927-0
• Opcode ID: 13f9db7b89e82b1986323b63b4953e422f8d4ec2e67ce33a5ee0128c307f8b2a
• Instruction ID: 6fbb84f7232ae6c98119109bc5502819e4e0bcfff021ed9f1ef4c2e3e4a15f9f
• Opcode Fuzzy Hash: 13f9db7b89e82b1986323b63b4953e422f8d4ec2e67ce33a5ee0128c307f8b2a
• Instruction Fuzzy Hash: BC01D1719042409FEB10CF15D8857A6FBE4EF45220F18C4ABDD488F766D279E448CAB2
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetErrorMode.KERNELBASE(?), ref: 014BA330
Memory Dump Source
• Source File: 00000003.00000002.4127425503.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_14ba000_chargeable.jbxd
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: 29ab91018579b8b00f0a0ae77664baa7e9cd7f9ec33ca08bdb4bf2b1c512979e
• Instruction ID: ab3951d65f56f2fa75a5f95e31cfda77572ace5cc7562fdf798336c99af20700
• Opcode Fuzzy Hash: 29ab91018579b8b00f0a0ae77664baa7e9cd7f9ec33ca08bdb4bf2b1c512979e
• Instruction Fuzzy Hash: D5F08C35905240CFEB108F0AD8847A6FBE4EF05224F18C09BDD494B762D2B9E408CAA2
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.4127940151.0000000001660000.00000040.00000020.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1660000_chargeable.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8898db691b97aa28c6c6b1065aa8ad48c27a55a8f3427fbd3cb560ba1aa8f415
• Instruction ID: 9848c604a3e8181579b83e8558e8ab774bcd4c1e25bb680a911750e14c839793
• Opcode Fuzzy Hash: 8898db691b97aa28c6c6b1065aa8ad48c27a55a8f3427fbd3cb560ba1aa8f415
• Instruction Fuzzy Hash: 97110630604280DFDB11CB14D940B15BBA9AB99708F24C9BDF8491BB83C73BD803CA91
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.4127940151.0000000001660000.00000040.00000020.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1660000_chargeable.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8a39d3c92d96c1ab3c35ec7d2488b16d99d47d857f5269eead1a486e02755039
• Instruction ID: d2e9fa50b20bcf3d43bc7daa901f0ebace33691da811f231aa3bf565e41fe741
• Opcode Fuzzy Hash: 8a39d3c92d96c1ab3c35ec7d2488b16d99d47d857f5269eead1a486e02755039
• Instruction Fuzzy Hash: C21133355093C0DFCB16CB14C950B15BFB1AB86714F29C6EEE4895B6A3C33A9806CB51
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.4127940151.0000000001660000.00000040.00000020.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1660000_chargeable.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 70f243946d1ed3e59fc95474d3a0ec887ade3ed4762bc837f9512a27973f06f0
• Instruction ID: 76d1edb112bb505a1f697454151ba48d661f611dbb0eda41f7ffc7d0dc76a1a2
• Opcode Fuzzy Hash: 70f243946d1ed3e59fc95474d3a0ec887ade3ed4762bc837f9512a27973f06f0
• Instruction Fuzzy Hash: 54F0D6B65087405FD7118F06AC40862FFE8EF86620B09C49FFC498B662D275B908CBA1
Uniqueness
Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4127940151.0000000001660000.00000040.00000020.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_1660000_chargeable.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a0fad09b1b785d29a278dd191a0322e6b75d56d875a0dfd461062fcdb48358eb
                                                  • Instruction ID: 0bb358f48ec5ebaee6003379dda25bc79aee9909000b8e72faa64cf549f6d19e
                                                  • Opcode Fuzzy Hash: a0fad09b1b785d29a278dd191a0322e6b75d56d875a0dfd461062fcdb48358eb
                                                  • Instruction Fuzzy Hash: B9F0C27210D7808FC3168F15AC41455BBF4EF85220B1884FBD849CB663D239E809CBA6
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4127940151.0000000001660000.00000040.00000020.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_1660000_chargeable.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0b6e4d9588c8b3b536dc49aa3ff0406202024c598795a04b4f4794c20a664ee6
                                                  • Instruction ID: 6d1683841839836ee6a20cce6c86c6879a74e2c9ad0f48c84103cc47c1617315
                                                  • Opcode Fuzzy Hash: 0b6e4d9588c8b3b536dc49aa3ff0406202024c598795a04b4f4794c20a664ee6
                                                  • Instruction Fuzzy Hash: 88F01935148684DFC716CF04D980B15FBA6EB89718F24CAADE9491BB62C737E813DB81
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4127940151.0000000001660000.00000040.00000020.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_1660000_chargeable.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 54af1cdc4034d44c1c333f9bcc145f9a706d11ed9ebd54a6dc42d046456a7cdf
                                                  • Instruction ID: 716d3353eb6233d101016a3ca5e8c086981f772037d8a9b0b98355f44be376e1
                                                  • Opcode Fuzzy Hash: 54af1cdc4034d44c1c333f9bcc145f9a706d11ed9ebd54a6dc42d046456a7cdf
                                                  • Instruction Fuzzy Hash: FAE092B66006008B9750DF0AEC41452FBE8EF88630B08C07FEC0D8B711E27AB508CAA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4127406141.00000000014B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B2000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_14b2000_chargeable.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 91f6c88b2479e408f26df9c54919b661844b85b21a0eb9e31d9603beaef2aa0f
                                                  • Instruction ID: 262e5bbb6e9ccd268960ec1137b46bd4704274a3ad036bfef85c7d862f7a11fc
                                                  • Opcode Fuzzy Hash: 91f6c88b2479e408f26df9c54919b661844b85b21a0eb9e31d9603beaef2aa0f
                                                  • Instruction Fuzzy Hash: 6AD02E392006D04FE3128A0CC1A4FC63FE4AF60704F0A00FAA8008BB73C7ACE480C210
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.4127406141.00000000014B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B2000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_14b2000_chargeable.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6d41980b1a293fada6f3d143fdcd0eaf48e902b978aeeaf24d917fa31a026e17
                                                  • Instruction ID: 704f391994c88fb67e24798522e4c40320bcfde29abb99af5c1493f2e505da1b
                                                  • Opcode Fuzzy Hash: 6d41980b1a293fada6f3d143fdcd0eaf48e902b978aeeaf24d917fa31a026e17
                                                  • Instruction Fuzzy Hash: EFD05E342012814BE715DA1CC6D4F9A3BD4AB54B14F0A54E9AC108B772C7B4E8C0DA20
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Execution Graph

                                                  Execution Coverage: 19.6%
                                                  Dynamic/Decrypted Code Coverage: 100%
                                                  Signature Coverage: 0%
                                                  Total number of Nodes: 54
                                                  Total number of Limit Nodes: 3
                                                  execution_graph 6806 67a0032 6807 67a0082 VerLanguageNameW 6806->6807 6808 67a0090 6807->6808 6896 83bc4b 6897 83bc82 GetFileVersionInfoSizeW 6896->6897 6899 83bcc7 6897->6899 6860 67a0431 6862 67a0462 DrawTextExW 6860->6862 6863 67a04bb 6862->6863 6809 83a44e 6810 83a47a SetErrorMode 6809->6810 6812 83a4a3 6809->6812 6811 83a48f 6810->6811 6812->6810 6876 83bd10 6879 83bd32 GetFileVersionInfoW 6876->6879 6878 83bd84 6879->6878 6880 83ad19 6881 83ad5a RegQueryValueExW 6880->6881 6883 83ade3 6881->6883 6829 83a622 6830 83a660 DuplicateHandle 6829->6830 6831 83a698 6829->6831 6832 83a66e 6830->6832 6831->6830 6884 83ac22 6886 83ac52 RegOpenKeyExW 6884->6886 6887 83ace0 6886->6887 6888 83a42a 6889 83a44e SetErrorMode 6888->6889 6891 83a48f 6889->6891 6892 83b42d 6894 83b45e LoadLibraryShim 6892->6894 6895 83b4b8 6894->6895 6852 83a2ac 6853 83a2f6 CreateActCtxA 6852->6853 6855 83a354 6853->6855 6837 83baf2 6838 83bb18 LoadLibraryW 6837->6838 6840 83bb34 6838->6840 6864 67a1009 6867 67a1042 PostMessageW 6864->6867 6866 67a108c 6867->6866 6856 83bab4 6859 83baf2 LoadLibraryW 6856->6859 6858 83bb34 6859->6858 6848 67a1042 6849 67a10a2 6848->6849 6850 67a1077 PostMessageW 6848->6850 6849->6850 6851 67a108c 6850->6851 6868 83a5fb 6869 83a622 DuplicateHandle 6868->6869 6871 83a66e 6869->6871 6872 67a0007 6873 67a0032 VerLanguageNameW 6872->6873 6875 67a0090 6873->6875

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 4860 67a0dfa-67a0e02 4861 67a0e0c-67a0e6b 4860->4861 4862 67a0e04-67a0e07 4860->4862 4864 67a0e6d-67a0e75 NtResumeThread 4861->4864 4865 67a0ea3-67a0ea8 4861->4865 4862->4861 4866 67a0e7b-67a0e8d 4864->4866 4865->4864 4868 67a0eaa-67a0eaf 4866->4868 4869 67a0e8f-67a0ea2 4866->4869 4868->4869
                                                  APIs
                                                  • NtResumeThread.NTDLL(?,?), ref: 067A0E73
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1858345043.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_67a0000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: ResumeThread
                                                  • String ID:
                                                  • API String ID: 947044025-0
                                                  • Opcode ID: 463853544e12db2520fad49a7023e0e49f265bf4a310f0c6190b1aef82fde23f
                                                  • Instruction ID: 3bf4b6847919aeca430ce4630bd667f8f96db4c3a020041496270cfd8c8e7c34
                                                  • Opcode Fuzzy Hash: 463853544e12db2520fad49a7023e0e49f265bf4a310f0c6190b1aef82fde23f
                                                  • Instruction Fuzzy Hash: 8421AEB14093C09FDB12CF21D854BA1BFE0AF46224F1D84DEE8C44F153D266955ADB62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • NtWriteVirtualMemory.NTDLL ref: 067A0F24
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1858345043.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_67a0000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: MemoryVirtualWrite
                                                  • String ID:
                                                  • API String ID: 3527976591-0
                                                  • Opcode ID: fed60d1d90bec1902066bd7d1553750530ee35edffe3b59365a4cfe5883bb647
                                                  • Instruction ID: 874282a62d9506adcf035dfd275892d77b2444724352ed16d25540292d609cb0
                                                  • Opcode Fuzzy Hash: fed60d1d90bec1902066bd7d1553750530ee35edffe3b59365a4cfe5883bb647
                                                  • Instruction Fuzzy Hash: 9C119071409380AFDB228F55DC44B62FFF4EF46324F0888DAED848F562D275A518DB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • NtWriteVirtualMemory.NTDLL ref: 067A0F24
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1858345043.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_67a0000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: MemoryVirtualWrite
                                                  • String ID:
                                                  • API String ID: 3527976591-0
                                                  • Opcode ID: e5978590fcb1b4c4d52201f7e7a6b4c8a44b3695249313fac1ad875c9d0ac1bb
                                                  • Instruction ID: 53d6c525e57bfdc3c5005612fc133da86eb9c65336f713a41c74334e34ed2077
                                                  • Opcode Fuzzy Hash: e5978590fcb1b4c4d52201f7e7a6b4c8a44b3695249313fac1ad875c9d0ac1bb
                                                  • Instruction Fuzzy Hash: 9201CC329003009FEB608F55D884B62FBE0EF48324F08C9AEDD498B656D335E408CFA2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • NtResumeThread.NTDLL(?,?), ref: 067A0E73
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1858345043.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_67a0000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: ResumeThread
                                                  • String ID:
                                                  • API String ID: 947044025-0
                                                  • Opcode ID: f243c8c2af6c66575a724df3d323f0c88292899672ac933ebdbf496e88e690ba
                                                  • Instruction ID: 5d094bdc05d93d27636cedad503d8a4b3b0acc5ca262bb552d0492e60abfcf65
                                                  • Opcode Fuzzy Hash: f243c8c2af6c66575a724df3d323f0c88292899672ac933ebdbf496e88e690ba
                                                  • Instruction Fuzzy Hash: E201F2719083408FEB50DF15D884761FBE4EF88324F08C8AADD488F656D379E418DBA2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 0 4cb00d0-4cb1855 480 4cb185c-4cb2b7b 0->480 672 4cb2b82-4cb8c8d 480->672 1672 4cb8c94-4cb8c9c 672->1672 1673 4cb8ca4-4cb97f0 1672->1673 1924 4cb97f7 1673->1924 1925 4cb97fe-4cb9804 1924->1925
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1857299368.0000000004CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CB0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_4cb0000_chargeable.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 575da3b65c6e17fb87348eca2561472306c614c27fc07236adaaa1c97138bfea
                                                  • Instruction ID: 6af6444771acfb91df781c508c52855473bf811322a2f09d1f4b6936b3891968
                                                  • Opcode Fuzzy Hash: 575da3b65c6e17fb87348eca2561472306c614c27fc07236adaaa1c97138bfea
                                                  • Instruction Fuzzy Hash: BF142734601614DFD765DB30C854ADAB3B2EF89304F6148A8D55AAB3A0DF36EE86CF41
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 1926 4cb00e0-4cb1855 2405 4cb185c-4cb2b7b 1926->2405 2597 4cb2b82-4cb8c8d 2405->2597 3597 4cb8c94-4cb8c9c 2597->3597 3598 4cb8ca4-4cb97f0 3597->3598 3849 4cb97f7 3598->3849 3850 4cb97fe-4cb9804 3849->3850
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1857299368.0000000004CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CB0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_4cb0000_chargeable.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 34ba213cd3057af34cb531118f1dca77da006bd7518eff31b99116445cba1e0d
                                                  • Instruction ID: 84fab1137c77957f3d9017b80dba3b4032b247aab8bada8d15a2997551c69385
                                                  • Opcode Fuzzy Hash: 34ba213cd3057af34cb531118f1dca77da006bd7518eff31b99116445cba1e0d
                                                  • Instruction Fuzzy Hash: AE142734601614DFD765DB30C854ADAB3B2EF89304F6148A8D55AAB3A0DF36EE86CF41
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 4746 67a0ca1-67a0d1a 4749 67a0d1f-67a0d25 4746->4749 4750 67a0d1c 4746->4750 4751 67a0d2a-67a0d9c 4749->4751 4752 67a0d27 4749->4752 4750->4749 4756 67a0de9-67a0dee 4751->4756 4757 67a0d9e-67a0da6 CreateProcessA 4751->4757 4752->4751 4756->4757 4758 67a0dac-67a0dbe 4757->4758 4760 67a0df0-67a0df5 4758->4760 4761 67a0dc0-67a0de6 4758->4761 4760->4761
                                                  APIs
                                                  • CreateProcessA.KERNELBASE(?,00000E24), ref: 067A0DA4
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1858345043.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_67a0000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: CreateProcess
                                                  • String ID:
                                                  • API String ID: 963392458-0
                                                  • Opcode ID: 6ad727328d7e7837ae2141c4f8a311935a0823e76d23f7b097bec2f506fd4ea7
                                                  • Instruction ID: 874d5064a201424e5d6800e9d29346ef3698c77d120486d5ea4282d19121798f
                                                  • Opcode Fuzzy Hash: 6ad727328d7e7837ae2141c4f8a311935a0823e76d23f7b097bec2f506fd4ea7
                                                  • Instruction Fuzzy Hash: 6041A272104340AFEB22CB65CC41FE2BBECEF45714F04899AF9859B592D275F949CB60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 4764 67a0cda-67a0d1a 4766 67a0d1f-67a0d25 4764->4766 4767 67a0d1c 4764->4767 4768 67a0d2a-67a0d9c 4766->4768 4769 67a0d27 4766->4769 4767->4766 4773 67a0de9-67a0dee 4768->4773 4774 67a0d9e-67a0da6 CreateProcessA 4768->4774 4769->4768 4773->4774 4775 67a0dac-67a0dbe 4774->4775 4777 67a0df0-67a0df5 4775->4777 4778 67a0dc0-67a0de6 4775->4778 4777->4778
                                                  APIs
                                                  • CreateProcessA.KERNELBASE(?,00000E24), ref: 067A0DA4
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1858345043.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_67a0000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: CreateProcess
                                                  • String ID:
                                                  • API String ID: 963392458-0
                                                  • Opcode ID: 115542834cb0e449fe9f2a8bd3b5575339380288ddfb96904a6cef1da0595e3c
                                                  • Instruction ID: fb0846fc540dfc30bde416f05c3b0ecc18a40150e58cd8437afed5e913429d57
                                                  • Opcode Fuzzy Hash: 115542834cb0e449fe9f2a8bd3b5575339380288ddfb96904a6cef1da0595e3c
                                                  • Instruction Fuzzy Hash: 4C317C72600300AFEB318B65CD41FA6F7E8EB48714F14895AFA459AA91D671F548CB60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 4847 67a0431-67a0486 4849 67a048b-67a049a 4847->4849 4850 67a0488 4847->4850 4851 67a049f-67a04ab 4849->4851 4852 67a049c 4849->4852 4850->4849 4853 67a04ad-67a04b5 DrawTextExW 4851->4853 4854 67a04e5-67a04ea 4851->4854 4852->4851 4855 67a04bb-67a04cd 4853->4855 4854->4853 4857 67a04cf-67a04e2 4855->4857 4858 67a04ec-67a04f1 4855->4858 4858->4857
                                                  APIs
                                                  • DrawTextExW.USER32(?,?,?,?,?,?), ref: 067A04B3
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1858345043.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_67a0000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: DrawText
                                                  • String ID:
                                                  • API String ID: 2175133113-0
                                                  • Opcode ID: 04dd0e1cb5b0a6ec17bcce90c7938f6a47f776e3d63f6619cddcdb3e8b7c552b
                                                  • Instruction ID: b9a836e48143ddcd6d2329398cc0bf5d636600aa11a96d270c5574634c1b4ae7
                                                  • Opcode Fuzzy Hash: 04dd0e1cb5b0a6ec17bcce90c7938f6a47f776e3d63f6619cddcdb3e8b7c552b
                                                  • Instruction Fuzzy Hash: B721A1715047809FDB22CF25DC44B62BFF8FF46214F08889AE9848F562D335E908CB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • VerLanguageNameW.KERNELBASE(?,00000E24,?,?), ref: 067A0082
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1858345043.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_67a0000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: LanguageName
                                                  • String ID:
                                                  • API String ID: 2060303382-0
                                                  • Opcode ID: 6f23d5559b1b7391cf2cdf5ff9e649148cc57910103238e75835e9323784bb5c
                                                  • Instruction ID: 79850cb1e3d5eea47d5dc8cedf9c203bc73e6dfe8bb251f102b6071738c3e879
                                                  • Opcode Fuzzy Hash: 6f23d5559b1b7391cf2cdf5ff9e649148cc57910103238e75835e9323784bb5c
                                                  • Instruction Fuzzy Hash: 5611B271545740AFD3128B16CC41F73BFF8EF86620F05819AED489BA52D274B915CBB2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • PostMessageW.USER32(?,?,?,?), ref: 067A107D
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1858345043.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_67a0000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: MessagePost
                                                  • String ID:
                                                  • API String ID: 410705778-0
                                                  • Opcode ID: ec5672bab600bd1b937032958b4d828e846002e497f1542e321182de33f19954
                                                  • Instruction ID: 1fcfabd61a0a76bd6d9424d9fbb3f315836fb7cdff3a364a6b4487b04f164874
                                                  • Opcode Fuzzy Hash: ec5672bab600bd1b937032958b4d828e846002e497f1542e321182de33f19954
                                                  • Instruction Fuzzy Hash: 65216A725097C09FDB238F25DC44A62BFB4EF47220F0985DAE9848F563D265A818DB62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • PostMessageW.USER32(?,?,?,?), ref: 067A1405
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1858345043.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_67a0000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: MessagePost
                                                  • String ID:
                                                  • API String ID: 410705778-0
                                                  • Opcode ID: bdaebd20d9d623d384b8deaf0868284bf6aba60e934008f2c022efaf4751384d
                                                  • Instruction ID: ff7acdd61f5ffa3a3a7605feee0e69a66550450d6b85d5e09504ece4c87bc152
                                                  • Opcode Fuzzy Hash: bdaebd20d9d623d384b8deaf0868284bf6aba60e934008f2c022efaf4751384d
                                                  • Instruction Fuzzy Hash: B611E2715093809FDB228F15DC45B62FFB4EF46324F0884DEED458B563C275A818CB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • DrawTextExW.USER32(?,?,?,?,?,?), ref: 067A04B3
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1858345043.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_67a0000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: DrawText
                                                  • String ID:
                                                  • API String ID: 2175133113-0
                                                  • Opcode ID: 8f17ed72ceb6ab2769d93a3d567c78dc9d743442d7ba850dce330dc04a12375c
                                                  • Instruction ID: b1beab56b37293392a2f0fa7fc8b01c32a535c2461a2a96a40a21a93ee5c54c3
                                                  • Opcode Fuzzy Hash: 8f17ed72ceb6ab2769d93a3d567c78dc9d743442d7ba850dce330dc04a12375c
                                                  • Instruction Fuzzy Hash: 8C11A031A003049FEB60CF15D844B62FBE8FF59224F08C96ADD458F652D335E418CBA1
                                                  Uniqueness
                                                  • Uniqueness Score: -1.00%

                                                  APIs
                                                  • VerLanguageNameW.KERNELBASE(?,00000E24,?,?), ref: 067A0082
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1858345043.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_67a0000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: LanguageName
                                                  • String ID:
                                                  • API String ID: 2060303382-0
                                                  • Opcode ID: 49e045f570d125c11611468d6661baaf8456c1ef405109b371d0881d381d2c70
                                                  • Instruction ID: 1e5085b7a2e092397a7190d0d0796331bdbbaeabf8aea880c686f5d0b659c907
                                                  • Opcode Fuzzy Hash: 49e045f570d125c11611468d6661baaf8456c1ef405109b371d0881d381d2c70
                                                  • Instruction Fuzzy Hash: 30016271600600ABD310DF16DC46B66FBE8FB99A20F14815AED089BB41D771F915CBE5
                                                  Uniqueness
                                                  • Uniqueness Score: -1.00%

                                                  APIs
                                                  • PostMessageW.USER32(?,?,?,?), ref: 067A1405
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1858345043.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_67a0000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: MessagePost
                                                  • String ID:
                                                  • API String ID: 410705778-0
                                                  • Opcode ID: 16de35f2f2988c93e2a898f07411061d5883085b03f2fdfd1f818edf10be4bcb
                                                  • Instruction ID: 41a2d0181d342beb26600202326e168feee5da6480a460d1142cc92d49ba6228
                                                  • Opcode Fuzzy Hash: 16de35f2f2988c93e2a898f07411061d5883085b03f2fdfd1f818edf10be4bcb
                                                  • Instruction Fuzzy Hash: DF01B1329007008FEB618F1AD884B65FBE4EF55224F08C19ADD454AA62D375E458CBA1
                                                  Uniqueness
                                                  • Uniqueness Score: -1.00%

                                                  APIs
                                                  • PostMessageW.USER32(?,?,?,?), ref: 067A107D
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1858345043.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_67a0000_chargeable.jbxd
                                                  Similarity
                                                  • API ID: MessagePost
                                                  • String ID:
                                                  • API String ID: 410705778-0
                                                  • Opcode ID: 67369cdcc10acf33c52a557b2ba38d70f963c5d5ab1b93811ca42919f5a0dc67
                                                  • Instruction ID: e4d3b069a145f386bf32bdcfa6e652a2269eb825c8872164c21b1b0d56fb6857
                                                  • Opcode Fuzzy Hash: 67369cdcc10acf33c52a557b2ba38d70f963c5d5ab1b93811ca42919f5a0dc67
                                                  • Instruction Fuzzy Hash: 2F01A236910740DFEB618F06D984B62FBE4EF59320F08C19ADD450B662D375E418CFA2
                                                  Uniqueness
                                                  • Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1857299368.0000000004CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CB0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_4cb0000_chargeable.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5240bf15e22fc504a2e48f83e9e59e212564c0865b01a06ba1818ccb3c007798
                                                  • Instruction ID: 445f5ed5ea7269a372a6daa709992eb6d1fb2ea61f1c9a4056c6c611578adacd
                                                  • Opcode Fuzzy Hash: 5240bf15e22fc504a2e48f83e9e59e212564c0865b01a06ba1818ccb3c007798
                                                  • Instruction Fuzzy Hash: FB31F175B042168FDB21DF68D8448BEBBB2FB84308B10412AE881D7354DB31EE42CBE1
                                                  Uniqueness
                                                  • Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1857299368.0000000004CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CB0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_4cb0000_chargeable.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a2dc62a6689d25251cafbfcf399967356cede0482519e0c95a6b66e9000002e8
                                                  • Instruction ID: 90ba4dd09e3e59939965a2c38d41e36555036a0bfa8937861418e43e065ba056
                                                  • Opcode Fuzzy Hash: a2dc62a6689d25251cafbfcf399967356cede0482519e0c95a6b66e9000002e8
                                                  • Instruction Fuzzy Hash: 8EE086A7305104ABE70585746CC5EFA6756E7D5304F958037F704C7691C6655C1F52A0
                                                  Uniqueness
                                                  • Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1853448576.0000000000832000.00000040.00000800.00020000.00000000.sdmp, Offset: 00832000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_832000_chargeable.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ed43be1eb5d8a291d878c950cb545990b15c7ae0f310fdac7e0b026a247a1327
                                                  • Instruction ID: 4fd854379e38ec666735c15a0b5ea56e127d7fba99ba9752c5674ba69ad28a8a
                                                  • Opcode Fuzzy Hash: ed43be1eb5d8a291d878c950cb545990b15c7ae0f310fdac7e0b026a247a1327
                                                  • Instruction Fuzzy Hash: 60D05E792056C14FD316DA1CC1A4B9537D4BBA5714F4A48F9A800CB763C768E981D640
                                                  Uniqueness
                                                  • Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1853448576.0000000000832000.00000040.00000800.00020000.00000000.sdmp, Offset: 00832000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_832000_chargeable.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ed1b29f03528b576d60fd849a1e99e6867c42b93ae03d44507d9f68915899162
                                                  • Instruction ID: b594a9db067d221c59598902e7dee7f0b2151a62e1e2f61a2b691c94fdc79df8
                                                  • Opcode Fuzzy Hash: ed1b29f03528b576d60fd849a1e99e6867c42b93ae03d44507d9f68915899162
                                                  • Instruction Fuzzy Hash: 2AD05E352402814BD715DA0CC6D4F5977D4BB94B14F0A44E8AC10CB772C7A8D8C0DA40
                                                  Uniqueness
                                                  • Uniqueness Score: -1.00%